- tl;dr sec
- Posts
- The Unabridged History of Application Security
The Unabridged History of Application Security
Jim gives a fun and engaging history of computer security, with an overall encouraging message
Things are getting a lot better, and we should be proud of what we’ve done.
InfoSec started in October 1967, with a task force formed by ARPA (Advanced Research Projects Agency). The Rand Report R-609 (Security Controls for Computer Systems) then determined additional steps that should be taken to improve security, which was declassified in 1975.
Firesheep played a critical role in getting popular web apps (e.g. Facebook, Twitter, GMail) to adopt TLS on more than just the login page.
Look at all we’ve accomplished as a community.
ZAP and Dependency Checker have been incredibly valuable in pushing the security industry forward. If you’re going to sell a product, it better at least be better than these open source tools.
For better and for worse, people point to us for advice as a community.
Jim aptly points out the importance of OWASP: the security industry, and the tech industry more broadly, relies on the recommendations of OWASP for what good security should look like, best practices to adopt, and more.
We have an obligation to take this trust seriously, and behave accordingly, with thoughtfulness and responsibility.
Jim references a talk that describes how strict-dynamic
can make rolling out CSP much easier, which I believe is the 2017 AppSec EU talk Making CSP great again! by Google Information Security Engineers Michele Spagnuolo and Lukas Weichselbaum (slides, video).
I found some other related info on this blog post: The new way of doing CSP takes the pain away.
Some humorous and some aspirational predictions about the future of security.