This month marked the 23rd Black Hat conference. If you’ve never made the trip to Las Vegas, the event typically focuses on the technical aspects of the latest threats from the point of view of front-line security engineers.
As my colleague, the other Michael, did for the Gartner Security and Risk Management Summit earlier this year, I thought I’d summarize some of the key trends from this cornerstone conference.
Main Takeaway: Security Must Start with the Developer
Most of the attack vectors discussed at the conference were due to poor software design and obvious programming flaws — from IoT firmware with hardcoded passwords, to default network settings that leave millions of routers exposed.
“Software teams must own security just as security must also focus on software,” writes Kelly Sheridan, staff editor at Dark Reading. While discussing that theme from this year’s Black Hat, she also raises the point that “there are more developers than there are security pros.” To compensate for this resource gap, organizations need to share security risks across departments.
Even though most problems start with software, security best practices have largely focused on responding to software vulnerabilities with patching. Why isn’t secure software development more of a focus? Why don’t security professionals and DevOps teams work together?
In most cases, software development is outsourced or (even when developed internally) security is not a part of the design spec. Even worse, security is not part of the QA process, leaving even the most obvious flaws unnoticed.
3 Key Sessions
These are the top sessions that represent the overall discussion and tone of this year’s Black Hat conference.
1. Keynote: Every Security Team is a Software Team Now
Security is everyone’s job.
Square’s Mobile Security Lead, Dino Dai Zovi, led the conversation on how security teams and software developers need to work together. Security teams need to become full-stack software teams, just as software teams need to own security from the start of development.
If security teams are no longer the sole arbiters of this domain, then how does their role evolve? Well, the first step would be for security teams to participate in software development and share their unique perspectives.
By balancing the workload in this way, security teams and developers can stay productive and build for a future where software is inherently more stable.
2. Shifting Knowledge Left: Keeping up with Modern Application Security
Mark Stanislav, Head of Security Engineering at Duo (a Two-Factor Authentication company), and Fletcher Heisler, CEO at Hunter2 (an Application Security company), spearheaded the conversation on how the development lifecycle and human factors impact security.
He cited from his research in Dark Reading that shows that “70% of developers are expected to write secure code, but less than 50% of these developers receive feedback on security.” (Slides available here). Compounding this, traditional cybersecurity frameworks (like OWASP Top 10 application security risks) are becoming less relevant to modern appsec and critical security risks. For example, “Nearly one in five developers are not at all familiar with the Top 10 OWASP application security risks,” according to Veracode, an application security company.
Application security has many variables, and existing solutions — like frameworks and interactive training — don’t fully accommodate them. Learning to combat the dynamic nature of threat vectors targeting applications requires more immersive education than videos, slideshows, and gamification can provide.
If engineers are supposed to make security one of their areas of priority, then they’ll need a fresh perspective to approach the problem. This is where the human element comes into play. Instead of making engineers click-through tutorials or watch videos on Security 101, professionals in this space should challenge engineers with questions and present them with simulations of real-world problems to solve hands-on. Most importantly, QA teams need to test the code so that security becomes a release criteria for new updates.
3. Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)
(If you missed this, I covered many of the same topics in my presentation for the Gartner Security and Risk Management Summit earlier this summer.)
Who knows Microsoft better than Microsoft? Mark Morowczynsk, the Principal Program Manager at Microsoft, teamed up with CTO Sean Metcalf to explore the most common attacks on the Office cloud and how to defend against them. Morowczynsk grounded the conversation in the fact that the cloud is public by design and isn’t inherently secure — making more urgent the need for cloud-app developers to build security into the core.
While much of Black Hat targeted software, infrastructure, and code, Mark and Sean focused on the end-user and that attacks that target the human vulnerability.
Key areas of focus were account compromise/BEC and token theft. To combat this, the two discussed methods to detect attack activity. They also suggested that by leveraging cloud identity, organizations could achieve secure cloud administration.
Admins need MFA, and so do all users at every organization. To take this a step further, use Conditional Access and Privilege Identity Management tools that can block access based on location, application, and risk.
No matter what training people receive, they will inevitably fall victim to phishing. Microsoft’s features for monitoring users and app permissions mitigate this risk after the click.
Advanced threats have gotten to the point where security teams alone can’t shoulder the responsibility. Patching and reactive monitoring happens much too late to prevent today’s threats.
Much of the discussion this year might seem exasperating for end users who have very little control over what happens before the product release. The fact that the industry is turning its focus to address it should offer some hope.
Until then, end user best practice is as important as ever. Multi-factor authentication, conditional access control, and end-user education are the last lines of defense.
Security engineers — and everyone else, from developers to accountants — need to integrate security awareness into the company culture.