<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-13756280</id><updated>2026-03-29T09:37:52.624-07:00</updated><category term="2007 predictions 2006 web application security"/><category term="3d graphs keynote osx pie charts line bar charts"/><category term="ITRadio Podcast Patrick Gray"/><category term="Preventing CSRF vulnerable XSS"/><category term="RSA 2007"/><category term="ajax security web application xhr attack surface xss jeremiah grossman article javascript"/><category term="blocking meta refresh with link tags javascript port scanning web application security"/><category term="browser port scanning without javascript malware"/><category term="business logic flaw abuse functionality yahoo games chess ladder"/><category term="bypassing firefox mozilla port blocking restrictions javascript scanning malware"/><category term="cross site request forgery CSRF XSRF cgisecurity"/><category term="css history browser history hack without javascript"/><category term="disclosure web application security vulnerability"/><category term="dns pinning anti google desktop"/><category term="dont trust server side security superbowl XLI internet explorer IE exploit defacement"/><category term="edit end user license agreements EULA bookmarklet"/><category term="future web application vulnerability assessment scale"/><category term="gmail contact list hack json javascript CSRF"/><category term="ideas for web application security projects"/><category term="input validation output filtering XSS"/><category term="interview picking brains jungsonn"/><category term="interview podcast stillsecure 
alan shimell mitchell ashely"/><category term="its funny"/><category term="javascript history hack theft security console error CSS"/><category term="javascript image type console error message suppression"/><category term="javascript nat ip address java"/><category term="laugh"/><category term="low hanging fruit automated scanners technical vulnerabilities business logic flaws"/><category term="maui vacation 2006 hawaii twin falls"/><category term="mythbusting ajax slashdot followup javascript malware"/><category term="rsa 2007 jordan wiens security innovations interactive testing challenge"/><category term="ryan barnett apache blogger modsecurity breach security waf"/><category term="samy pleads guilty"/><category term="secure code frameworks robert auger security pdp gnucitizen"/><category term="security assessments penetration tests difference"/><category term="sql dump"/><category term="subverting ajax xss prototype hijacking splitting stephano giorgio cross site scripting"/><category term="three wishes 3 web browser security javascript malware history intranet hacking"/><category term="top 10 ten web hacks 2006 bode for 2007"/><category term="top 10 web hacks 2006"/><category term="trusting client side security web application same-origin policy cookie vulnerability javascript malware browser ssl tls"/><category term="universal cross site scripting UXSS adobe rsnake pdf plugin browser DOM based"/><category term="user education"/><category term="vulnerability disclosure web applications"/><category term="waf web application firewall"/><category term="wasc meetup RSA 2007 san francisco web application security"/><category term="wasc rsa meetup 2007"/><category term="web application security formula motivation economist fight club jack"/><category term="web application security network coverage vulnerability measuring assessment scanning scan methodology"/><category term="web application security professionals survey statistics"/><category term="web application 
security professionals survey statistics january 2007"/><category term="web application security professionals survey statistics jeremiah grossman whitehat"/><category term="web application security scanner appscan webinspect anurag agarwal review comparison"/><category term="web application security scanner vulnerability statistics assessment methodology"/><category term="web application vulnerability assessment va low hanging fruite LHF neopets"/><category term="web application vulnerability scanning assessment owasp top ten 10 automated white paper"/><category term="web appplication security defense in depth SDLC"/><category term="whitehat security jobs Application Security Specialist hiring"/><category term="whitehat security tradeup promotion scanner service"/><category term="whitehat web application security risk report statistics severity technical logical"/><title type='text'>Jeremiah Grossman</title><subtitle type='html'>Venture capitalist (Grossman Ventures https://grossman.vc), Internet protector and industry creator. Founded WhiteHat Security &amp;amp; Bit Discovery. 
BJJ Black Belt.&#xa;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default?alt=atom&amp;redirect=false'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default?alt=atom&amp;start-index=26&amp;max-results=25&amp;redirect=false'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>789</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13756280.post-2168868448417184675</id><published>2024-07-10T15:36:00.000-07:00</published><updated>2024-07-10T15:47:10.997-07:00</updated><title type='text'>The Solution to Application Security’s Biggest Challenge, Vulnerability Remediation, May Finally Arrive</title><content type='html'>&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbVV1d6gkaQ5OMSqLT9AkGMJO6JLhAuGreoBbw_jZu0CZWoMjeJRtRlKC6Sn8lpDb2LMAVpEas4YYIe-PJ_4xs0iVQbJGnSqNz5g9hHOcUH09A_CfowgYXKAip2VNG9mTPuOhyphenhyphenM9lTeaI2Xv6EZd0btm2XGO9j8UntIiwqQgJZI0u5U2NPZRdYw/s1024/ai_powered_vulnerability_remediation_assisant_a6dde307-b51b-40f6-9128-d548acb34465.png&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1024&quot; data-original-width=&quot;1024&quot; height=&quot;200&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbVV1d6gkaQ5OMSqLT9AkGMJO6JLhAuGreoBbw_jZu0CZWoMjeJRtRlKC6Sn8lpDb2LMAVpEas4YYIe-PJ_4xs0iVQbJGnSqNz5g9hHOcUH09A_CfowgYXKAip2VNG9mTPuOhyphenhyphenM9lTeaI2Xv6EZd0btm2XGO9j8UntIiwqQgJZI0u5U2NPZRdYw/w200-h200/ai_powered_vulnerability_remediation_assisant_a6dde307-b51b-40f6-9128-d548acb34465.png&quot; width=&quot;200&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span style=&quot;font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;The importance of vulnerability management is simple — find and fix issues before an adversary finds and exploits them. Unfortunately, the remediation rates reported by leading application security vendors average only around 50% or far less. And when vulnerabilities are fixed it takes weeks or months. The rest of the vulnerabilities? 
They’re often never fixed and this has been the reality for many years [&lt;a href=&quot;https://www.veracode.com/sites/default/files/2024-02/SOSS-Report-2024.pdf&quot;&gt;1&lt;/a&gt;]&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;[&lt;a href=&quot;https://www.scmagazine.com/perspective/why-does-it-take-so-long-for-security-teams-to-remediate-vulnerabilities&quot;&gt;2&lt;/a&gt;]&lt;/span&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;[&lt;a href=&quot;https://www.getastra.com/blog/security-audit/cyber-security-vulnerability-statistics/&quot;&gt;3&lt;/a&gt;]&lt;/span&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;[&lt;a href=&quot;https://www.darkreading.com/application-security/key-application-security-metrics-show-little-sign-of-improvement&quot;&gt;4&lt;/a&gt;]&lt;/span&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;[&lt;a href=&quot;https://www.darkreading.com/vulnerabilities-threats/survey-appsec-maturity-hindered-by-staffing-budgets-vulnerabilities&quot;&gt;5&lt;/a&gt;]&lt;/span&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;.&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;The underlying reason for vulnerabilities not getting fixed is basically resource constraints. When application vulnerabilities are found, typically they must be fixed by an internal software development group, not the InfoSec team. And since software development resources are always scarce, allocation between vulnerability remediation and building new features is purely a business decision. 
And the needs of the business largely favor revenue-generating features over security issues.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;At the same time, many companies have hundreds and often thousands of websites in total with an untold number of code repositories supporting them. And in my ~20 years of experience in application security, including WhiteHat Security and its 1000+ customers, only ~20% of their websites are routinely scanned for vulnerabilities. And this is essentially the same for the underlying code repositories as well.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;And the reason for the lack of pervasive application scanning is understandable: if a company already can’t keep up with their current remediation challenges, they’re certainly not going to want to spend more money to identify potentially thousands more vulnerabilities that they also can’t fix any time soon.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;The lack of a scalable vulnerability remediation solution is what holds back pervasive application scanning, and leaves thousands of companies at risk without viable options. Finding a way to remediate vulnerabilities faster, easier, and cheaper would be absolutely monumental and push the entire application security industry forward. That’s why I’ve been focusing on and researching this problem for well over a decade.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;I’ve worked with WAF technology, RASP technology, browser technology, leveraging third-party development shops, and anything else that might work. All these approaches have their pros and cons, and do work in certain scenarios, but ultimately they have so far been unsuccessful in broad market adoption. 
More product innovation is needed.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;AI technology provides an exciting opportunity to solve vulnerability remediation. We’re already seeing how developers are able to leverage AI to automatically generate code. In the same way, what if it were possible for AI to import Static Application Security Testing (SAST) results and automatically fix the code with an AI agent built on LLM technology? Ideally, all a developer would need to do is review the fixed code and accept it for QA testing in a single click. That review step is the real security control, not a formality: an LLM-generated patch can make a scanner finding disappear without actually removing the flaw, or introduce a new one, so the change should be re-scanned and covered by a regression test before it is merged. This allows a developer to fix an issue while it&#39;s fresh in their mind in less than a minute, much better than getting a ticket 3 months after the code was written.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;There are at least a few vendors working on this approach. Recently I was introduced to a start-up called &lt;/span&gt;&lt;a href=&quot;https://amplify.security/&quot; style=&quot;font-family: verdana; text-decoration-line: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Amplify&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: verdana; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;, who is building a product based on this exact concept. 
