CanSecWest 2022

Did you know that GitHub reports 500 times more developers than security experts? That means we’re developing software faster than we can manually check it.

Unfortunately, it also means the status quo gives offense a permanent advantage. We all know that defense needs to check software at the speed and scale of development, while offense just needs to find one exploitable bug in deployed software.

In 2016, DARPA asked if there was a better approach. They asked whether it was possible to build an autonomous appsec stack – a sort of autopilot for appsec – that could run at machine speeds and scale. The answer was yes, but using technology that few would have initially guessed. The base of the tech stack was fuzzing and symbolic execution.

The question we now face: how do we change the world to adopt the proven fully automatic approach? How does the automatic tech stack differ from what’s found in practice, and what are the barriers to making the world safer? Is the future of appsec human, or a machine?