Main Stage: Let Me Tell You a Story: Technology and the 4 Vs

Explore how the tech industry normalizes insecure software & what we can do about it. Learn why secure development practices & vendor accountability are crucial for safer products.

Key takeaways
  • The cybersecurity industry faces a software quality problem rather than a cybersecurity problem: we need more secure products, not more security products

  • Common vulnerabilities like memory safety violations, cross-site scripting, and SQL injection have persisted for decades, showing a systematic disregard for secure development

  • Technology vendors have normalized creating defective, insecure software by prioritizing speed to market and features over security

  • The Secure by Design initiative aims to transform the industry by having vendors commit to secure development practices, with nearly 200 companies now signed to the pledge

  • Organizations that procure software should demand more from vendors through their purchasing power and by asking security-focused questions during acquisition

  • Unlike other industries that track and reduce defects, the software industry has accepted vulnerabilities as inevitable rather than treating them as product defects

  • The industry must move away from victim-blaming (e.g., “they didn’t patch”) and focus on vendor responsibility for secure product development

  • Contract language for software puts all risk on customers, a practice that wouldn’t be accepted in other industries like aviation or automotive

  • Secure development frameworks and memory-safe programming languages can help eliminate entire classes of vulnerabilities

  • Success requires both supply-side (vendor) and demand-side (customer) commitment to security, along with potential software liability standards