37C3 - Writing secure software

Write secure software without relying on security experts. Learn to research and test yourself to ensure code integrity.

Key takeaways
  • Trust your code, not the security experts; research and test on your own to ensure security.
  • Secrecy is not security, just keeping data private.
  • Zero-sum approach: you should either not do something to maintain secrecy or make all security solutions work.
  • Red Team’s job is to poke the defense systems, but when these guys get hired they realize no one can keep security strong for long.
  • Even companies whose cybersecurity budget exceeded their revenues were affected by attacks.
  • Zero-down is best; do all critical decisions before coding for faster time-to-market.
  • Attack a little bit and get access or hack the server while logging off.
  • When no two components are in the system they could not be attacked with known vectors.
  • There may have been no zero-day vulnerability available, so people start getting into more software-related topics.
  • This all was bad because they chose no two components and it resulted in this problem.
  • Industry tends to tell you that it was 60% secure and then gives bad info.
  • They can show your stuff and make you wonder which piece of software they use, which browser you use, etc.; this might be more convincing.

  • Do I tell a story of code not even a security industry? The code that didn’t help you and you realized at first.
  • Most often companies have not invested in anything at all, just did marketing because they have security solution companies.
  • Industry keeps a false record, the software it takes about 1. …