Why Does the Industry Make Insecure Software

Craig Chamberlain at BSides Boston 2017

The computer / information security business is now decades old, and we're still growing negative metrics: CVEs and security flaws are supernumerary; software security disasters are increasingly large; "data breaches" and "cyber attacks" are front-page news on a constant basis. We know that software security isn't getting done well, in many cases, and could be better. In order to understand the problem, we need to examine exactly why it is done poorly and the economic forces that create current outcomes. To understand this, we need to examine exactly how insecure software gets built, and why organizations choose to do this.