Bringing Autonomy to AppSec - Dr. David Brumley - ESW Vault

Log4j, solar winds, tesla hacks, and the wave of high profile appsec problems aren’t going to go away with current approaches like SAST and SCA. Why? They are:

-40 years old, with little innovation

-Haven’t solved the problem.

In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:

-Prove bugs, rather than trying to list all of them.

-Zero false positives, which leads to better autonomy.

Segment Resources:

Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge

Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them

Example vulns discovered:

https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot

https://github.com/forallsecure/vulnerabilitieslab

Show Notes: https://securityweekly.com/vault-esw-12