Tennessee Leeuwenburg
Bureau Of Meteorology
Tennessee Leeuwenburg is the head of secure coding at the Bureau of Meteorology and a software engineer by background. He is currently working on improving the technologies which secure the software development lifecycle. He brings both a practitioner's technical view and a manager's bird's-eye strategic view to "shifting left" the challenges faced by modern organisations in the area of cybersecurity. Shifting left refers to identifying, resolving and avoiding issues earlier, more quickly and more effectively - before they make it into the wild.

AusCERT-2018_Tennessee_Leeuwenburg_New-Thinking-in-Automatically-Identifying-Vulnerabilities-During-Software-Development

New Thinking in Automatically Identifying Vulnerabilities During Software Development

Too often, the information security industry focuses on cure over prevention. This presentation will cover a more holistic approach to utilising automated tools to assess source code health, considering not a single team or product but an entire organisation. We also look at how to leverage new techniques in machine learning to automatically discover new classes of vulnerability at a low cost.

This presentation is targeted not only at development managers, but also at organisations wishing to better connect software developers with "blue teams", and at anyone wishing to gain a better understanding of how to address security issues far earlier in the software lifecycle. It will include technical as well as conceptual content, with demonstrations of these concepts and how to apply them.

Code analysis techniques, control-flow analysis, input-output taint analysis and fuzzing are well understood for detecting security vulnerabilities during the development lifecycle. Existing tools nonetheless frequently fail to adequately protect systems, for a variety of reasons that will be summarised in this presentation. The failings of these approaches, often due to inconsistent application, lack of holistic management by development managers, and gaps in tool capabilities, should all serve as motivation to develop a new modality for managing and understanding code.

The focus of much of the information security industry at the moment is on software which is already in operation: on finding exploited systems, identifying and tracking known exploits, and then patching and updating systems. From a software engineer's perspective, this response is simply too late and too reactive to be relied upon exclusively, and it misses significant opportunities to improve the software engineering process itself. Shifting the focus back onto securing the software lifecycle and understanding code holistically, rather than as a collection of products, will improve the control organisations have over the security of their applications.