&lt;/span&gt;&lt;a href=&quot;https://amplify.security/&quot; style=&quot;font-family: verdana; text-decoration-line: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;Amplify&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: verdana; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt; provides developers with an AI-powered tool that automatically fixes vulnerabilities in a way that would be equivalent to having a Sr. Developer and Sr. Security Engineer sitting and solving the problem together. The potential of this technology is exciting and will only get better over time. I believed in the founder, the vision, and implementation enough to become an Angel investor.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana; white-space-collapse: preserve;&quot;&gt;I personally want to be part of solving this problem after spending most of my career in the application security industry. Success would enable every company to finally be able to scan their entire code repositories for vulnerabilities, and when vulnerabilities are found, they can do something about it quick and easy. Remediation rates would be drastically improved, mean-time-to-fix goes way down, and application breaches become rare. This is the entire goal of the application security industry — and it could be right around the corner!&lt;/span&gt;&lt;/p&gt;&lt;span id=&quot;docs-internal-guid-e1c6a188-7fff-6d2b-d34a-ff284e1e0fb8&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/2168868448417184675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/2168868448417184675' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/2168868448417184675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/2168868448417184675'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2024/07/the-solution-to-application-securitys.html' title='The Solution to Application Security’s Biggest Challenge, Vulnerability Remediation, May Finally Arrive'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbVV1d6gkaQ5OMSqLT9AkGMJO6JLhAuGreoBbw_jZu0CZWoMjeJRtRlKC6Sn8lpDb2LMAVpEas4YYIe-PJ_4xs0iVQbJGnSqNz5g9hHOcUH09A_CfowgYXKAip2VNG9mTPuOhyphenhyphenM9lTeaI2Xv6EZd0btm2XGO9j8UntIiwqQgJZI0u5U2NPZRdYw/s72-w200-h200-c/ai_powered_vulnerability_remediation_assisant_a6dde307-b51b-40f6-9128-d548acb34465.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-7278817540383596475</id><published>2024-07-09T08:59:00.000-07:00</published><updated>2024-07-09T09:00:34.093-07:00</updated><title type='text'>Why 
InfoSec Vendors Force Customers to Work with Sales</title><content type='html'>&lt;div class=&quot;separator&quot;&gt;&lt;span id=&quot;docs-internal-guid-5cd2a4bc-7fff-d233-07de-5fbf8642af2a&quot;&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;clear: right; float: right; font-family: verdana; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img height=&quot;187&quot; src=&quot;https://lh7-us.googleusercontent.com/docsz/AD_4nXfqiw_leF__hoz0it-eT9FgdUdv3bt1Ynq9dDY9sNUR9Oyw82FKzRdv-x-oystY4setoY978At30Bon4caxnpVwvar1qnHKPyTaDFXINVY3h9NLb3gwvtqYHIcB03eFMJ80-vdKzQkEvYmfflcDaK3zxPTP?key=Jb-4Md1P5VczBlxVWWi9nA&quot; style=&quot;font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px;&quot; width=&quot;336&quot; /&gt;&lt;/span&gt;&lt;span style=&quot;font-size: 10.5pt; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;If you visit practically any enterprise InfoSec vendor’s website and are interested in trying out their products or services without speaking to a sales rep first, good luck — this is rarely allowed. Even just getting pricing info from a vendor without engaging in a sales process is next to impossible. The vast majority require customers to email or fill out an online form, schedule a meeting with a sales rep, sit through a PowerPoint presentation, and THEN they’ll let customers try the product. And all of this happens in a carefully scripted and supervised manner. 
For many customers, this experience is often frustrating and avoided whenever possible.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;/p&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;I’ve long asked why sales leaders and reps insist on connecting in person with customers before even considering allowing demos or providing pricing. One explanation they give is if trials are allowed without an initial sales meeting, customers will struggle with installation, configuration, or usage and fail to comprehend ‘full’ value. 
Sales leaders are concerned about potentially losing deals to competitors who offer a more hands-on white-glove process.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;As for pricing, sales reps will say if the website reveals pricing upfront and competitors’ websites don’t, customers might get sticker shock and avoid contacting them. This prevents sales reps from having an opportunity to demonstrate the product and justify the value while the customer looks into another solution. These reasons, and others, are supposedly why customers must endure a people-intensive, painstaking, pressured, slow, and frustrating sales process.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;While these enterprise sales philosophies may have once made sense in a previous decade, today, they feel antiquated and inferior. For example, we see the sales models of big cloud service providers such as Amazon, Google, and Microsoft. 
They’re capable of collectively selling hundreds of billions of dollars a year in IT services to the smallest of the small and largest of the large organizations in the world, basically friction-free. At any time, an interested customer can spin up thousands, hundreds of thousands, and even millions of dollars’ worth of services in minutes, without ever having to speak to a sales rep or anyone else. Why can’t or why isn’t every InfoSec vendor following their example?&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Is the value of today&#39;s InfoSec products really too complicated for customers to understand on their own? Are customers really incapable of figuring out how to deploy products without assistance from sales? Does making pricing info readily available actually drive customers away toward competitors? If so, then my contention is we have a serious and industry-wide product deficiency problem on our hands. 
And every problem is an opportunity to improve.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;For the average start-up I’ve worked with, the sales department generally represents 12-18% of the overall company budget. And the marketing department budgets are roughly the same. Marketing spending is an important consideration here because they have to find and push hard to convince customers to engage in a sales-led process rather than just clicking a link. Then, often because a vendor’s sales reps don’t have an existing relationship with a customer needed to get their attention, they’ll rely on the channels (i.e., VARs). For this very reason, many customers prefer to evaluate and buy through one of their ‘trusted partners.’ Tack on another 3-30% of the cost of sales in channel commissions.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;All of these sales and marketing costs add up and partially explain why enterprise security products are so expensive. And contribute to why they’re out of the price range of many small and medium businesses (SMBs). 
In the current model, it’s just not worth a vendor’s time to sell to SMBs unless they engage on their own. Personally, I see a huge opportunity for existing vendors and start-ups alike who successfully solve this problem.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;p dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;&lt;span style=&quot;font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Imagine for a moment if an InfoSec vendor found a way to cut down this sales and marketing overhead by enabling a self-provisioned sales process, and invested those dollars directly into a product that can [gasp] sell itself! The overall cost of sales goes down, customer satisfaction goes up, deals close faster, the vendor becomes more competitive, and new market opportunities (e.g., SMBs) open up. The sales apparatus of the big incumbent security vendors will have a difficult time making such a shift because the entire sales department will resist. Therefore, the advantage goes to the start-ups. And we’re just recently starting to see InfoSec vendors selling through Amazon’s marketplace, for example. I’m hoping this becomes a trend.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/7278817540383596475/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/7278817540383596475' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7278817540383596475'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7278817540383596475'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2024/07/why-infosec-vendors-are-force-customers.html' title='Why InfoSec Vendors Force Customers to Work with Sales'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh7-us.googleusercontent.com/docsz/AD_4nXfqiw_leF__hoz0it-eT9FgdUdv3bt1Ynq9dDY9sNUR9Oyw82FKzRdv-x-oystY4setoY978At30Bon4caxnpVwvar1qnHKPyTaDFXINVY3h9NLb3gwvtqYHIcB03eFMJ80-vdKzQkEvYmfflcDaK3zxPTP=s72-c?key=Jb-4Md1P5VczBlxVWWi9nA" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-219963626096006457</id><published>2024-06-27T07:55:00.000-07:00</published><updated>2024-06-27T10:01:00.173-07:00</updated><title type='text'>InfoSec Market Labor Shortage and Predictions</title><content type='html'>&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;div class=&quot;separator&quot; 
style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4sGBrzci2Qxacljq27EL2HnAuEoQacSbPOA2vZseJjcLNkrlDuuRjBIsjnfv-KQLlPVo31vS16Dl7gSi_nfvCijci29zGqsbqqZ0hjJpDVQuCb4MVCszzpbAz21RQI7m9QpH8Bz5yPnCRu9gx9RpD_Ijm8cnEH8xQgs_c0RBclhAKWodYGPLtw/s806/Screenshot%202024-06-27%20at%208.15.34%E2%80%AFAM.png&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;644&quot; data-original-width=&quot;806&quot; height=&quot;208&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4sGBrzci2Qxacljq27EL2HnAuEoQacSbPOA2vZseJjcLNkrlDuuRjBIsjnfv-KQLlPVo31vS16Dl7gSi_nfvCijci29zGqsbqqZ0hjJpDVQuCb4MVCszzpbAz21RQI7m9QpH8Bz5yPnCRu9gx9RpD_Ijm8cnEH8xQgs_c0RBclhAKWodYGPLtw/w260-h208/Screenshot%202024-06-27%20at%208.15.34%E2%80%AFAM.png&quot; width=&quot;260&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;Observations&lt;/b&gt;&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;From my personal experience and through conversations I’ve had with many other security pros, we’ve observed that the average level of competency among enterprise InfoSec personnel is either flat or decreasing. And this has been steadily taking place for several years. This occurs despite the plethora of widely accessible educational content and professional training options. This is important to note because, in order to remain effective, InfoSec professionals must also keep up with an ever-expanding body of knowledge. As every expert will attest, this is a significant challenge for every individual and organization.&lt;br /&gt;&lt;br /&gt;Then as businesses digitize essentially every product and service in modern life, today’s IT environments have become incredibly sprawling and more complex by the day. 
This level of complexity, and the associated legacy IT backlog, makes it exceptionally difficult for practitioners to comprehend, monitor, and maintain robust security of the environments they’re meant to defend.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Causes&lt;/b&gt;&lt;br /&gt;The InfoSec market is growing rapidly (&lt;a href=&quot;https://www.fortunebusinessinsights.com/industry-reports/cyber-security-market-101165&quot;&gt;$172B annually with 10-12% CAGR&lt;/a&gt;), leading to a high demand for skilled professionals across the corporate spectrum. The demand and resulting skill gap are exacerbated by new and emerging technologies such as IT/OT, cloud, virtualization, microservices, blockchain, low-code/no-code, new programming languages and frameworks, and of course, AI/ML.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Nobody can claim expertise in all these areas or even close. Additionally, InfoSec does not have structured and widely available pathways to onboard entry-level talent. Hiring managers also commonly struggle to accurately assess the level of expertise of potential hires due to the nuanced and complex nature of InfoSec skills.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Prediction&lt;/b&gt;&lt;br /&gt;In the near term, there are no scalable options yet on the horizon to broadly address these labor issues, and we have every indication and expectation that the skill gap will remain and likely even widen. If so, and for lack of better options, we can only expect organizations to continue filling vacant security roles with inadequately trained and inexperienced personnel who operate more like program managers than hands-on practitioners. 
This is a reasonable approach given the current constraints.&lt;br /&gt;&lt;br /&gt;Subsequently, many organizations lack confidence in their ability to sufficiently protect their environments from breaches — and for good reason. Many practitioner&amp;nbsp;surveys published over the years support this observation. While some people will suggest substantive wage increases as an immediate solution, to which I don&#39;t necessarily disagree, doing so can only help individual organizations. The larger net effect can only serve to shift labor shortages from one area of the market to another and will do little to solve the overall industry shortage.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Opportunity&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;ol style=&quot;text-align: left;&quot;&gt;&lt;li&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;An increasing number of organizations and their security programs will rely upon Managed Security Service Providers (MSSPs) for third-party assistance — especially MSSPs who are willing to take on contractual liability. Of course, reliance on MSSPs does not necessarily solve the core challenges; it only transfers the security problems from organizations to the MSSPs. Security product innovation remains a crucial component of the market.&amp;nbsp;The MSSP market winners will be those capable of offering a comprehensive suite of security controls capable of keeping up with an evolving threat landscape. That said, no amount of technology automation in any segment of InfoSec completely removes the need for human expertise. 
