The Security BSides San Francisco event is just around the corner, and Tripwire is pleased to have two of our best and brightest scheduled to deliver talks, both of which will be on Sunday, February 23, at the DNA Lounge, which also hosted the event last year.
At 2:00 p.m. PST Craig Young (@CraigTweets), a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (@TripwireVERT), will deliver a session titled A Day in the Life of a Security Researcher.
Young is well known in the world of vulnerability research, as he has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, and others.
His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame.
In 2013, Young presented at various conferences including DEFCON 21 regarding weaknesses in how Google authenticates users (recording of subsequent demo here).
He has more recently turned his attention to the security of embedded devices, including NAS products (video demo here), IP cameras, and SOHO routers, where he has found several critical flaws affecting millions of users.
In regards to his upcoming BSidesSF talk, Young points out that neuroscience tells us that the human brain is wired for trust. In the physical world this is what enables us to work together to form our modern society. In the digital realm however this disposition towards trust can create weaknesses which undermine the integrity of our computer systems.
“Frequently, programmers make the mistake of trusting that input being processed within their applications will maintain some expected format, and when these assumptions are made but not actually enforced, there is the possibility for someone to subvert the system by manipulating these inputs,” Young said. “This talk focuses on methodologies for identifying these assumptions and determining whether they can be exploited by an untrustworthy user.”
Young was inspired to put this talk together because he believes it is important that security knowledge is not confined to just those who are professional security researchers, as our society is now so very dependent on a vast number of interconnected systems, all of which can be considered potential targets for an attack.
“Every year that we expand our technological capabilities without improving our capability to secure this technology, we get closer and closer to a world in which people cannot and should not trust the technology we’ve come to depend on,” Young said.
“By exposing more people to the thought process involved with recognizing vulnerabilities, I hope to alter their perspectives regarding the technology around us and encourage practices of responsible disclosure which benefit everyone.”
Although the information that will be covered in the session is very important to security researchers and pen testers, Young believes it is even more important for software developers and testers,and this talk will not only shed some light on common programming mistakes, but will also examine the tools needed to recognize when these mistakes have been made, and the knowledge to better understand the potential consequences.
“Security is not something which can be added in later, as it is most effective when products are developed from the ground up with security as a major consideration,” Young said. “For this to happen, it is necessary to educate the engineers tasked with creating new products and services not just with textbook definitions of vulnerability, but also with true real-world examples of how vulnerabilities are identified.”
Young intends for audience members to come away with a handful of key tips and tricks which have a proven track record for finding some of the most prevalent and potentially devastating vulnerabilities.
“For individuals who have always wanted to find vulnerabilities but don’t know where to start, this presentation will build the foundations of that starting point,” Young said.
Young said he hopes that the audience will apply the information in an ethical manner, saying that teaching people how to find vulnerabilities is in some ways much like teaching them how to break into houses, and the knowledge is always at risk of being abused.
“These are both important knowledge sets which can be equally applied towards improving security or bypassing security,” Young cautioned. “I don’t think it is fair to try to pick and choose who should be allowed to learn what, so instead we must maintain a focus on ethical behavior and hope that students take it to heart.”
Young concluded our interview by pointing out that Philip K Dick, a prolific science fiction author, once wrote that “reality is that which, when you stop believing in it, doesn’t go away.”
“By this definition, security is perhaps a diametric opposite of reality, as security definitely goes away when you stop believing in and thinking about it,” Young said, noting that the predominant mentality that says we need to shift our focus towards dealing with breaches rather than securing our networks threatens to undermine security for the next generation of technological innovation.
“We must instead continue to strive towards comprehensive security education for the engineers designing tomorrow’s products and services while simultaneously planning for the eventual breach,” Young said.
“By doing this, we can raise the cost for adversaries associated with finding vulnerabilities, while also staying prepared for breaches from determined groups or individuals.”
- Chromejacking – Or How I Learned to Stop Worrying and Love Chromium Sync
- OpenX Ad Server and Remote Code Execution Vulnerability
- Distributed Nmap Port Scanning with a DNmap Megacluster
- Vulnerabilities: It’s Time to Review Your ReviewBoard
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
Title image courtesy of ShutterStock