Channel / Source:
TEDx Talks
Published: 2016-04-15
Source: https://www.youtube.com/watch?v=fi44mL7mcq0
Technology is critical for society. I think that's probably self-evident to the TEDx crowd, but it's worth at least thinking about, because not only are we getting progressively cooler, more useful technologies (electricity, television, PCs, the web, mobile, the Internet of Things), we're also adopting those technologies at an ever-increasing rate. And technology impacts everyone. You might be excited about some sort of hipster, artisanal, back-to-nature chocolate bars, but you're gonna find out about them on Pinterest, you're gonna talk to your friends about them using your iPhones.

Security is critical for technology. As we've become increasingly dependent on these technologies, we start to have explicit and, more important, implicit expectations of how our data is going to be treated. In the security world we think about this with the acronym CIA. Now, I don't mean the Central Intelligence Agency. What I mean is confidentiality, integrity and availability. Confidentiality causes us to ask the question: who has access to my data? Integrity causes us to ask the question: who can modify my data? And availability causes us to ask the question: do I have access to my data?

Everybody thinks about this a lot with credit cards, you know, credit card information being compromised, and that's an important example. But if you think about it, when your credit card number is compromised, the bank spends a couple dollars, issues you a new card, and everybody goes on with their lives. But what about if your medical information is compromised? Once that data is out, you can never bring it back in. So when we talk about security, we're not just talking about financial information.

Technology these days is pretty much basically all software. Hardware moves comparatively slow, and even the things that we think of as hardware (processing, storage, networking), all of those have a malleable layer of software on top that makes everything work together. And if you think about applications, those are all software. If you talk to people on Facebook, that's software. If you order things from Amazon and have them bring them to you an hour later, that's software. If you do some sort of big data analysis to cure cancer, you're gonna be doing that with software. So the coders that write this software basically control the pace of innovation. What that also means is that they control the security of the systems they're ultimately creating.

That would all be well and good if the coders building these systems knew about security, but by and large they don't. I went to Trinity University here in town, received an excellent education; it was reassuringly expensive. I have and in this year what prepared me vocationally to be a professional programmer. We almost never talked about security. In our networking class we had a little game to see who could show the funniest window on the professor's workstation. In a systems administration seminar we learned that we could spoof emails if we're a professor. But really, security was viewed as something specialized or as an afterthought; it wasn't central to the curriculum.

We need to change the way that we create coders if we want them to build secure systems. This has to be baked in from the start; it's not something that we're able to bolt on. At my company we make a lot of money doing aftermarket training to teach developers about security. That's fantastic, but it doesn't scale. We've got to change the way that we create these coders.

How do you get coders to care about security? This is hard to do. There's a lot to learn in a computer science education, and a lot of times students don't have the context that the industry really wants them to have, so that makes it really challenging to reach them.

What's a good example? Important data gets stored in databases. You access this data using the Structured Query Language, or SQL. SQL injection is a vulnerability that can impact the confidentiality, integrity and availability of data. If you're creating an application to manage credit card data, you have to test those applications for SQL injection vulnerabilities based on the Payment Card Industry Data Security Standard, PCI DSS.

You wouldn't think you could get bored or lost during a six-minute talk, yet we managed. We managed. And imagine, if you will, that you're a college student. You may have never taken a database class. You're probably not super concerned about your credit card information as long as there's a young still out your space on the balance.

We've got to make this simpler for programmers to think about, right? We've got to make this message more universal. And what I want people to start doing is getting coders to ask: what should my code do? There's a lot of thought in software about what your software should do, right? If I'm building a banking system, I should be able to transfer money from my checking account to my savings account, and traditional software testing finds those types of problems. We need to flip that around and get developers and coders to start asking the question: what shouldn't my system do? For example, if I'm building a banking system, I probably shouldn't be able to transfer money from your savings account to my checking account. This won't alleviate all security issues, but it will start to change the landscape and will start to set the foundation for building more secure systems in the future. We need to instill an adversarial mindset in the software developer population.

So in closing, we need coders to start not just thinking about what their code does, but also figuring out what should my code be doing. And as consumers of technology, we need to start asking the
