DeepSec 2024 Talk: Modern vs. 0ld Sk00l – Seth Law
The development landscape includes an ever-changing set of security practices. It has finally become standard practice to perform penetration testing, run threat modeling, teach developers about security, push left, and have zero trust. This shows the industry is better off today than in previous years. Or does it? Get a taste for the actual history of security and why everything old is new again. See security failures as they existed in years past and how they still exist in modern examples from the last year. Finally, explore the strategies that effectively catch these problems early in the development lifecycle without spending a fortune on security snake oil.
We asked Seth a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Modern vs. 0ld 5k00l is a comparison of theoretical vs. practical security controls.
- Early security research anticipated security issues that exist in practice.
- Security issues that existed in early days of the Internet are still a problem.
- Software security has evolved slowly, but is too concentrated on vulnerabilities.
- Implementing recommended controls from the early days of computing is an effective way to secure a system.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
As I consult with companies across the globe, I notice the same security vulnerabilities and issues recurring on a weekly basis, despite strategies for resolving these issues being explored in the 1960s and 1970s. Reading these theoretical papers pushed me to think about my experiences and how we, as an industry, can better help organizations secure their systems. In addition, I have a growing concern that we are repeating the same mistakes and approaches that have proven ineffective and want to explore strategies that various mature organizations used to eliminate these issues.
Why do you think this is an important topic?
Security is hard. Even though we know what we should do, that doesn’t mean it happens. We must explore all options to become disciplined and need to be reminded of where security started and that old ideas are still relevant.
Is there something you want everybody to know – some good advice for our readers, maybe?
I explore the ideas and conclusions from The Ware Report, which is a good background for any security professional.
A prediction for the future – what do you think will be the next innovations or future downfalls in your field of expertise / the topic of your talk in particular?
New technology will continue to make the same security mistakes that have occurred in the past. For example, just because AI feels smart doesn’t mean it won’t cause further security failures. Like mobile and web3 before it, there are similar security issues since we don’t learn from previous mistakes.
Seth Law is the Founder of Redpoint Security (redpointsecurity.com). Over the last 20 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual contributor. Seth has honed his security skills using offensive and defensive techniques, including tool development and security research. His understanding of the software development lifecycle and ability to equate security issues to development tasks has allowed him to speak at conferences ranging from Black Hat and DEF CON to local security meetups. In his spare time, Seth revels in deep-level analysis of programming languages and inherent flaws, develops the iOS version of HackerTracker, and co-hosts the Absolute AppSec podcast with Ken Johnson.