Therefore, the MSSPs who can best hire, train, and retain top talent will have the long-term competitive edge.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;If an increasing percentage of InfoSec budgets is going to flow through MSSPs, this becomes an increasingly attractive go-to-market strategy for both incumbent security vendors and start-ups alike. Especially for those capable of integrating seamlessly into the current MSSPs’ technology stack and processes.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Businesses are finding that cyber-insurance is becoming compulsory. And it makes sense because if you feel that you can’t protect against the breach, at least protect against the monetary loss. So we’re going to see an expansion of cyber-insurance carriers, both large and start-ups, offering insurance packages that come with a suite of security solutions bundled in — for free. The question is, will they build these technologies themselves, partner for the capability, or make acquisitions? &lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;My prediction is: All three.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/219963626096006457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/219963626096006457' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/219963626096006457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/219963626096006457'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2024/06/infosec-market-labor-shortage-and.html' title='InfoSec Market Labor Shortage and Predictions'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4sGBrzci2Qxacljq27EL2HnAuEoQacSbPOA2vZseJjcLNkrlDuuRjBIsjnfv-KQLlPVo31vS16Dl7gSi_nfvCijci29zGqsbqqZ0hjJpDVQuCb4MVCszzpbAz21RQI7m9QpH8Bz5yPnCRu9gx9RpD_Ijm8cnEH8xQgs_c0RBclhAKWodYGPLtw/s72-w260-h208-c/Screenshot%202024-06-27%20at%208.15.34%E2%80%AFAM.png" height="72" width="72"/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-3994800555817808607</id><published>2020-12-21T10:47:00.008-08:00</published><updated>2020-12-21T11:01:38.736-08:00</updated><title type='text'> 1950 Mercury Christmas Present</title><content type='html'>&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; 
style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFEpzUiMEYdvePr6uqPHzFgXVrpMl6PRAl3L4R1dA_9C_fNMRQSDKQG7ebGhS2oCEOee2_tcD-BmTuKq0DipkDmc0WTA3DXmeo3bUebG6d3q2n2w-T7GeYyLTQVjfN69d_znGILg/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1044&quot; data-original-width=&quot;1514&quot; height=&quot;221&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFEpzUiMEYdvePr6uqPHzFgXVrpMl6PRAl3L4R1dA_9C_fNMRQSDKQG7ebGhS2oCEOee2_tcD-BmTuKq0DipkDmc0WTA3DXmeo3bUebG6d3q2n2w-T7GeYyLTQVjfN69d_znGILg/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;As a gift, or sometimes more like a curse,&lt;a href=&quot;https://blog.jeremiahgrossman.com/2020/12/a-1951-ford-for-dad.html&quot;&gt; my dad passed down his love of classic cars&lt;/a&gt; to his children. Each of us has our favorites, and one of mine is a 1950 Mercury. Not just any 1950 Mercury, but a particular highly customized “led sled” hot rod. Chopped, dropped, frenched, chrome out grill, shaved door handles, bagged with black paint and red flames. It’s the kind of car most people will only see in a classic car magazine or more likely a comic book. Such as car is not really supposed to exist in real life. You’re not going to see one on the road. You’re not even going to see one at a car show. In fact, I’d never seen one like it [in person] until last year, and I’ve searched for 20 years. 
It’s my unicorn.&amp;nbsp;&lt;/span&gt;&lt;div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh12lGxdgcXpv1sYeuZ8OIcxM1_43tmTJscgOL0e2eEJJM-hT6oR-u3dtBO8cLCdNxAZqTfEagc7em_r07_D6fxZgy1y7H4Rurup9y0cT1_vcLL-F78rvt0p1-4-IG5aqbpB3KUwQ/&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh12lGxdgcXpv1sYeuZ8OIcxM1_43tmTJscgOL0e2eEJJM-hT6oR-u3dtBO8cLCdNxAZqTfEagc7em_r07_D6fxZgy1y7H4Rurup9y0cT1_vcLL-F78rvt0p1-4-IG5aqbpB3KUwQ/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;One might ask why I just didn’t buy an old broken-down Merc and restore it. It’s a fair question. I have helped my dad restore classic cars since I was a kid. However, a 1950 Mercury project like I described would have been very different, a whole other level of cost and difficulty. Believe me, I considered it for years. The shell of body, IF you can somehow find one somewhere in any condition, will still cost $15-20K due to the rarity. Then I’d somehow have to transport it to Hawaii because they don’t exist anywhere in the state. I looked. Then the customization requires a set of skills that only master body mechanic would be capable of, with heavy fabrication skills, and a machine shop to match. With the facilities at my disposal and of Hawaii in general, it just wasn’t going to be possible. 
Finding and buying one in relatively close condition was the only option.&lt;/span&gt;&lt;div&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyHcsxU6L_mquhNMFOEjH-NXRRnb04wKLEV3pCEqY_4II_0xVGFDee6ryfByN8aYVlKvoSxuBfTWebd_2acBYBLYzkmCpruhWj2tfS7MXlxCu0Ohl4FSHLbI9B7ZNQlO6oxX0iSQ/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;810&quot; data-original-width=&quot;1440&quot; height=&quot;180&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyHcsxU6L_mquhNMFOEjH-NXRRnb04wKLEV3pCEqY_4II_0xVGFDee6ryfByN8aYVlKvoSxuBfTWebd_2acBYBLYzkmCpruhWj2tfS7MXlxCu0Ohl4FSHLbI9B7ZNQlO6oxX0iSQ/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Over the last 25 years I’ve travelled a lot. 1 million miles on United Airlines alone, but who’s counting. In every state and city I’ve visited, I’d routinely fire up Craigslist and see if any of my bucket list cars were for sale in the area. The years rolled by, and while I did manage to buy pair of 19&amp;nbsp;64 Lincoln Continentals, I never ever came across my dream 1950 Mercury – that is until this time last year.&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Christmas of 2019 the family travels out from Hawaii to Tennessee to spend the holiday with relatives. I’ve been to Tennessee many times before, mostly Memphis and Nashville. 
Nice wide-open country, friendly people, and my favorite part are the fireworks stores. Hawaii and California basically outlawed everything except sparklers, but not Tennessee. Tennessee has stores that look like Target that sell everything in all shapes, sizes, and colors. Complete with push button video demonstrations in the store so you can see what you’re buying. On this trip I filled up two grocery carts to the brim and let loose inner child pyromaniac. Let me tell you, my kids and I had a blast lighting up the sky over the river out back. All eyebrows accounted for.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXATPksjT0aLPHUzerBiG_3W5X2-iesaQdzQnCpMq8dGn_P7b1tZqQddYYlX99FqIwHoMmD4L9STf_Yv_YwJx67I9SV6gcfX5hyY1SNvTGuOyerV5FUe3Lrkgc7X9qMzmgeHur8A/&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXATPksjT0aLPHUzerBiG_3W5X2-iesaQdzQnCpMq8dGn_P7b1tZqQddYYlX99FqIwHoMmD4L9STf_Yv_YwJx67I9SV6gcfX5hyY1SNvTGuOyerV5FUe3Lrkgc7X9qMzmgeHur8A/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;Early one evening, a couple days before the 25&lt;/span&gt;&lt;sup style=&quot;background-color: white; color: #050505;&quot;&gt;th&lt;/sup&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;, it was time to check Craigslist. To my utter astonishment, a 1950 Mercury showed up in the results located around a 1.5hr drive away. 
I couldn’t believe it. I was skeptical, very skeptical. No way this could be real. No way. At first I thought it must be a targeted ad or a scam or something based on my search history. It looked just like everything I’d hoped and dreamed for 20+ years. Again, I’m in a VERY rural area of Tennessee outside of Knoxville with an extremely small population.&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;I double-checked I was searching in the right area. Yup. Maybe the listing was outdated? Nope. Posted 2 days ago. Obvious signs of a scam? It didn’t look like it. The only way to know for sure is to call the seller. And just like that, Marvin picked up!&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNWP0jIOoEO4WX41j-vziOD_lfzAu7PJ99-GD7M6kcOVUjj-tFjgLsNBi1t_sYimtjpMcoSpXm5OGFIDgY2cTkq1lIeJoaXTM42cGkprBzzjTLwFKHQj9zHnk0XHiUQ4YsRF2AWA/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNWP0jIOoEO4WX41j-vziOD_lfzAu7PJ99-GD7M6kcOVUjj-tFjgLsNBi1t_sYimtjpMcoSpXm5OGFIDgY2cTkq1lIeJoaXTM42cGkprBzzjTLwFKHQj9zHnk0XHiUQ4YsRF2AWA/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;background-color: 
white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;On the phone I asked Marvin every question about the car I could think of. Where’d you get it? Does it really look as good as in the pictures? Who built it? How’s it run? What’s wrong with it? Rust? The price? Well, let’s be honest, I didn’t care about the price. This was literally the opportunity of a lifetime and I wasn’t about to miss even the opportunity to see it – IN REAL LIFE! So, I scheduled a time for first thing the next morning, jumped in the rental car with my son (14) and uncle Jim, and we headed out to the boonies on a classic car adventure!&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;After a long drive, we pulled up to the address and right there we see it parked in the driveway. A gleaming and perfect 1950 Mercury coupe. My world stopped. The three of us just stared. It looked like a full-size hot wheel. It didn’t look real. Every detail was exactly how I’ve always imagined it. We lifted the hood, opened the doors, and crawled underneath it. Every detail was perfect right down to the 3-inch chop, push-button trunk and door locks, and electric windows. The damn thing even had pin striping on the frame. THE FRAME! The only thing that was incomplete was the interior, which had late model Acura seats. I didn’t care, I could easily replace that later. Marvin explained that he’s a body guy and built the car himself over the last many years. Swapped out all the old Mercury internals and replaced everything with Chevy parts. 
He did all the body work personally, at home, in his homemade paint booth garage.&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;clear: right; float: right; font-family: verdana; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA_Lf5OSthKFdd2o6FSDJronLUQsaqT5EfMmXME4J9lRbbZ4Zkd6A5kWvN7Aw9UDoT9KE7bZa2A78mwTrS1Hn-4N3xsfv7SfjTgu2ZVzO0_mZanfiZZpHYlNGI8mvnTgUj27icRg/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;We took the car on a short drive around the neighborhood. This thing hadn’t seen the road in a couple of decades. It rolled, it stopped, it ran great. Because I wasn’t prepared, and typically avoid impulse purchases, I tried to find any reasonable excuse to NOT buy this car. I mean I wasn’t in Tennessee to buy a car, and this wasn’t on a work trip. I was there on a family vacation, completely unprepared. Still, I couldn’t say no, I had to have it. This opportunity was never going to come up again. Never. Ever.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Marvin wanted 4 stacks of high society and not a penny less. Not a bank wire. Not a cashier’s check. Not PayPal. Not Bitcoin. Marvin was a good ol’ country boy through and through. He wanted cash in hand. I explained to Marvin that I’m from out of town and didn’t travel prepared to make such a large cash transaction. If he could give me a little time to figure things out, and NOT sell the car to anyone else, I’d appreciate it. He agreed. 
