The security industry has always brimmed with the results of industry surveys, the opinions of experts wrapped up as facts, and a set of industry best practices handed down over the years. If you look behind the curtains, all too often they are just myths. Some are folklore passed down over time, some are sold as convenient facts when they are really inconvenient truths, and others are just plain lies. I have looked behind the curtains, and I am going to expose some of the myths of software security.
Did you know that the “shift left” movement, which preaches that it’s cheaper to fix bugs upstream than downstream, rests on a bogus study from the 1970s that probably never took place? It does. I will walk through the history so you can judge for yourself. People keep saying software security is at a crisis point, but little credible evidence shows that. It’s the same story that has been told in the software industry for years.
The world has gone crazy over SBOMs, or software bills of materials. They are touted as a way to show what open source is in an application, but because a producer attests to its own SBOM, there are so many ways to circumvent them that today they are analogous to signing off on your own doctor’s note. I’ll show you why and how, with example after example.
We have seen surveys from security firms with names like The XXX Institute or The Center of XXX. It’s pure cheap marketing. They are almost all “pay-to-play” firms that will come up with whatever data supports your marketing message if you part with some hard cash. I will show you how to lie with statistics, just like the cosmetics industry does on TV.
Top tens are everywhere, the most famous being the OWASP Top Ten. Some have a level of rigor behind the data, but others are nothing more than sales data sheets. I will dive into the murky world of top tens. If we have time, there are many more myths to explore, such as the 10x security researcher, independent communities, and community benchmarks.