CEO of Trail of Bits
High-assurance code reviews: How consulting works when the risks are high
The business of software security consulting is changing. For many years, consultants have relied on manual code reviews to populate bug trackers and satisfy compliance requirements. Today, a substantial amount of software carries severe consequences when it fails. Cryptographic libraries, cloud-native software, embedded software in hardware devices, and smart contracts are too critical to fail. If you had two weeks to secure a high-assurance target, how would you do it? Which techniques work, and which do not, in a rapid, time-boxed review where the stakes are high? Trail of Bits has conducted hundreds of such reviews and developed a process that creates predictable outcomes for them. In this talk, I'll share some of the lessons learned dealing with high-risk software.
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 90 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, Dan is active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,700-member meetup group focused on NYC-area cybersecurity professionals. His last hobby coding project, AlgoVPN, is the Internet's most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System. In 2021, he was inducted into the SFS Hall of Fame by a panel of US government cybersecurity leaders.