I’m guessing there wasn’t going to be someone else showing up ready to buy THE car, in THIS part of the country, for THAT much in cash, 2 days out from Christmas anyway.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;color: #050505; font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(5, 5, 5); font-size: 15.333333015441895px;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;clear: left; float: left; font-family: verdana; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAlTAxSWfm24wkLeM_-McdhmfX5kBh0I2f5Vtc6J6LADb9GY3Qpy8y6csvr2hoPPS7SmYZsb-UcnktbwGesXQsvnIQEPLkSyP58XFusJvGTyKoP2Zoi8hrRuX9Lwzmm1uchGx75Q/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;The next day my son and I visited a local bank branch, let them know we needed to make a large cash withdrawal to buy a car. After some identity verification, they said the bank manager who can authorize the amount wasn’t in – holiday vacation. Dah! Back in the car and rush off to the next branch. I don’t have much time to get this done because we’ll be flying out in a couple days.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;Arrived at bank branch #2, waited through another series of identity checks, manager approved the amount, but they informed me that they don’t have nearly enough cash on hand. The holiday apparently wiped out their cash reserves. They’d have to order it, which would take at least a few days. 
I explained that I needed it now as I’d be flying out by then and asked what my options were. So, the manager called two other branches in the area. The only one that could help was another hour’s drive away, and maybe they had enough. Off we go!&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;clear: right; float: right; font-family: verdana; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGBSwxmuSzxe-sxjWPM5bmVb6GlVHa1fyc46wZ1IWsH30X8lO1Q5HjUc9HF9AzpNNBePCCrDRd-_flOsUuOHjS3B5fTHNdqofcOp1dflMa-eCN0WABytXbRWFl0UxegNO1trd7yA/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Bank branch #3. By this point I learned to immediately ask to speak to the manager. I explained what I needed, and again went through the identity check procedure. Unfortunately, the bank didn’t have enough hundred-dollar bills to cover the amount, nor enough fifties, so we had to accept the remainder in twenties. Whatever. Cash is cash right!? Success!&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Now, how many times does a young kid get to feast their eyes on so much money and be able to physically hold it? So, we just had to take the obligatory photo of the experience. 
Our next step was to contact the seller and drive back out to buy the car and get it picked up.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;Let’s pause for a moment to reflect on the visual of this moment. My son and I are two out-of-towners from Hawaii, in rural Tennessee, driving a rented mini-van cross country, carrying a large amount of cash in mixed denominations, and after just having visited 3 banks. You better believe I was following every single traffic law making sure to avoid getting pulled over and caught up in some kind of civil asset forfeiture situation. “No sir, I swear, we’re just trying to buy a classic car.”&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAlTAxSWfm24wkLeM_-McdhmfX5kBh0I2f5Vtc6J6LADb9GY3Qpy8y6csvr2hoPPS7SmYZsb-UcnktbwGesXQsvnIQEPLkSyP58XFusJvGTyKoP2Zoi8hrRuX9Lwzmm1uchGx75Q/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;In the meantime, I’m calling around the area trying to find a tow truck driver that’s working and has the equipment to pick up a classic car in a remote region. 5 companies later, I finally found someone who’s up for the job. I tell him the time and place. 
We’re set!&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;We finally arrive back at the seller’s house, and strangely his entire family is there waiting. His wife, one of his daughters, and her husband. Weird. They invite us into the house, and I get the distinct impression that this affair was something far more important than just a car transaction but didn’t know what it was. My son and I sat at the kitchen table making small talk while the family divided up each brick of cash, counted it, and visually inspected each bill for counterfeits. They tell us fake bills have been a problem recently in the local area. They’d hold each bill up to the light, looking for the mag strip and watermark. The painstaking process took 2 hours. It was fine though, the family was very nice, and we got to know them and the car a little bit better.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;color: #050505; font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; caret-color: rgb(5, 5, 5); font-size: 15.333333015441895px;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBqTPDq-_1JP3p_szu8xMo89bGjjqVvBc_jxB-fNjbeGcK5Ov2uBjG0vGY_OyNw0GbWiTqrvR9R1GvV1ACnacLjp_MW1KNzPBaJf-vrT3o8VW8mBcQ0z4kCL0esTTJ80v7ZodPfA/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBqTPDq-_1JP3p_szu8xMo89bGjjqVvBc_jxB-fNjbeGcK5Ov2uBjG0vGY_OyNw0GbWiTqrvR9R1GvV1ACnacLjp_MW1KNzPBaJf-vrT3o8VW8mBcQ0z4kCL0esTTJ80v7ZodPfA/&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;Here’s where things become truly incredible. Once they’re nearly done counting the money, no issues, Marvin’s wife gets up from the table to make a call on the cordless phone. I hadn’t even seen one of those in years. I make out that the call is to another daughter that lives nearby. She explained that her dad just sold the Merc, and that they’d be paying off her mortgage with the money as a Christmas gift. My jaw about hit the floor and my eyes are open double-wide.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;They shared that Marvin had been working on the Merc for 3 years, night and day, and it was finally in good enough condition to sell. Then my son and I somehow showed up. Apparently, their daughter had recently lost her husband, leaving children behind, and they’d fallen on tough times. The money was to help make sure that she and the kids would be taken care of. 
Like I said, this might be the ONLY way that someone would ever build or part with such a car.&lt;span style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;My son Jaye and I are witnessing this. A pure and special moment in a family taking place right in front of us in the most impossible of circumstances. Talk about an experience. I got my dream car; they paid off their house. Merry Christmas.&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;background-color: white; margin: 0in;&quot;&gt;&lt;span style=&quot;color: #050505; font-size: 11.5pt;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/3994800555817808607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/3994800555817808607' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/3994800555817808607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/3994800555817808607'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2020/12/1950-mercury-christmas-present.html' title=' 1950 Mercury Christmas Present'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFEpzUiMEYdvePr6uqPHzFgXVrpMl6PRAl3L4R1dA_9C_fNMRQSDKQG7ebGhS2oCEOee2_tcD-BmTuKq0DipkDmc0WTA3DXmeo3bUebG6d3q2n2w-T7GeYyLTQVjfN69d_znGILg/s72-c" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-3241392921227061271</id><published>2020-12-21T10:27:00.008-08:00</published><updated>2020-12-21T10:49:53.025-08:00</updated><title type='text'>A 1951 Ford for Dad</title><content type='html'>&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfObO-X9m1WA11RFoqi-DwrC285cxshzScPlivDu5nzWpreuArIhyphenhyphenqQVh5PiXMd7T6HFjjq2nYmcQotiEE90s-dpXPNTl2s0q85T8jGTQ0ZzyFHHOvnRWqv0eb4AQt0xwMC48OwA/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfObO-X9m1WA11RFoqi-DwrC285cxshzScPlivDu5nzWpreuArIhyphenhyphenqQVh5PiXMd7T6HFjjq2nYmcQotiEE90s-dpXPNTl2s0q85T8jGTQ0ZzyFHHOvnRWqv0eb4AQt0xwMC48OwA/&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;I wanted to get my dad a gift, but not just any gift. The perfect gift. For a diehard hot-rodder like my dad, there can only be one thing -- a car. Of course, not just any ol&#39; thing with four wheels. He quite literally has 50 mostly junkers and clunkers already. Only THE DREAM CAR would do. What kind of car that was I really didn&#39;t know. I had to find out exactly, EXACTLY what that kind of car without letting my dad know and spoil the surprise. For this I asked my brother Zach for help. Discreetly, while both of them were watching a hotrod show on TV, Zach found out that dad&#39;s all-time favorite car is a 1951 Ford 2 door with the original flathead v8 engine. Score!&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;As the story goes, this is the very same car his dad, my grandfather, had bought for him at age 16 for $50. Cars have a way of making a lasting impression on people like this. True to the stereotypical ethnicity of our namesake, grandpa Hyman was worried that he might have overpaid. For reasons I still don’t know, my dad had never owned another like it since. We’re talking 50 years! 
This is extremely odd because over the years he’s owned essentially every other kind of car, having always been somehow connected to the car business. It probably had to do with their rarity, especially on Maui, as I came to find out the hard way.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;For months, and months, and months, Zach and I scoured Craigslist nationwide and the whole rest of the Internet. We found only the trailer-queen show cars selling for many tens of thousands, or on the other end of the spectrum, a pile of rusty incomplete junk. Neither option could be considered for our perfect gift. We wanted something in between. Something decent, or at least restorable, but the make and model had to be exactly right. Zach and I weren’t about to give up.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Finally, on Dec 30, 2013, a Craigslist listing came up in a place called Yantis, TX. Ever heard of it? We hadn’t either. It’s 2.5 hours East... yes... East of Dallas, TX. And remember, all of us live 4,000 miles away on the Hawaiian island of Maui. We had no idea how to get the car back to paradise. We’ll solve that problem later. Undeterred, I immediately called the seller asking if the car was available. It was! W00T! From the description, if the car was anything close to what was advertised, this was exactly what we were looking for. The price was right, perhaps even a deal. 
Zach and I were seriously excited!&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;span face=&quot;Calibri, sans-serif&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm95tdQbUfm8UdE6ldA7reQaKIlPGByJzK6UmEbySeNCfeK30PI7wRIeas9x_O2dDn55uw-cho-54YD3ZLDbisVk8yO_L7R7GHp2I6UEv-r4dK3-prf7mcI-OJ3b7D_7V5zDvpsQ/&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm95tdQbUfm8UdE6ldA7reQaKIlPGByJzK6UmEbySeNCfeK30PI7wRIeas9x_O2dDn55uw-cho-54YD3ZLDbisVk8yO_L7R7GHp2I6UEv-r4dK3-prf7mcI-OJ3b7D_7V5zDvpsQ/&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/span&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;Next, Zach calls the seller to ask a bunch of questions to make 100% certain this was everything we wanted. It was. Our search was over. Well, sort of. 24 hours later, I call the seller prepared to pay the asking price, sight unseen. I said I&#39;d fly out immediately to get if necessary. This was more than a little shocking to the seller. “Long drive,” he says to me after revealing where I live. The seller said he was a little uncomfortable allowing me to purchase the car sight unseen, especially since he doesn&#39;t know me and I&#39;m so far away. He didn’t want me to be disappointed upon arrival and not buy it. Obviously, a really nice guy. 
