RSA: Hackers Can Help You Improve Security


The next time hackers probe your network, don't just view it as a threat -- think of it as an opportunity, too. That was the message from Jeremiah Grossman, founder and CTO at WhiteHat Security, who spoke at last week's RSA Conference 2012 in San Francisco. His advice: Harness the wisdom of the hacker crowd by enlisting them to expose the security weaknesses in your own systems.

If that sounds crazy, consider that Google, Facebook, and the Mozilla Foundation are just some of the organizations with active programs that pay hackers to find and report security flaws in their products. For example, Google pays up to $10,000 for the discovery of a single security vulnerability in the Chrome browser.

"This has been effective and it works," Grossman said.

In fact, Grossman said he'd like to see military and government organizations run similar programs. While acknowledging that these organizations would likely have serious reservations about running white-hat hacking contests, he noted that the current system of trying to shut out intrusions isn't working.

"The first rule of recreational hacking is you don't touch .mil and .gov, because they have a lot of resources to come after you. That means they only get tested by the bad guys," he said. "This would actually improve national security to a significant degree at very low cost and risk."

Application security is overlooked by most organizations, Grossman said. He pointed to a disconnect between how lines of business and IT security budget for technology: CFOs typically spend the majority of an organization's technology budget on applications, while CISOs generally spend the least on application security, prioritizing areas such as firewalls and antivirus instead.

"The biggest line item in non-security should match the biggest line item in security," Grossman advised. In other words, if a business spends most on software, IT security should spend the most on securing that software.

Looking back at recent high-profile security breaches, Grossman argued that improved web application security would have stood the best chance of repelling those attacks: "For any of the major breaches you've seen, spending more on firewalls and antivirus doesn't help at all."

The reason CISOs tend to spend more in areas such as firewalls and antivirus software has to do with compliance rules, which tend to encourage spending on the wrong things, Grossman said -- likely because it's easier to measure whether a technology is installed than whether it's providing an adequate defense.

Grossman also noted that the industry needs more of what he calls "builders, breakers, and defenders." Builders are developers who can write secure code. Breakers are skilled in locating vulnerabilities in written code. And defenders turn back attacks on websites.

The Building Security In Maturity Model (BSIMM), which benchmarks real-world software security programs to provide standard practices and metrics, puts the ratio of software security specialists at roughly 1 percent of all programmers. Grossman estimates the industry needs some 12,000 breakers -- and possibly tens of thousands of defenders. Meanwhile, only a fraction of that talent is working in IT today.

"This is why I teach people to do hacking," Grossman said. "I want to teach as many people as I can, in info security and outside the bubble."

Susan Kuchinskas covers technology, business, and culture from Berkeley, California.