Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, a contributor to the DHS Build Security In portal on software security, a Visiting Scientist at Carnegie Mellon Software Engineering Institute, and an in-demand speaker at security conferences. He maintains a popular information security blog.
This is a lecture on cloud security that was not strictly part of SecAppDev, but delivered at an OWASP Belgium chapter meeting.
"Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building." - Tim O'Reilly
My friend Chris Hoff asked this question in a recent podcast: "Why is the OWASP Top Ten the same year after year? Why don't these things get fixed?" The reason is that software security, and security architecture and design in particular, is nowhere near as high a priority as it needs to be.
If you look at the evolution of software over the years, you will see a history of more and more systems and data being connected together. Beginning with the Web, through component-based applications and then Web services, the common theme at each step is more connectivity and more integration. Software is a rapidly changing universe.
Unfortunately, Information Security has not kept up. Our field started out promisingly in the mid-90s with network firewalls and SSL as the security mechanisms to defend websites, but that is about as far as it got. In 1999, when SOAP emerged as a firewall-friendly protocol designed for the explicit purpose of passing through the firewall, that should have been a wake-up call to Information Security that the "firewall + SSL" security architecture was past its prime, but here, 10 years later, we are still hitting the snooze button.
My view is that as new technology is deployed we need security mechanisms that form-fit to those new technologies. Instead, what we have is security technologies that form-fit to auditors' Excel spreadsheets.