He did say another interested party is coming to look at the car the following day, on New Year’s Day!&lt;/span&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Uh, oh. At this point in the conversation, I&#39;m extremely worried. This person might buy the car that was in my mind already MY DAD’s CAR! Who knows when I might get another chance like this?! I tried everything I could to lock in the deal over the phone, but to no avail. The seller assured me it’s more likely the other guy is just looking and won&#39;t buy it, and if they don&#39;t, it&#39;s mine. I&#39;m asked to phone the next day to get my answer. Talk about a stressful waiting period. All I can do now is hope for the best and prepare for an immediate flight out to Dallas in case things go well.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Now, there are two problems to sort out and less than a day to do it. 1) I have to convince my dad to take a short-notice trip with me to Texas without letting him know the exact reason why. 2) The seller requires either cash in hand or a cashier’s check from a local Texas bank.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Fortunately, my dad is always up for an adventure. So, I asked if he&#39;d like to take a business trip with me to visit WhiteHat in both Santa Clara and Houston. He&#39;d never really visited the company before to see what I built. 
It was a fortunate coincidence that the car and a WhiteHat office were both in Texas. He agreed.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Next, getting a sizable amount of cash over New Year’s Day, 4,000 miles away, when I bank at a local Hawaii bank that has no out-of-state branches, proved to be a far more significant challenge. Western Union and money orders were of no use even if the locations had been open at the time. Darn holidays! Their daily limits were too small for my current needs. FYI: The dollar amount here is less than an average new car off a lot, but still something you’d not want to carry around, let alone on a plane flight.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;I call the seller the following day, he green-lights the deal, and I’m overjoyed. I quickly buy some plane tickets, ouch on the short-notice price, and let my dad know we&#39;re leaving in 5 hours. He was a little stunned I moved so quickly, and didn&#39;t think I was serious at first, but again... he&#39;s normally game for whatever. 
This time proved no different.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh47Ppe96Kal2xpu5XLsnlGP5_lLyS3vHKu7LzN8J_rh4R-tE_Ob6Evf7v8-AEOr7RftB_gGI63-l8kxJMzsixdRYBKYiGTwJ3efJUkdZnAJWltmiTIEQGecoc8_y9i8VpzgiOhRA/&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh47Ppe96Kal2xpu5XLsnlGP5_lLyS3vHKu7LzN8J_rh4R-tE_Ob6Evf7v8-AEOr7RftB_gGI63-l8kxJMzsixdRYBKYiGTwJ3efJUkdZnAJWltmiTIEQGecoc8_y9i8VpzgiOhRA/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Note: I didn’t have a way to solve the cash problem, so was I no choice but to figure it out upon arrival in Dallas. And, we&#39;re gone, just like that.&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;A 7-hour red-eye flight later and we&#39;re in Dallas at 6am on Jan 2. Oh, did I mention it was friggin’ cold — like 35F. I can tolerate frigid temperature OK, but Dad&#39;s lived for 30 years in Maui and will wear sweaters when it dips below 70F. While he’s always up for an adventure, life and death circumstance and all that not being a problem, it just better not be cold. I can tell he&#39;s having second thoughts about this trip right when we step outside of the terminal. 
He quickly puts on every piece of clothing he packed.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;We grab a rental car, check in to a hotel, get a bite to eat, and head to the bank -- &quot;to open a new bank account just in case”… of a zombie apocalypse is my cover story. Turns out the best way to get cash in a hurry, given my constraints, is calling your source bank, asking them to raise the daily limit on your debit account to whatever you need, and having the destination bank perform a cash advance. This essentially looks like a typical debit card transaction, but instead of a 50in TV, you get cash. The process took some doing and some waiting, but I got it done. Whew!&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;I call the seller, tell him I&#39;m in town and ready to go. He&#39;s quite surprised because in the same 12-hour period I&#39;m in Maui and then in Texas. Hey, I move quick. I ask for directions. By now it&#39;s about 2pm and time to head out for a 2.5 hour drive to get the car. My dad still has no idea what I’m up to.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;We start getting noticeably WAY out in the boonies, and we have no cell phone reception for miles. 
That’s when dad finally asks me, “Are we meeting someone out here for business?” I reply, “yes, we&#39;re meeting someone.&quot;&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Then it happened, not 60 seconds later, I see the car, sitting perfectly out in an open driveway. It&#39;s red, shiny, gorgeously chromey, and at 1/4 mile away, completely unmistakable.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf4_EovZz_BAiaisk_Dm75NIg7B5MGDiBNvCwgxv8GZEhqYzgjRV-pZSNnfZ78fXxFVIGokOTznLgaDWmDgk4KnMTnkkTPKUQOTe1GWsrdq8T0BAS0LED12RvsmwvVMZqTcfemww/&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;img alt=&quot;&quot; data-original-height=&quot;1536&quot; data-original-width=&quot;2048&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf4_EovZz_BAiaisk_Dm75NIg7B5MGDiBNvCwgxv8GZEhqYzgjRV-pZSNnfZ78fXxFVIGokOTznLgaDWmDgk4KnMTnkkTPKUQOTe1GWsrdq8T0BAS0LED12RvsmwvVMZqTcfemww/&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;I slyly point the car out to dad, who doesn’t see it yet, and say inquisitively, &quot;Hey, what&#39;s that car over there?&quot; He squints and instantly says in a more than surprised, curious, and somehow measured tone, &quot;That&#39;s... 
that&#39;s a 1951 Ford!&quot;&amp;nbsp;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;“Dad,” I say, &quot;That&#39;s why we&#39;re here.”&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;“What!?” He exclaims, even more confused now than before.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;“See that man coming out of the house over there? He’s expecting us. He&#39;s selling us that car today.”&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;We&#39;re in the driveway now and dad gets out without a word, surveys the car at 10 feet, barely acknowledging the seller. Like a little boy again, he can’t take his eyes off the car. Clearly, it’s like a dream, and he can&#39;t believe he&#39;s actually seeing this car, his dream car, with his own eyes. Again, you never see these cars anywhere. He mutters, “Oh my God,” obviously overwhelmed. I introduce myself to the seller then stand back quietly to take photos of the moment while the seller introduces his gem. He tells us all about the car, its history, and on and on like only true car aficionados can appreciate.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;At long last, I ask the most important question. “Dad, do you want this car?” He&#39;s not quite sure how to answer, but clearly, it&#39;s a “yes.” I pay the man and then let dad know we have to either drive or trailer his ‘new’ car back to California for shipping. 
He opts for the former. Obvious to anyone sane, driving an untested 60 year old car 2,000 miles cross country, is ill advised. But whatever, this car was getting back to Maui. Nothing was going to stop that from happening now. My dad tells me he would have bought this car even if the engine was missing.&amp;nbsp;&lt;img alt=&quot;😉&quot; height=&quot;16&quot; src=&quot;blob:https://www.blogger.com/39e03ab3-1933-4b76-8bbe-d02ce014f330&quot; style=&quot;background-color: white; color: #050505; font-size: 11.5pt;&quot; v:shapes=&quot;Picture_x0020_1&quot; width=&quot;16&quot; /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;We return the rental car and set out for a LONG drive back to the California’s SF Bay area to ship out the car to Maui. I don&#39;t think I drove the car for the first 1,000 miles of the journey. Hah! We had a handful of various close calls along the way, but overall nothing major. Hundreds of people waved at us along the way. Everyone from the motorcycle gangs to others in high-end BMW&#39;s. The car performed amazingly well by any standard. We&#39;ve dropped it off for shipping and it took a few weeks to get to its new home in Maui, Hawaii.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span face=&quot;Calibri, sans-serif&quot; style=&quot;background-color: white; color: #050505; font-family: verdana; font-size: 11.5pt;&quot;&gt;Remember, we’re all here on earth for just a tiny moment in time. Make it count. Take the time, MAKE the opportunity, and be open to spontaneous adventure with the people you love. 
