Desmond File

Blog archive

Iron Chef Competition at Black Hat Cooks Up Security Goodness

Brian Chess has forgotten more about application security than I'll ever know. The founder and chief scientist of security solutions firm Fortify Software was a speaker at the Black Hat information security conference that concludes today in Las Vegas. He also served as host of the Iron Chef: Fuzzing Challenge security cook-off at the conference, which offered attendees a creative alternative to the usual 60-minute PowerPoint presentation format.

Chess admits that the Iron Chef format -- cribbed from the popular cable TV show of the same name -- hardly imitates real-life conditions. Under the format, two security experts have 60 minutes to discover and exploit a code flaw in an open source multimedia server application. One contestant is armed with static analysis tools, while the other uses random fuzz testing. At the end of the hour, the experts present their findings and work to judges, who select a winner.

"Like the 'Iron Chef' TV show, it's utterly ridiculous that you can take what a chef does and present it as a competition based on what they do in an hour," admitted Chess, who said the format lets "the audience feel like they were more involved and have some fun."

He said the Iron Chef format was valuable in letting attendees see how the vastly different approaches could be used toward the same goal.

"By far, my favorite comment from anybody yesterday came from Window Snyder. She's the chief security person at Mozilla and she was one of the judges," Chess said. "She came away with a much better understanding of the capabilities of static analysis and that was a really good deal."

In an e-mail exchange, Snyder wrote: "Fuzzing has been very successful for us and found lots of vulnerabilities. My experience with static analysis has been that there are so many false positives that it can be difficult to get any real value out of it. I was impressed that these guys were able to identify what appears to be a significant issue in such a short period of time using static analysis tools, and it made me reconsider whether it was time to take another look at these tools."

One thing the session illustrated is the need for security professionals and developers to find a common ground in crafting more resilient software. Chess said that application developers must incorporate security best practices in their work, even as they partner with security experts. The growing challenge of securing software demands a blended approach.

"There are two functions here and it is irreducible," Chess said. "We need to have software developers who will do their best to build the right thing. And then we need people to come and verify that they did build the right thing."

Is your organization doing enough to make security part and parcel of software development? Let me know at [email protected].

Posted by Michael Desmond on 08/07/2008 at 1:15 PM


comments powered by Disqus

Featured

  • Black White Wave IMage

    New Azure AI VMs Immediately Claim Top500 Supercomputer Rankings

    Visual Studio coders who dabble in artificial intelligence projects can now take advantage of new Azure virtual machines (VMs) featuring 80 GB NVIDIA GPUs that immediately claimed four spots on the TOP500 supercomputers list, Microsoft said.

  • Colorful Night IMage

    Auto Completions Speed Up in Java on Visual Studio Code

    Java jockeys using Microsoft's Visual Studio Code editor will see faster code completions thanks to a new language server.

  • New Toolkit for Writing Visual Studio Extensions (And Where to Find Extensions)

    Microsoft details a new Extensibility Essentials toolkit for VS 2022 and explains where to find your favorite tools.

  • New TypeScript 4.5 Improves Asynchronous Programming

    TypeScript 4.5 has shipped with a new Awaited type and Promise improvements for enhancing asynchronous programming in Microsoft's popular take on JavaScript that adds statically checked types.

Upcoming Events