Over the past 20 years we have seen application security evolve from analysing application code through Static Application Security Testing (SAST) tools, to detecting vulnerabilities in running applications via Dynamic Application Security Testing (DAST) tools. The past 10 years have seen new flavours of tools to provide combinations of static and dynamic tools via Interactive Application Security Testing (IAST), examination of the components and libraries of the software called Software Composition Analysis (SCA), protection of web applications and APIs using signature-based Web Application Firewalls (WAF), and monitoring the application and blocking attacks through Runtime Application Self Protection (RASP) techniques.
The past 10 years have also seen an increase in the uptake of the DevOps model that combines software development and operations to provide continuous delivery of high-quality software. As security has become more important, the DevOps model has evolved to the DevSecOps model where software development, operations and security are all integrated. There has also been increasing usage of learning techniques, including machine learning, and program synthesis. Several tools have been developed that make use of machine learning to help developers make quality decisions about their code, tests, or the runtime overhead their code produces. However, such techniques have not been applied to application security as yet.
In this talk I discuss how to provide an automated approach to integrate security into all aspects of application development and operations, aided by learning techniques. This incorporates signals from the code, operations and beyond, and automation, to provide actionable intelligence to developers, security analysts, operations staff, and autonomous systems. I will also consider how malware and threat intelligence can be incorporated into this model to support Intelligent Application Security in a rapidly evolving world.
Cristina is the Vice President of the Oracle Software Assurance organisation where she leads a team of security researchers and software and machine learning engineers to make application security and software assurance, at scale, a reality. She was the founding Director of Oracle Labs Australia in 2010, where she led a team of researchers and engineers for close to 12 years, with a focus on scaling up Program Analysis techniques in new application security tools. Cristina led and successfully released Oracle Parfait, a static analysis tool used by thousands of C, C++ and Java developers each day. Cristina’s passion for tackling the big issues in the field of Program Analysis began with her PhD work in binary decompilation at the Queensland University of Technology, which led to her being named the Mother of Decompilation for her pioneering contributions to this domain.
Before she joined Oracle and Sun Microsystems, Cristina held academic posts at major Australian Universities, co-edited Going Digital, a landmark book on Cybersecurity, and served on the executive committees of ACM SIGPLAN and IEEE Reverse Engineering. She holds 20+ US patents and over 50 peer-reviewed publications, and has given Keynotes at international Computer Science conferences. Where possible, she channels her interests into mentoring young programmers and minorities in STEM.