Notes From RSA: Accountability In Security


At the RSA Security Conference last week in San Francisco, I had the opportunity to sit down with the founder of Whitehat Security, Jeremiah Grossman. In a quiet corner of a hotel restaurant we chatted about things that we had seen at the conference.

One thing that struck me was the lack of any sort of overarching theme this year. In the past the conference would revolve around a topic. There was Anonymous one year, Cloud and Snowden on others. This year, there really wasn’t anything that stood out to me. That all disappeared in a puff of smoke when Jeremiah hit me with a rather interesting development.

I’ve always been struck by the fact that the software industry has kept software liability at arm’s length. We have seen data breaches reported on a continuous basis since 2012, when I wrote about it being the summer of breach, right up to the present day. Back then we saw breaches reported for sites such as LinkedIn, eHarmony, Last.fm, Gamigo, Elections Ontario and many others. Fast forward to today and we see massive data breaches at Home Depot, Target, eBay, JP Morgan, Anthem and, well, you get the idea.

(Image used under CC from Yuri Yu Samoilov)

These organizations all had security measures in place. As far as I know, all of them had security programs. Yet we see that millions and millions of records were exposed. Why is this the case? Why do we collectively vilify the victims of a data breach? I know that I have been guilty of it in the past. But I can admit that I was mistaken to do so.

Back in 2007 I read a book, co-authored by Jeremiah Grossman, Robert ‘RSnake’ Hansen and others, that dealt with cross-site scripting problems. While I enjoyed the book, XSS Exploits: Cross Site Scripting Exploits and Defense, I decided to have some fun with the security devices on my network. It occurred to me that all of these systems had web management interfaces. Each one that I tested fell to my cursory tests. In some cases I had a free hand to manipulate the login screen and, in one case, I was able to inject code through the SSL library.

The security tools were written to defend against various threats but were not well secured themselves. While the vendors were, on the whole, easy to work with, at least one company, which I have never disclosed, suggested that they would sue me ‘into oblivion’. Here we are eight years later, and what has changed?

Well, Whitehat has taken a step to change the status quo. Accountability has been a long-standing problem in security. Jeremiah told me that their company would start offering clients $250,000 if their website was compromised using an attack that Whitehat had overlooked. Now that number is up to $500,000. I rather enjoy this foray by Whitehat into demonstrating accountability.

I hope that more companies will follow suit and put their money where their mouths are.