No matter what happens, you’ll be happy that you did.&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;&lt;p class=&quot;MsoNormal&quot; style=&quot;margin: 0in;&quot;&gt;&lt;o:p&gt;&lt;span style=&quot;font-family: verdana;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/3241392921227061271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/3241392921227061271' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/3241392921227061271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/3241392921227061271'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2020/12/a-1951-ford-for-dad.html' title='A 1951 Ford for Dad'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfObO-X9m1WA11RFoqi-DwrC285cxshzScPlivDu5nzWpreuArIhyphenhyphenqQVh5PiXMd7T6HFjjq2nYmcQotiEE90s-dpXPNTl2s0q85T8jGTQ0ZzyFHHOvnRWqv0eb4AQt0xwMC48OwA/s72-c" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-2260924740863160757</id><published>2018-08-29T10:03:00.000-07:00</published><updated>2018-08-29T10:03:13.960-07:00</updated><title type='text'>Evolution of The Press</title><content type='html'>&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;Helvetica Neue&amp;quot;;&quot;&gt;&lt;i&gt;Below is a working theory on the evolution of The Press in the United States as it relates to their relationship with the government and the people. I expect to continue refining the theory as new perspectives and competing ideas are discussed.&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;b&gt;&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Phase 1) &lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;Helvetica Neue&amp;quot;;&quot;&gt;TL/DR; The press’s primary value in the system is transmitting a message from the government to the people. The press’s customers are their subscribers who purchase news.&amp;nbsp;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Consider the early days of the United States of America throughout the late 1700s and 1800s. As elected officials governed and managed the business of a young country, operationally it was crucial they had a way to broadly communicate with their citizens. They needed to let everyone know that there was a strong hand on the tiller, that the people were safe, and that they could sleep well at night.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Imagine the government’s options to communicate across the country. Think about the technology that was available. How ideas and thoughts were recorded and how they were transmitted. There was no radio. There was no television. There certainly wasn’t an Internet. Ink and paper were the state of the art. While the government could physically write down their message, outside of standing at podiums surrounded by small local gatherings of people or leafletting, they did not have a scalable means of transmitting their message to the masses. So, the government and the country needed assistance. This need is where an entity called “The Press” established its value in the larger system — transmission of the government’s messages.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;The press had journalists with the necessary tools to record the government’s message down &lt;u&gt;on paper&lt;/u&gt;, who would perform some amount of fact checking, and then package the information as a cohesive and largely transcribed story. The press also had access to a new invention called the printing press, enabling them to productize the message, such as a newspaper. And most importantly, the press created channels of distribution, such as horses, automobiles, and the telephone, to deliver the message to a variety of locations where it could be easily purchased. Put simply, the process was that the press would be invited in by the government to document their message, print a large number of copies of newspapers, and then make the materials widely available to the people, where they had the opportunity to buy it.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;This predominately was the value the press provided to the system — transmission. Of course it was important for the press to be mindful about what they printed, particularly the accuracy and relevancy of the message, otherwise people might stop paying for it in favor of another newspaper. The people depended upon the credibility of the press to tell the story right. Let’s not forget this. This dynamic between the government, the press, and the people carried through until about the 40s and 50s when the radio and television began changing the paradigm.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;b&gt;&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Phase 2) &lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;Helvetica Neue&amp;quot;;&quot;&gt;TL/DR; The press’s value proposition is split between transmitting the government’s message to the people and telling them how to think about the message. The press’s customers are their subscribers and advertisers.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Over time communications technology advanced and became far more affordable. Radio became common place in society and television sets started appearing in the average U.S. household in the early 1950s. With these modern tools the government could transmit their message directly to the people across the country and cut out the middleman — the press. The government no longer exclusively needed the press to get its message out to the masses.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;And since the government could bring their message directly to the people, and the country was in a more stable position, they didn’t necessarily have to always help people sleep at night. In fact, often the opposite was true. Causing some amount of fear actually helped the government further consolidate their power. As a result, the press needed to find a new way to provide value to the system, beyond just message transmission, in order to maintain their survival.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;During this period the press began shifting their value proposition from solely message transmission to &lt;u&gt;telling people how to think about the government’s message&lt;/u&gt;. The press would take the governments message, create a compelling narrative to help people interpret the story, and transmit their product to the masses over the television and radio airwaves. As a product, this method of news packaging and delivery was attractive to people. There had become a significant increase of information to parse from a variety of sources, too much for any one individual to decide what was important to consume. The Ted Koppel’s and Tom Brokaw’s of the television news world became the credible sources of the press and filled a void left by the government to help the country sleep well at night.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;There were a couple of problems the press needed to overcome though. For example, it was not possible for the press to make money with electronically broadcast news in the same way they did with print media. It was not mechanically possible to charge viewers or listeners for news transmitted electronically. The press’s solution was sponsored advertising. News content accompanied by commercials. As such, the more people that watched and listened, and the longer they did so, the more valuable their advertising slots became. Another challenge the press needed to overcome with television and radio was that the physical time available to watch or listen to content was more limited. There is far more space to pack far more content into the pages of a daily newspaper than what’s possible in a couple of hours of daily broadcast news spots.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Collectively, the new advertising-based business model and a limited amount of space for content changed how the press covered the government’s message in two profound ways. First, it shifted the priority away from the transmission and accuracy of the message as their main value proposition in favor of whatever kept people watching and listening. And secondly, the press had to be choosier about what message and narrative filled the available time and what didn’t. Furthermore, the press had to cater more narrowly to a particular demographic with their content than was originally necessary with print. In television and radio, the more the news captures emotions and attention, the better the press does financially.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Fast forward several decades under these conditions and the people begin to clearly see a lot of bias in the press and an agenda. And while bias and agenda are certainly present — how could they NOT be — in this context it’s best not to think the press is taking a principled stand. They’re not. Instead, think of their bias and agenda as simply the press’s way of focusing their product on a particular customer like any business would. The press is drawing a circle around a suitable demographic for their product and value proposition, which again is to both transmit the government’s message and tell people how to think about it in a way that helps to maximize ears and eyeballs. For example, there effectively isn’t a left-wing or right-wing press in a truly principled manner. The exact opposite is true. There are left-wing and right-wing people for whom the press tailor-makes a narrative based on the government’s message that is compelling to them.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;b&gt;&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Phase 3)&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;Helvetica Neue&amp;quot;;&quot;&gt;TL/DR; The press’s value proposition is telling people how to think about the government’s &amp;nbsp;message. The press’s customers are advertisers.&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Enter the Internet in the early 1990s, where transmission of information had become easy and inexpensive for everyone, and not just within the United States, but the entire modern world. The government no longer needed the press to transmit their message to the people at all. The government could transmit directly to the people or the people could go directly to the government. No middleman required. Without anyone needing the press for message transmission, as a business, print media fell off a cliff in under two decades. &lt;u&gt;For survival’s sake, the press had to complete the transition away from transmission of the government’s message as a value proposition to nearly exclusively telling people how to think about it.&lt;/u&gt; That’s all the value they offer, and in doing so message accuracy can be sacrificed whenever necessary. And of course the press’s content is heavily layered with advertisements.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;As it turns out, the best way to attract more viewers for longer is to connect on a deep emotional level. Do whatever you can to rile up your viewers and they’ll continue coming back for more, even share the content forward to others in their social group, where even more ads can be lucratively served. Press outlets such as Fox News, CNN, MSNBC, and more, all across the political spectrum, have strongly adopted this approach. The press outlets that didn’t adapt died. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;As a product, these sources offer people a compelling and packaged way to validate their worldview — and THAT’s what keeps the press ultimately credible and trustworthy in their minds. As evidence, notice how the Ted Koppels and Tom Brokaws of the press have been replaced by Alex Jones, Bill O’Reilly, Keith Olbermann and Don Lemon. Is this change of their starting lineup designed to give viewers access to more accurate news or instead to get people emotionally invested? Even when the press is demonstrably biased, factually incorrect, call it ‘Fake News’ if you like, it’s extremely difficult for people to suddenly distrust the press they decided to loyally watch for so long and find another compelling source. Perception becomes reality and exists long after the occasional and quietly posted retraction.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;b&gt;Phase 4) TL/DR; If via the Internet people once again adopt a direct paid-for news model, the press’s primary value becomes providing people with an individually relevant, timely, and accurate news source of the government’s message.&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Going forward into the future, many feel there is a demand for relevant, timely, and accurate news sources. News that’s devoid of the influences of advertisements and paid for directly by the people. Several press outlets have set up paywalls and the business model is showing signs of success. All people have to do is register an account on a website or mobile application and supply a credit card online to become a subscriber. Another business model is micro-payments, where viewers pay for their content a la carte — by the article. A relatively new web browser named &lt;a href=&quot;https://brave.com/&quot; target=&quot;_blank&quot;&gt;Brave&lt;/a&gt;, which includes ad blocking, offers native push-button micro-payment functionality that supports participating content publishers.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: Helvetica Neue;&quot;&gt;Here’s the thing: If any transition back to directly paid-for news truly starts gaining enough traction to threaten the ad-based model, fierce resistance by the advertising industry is sure to follow. Google and Facebook, which dominate the online advertising industry, alongside many others who make all their billions annually off ‘free’ content, will do everything they can to prevent the transition. Their livelihoods depend on it. Regardless, if it so happens that the paid-for model once again takes hold, many positive externalities may also come with it. Fake news goes away. Click-bait headlines go away. Online spam goes away. Privacy-invading ads go away. All of these shady practices found on the Internet depend wholly on advertisements to function. The adoption of &lt;a href=&quot;https://www.ublock.org/&quot; target=&quot;_blank&quot;&gt;ad blockers&lt;/a&gt;, which now stands at over 20% market share, indicates that people are making a choice, even if they aren’t yet paying for their content. Broad access to new technology is once again causing a shift in the press and how the government communicates its message.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: &amp;quot;Helvetica Neue&amp;quot;; font-size: 11px; font-stretch: normal; line-height: normal;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/2260924740863160757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/2260924740863160757' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/2260924740863160757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/2260924740863160757'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2018/08/evolution-of-press.html' title='Evolution of The Press'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-4593583049839863833</id><published>2018-07-17T17:38:00.002-07:00</published><updated>2018-07-17T17:39:57.622-07:00</updated><title type='text'>The evolutionary waves of the penetration-testing / vulnerability assessment market</title><content type='html'>Over the last two decades the penetration-testing / vulnerability assessment market went through a series of evolutionary waves that went like this…&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;color: #38761d;&quot;&gt;&lt;i&gt;&lt;b&gt;1st Wave&lt;/b&gt;: “You think we have vulnerabilities and want to hire an employee to find them? You’re out of your mind!&quot;&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
The business got over it and InfoSec people were hired for the job.&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;color: #38761d;&quot;&gt;&lt;i&gt;&lt;b&gt;2nd Wave&lt;/b&gt;: &quot;You want us to contract with someone outside the company, a consultant, to come onsite and test our security? You’re out of your mind!&quot;&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
The business got over it and consultant pen-testing took over.&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;color: #38761d;&quot;&gt;&lt;i&gt;&lt;b&gt;3rd Wave&lt;/b&gt;: &quot;You want us to hire a third-party company, a scanning service, to test our security and store the vulnerabilities off-site? You’re out of your mind!&quot;&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
The business got over it and SaaS-based vulnerability assessments took over.&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;color: #38761d;&quot;&gt;&lt;i&gt;&lt;b&gt;4th Wave&lt;/b&gt;: &quot;You want us to allow anyone in the world to test our security, tell us about our vulnerabilities, and then reward them with money? You’re out of your mind!&quot;&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Businesses are getting over it and the crowd-sourcing model is taking over.&lt;br /&gt;
&lt;br /&gt;
The evolution reminds us of how the market for ‘driving’ and ‘drivers’ changed over the last century. People first drove their own cars around, then many hired personal drivers, then came along cars-for-hire services (cabs / limos) with ‘professional’ drivers that you didn’t personally know, and now Uber/Lyft, where you basically jump into some complete stranger’s car. Soon, we’ll jump into self-driving cars without a second thought.&lt;br /&gt;
&lt;br /&gt;
