Kevlin Henney - Code as Risk42:17 34 views 100% Published 2 months ago
"What is risk? Many people aren't sure, but it's not just uncertainty: risk is exposure to uncertainty.
Instead of just plastering over the cracks, security should also involve reducing the size and number of cracks, reducing the opportunities for cracks to appear, reducing the class of errors and oversights that can open a system to failure instigated from the outside. We can learn a lot from other kinds of software failures because every failure unrelated to security can be easily reframed as a security failure opportunity.
This is not a talk about access control models, authentication, encryption standards, firewalls, etc. This is a talk about reducing the risk that lives in the code and the assumptions of architecture, reducing the risk in development practices and in the blind spot of development practices."