{"id":8329,"date":"2021-03-19T09:08:34","date_gmt":"2021-03-19T08:08:34","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8329"},"modified":"2023-05-11T00:59:25","modified_gmt":"2023-05-11T00:59:25","slug":"keynote-1-the-myths-of-software-security","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/keynote-1-the-myths-of-software-security\/","title":{"rendered":"KEYNOTE 1: The Myths of Software Security"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS KEYNOTE: The Myths Of Software Security - Mark Curphey\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/a9e6NFGwHvk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">The security industry has always brimmed with the results of industry surveys, the opinions of experts wrapped up as facts and a set of industry best practices handed down over the years. If you look behind the curtains, all too often, they are just myths. Some things are from folklore passed down over time, some things are sold as convenient facts when they are really inconvenient truths and other things are just plain lies. I have looked behind the curtains and I am going to expose some of the myths of software security.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Did you know that the \u201cshift left\u201d movement that preaches that it\u2019s cheaper to fix bugs upstream than downstream is based on a bogus study in the 70\u2019s that probably never took place? It is. I will walk through the history so you can judge for yourself. People keep saying software security is at a crisis point, but little credible evidence shows that.
It\u2019s the same story that has been told in the software industry for years.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">The world has gone crazy over SBOMs, or software bills of materials. They are touted as a way to show what open source is in an application, but there are so many ways you can circumvent them that today they are analogous to signing off your own doctor\u2019s note. I\u2019ll show you why and how, with example after example.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">We have seen surveys from security firms with names like The XXX Institute or The Center of XXX. It\u2019s pure cheap marketing. They are almost all \u2018pay to play\u2019 firms that will come up with whatever data supports your marketing message if you part with some hard fast cash. I will show you how to lie with statistics, just like the cosmetics industry does on TV.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Top tens are everywhere, the most famous being the OWASP Top Ten. Some have a level of rigor behind the data, but others are nothing more than sales data sheets. I will dive into the murky world of top tens.
If we have time, there are many more myths to explore, such as the 10x security researcher, independent communities and community benchmarks.<\/p>\n","protected":false},"template":"","class_list":["post-8329","session","type-session","status-publish","hentry"],"acf":[]}