As we see, each new wave doesn&#39;t necessarily replace the last -- it&#39;s additive. Provided there is an economically superior ROI and value proposition, people also typically get over their fears of the unknown and will adopt something new and better. It just takes time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/4593583049839863833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/4593583049839863833' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4593583049839863833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4593583049839863833'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2018/07/the-evolutionary-waves-of-penetration.html' title='The evolutionary waves of the penetration-testing / vulnerability assessment market'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-6377458357795111086</id><published>2018-05-07T11:38:00.000-07:00</published><updated>2018-05-07T11:45:36.891-07:00</updated><title type='text'>All these vulnerabilities, rarely matter.</title><content type='html'>&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;-webkit-text-stroke-width: initial; font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possibly can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are &lt;u&gt;likely&lt;/u&gt; to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what’s happening every day. Let’s begin exploring this with some context:&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Within any Application Security vulnerability statistics report published over the last 10 years, they’ll state that the vast majority of websites contain one or more serious issues — typically dozens. To be clear, we’re NOT talking about websites infected with malvertisements or network-based vulnerabilities that can be trivially found via Shodan and the like. Those are separate problems. I’m talking exclusively about Web application vulnerabilities such as SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, and several dozen more classes. The data shows only half of those reported vulnerabilities ever get fixed, and doing so takes many months. Pair this with &lt;a href=&quot;https://news.netcraft.com/archives/2018/04/26/april-2018-web-server-survey.html&quot; target=&quot;_blank&quot;&gt;Netcraft’s data that states there’s over 1.7B sites on the Web&lt;/a&gt;. Simple multiplication tells us that’s A LOT of vulnerabilities in the ecosystem lying exposed.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;The most interesting and unexplored question to me these days is NOT the sheer size of the vulnerability problem, or why so many issues remain unresolved, but instead figuring out &lt;/span&gt;&lt;span style=&quot;font-kerning: none; text-decoration: underline;&quot;&gt;&lt;b&gt;why all those ‘serious’ website vulnerabilities are NOT exploited. &lt;/b&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Don’t get me wrong, a lot of websites certainly do get exploited, perhaps on the order of millions per year, but it’s certainly not in the realm of tens or even hundreds of millions like the data suggests it could be. And the fact is, for some reason, the vast majority of plainly vulnerable websites with these exact issues remain unexploited for years upon years.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Some possible theories as to why are:&lt;/span&gt;&lt;/div&gt;
&lt;ol&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;These ‘vulnerabilities’ are not really vulnerabilities in the directly exploitable sense.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;The vulnerabilities are too difficult for the majority of attackers to find and exploit.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;The vulnerabilities are only exploitable by insiders.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;There aren’t enough attackers to exploit all or even most of the vulnerabilities.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;There are more attractive targets or exploit vectors for attackers to focus on.&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Other plausible theories?&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;As someone who worked for an Application Security vulnerability assessment vendor for 15+ years, here is something to consider that speaks to theories #1 and #2 above.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;During the typical sales process, ‘free’ competitive bakeoffs with multiple vendors are standard practice. &lt;b&gt;9 out of 10 times, the vendor who produces the best results in terms of high-severity vulnerabilities with low false-positives will win the deal. As such, every vendor is heavily incentivized to identify as many vulnerabilities as they can to demonstrate their skill and overall value. &lt;/b&gt;Predictably then, every little issue will be reported, from the most basic information disclosure issues to the extremely esoteric and difficult to exploit. No vendor wants to be the one who missed or didn’t report something that another vendor did and risk losing a deal. More is always better. As further evidence, ask any customer about the size and fluff of their assessment reports.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Understanding this, the top vulnerability assessment vendors invest millions upon millions of dollars each year in R&amp;amp;D to improve their scanning technology and assessment methodology to uncover every possible issue. And it makes sense because this is primarily how vendors win deals and grow their business.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Before going further, let’s briefly discuss the reason why we do vulnerability assessments in the first place. &lt;b&gt;When it comes to Dynamic Application Security Testing (DAST), specifically testing in production, the whole point is to find and fix vulnerabilities BEFORE an attacker will find and exploit them. &lt;/b&gt;It’s just that simple. And technically, it just takes the exploitation of one vulnerability for the attacker to succeed.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Here’s the thing: &lt;b&gt;if attackers really aren’t finding, exploiting, or even caring about these vulnerabilities, as we can infer from the supplied data — the value in discovering them in the first place becomes questionable. &lt;/b&gt;The application security industry is heavily incentivized to find vulnerabilities that for one reason or another have little chance of actual exploitation. If that’s the case, &lt;b&gt;then all those vulnerabilities that DAST is finding rarely matter much and we’re collectively wasting precious time and resources focusing on them.&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Let’s tackle Static Application Security Testing (SAST) next.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;&lt;b&gt;The primary purpose of SAST is to find vulnerabilities during the software development process BEFORE they land in production where they’ll eventually be found by DAST and/or exploited by attackers.&lt;/b&gt; With this in mind, we must then ask what the overlap is between vulnerabilities found by SAST and DAST. If you ask someone who is an expert in both SAST and DAST, specifically those with experience in this area of vulnerability correlation, they’ll tell you the overlap is around 5-15%. Let’s state that more clearly, &lt;b&gt;somewhere between 5-15% of the vulnerabilities reported by SAST are found by DAST.&lt;/b&gt; And let’s remember, from an I-dont-want-to-be-hacked perspective, DAST or attacker-found vulnerabilities are really the only vulnerabilities that matter. Conceptually, SAST helps find those issues earlier. But, does it really? I challenge anyone, particularly the vendors, to show actual broad field evidence.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Anyway, what then are all those OTHER vulnerabilities that SAST is finding, which DAST / attackers are not?&amp;nbsp; Obviously, it’ll be some combination of theories #1 - #3 above. They’re not really vulnerabilities, they’re too difficult to remotely find/exploit, or attackers don’t care about them. In any case, what’s the real value for the other 85-95% of vulnerabilities reported by SAST? A: Not much. If you want to know why so many reported &#39;vulnerabilities&#39; aren’t fixed, this is your long-winded answer.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;This is also why cyber-insurance firms feel comfortable writing policies all day long, even if they know full well their clients are technically riddled with vulnerabilities, because statistically they know those issues are unlikely to be exploited or lead to claims. That last part is key — claims. &lt;b&gt;Exploitation of a vulnerability does not automatically result in a ‘breach,’ which does not necessarily equate to a ‘material business loss,’ and loss is the only thing the business or their insurance carrier truly cares about. &lt;/b&gt;Many breaches do not result in losses. This is a crucial distinction that many InfoSec pros fail to make — breach versus loss. They are NOT the same thing.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;So far we’ve discussed the misalignment of interests between Application Security vulnerability assessment vendors and their customers. The net result of which is that we’re wasting huge amounts of time, money, and energy finding and fixing vulnerabilities that rarely matter. If so, the first thing we need to do is come up with a better way to prioritize and justify remediation, or not, of the vulnerabilities we already know exist and should care about. Secondly, we must more efficiently invest our resources in the application security &lt;/span&gt;&lt;span style=&quot;font-kerning: none; text-decoration: underline;&quot;&gt;testing&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt; process.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;We’ll begin with the simplest risk formula: probability (of breach, over a fixed period — one year in the examples below) x loss (expected) = risk.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Let’s make up some completely bogus numbers to fill in the variables. In a given website we know there’s a vanilla SQL Injection vulnerability in a non-authenticated portion of the application, which has a 50% likelihood of being exploited over a one-year period. If exploitation results in a material breach, the expected loss is $1,000,000 for incident handling and clean up. Applying our formula:&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;$1,000,000 (expected loss) x 0.5 (probability of breach) = $500,000 (risk)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;In which case, it can be argued that if the SQL injection vulnerability in question costs less than $500,000 to fix, then that’s the reasonable choice. And, the sooner the better. If remediation costs more than $500,000, and I can’t imagine why, then leave it as is. &lt;b&gt;The lesson is that the less a vulnerability costs to fix, the more sense it makes to do so. &lt;/b&gt;Next, let’s change the variables to the other extreme. We’ll cut the expected loss figure in half and reduce the likelihood of breach to 1% over a year.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;$500,000 (expected loss) x 0.01 (probability of breach) = $5,000 (risk)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Now, if remediating the SQL Injection vulnerability costs less than $5,000, it makes sense to fix it. If more, or far more, then one could argue it makes business sense not to. This is the kind of decision that makes the vast majority of information security professionals extremely uncomfortable, and is why they instead like to ask the business to, “accept the risk.” This way their hands are clean, they don’t have to expose their inability to do risk management, and they can safely pull an, “I told you so,” should an incident occur. Stated plainly, &lt;b&gt;if your position is recommending that the business should fix each and every vulnerability immediately regardless of the cost, then you’re really not on the side of the business and you will continue being ignored.&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;What’s needed to enable better decision-making, specifically how to decide which known vulnerabilities to fix or not to fix, is a purpose-built risk matrix specifically for application security. A matrix that takes each vulnerability class, assigns a likelihood of actual exploitation using whatever data is available, and contains an expected loss range. Where things will get far more complicated is that the matrix should take into account the authentication status of the vulnerability, any mitigating controls, the industry, resident data volume and type, insider vs. external threat actor, and a few other things to improve accuracy.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;While never perfect, as risk modeling never is, I’m certain we could begin with something incredibly simple that would far outperform the way we currently do things — HIGH, MEDIUM, LOW (BLEH!). When it comes to vulnerability remediation, how exactly is a business supposed to make good informed decisions about remediation using traffic light signals?&amp;nbsp;&lt;/span&gt;&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;As we’ve seen, and as all previous data indicates, they don’t. Everyone just guesses and 50% of issues go unfixed.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;-webkit-text-stroke-width: initial; font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;-webkit-text-stroke-width: initial; font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;i&gt;InfoSec&#39;s version of the traffic light: This light is green, because in most places where we put this light it makes sense to be green, but we&#39;re not taking into account anything about the current street’s situation, location or traffic patterns. Should you trust that light has your best interest at heart? &amp;nbsp;No. &amp;nbsp;Should you obey it anyway? &amp;nbsp;Yes. Because once you install something like that you end up having to follow it, no matter how stupid it is.&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;Assuming for a moment the aforementioned matrix is created, all of a sudden it fuels the solution to the lack of efficiency in the application security testing process. Since we’ll know exactly what types of vulnerabilities we care about in terms of actual business risk and financial loss, investment can be prioritized to only look for those and ignore all the other worthless junk. Those bulky vulnerability assessment reports would likely dramatically decrease in size and increase in value.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;If we really want to push forward our collective understanding of application security and increase the value of our work, we need to completely change the way we think. We need to connect pools of data. Yes, we need to know what vulnerabilities websites currently have — that matter. We need to know what vulnerabilities various application security testing methodologies actually test for. Then we need to overlap this data set with what vulnerabilities attackers predominantly find and exploit. And finally, within that data set, which exploited vulnerabilities lead to the largest dollar losses.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif; font-kerning: none;&quot;&gt;If we can successfully do that, we’ll increase the remediation rates of the truly important vulnerabilities, decrease breaches AND losses, and more efficiently invest our vulnerability assessment dollars. Or, we can leave the status quo for the next 10 years and have the same conversations in 2028. We have work to do and a choice to make.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot; , &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;
&lt;/span&gt;
&lt;br /&gt;
&lt;div style=&quot;font-stretch: normal; line-height: normal; min-height: 12px;&quot;&gt;
&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/6377458357795111086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/6377458357795111086' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/6377458357795111086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/6377458357795111086'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2018/05/all-these-vulnerabilities-rarely-matter.html' title='All these vulnerabilities, rarely matter.'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-7107186748606235202</id><published>2018-03-27T05:00:00.000-07:00</published><updated>2018-03-27T14:53:28.032-07:00</updated><title type='text'>My next start-up, Bit Discovery</title><content type='html'>&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;b&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTSOPldyv6nRy1Yg5wXxms63oiwfKBHDni67ngeFdowGsQJNicP9M9UKIoVyZe-vvMWCydLpI4qB6PyXdwpO52CjhM0kFNJ8t7kZStDd31cHLs1sQeBTSwvb48i4PC4iTLSiSeiQ/s1600/bitdiscovery_logo.png&quot; imageanchor=&quot;1&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;72&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTSOPldyv6nRy1Yg5wXxms63oiwfKBHDni67ngeFdowGsQJNicP9M9UKIoVyZe-vvMWCydLpI4qB6PyXdwpO52CjhM0kFNJ8t7kZStDd31cHLs1sQeBTSwvb48i4PC4iTLSiSeiQ/s320/bitdiscovery_logo.png&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;b&gt;The biggest and most
important unsolved problem in Information Security, arguably all of IT, is
asset inventory&lt;/b&gt;. Rather, the lack of an up-to-date asset inventory that
includes all websites, servers, databases, desktops, laptops, data, and so on.
