AppSec California 2015

Writing secure software is far cheaper for society as a whole than fixing vulnerable software after it is released. Teaching developers how to write secure software can be very effective in the short term, but over time security knowledge becomes less relevant, some security-conscious developers move into management, and additional uninitiated developers join the work force each year. While secure software development training will always play a role in helping secure application development, are there ways we can prevent even the least security-savvy developers from regularly shooting themselves (and their customers) in the foot? Yes. By providing development environments and APIs that subtly guide developers down a secure implementation path, we can prevent whole classes of vulnerabilities with very little effort. This talk will discuss the properties that tend to exist in safe development environments and will propose some guiding principles that API designers should consider.