When discussing the need for tighter, and better cyber-security one of the common themes discussed at Black Hat centered around the lack of research and preparation on the part of software developers. Katie Moussouris, in speaking at the special event, “Beyond the Gender Gap: Empowering Women in Security,” mentioned that her career revolved round encouraging software developers in major corporations to address security at the design stage or as early as possible in the development phase. The issue with this, of course, is that if a potential exploit is discovered, the individual responsible for that discovery would receive no credit for it. The fix would simply exist as a part of an after-thought – thus encouraging the habit of sitting still, waiting for the problem to become evident, and then offering a security patch. When internal efforts fail, it would behoove developers to seek outside assistance. However, this solution is one that is not readily accepted. In the panel, Moussoris cited Microsoft’s initial commitment to not pay individuals to hack their product, and the challenges she faces in encouraging software developers in their creation of their Bug Bounty programs on sites such as Moussoris’ HackerOne.
In the instance that companies like Adobe institute their Bug Bounty programs, they range in effectiveness as participants can be awarded in everything from cash to a high-five for their efforts. However, when one considers how many vulnerabilities continue to crop up in Adobe’s software, a high-five may not be enough. Given the compromises that their Flash updates have caused, it is clear that Adobe’s approach is failing. The gravity of this issue is especially evident as Cisco’s most recent Midyear Security Report and resulting blog entry call upon companies, “To reduce the occurrence of these common code errors, software developers should participate in regular security training to build awareness of current vulnerabilities, trends, and threats.” Although the ball for creating, publishing, and updating secure software lies within the hands of software developers, only a naïve or irresponsible user would sit back and wait for the developers to handle it.
The pro-active approach, on the user end, is to assume that every software system is inherently flawed and problematic – to have a security solution already in place that can detect when employing a new software system has unintended and quite possibly, disastrous consequences. Defensive security systems must be flexible enough and powerful enough to meet evolving threats coming from an onslaught of flawed software systems and riddled web user interfaces, that can catch users unaware but ideally, not unprepared.
As the Internet of Everything becomes more of a reality, it is the onus of the user to make sure that they are meeting the challenges that come with it. Conferences like Black Hat open up the dialogue by asking important questions, the most resounding being, “What do you plan to do to keep your information secure?” In a room full of options, this question may seem both overwhelming and considerably difficult. No one can afford to spend money on services that (while not being comprehensive) will not work with others, in accidentally duplicating coverage, or even investing in a system that flat does not meet the demands of a connected world.
Finding solutions and making connections are why security professionals attend Black Hat. At the MetaFlows kiosk, our engineers were able to explain to professional after professional as to why the SaaS model works and how the MetaFlows MSS is a cooperative solution that pulls from a variety of sources, partnering with Emerging Threats, Cyber-TA, and Virus Total, to name a few. As Microsoft plans to release Windows 10 and Adobe continues to update their products, it is imperative that every user have a security plan in place to protect the integrity of their data.