Bio: David Brumley is the CEO of ForAllSecure and a professor at Carnegie Mellon University. Dr. Brumley brings a unique perspective blending three separate lives. First, he is a CEO. ForAllSecure is bringing the autonomy we all crave to application security development, deployment, and pentesting. ForAllSecure’s product Mayhem has zero false positives (devs hate false positives), while also automatically tackling the real barrier to deploying patches: insufficient testing (which devs love). Second, he is a tenured professor, with over 50 publications in computer security. His work has received numerous conference awards, and he is the recipient of the US PECASE award from President Obama, the highest award in the US for early-career scientists and engineers, and a Sloan award. Third, he knows amazing hackers. He led the creation of picoctf.com, the world’s largest hacking platform, and helped co-found PPP, one of the US’s top-ranked CTF hacking teams. These three lives blend into a holistic picture of computer security in both theory and practice, from the executive office to the pentester.
Abstract: In 2016 ForAllSecure demonstrated Mayhem, a tool for automatically finding and fixing bugs in COTS software. Mayhem showed appsec on autopilot was possible, which is like DevOps (and DevSecOps/SecDevOps) turned up to 11. Fast-forward to today, Mayhem is a commercial product with an expanding user base.
We found the challenges we thought we would face — deeper analysis, bigger results — are not necessarily the biggest barriers in practice. I’ll cover the hidden barriers (or at least not obvious to us initially) for adopting security tools, and how to break them down and get your ideas and tools into development pipelines to make the world’s software safer.