YoVDO

Software Security Engineering: Lessons from the Past to Fix the Future

Offered By: OWASP Foundation via YouTube

Tags

Software Development Courses, Machine Learning Courses, DevSecOps Courses, Operating System Security Courses, Defense in Depth Courses

Course Description

Overview

Explore software security engineering insights and strategies in this 39-minute OWASP Foundation talk. Learn from past events to address recurring security issues, achieve maximum resilience against known and unknown threats, and understand why DevSecOps may not be the ultimate solution. Discover crucial aspects often overlooked by organizations, analyze historical bug patterns, and gain practical recommendations for integrating security throughout the software development lifecycle. Examine the paradigm shift in software security engineering, debunk common misconceptions, and understand the importance of explicit security measures in each engineering phase.

Syllabus

Intro
Who am I? How my experience is relevant to this talk?
Overview
Top OS and OS-Native Apps Vulnerat That has been around for over one to two decades
History of Few Common Bug Classes
The Big Question
The Two Most Prominent Reasons
2 Typical Response For A Bug Report of the applications and software you support
Disadvantage of Such Mitigation Str
2 The Way "The Industry" Respond To Any Publicly Reported Security Bug
Understanding Bug Class and Bug Na
Translating A Bug Class To Its Corresponding Root Cause and Bug Nature
The Way "The Industry" Must Respond To Any Publicly Reported Bugs
Decoding The Nature of a Bug MSO
Decoding The Nature of a Bug More Examples
Recommendations Based on learnings from the historical bug reports
Typical Exploit and Defense In Depth
Targeted Exploit Mitigation
Web-based Application Mitigation
Introducing Behavioral Based Check
Integrating Machine Learning
Recommendations Based on learnings from the OS and Browser mitigation
The Paradigm Shift in Software Security Engineering
The Paradigm Shift and The Rise In Misconception
Applying Common-Sense Security In Each Engineering Lifecycle
Migrating to DevOps / DevSecOps?
The Herd Mentality (Going with the flow without rational thinking)
Building Security into the SDL is always explicit, not implicit
Final Words


Taught by

OWASP Foundation
