HITB2014AMS – Day 1 – Keynote 1: Security at the End of the Universe
Good morning friends, welcome to Hack In The Box 2014, hosted at “De Beurs van Berlage” in the beautiful city of Amsterdam. This year’s edition starts with a keynote by Katie Moussouris, former lead at the Microsoft Security Response Center (MSRC) and now the brand new Chief Policy Officer at HackerOne.
Katie starts the keynote by explaining that Microsoft started its bounty programs because it had to come up with a better way to interact with the research community. While being credited in the MS security bulletins was an important “currency” for researchers, other companies and bug bounty programs had started offering money for vulnerability information, so MS agreed it had to do the same. As a side effect, it became possible to get vulnerability information at an earlier stage in the product development cycle and to fix bugs before a product is released.
Katie states that “as long as humans write code, there will always be flaws in code”. Flaws are also caused by the fact that we innovate, and continue to innovate, faster and faster. At the same time, Katie explains, by reporting bugs, researchers show empathy with the developers who work on complex enterprise software, which is a good thing.
Researchers typically don’t really care about ISO compliance, and Katie emphasizes that (most) researchers already do a great job of reporting vulnerabilities; what she realized is that this is not always the case with the companies that receive these vulnerability reports. She therefore decided to work on two ISO standards (ISO/IEC 29147:2014 on vulnerability disclosure and ISO/IEC 30111:2013 on vulnerability handling processes) to guide how companies should receive and handle vulnerability reports. The standards cover the entire process: receiving and processing vulnerability reports, triaging bugs, performing root cause analysis, and so on. Adopting a standard allows companies to be proactive instead of reactive.
The security industry has been around for a very long time, and a lot of bugs in a lot of systems and applications have been found, reported and fixed. A couple of researchers got together and started the “I Am The Cavalry” movement, which is basically a “call to action” to the community, asking researchers to focus their “hacking” on the things that affect human life and the public good (medical devices, critical infrastructure, etc). Hacking a bank website is definitely important and certainly has value, she says, but there are even more important things out there.
“Instead of fuzzing just applications, we should focus on Fuzzing the chain of influence”.
Katie explains that there are more layers involved than just software and hardware. We should focus on all layers in the ecosystem, try to get in front of the policy makers, and work on global awareness. We’re all ambassadors. We have the ability and the technology to work together, make a better world and improve our future.
We all have a responsibility to ourselves, to each other and to the future, to take the knowledge that we have and share it with as many people as we can. Instead of copying lines of code from a book, as we did many years ago, we now have a network of people and resources to use and to rely on. Let’s all work together. If you are a defender of networks, learn how to hack them. Break out of your comfort zones.
About Katie Moussouris
Katie Moussouris used to lead the Security Community Outreach and Strategy team at Microsoft. Her team’s work encompassed Security Ecosystem Strategy programs such as Microsoft’s BlueHat conference and worldwide hacker conference engagement, security researcher outreach, Vulnerability Disclosure Policies, and MSVR (Microsoft Vulnerability Research, Microsoft’s research and reporting of vulnerabilities in 3rd party software). Katie also serves as the vulnerability disclosure lead SME for the US National Body of the International Organization for Standardization (ISO), having performed all three roles in disclosure – finder, coordinator, and vendor – for both open and closed source software.
Katie was one of the Artists Formerly Known as @stake, and she published one of the last security advisories they released in 2004, prior to being acquired by Symantec. Katie has performed dozens of software penetration tests, security code audits, design reviews, and secure software development lifecycle reviews for major software vendors and major companies in industries across the board, from finance to e-commerce, to healthcare. She has found critical vulnerabilities and offered remediation recommendations for major components of critical infrastructure in these industries, before they could be widely exploited.
At Symantec, Katie founded and ran the first team in Symantec’s 20-year history to ever publish security vulnerability advisories in 3rd-party products. See http://www.symantec.com/research. Katie has spoken on Vulnerability Disclosure and secure development lifecycles at several security conferences, including RSA2010, SOURCEBoston, Shmoocon, Toorcon Seattle, and she was a keynote speaker at Shakacon in June 2008. Katie spoke at Black Hat USA in August of 2008 on her program, Microsoft Vulnerability Research (MSVR), and most recently again at BlackHat USA 2010 on disclosure. Katie is also working on a book on Vulnerability Disclosure.
Katie announced that she has joined the startup HackerOne as Chief Policy Officer.
© 2014 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.