Iron Chef Competition at Black Hat Cooks Up Security Goodness
Brian Chess has forgotten more about application security than I'll ever know.
The founder and chief scientist of security solutions firm Fortify Software
was a speaker at the Black Hat information security conference that concludes
today in Las Vegas. He also served as host of the Iron
Chef: Fuzzing Challenge
security cook-off at the conference, which offered
attendees a creative alternative to the usual 60-minute PowerPoint presentation
Chess admits that the Iron Chef format -- cribbed from the popular cable TV
show of the same name -- hardly imitates real-life conditions. Under the format,
two security experts have 60 minutes to discover and exploit a code flaw in
an open source multimedia server application. One contestant is armed with static
analysis tools, while the other uses random fuzz testing. At the end of the
hour, the experts present their findings and work to judges, who select a winner.
"Like the 'Iron Chef' TV show, it's utterly ridiculous that you can take
what a chef does and present it as a competition based on what they do in an
hour," admitted Chess, who said the format lets "the audience feel
like they were more involved and have some fun."
He said the Iron Chef format was valuable in letting attendees see how the
vastly different approaches could be used toward the same goal.
"By far, my favorite comment from anybody yesterday came from Window Snyder. She's the chief security person at Mozilla and she was one of the judges," Chess said. "She came away with a much better understanding of the capabilities of static analysis and that was a really good deal."
In an e-mail exchange, Snyder wrote: "Fuzzing has been very successful for us and found lots of vulnerabilities. My experience with static analysis has been that there are so many false positives that it can be difficult to get any real value out of it. I was impressed that these guys were able to identify what appears to be a significant issue in such a short period of time using static analysis tools, and it made me reconsider whether it was time to take another look at these tools."
One thing the session illustrated is the need for security professionals and
developers to find a common ground in crafting more resilient software. Chess
said that application developers must incorporate security best practices in
their work, even as they partner with security experts. The growing challenge
of securing software demands a blended approach.
"There are two functions here and it is irreducible," Chess said.
"We need to have software developers who will do their best to build the
right thing. And then we need people to come and verify that they did build
the right thing."
Is your organization doing enough to make security part and parcel of software
development? Let me know at email@example.com.
Posted by Michael Desmond on 08/07/2008 at 1:15 PM