Desmond File

Blog archive

Iron Chef Competition at Black Hat Cooks Up Security Goodness

Brian Chess has forgotten more about application security than I'll ever know. The founder and chief scientist of security solutions firm Fortify Software was a speaker at the Black Hat information security conference that concludes today in Las Vegas. He also served as host of the Iron Chef: Fuzzing Challenge security cook-off at the conference, which offered attendees a creative alternative to the usual 60-minute PowerPoint presentation format.

Chess admits that the Iron Chef format -- cribbed from the popular cable TV show of the same name -- hardly imitates real-life conditions. Under the format, two security experts have 60 minutes to discover and exploit a code flaw in an open source multimedia server application. One contestant is armed with static analysis tools, while the other uses random fuzz testing. At the end of the hour, the experts present their findings and work to judges, who select a winner.

"Like the 'Iron Chef' TV show, it's utterly ridiculous that you can take what a chef does and present it as a competition based on what they do in an hour," admitted Chess, who said the format lets "the audience feel like they were more involved and have some fun."

He said the Iron Chef format was valuable in letting attendees see how the vastly different approaches could be used toward the same goal.

"By far, my favorite comment from anybody yesterday came from Window Snyder. She's the chief security person at Mozilla and she was one of the judges," Chess said. "She came away with a much better understanding of the capabilities of static analysis and that was a really good deal."

In an e-mail exchange, Snyder wrote: "Fuzzing has been very successful for us and found lots of vulnerabilities. My experience with static analysis has been that there are so many false positives that it can be difficult to get any real value out of it. I was impressed that these guys were able to identify what appears to be a significant issue in such a short period of time using static analysis tools, and it made me reconsider whether it was time to take another look at these tools."

One thing the session illustrated is the need for security professionals and developers to find a common ground in crafting more resilient software. Chess said that application developers must incorporate security best practices in their work, even as they partner with security experts. The growing challenge of securing software demands a blended approach.

"There are two functions here and it is irreducible," Chess said. "We need to have software developers who will do their best to build the right thing. And then we need people to come and verify that they did build the right thing."

Is your organization doing enough to make security part and parcel of software development? Let me know at [email protected].

Posted by Michael Desmond on 08/07/2008 at 1:15 PM


comments powered by Disqus

Featured

  • Microsoft's Tools to Fight Solorigate Attack Are Now Open Source

    Microsoft open sourced homegrown tools it used to check its systems for code related to the recent massive breach of supply chains that the company has named Solorigate.

  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

Upcoming Events