Desmond File

Blog archive

Iron Chef Competition at Black Hat Cooks Up Security Goodness

Brian Chess has forgotten more about application security than I'll ever know. The founder and chief scientist of security solutions firm Fortify Software was a speaker at the Black Hat information security conference that concludes today in Las Vegas. He also served as host of the Iron Chef: Fuzzing Challenge security cook-off at the conference, which offered attendees a creative alternative to the usual 60-minute PowerPoint presentation format.

Chess admits that the Iron Chef format -- cribbed from the popular cable TV show of the same name -- hardly imitates real-life conditions. Under the format, two security experts have 60 minutes to discover and exploit a code flaw in an open source multimedia server application. One contestant is armed with static analysis tools, while the other uses random fuzz testing. At the end of the hour, the experts present their findings and work to judges, who select a winner.

"Like the 'Iron Chef' TV show, it's utterly ridiculous that you can take what a chef does and present it as a competition based on what they do in an hour," admitted Chess, who said the format lets "the audience feel like they were more involved and have some fun."

He said the Iron Chef format was valuable in letting attendees see how the vastly different approaches could be used toward the same goal.

"By far, my favorite comment from anybody yesterday came from Window Snyder. She's the chief security person at Mozilla and she was one of the judges," Chess said. "She came away with a much better understanding of the capabilities of static analysis and that was a really good deal."

In an e-mail exchange, Snyder wrote: "Fuzzing has been very successful for us and found lots of vulnerabilities. My experience with static analysis has been that there are so many false positives that it can be difficult to get any real value out of it. I was impressed that these guys were able to identify what appears to be a significant issue in such a short period of time using static analysis tools, and it made me reconsider whether it was time to take another look at these tools."

One thing the session illustrated is the need for security professionals and developers to find a common ground in crafting more resilient software. Chess said that application developers must incorporate security best practices in their work, even as they partner with security experts. The growing challenge of securing software demands a blended approach.

"There are two functions here and it is irreducible," Chess said. "We need to have software developers who will do their best to build the right thing. And then we need people to come and verify that they did build the right thing."

Is your organization doing enough to make security part and parcel of software development? Let me know at [email protected].

Posted by Michael Desmond on 08/07/2008 at 1:15 PM

comments powered by Disqus


Subscribe on YouTube

Upcoming Events