We may have over-learned the lesson about the limits of cyber defense. However, Facebook’s surprise award of $50,000 to two researchers for their work on a new method for discovering vulnerabilities in web applications puts the focus back on cyber defense - and that’s a welcome change.
I know what you’re thinking: “Who says we’ve been underinvesting in cyber defense?” That’s fair enough. Defensive technologies do eat up most of the security budget - from endpoint protection software (aka “antivirus”) to intrusion detection. And regulations like PCI DSS - the Payment Card Industry Data Security Standard - concentrate almost entirely on preventative measures to protect sensitive data.
All that’s true. And yet, the last five years have seen the focus of private and public resources turned to what might be broadly referred to as cyber “offense.” We’ve been told over and over again that antivirus software doesn’t work (which is true) and that traditional perimeter-based protections like firewalls were necessary, but insufficient to stop stealthy, sophisticated attackers capable of using social engineering techniques and drive-by exploits of web browsers to gain a foothold on your employees’ computers and, from there, work their way to your company’s crown jewels.
In response, we’ve been admonished to think of attackers as “who” and not “what” and to research hacks to the ends of the earth - literally. We’ve poured resources into profiling of malicious actors, of the type firms like FireEye/Mandiant and Crowdstrike do. More broadly: the industry has poured serious cash into vulnerability research, with bug bounty programs from most major software firms and high-profile contests like Pwn2Own attracting worldwide media attention.
In that same period, investments in the kinds of tools and technologies that might make software applications less prone to hacking have lagged. For all the bug bounty programs, how many secure coding contests are there?
Part of that lies in the nature of the task. Discovering a serious software vulnerability is no easy task - it can require weeks or months of intensive focus. But it is a discrete task. A vulnerability is a vulnerability - and it's easy enough to prove that it's for real, or it's not. But how does one go about rewarding the application developer for not creating the vulnerability in the first place?
Facebook took an important step in that direction this week when it awarded its first-ever Internet Defense prize to two researchers from Ruhr-Universität Bochum in Germany for their work on a method for making software less prone to being hacked.
The prize, $50,000, will be used to help the two further refine the tools they developed, which make it easier to find so-called “second order” vulnerabilities in web applications.
In a post on Facebook.com, John Flynn, a security engineering manager at Facebook, said that the prize money was intended to reward nuts-and-bolts security research on cyber defense that “prevents vulnerabilities and reduces the effectiveness of attacks.”
The Internet Defense Prize recognizes what Flynn called “superior quality research that combines a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense.”
As I noted over at Security Ledger, the winning submission, which was presented at the recent USENIX Security Conference in San Diego, improves analysis of untrusted data flows within web applications. The researchers, Johannes Dahse and Thorsten Holz, developed an automated method for collecting “all locations in persistent stores that are written to and can be controlled (tainted) by an adversary.” Basically, their analysis tool provides comprehensive auditing of data flows within a web application, but defers decisions about whether particular data flows are malicious until all “taintable writings to persistent stores are known.”
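To make the "defer the decision" idea concrete, here is a toy two-phase analysis, added as an illustration and not the researchers' tool. The mini-IR, handler names and store locations are constructed, and it assumes a sanitizer that is adequate for every sink.

```python
# Added illustration: toy two-phase taint analysis for second-order flows.
# Mini-IR, handlers and store locations are constructed; sanitizers are
# assumed adequate for every sink (no context sensitivity).
USER = "USER"  # label for data taken directly from the request

def analyze_handler(ops, writes, sinks, name):
    """Phase 1: propagate taint labels inside one handler; decide nothing yet."""
    labels = {}  # variable -> set of labels (USER or a store location)
    for op in ops:
        kind = op[0]
        if kind == "source":            # ("source", var)
            labels[op[1]] = {USER}
        elif kind == "assign":          # ("assign", dst, src)
            labels[op[1]] = set(labels.get(op[2], ()))
        elif kind == "sanitize":        # ("sanitize", dst, src)
            labels[op[1]] = set()
        elif kind == "read":            # ("read", var, location)
            labels[op[1]] = {op[2]}
        elif kind == "write":           # ("write", location, var)
            writes.setdefault(op[1], set()).update(labels.get(op[2], ()))
        elif kind == "sink":            # ("sink", sink_name, var)
            sinks.append((name, op[1], set(labels.get(op[2], ()))))

def find_second_order(handlers):
    writes, sinks = {}, []
    for name, ops in handlers.items():
        analyze_handler(ops, writes, sinks, name)
    # Phase 2: every write is now known; fixpoint over store locations.
    tainted, changed = set(), True
    while changed:
        changed = False
        for loc, labs in writes.items():
            if loc not in tainted and (USER in labs or labs & tainted):
                tainted.add(loc)
                changed = True
    # A sink is second-order when it consumes a tainted stored value.
    return sorted((h, s, loc) for h, s, labs in sinks for loc in labs & tainted)

HANDLERS = {  # constructed sample application
    "register": [("source", "name"), ("write", "users.name", "name"),
                 ("source", "mail"), ("sanitize", "m", "mail"),
                 ("write", "users.email", "m")],
    "profile":  [("read", "n", "users.name"), ("sink", "html_output", "n"),
                 ("read", "e", "users.email"), ("sink", "html_output", "e")],
    "export":   [("read", "n", "users.name"), ("write", "report.title", "n")],
    "admin":    [("read", "t", "report.title"), ("sink", "sql_query", "t")],
}

print(find_second_order(HANDLERS))
```

Because sinks are only judged after every write has been collected, the result does not depend on the order in which handlers are analyzed, and a value that hops through two stores (`users.name` to `report.title`) is still caught.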
Chris Eng, Veracode’s Vice President of Security Research, said that the prize is a good start.
“Bug bounties are becoming commonplace, and while they provide tremendous value, they focus on offensive work – find a security flaw, patch it, repeat ad infinitum.”
Over time, that kind of hunt-and-fix approach does improve the security of the product through tactical refinements. But defensive technologies are more strategy than tactics, he said. “They seek to either make exploitation more difficult or to identify and eradicate entire swaths of flaws at once.”
Eng notes that Facebook isn’t the only company to put its resources behind better defense. Microsoft’s BlueHat Prize has been a major bounty for defense in recent years. But the more the merrier - especially with so much work to be done.