The Unabridged History of Application Security
Jim gives a fun and engaging history of computer security, with an overall encouraging message
InfoSec started in October 1967, with a task force formed by ARPA (Advanced Research Projects Agency). The Rand Report R-609 (Security Controls for Computer Systems), declassified in 1975, then set out additional steps that should be taken to improve security.
Firesheep played a critical role in getting popular web apps (e.g. Facebook, Twitter, GMail) to adopt TLS on more than just the login page.
ZAP and Dependency Checker have been incredibly valuable in pushing the security industry forward. If you’re going to sell a product, it had better at least be better than these open source tools.
Jim aptly points out the importance of OWASP: the security industry, and the tech industry more broadly, relies on the recommendations of OWASP for what good security should look like, best practices to adopt, and more.
We have an obligation to take this trust seriously, and behave accordingly, with thoughtfulness and responsibility.
Jim references a talk that describes how 'strict-dynamic' can make rolling out CSP much easier, which I believe is the 2017 AppSec EU talk Making CSP great again! by Google Information Security Engineers Michele Spagnuolo and Lukas Weichselbaum (slides, video).
I found some other related info on this blog post: The new way of doing CSP takes the pain away.
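As an added illustration of the nonce-plus-'strict-dynamic' pattern those resources describe (example code written for these notes, not from the talk or either post; the sample headers and helper names are constructed):

```python
import secrets

# Added example, not from the talk or this post: a small CSP builder and parser
# showing why 'strict-dynamic' eases rollout. Sample headers are constructed.
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")

def new_nonce() -> str:
    """Fresh per-response nonce (128 bits, base64url)."""
    return secrets.token_urlsafe(16)

def build_strict_csp(nonce: str) -> str:
    """Nonce-based policy with 'strict-dynamic' plus fallbacks for old browsers.
    Browsers that understand 'strict-dynamic' ignore 'unsafe-inline' and https:,
    so the fallbacks never loosen the policy where the nonce is enforced."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
            "object-src 'none'; base-uri 'none'")

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def is_trusted(source: str) -> bool:
    """Nonces and hashes are the only trust anchors once 'strict-dynamic' is set."""
    return source.startswith("'nonce-") or source.startswith(HASH_PREFIXES)

def effective_script_sources(header: str) -> list:
    """script-src expressions a strict-dynamic-aware browser actually honours:
    host/scheme allow-lists, 'self' and 'unsafe-inline' are dropped, and trust
    instead propagates from nonced scripts to the scripts they load."""
    sources = parse_csp(header).get("script-src", [])
    if "'strict-dynamic'" not in sources:
        return sources
    return [s for s in sources
            if is_trusted(s) or s in ("'strict-dynamic'", "'unsafe-eval'")]

def script_src_mode(header: str) -> str:
    """Classify how a policy authorises scripts, most to least robust."""
    sources = parse_csp(header).get("script-src", [])
    if "'strict-dynamic'" in sources and any(map(is_trusted, sources)):
        return "strict-dynamic"
    if any(map(is_trusted, sources)):
        return "nonce-or-hash"
    if "'unsafe-inline'" in sources:
        return "unsafe-inline"
    return "host-allowlist"
```

Run `script_src_mode` over a site's existing header to see which rollout stage it is at; the legacy fallbacks in `build_strict_csp` are what let one policy serve old and new browsers at once.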
Some humorous and some aspirational predictions about the future of security.