London 20 & 21st May 2010, Westminster Conference Centre
Once software is released it is difficult to change, hence the need to design security in from the start. But security research keeps advancing, so the ability to fix new issues quickly without affecting current functionality is of high commercial value.
During a financial services project the presenter was able to fix the recent Java zero-days in Oracle's RDBMS before they were made public, by using static code analysis in conjunction with real-time application monitoring.
The lessons learnt can be applied to the SDLC, and enable software security technicians both to find and to understand security bugs, thus revealing the limitations of patching after the fact.