Okay, so my name is Cristina. I'm the co-founder and the chief operating officer of videos risk. It's a company that develops software to help other companies build secure software, and to give individual developers a self-service of security requirements for their software. But enough about me, because you are the protagonist of this talk. Who in this audience wants to build software that is resilient to cyber attacks? Yes, yes, that's the right answer. We all do, right? Yeah, we all do, and the good news is that it's in your hands. You are the heroes; you are the heroes of making your software secure, and somehow you already know how to do it. I'll tell you about it.

The problem is that we are thinking about this cyber security business all wrong, in my opinion. We've conceived it as an afterthought. We conceive it as something that can be laid on top of your software once it's finished. So it's like waiting for divine forces coming from outer space to tell you how your software has to be secure. You buy a package of security software after your application is built, and the package builds a perimeter around you, on top of you, everywhere, and makes it magically secure. Well, that's not how it works. Let me tell you: to hope for some outer-space solution to make your software secure is messy in the best of cases; as we say in Spanish, it's a bit of a chapuza. You don't walk around doing that; you embed it at the beginning, before there's even a line of code written. Because not all software can be hacked: if you build software that is well thought out, that is well designed, that is robust, that software is impenetrable.

Let me tell you a story. Before we founded idiots risk, we were working in a cyber security consultancy. I was in business development.
We had security analysts doing pen testing all day long of applications that were already built and that were dying to go into the market as fast as possible. So one day, one Friday evening at the pub, I was asking a security analyst in the company, "So how does your week look, work-wise?" And he said, "Well, I have this massive application to pen test, and I've had a look today, briefly, diagonally as we call it, and I already know what's wrong with it, and they are not going to like it." I said, "Why?" "Because they wanted to go into the market in three weeks, and the problem is that I have to rebuild it from scratch." I was like, "Why?" "Because they don't have bugs. They have design flaws."

That made me think. So I took the chance to make an experiment when an insurance company came to us saying, "We haven't started building this application. It's going to be awesome, it's going to be very innovative in the market, so I want you to book time in four months to do the pen test of it. We will have two months to fix everything you tell us to fix, and then go into the market two months later." And I said, "Hold on, how about you give us your developers and your architects, and I put them together in a room with a whiteboard with the security analyst, and we design it from scratch, before there's even a line of code written, all together?"

So that's what we did. We got into the room. We spent four hours there in a session, and the developers were saying, "So we are going to reset the password by sending an email with the password in clear text." Those were the times. And the security analyst: "No, no, you have to send a unique link with a good random token." "Okay, okay, okay." "So how are you going to secure this communication between this component and that other component?" "Well, we haven't thought about that." "Well, you have to encrypt it."
"Okay, we'll do that." By the time the application came, four months later, we found exactly half of the vulnerabilities that we were used to finding in a piece of software. They took not two months but two weeks to fix them, and that product came into the market a month and a half before expected.

Okay, who in this audience is as old as me, as to remember installing Slackware from a floppy disk in the early 90s? Don't be ashamed: age is experience, and experience is a degree. Yeah, so now free open source software runs the world. It is in the most critical systems of the world. It's in state defenses, it's everywhere in business, it's at the base of the software stack of every company. Now more than ever we need to secure it; we have the social responsibility of making our software secure. It's ethical, as we always say: we have to make good, secure software for the good of humankind. But that's true. Why? Because it's not only in businesses, state defenses and spaceships; it's in life itself. We need to be responsible. It's in our hands to make secure software. It's not going to come from outer space. We need to do it well, by design, robust.

So yeah, for me, and this one, that's an energy company here in Spain, the largest one: it's not an energy company, it's a software company. They might be developing 10,000 applications a year. The largest medical devices company in the world has 2,500 developers working for them, so it's not really a medical device company, it's a software company. Software is eating the world, and attackers know that, and they go for software vulnerabilities. Why? Because they know that applications are the weakest defenses in any business. Moreover, right now they have a financial benefit coming directly from their attacks. Why bother? Let's put in some examples: downloading the database of users of Ashley Madison to sell it to a data broker on the dark web; and then, that's just dirty, let's just hack cryptocurrencies.
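The reset-by-link design the security analyst asked for in the whiteboard story (a unique link carrying a good random token instead of the password in clear text), written out as an added example that is not from the talk or from the speaker's company: a high-entropy token from the OS CSPRNG, only its hash kept server-side, an expiry, and single use. The host name and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes


class PasswordResetService:
    """Issues single-use password-reset links and stores only token hashes."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store a hash, not the token: a leaked table of pending resets
        # must not let anyone build a working link from it.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # 32 bytes (256 bits) from the OS CSPRNG; unguessable, not derived
        # from the user id, the time, or anything an attacker could predict.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def redeem(self, token):
        """Return the user_id if the token is known, unexpired and unused, else None."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None  # expired links are consumed and rejected, not honoured late
        return user_id


def token_from_link(link):
    """Extract the token a browser would send back when the link is clicked."""
    return parse_qs(urlparse(link).query)["token"][0]
```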
Okay, so this is only going to get worse. Why? Because we are only going to keep on producing more and more software, aren't we? This is not going anywhere. So it's not only the quantity of the software we produce, or the attacker incentives; it's the complexity of the software we are building. The more complex, the more space, the more room for mistakes, for flaws, for vulnerabilities we are creating; the attack surface increases. And the cyber security market came up with all this amazing software that we buy, we all buy, we all fall for it, to secure the software that we already built and that is finished and done. Well, that has two very dangerous implications: one is that all software can be hacked, and the other is that security comes from outer space, from somewhere else, from some other specialist that is in another field than yours. Developers, security analysts, there's a whole chasm in the middle; there's a big space between the two of them. Well, this is not true. Robust software cannot be hacked, and security is something you build from the start.

Let me draw a similarity, an analogy, between safety in the physical world and security in the intangible world of software. Why are we not worried about a huge storm blowing down this building right now? Because we already know that when this building was planned, they thought about the historical maximum wind blows in Bilbao. They thought about the strength of the materials. They thought about the length of the beams to hold the ceiling. Well, that's very obvious. We cannot believe, we won't believe, that at any point we called in a builder and said, "Build us a conference room," the builder goes with it, and then we call a separate company to make it safe. Well, that's what companies are doing with software right now.
We have to think about security from the start, as another property of the software, because 50% of the vulnerabilities enter before there is even a line of code written. And this is in your hands. So how do we do this? You already know, because you know perfectly how to do performant software with good quality, don't we? We all do good quality. We don't build software and then buy a package to make it quality-like. So if you know how to do this, and you do, because I know you do, you already have security in there. It's another property. We call it software secure by design, and the activity to do it is threat modeling.

Regulation is coming from everywhere. From NIST, they say, up there: use forms of risk modeling such as threat modeling, attack modeling, attack surface mapping; software secure by design. Here, the national cyber security strategy, the White House, the Biden law, calls it resilient by design. And the European Union, with the Cyber Resilience Act proposal that is coming up now, says not only this shift left, shift left security into your code; well, it's that left stuff before there's code written. That is all for us to think about. There is no magic box where you can put your code and make it safe and make it secure. There's no escort, like we used to be, the pen testers coming to save your code. There's no cavalry coming for you, because you are the cavalry, and it's in your hands. You are the heroes. Okay, thank you very much.