Strange as it sounds, the vast majority of organizations with more than even a
handful of websites simply do not know what they are, where they are, what they
do, or who is responsible for them. This is also strange because an asset
inventory is the first step of every security standard and recommended by every
expert.&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;After many
years of research, it turns out the reason why is rather simple: There are
currently no enterprise-grade products, or at least none widely adopted, that
solve this problem. This is important because obviously it’s impossible to
secure what you don’t know you own. And, without an up-to-date asset inventory, the
most basic and reasonable security questions simply can’t be answered:&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;What percentage of our websites have been tested for vulnerabilities?&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Which of our websites have GDPR, PCI-DSS, or other compliance concerns?&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Which of our websites are up-to-date on their patches, or not?&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;An organization has been acquired, what IT assets do they have?&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;As of today, with
&lt;a href=&quot;https://bitdiscovery.com/&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;Bit Discovery&lt;/b&gt;&lt;/a&gt;, all of this is about to change. &lt;a href=&quot;https://bitdiscovery.com/&quot; target=&quot;_blank&quot;&gt;&lt;b&gt;BitDiscovery&lt;/b&gt;&lt;/a&gt; is a website asset inventory solution designed to be lightning fast,
super simple, and incredibly comprehensive. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;While identifying
the websites owned by a particular organization may sound simple at first blush,
let me tell you, it’s not. In fact, asset inventory is probably the most
challenging technical problem I’ve ever worked on in my entire career. As
&lt;a href=&quot;https://twitter.com/RSnake&quot; target=&quot;_blank&quot;&gt;Robert ‘RSnake’ Hansen&lt;/a&gt;, a member of &lt;b&gt;Bit Discovery’s&lt;/b&gt; &lt;a href=&quot;https://bitdiscovery.com/about&quot; target=&quot;_blank&quot;&gt;founding team&lt;/a&gt;, &lt;a href=&quot;https://www.smartphoneexec.com/outsideintel-acquired-by-bit-discovery/&quot; target=&quot;_blank&quot;&gt;describes in glorious detail&lt;/a&gt;, the variety of challenges is absolutely astounding. Just in terms of
cpu, memory, disk, bandwidth, software and scalability in general, we’re
talking about a legitimate big data problem.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Then there are the
challenges that websites may exist on different IP-ranges, domains, hosting
providers, fall under a variety of marketing brands, be managed by various
subsidiaries and partners, be confused by domain typo-squatters and phishing scams,
and may come and go without warning. Historically, finding all of an
organization’s websites has typically been conducted through on-demand scanning seeded
by a domain name or IP-address range. Anyone who has ever tried this model
knows it’s tedious, time consuming (hours, days, etc), and false-positive
and false-negative prone. It became clear that solving the asset inventory
problem required a completely different approach.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;b&gt;Bit Discovery&lt;/b&gt;,
thanks to the acquisition and integration of &lt;a href=&quot;https://www.outsideintel.com/&quot; target=&quot;_blank&quot;&gt;OutsideIntel&lt;/a&gt;, is unique because we
take routine snapshots of the entire Internet, organizing massive amounts of
information (WHOIS, passive DNS, netblock info, port scans, web crawling, etc.),
extract metadata, and distil it down to simple and elegant asset inventory
tracking. As a completely web-based application, this is what gives &lt;b&gt;Bit
Discovery&lt;/b&gt; its incredible speed and comprehensiveness. Instead of waiting days
or weeks for an asset discovery scan to complete, searches take just seconds
or less. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;After years of
hard work and months of private beta product testing with dozens of Fortune 500
companies, we’re finally ready to officially announce &lt;b&gt;Bit Discovery&lt;/b&gt; and just weeks
away from our first full production release. I’m particularly proud and
personally honored to be joined by an absolutely world-class founding team. As
an entrepreneur you couldn’t ask for a better, more experienced, or inspiring
group of people. All of us have worked together for many years on a variety of
projects, and we’re ready for our next adventure! Our vision is that every
organization in the world needs an asset inventory, which includes what we like
to say, “Every. Little. Bit.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;b style=&quot;mso-bidi-font-weight: normal;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Founding Team (5):&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;a href=&quot;https://www.linkedin.com/in/grossmanjeremiah/&quot; target=&quot;_blank&quot;&gt;Jeremiah Grossman&lt;/a&gt;
(CEO)&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;a href=&quot;https://www.linkedin.com/in/roberthansen3/&quot; target=&quot;_blank&quot;&gt;Robert ‘RSnake’ Hansen&lt;/a&gt; (Chief Technology Officer)&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;a href=&quot;https://www.linkedin.com/in/llanagrossman/&quot; target=&quot;_blank&quot;&gt;Llana Grossman&lt;/a&gt;
(Product Management)&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;a href=&quot;https://www.linkedin.com/in/lexarquette/&quot; target=&quot;_blank&quot;&gt;Lex Arquette&lt;/a&gt;
(Head of Engineering)&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&lt;a href=&quot;https://www.linkedin.com/in/heather-konold-b388a020/&quot; target=&quot;_blank&quot;&gt;Heather Konold&lt;/a&gt;
(Chief of Staff)&lt;/span&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;b style=&quot;mso-bidi-font-weight: normal;&quot;&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Investment (&lt;/span&gt;&lt;/b&gt;&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;$2,700,000, led by &lt;a href=&quot;http://www.alignedvc.com/&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;mso-bidi-font-weight: bold;&quot;&gt;Aligned&lt;/span&gt;&amp;nbsp;Partners&lt;/a&gt;)&lt;b style=&quot;mso-bidi-font-weight: normal;&quot;&gt;: &lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;As you can see, our
goals at &lt;b&gt;Bit Discovery&lt;/b&gt; are extremely ambitious and we need strong financial backing
to fully realize them. As part of the company launch, we’re also thrilled to
announce a $2,700,000 early stage round led by Susan
Mason (Managing Partner, &lt;a href=&quot;http://www.alignedvc.com/&quot; target=&quot;_blank&quot;&gt;Aligned&lt;/a&gt;&lt;a href=&quot;http://www.alignedvc.com/&quot; target=&quot;_blank&quot;&gt;&amp;nbsp;Partners&lt;/a&gt;).
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;During our fund
raising process, we interviewed well over a dozen exceptional venture
capital firms, and we were very picky in the process. &lt;span style=&quot;mso-bidi-font-weight: bold;&quot;&gt;Aligned&lt;/span&gt;’s experience, style, and
investment approach matched with us perfectly. Their team specializes in
experienced founding teams who have been-there-and-done-that, who operate
companies in a capital efficient manner, who know their market and customers
well, and where the founders’ and investors’ interests are in alignment. That’s
us and we couldn’t be happier with the partnership.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;And,
as Steve Jobs would say, “one more thing.” Every company can benefit from the
assistance and personal backing by other highly experienced industry professionals.
The funding round includes individual investments by &lt;a href=&quot;https://twitter.com/alexstamos&quot; target=&quot;_blank&quot;&gt;Alex Stamos&lt;/a&gt; (Chief of
Information Security, Facebook), &lt;a href=&quot;https://twitter.com/thedarktangent&quot; target=&quot;_blank&quot;&gt;Jeff Moss&lt;/a&gt; (Founder, Black Hat and Defcon), &lt;a href=&quot;https://twitter.com/manicode&quot; target=&quot;_blank&quot;&gt;Jim Manico&lt;/a&gt; (Founder, Manicode Security), and &lt;a href=&quot;https://www.linkedin.com/in/brianmulveyio/&quot; target=&quot;_blank&quot;&gt;Brian Mulvey&lt;/a&gt; (Managing Partner, PeakSpan
Capital).&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Collectively,
between &lt;b&gt;Bit Discovery’s&lt;/b&gt; founding team and investor group, I’ve never seen or
heard of a more experienced and accomplished team that brings everything
together for a company launch. We have everything we need for a runaway
success story. We have the right team, the right product, the right financial
partners, and we’re at the right time in the market. All we have to do is put in
the work, serve our customers well, and the rest will take care of itself. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;helvetica neue&amp;quot;;&quot;&gt;Finally,
the &lt;b&gt;Bit Discovery&lt;/b&gt; team wants to personally thank all the many people who helped
us along the way and behind the scenes. We sincerely appreciate everyone’s
help. We couldn’t have gotten this far without you. Look out world, we’re ready
to do this!&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;MsoNormal&quot; style=&quot;tab-stops: 260.45pt;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/7107186748606235202/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/7107186748606235202' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7107186748606235202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7107186748606235202'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2018/03/my-next-start-up-bit-discovery.html' title='My next start-up, Bit Discovery'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTSOPldyv6nRy1Yg5wXxms63oiwfKBHDni67ngeFdowGsQJNicP9M9UKIoVyZe-vvMWCydLpI4qB6PyXdwpO52CjhM0kFNJ8t7kZStDd31cHLs1sQeBTSwvb48i4PC4iTLSiSeiQ/s72-c/bitdiscovery_logo.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-8193452800712625202</id><published>2018-03-09T09:00:00.000-08:00</published><updated>2018-03-09T09:20:20.276-08:00</updated><title type='text'>SentinelOne and My New Role </title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;&quot;&gt;
&lt;/div&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyhl4-5L2uwb4grk6q8XA8rY4DDhyphenhyphenrVsr3HuRADI6YO3kb9hqFrZ-tj3I3WO0OV4XG6I0LgfWoayxLfBbqLaSF1tYZQYHr9zXy2RTvdNFvqh4yMwbprh2CKQCWTNAKPW8sXocIw/s1600/orig3041707_SentinelOne_Logo.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;239&quot; data-original-width=&quot;409&quot; height=&quot;116&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyhl4-5L2uwb4grk6q8XA8rY4DDhyphenhyphenrVsr3HuRADI6YO3kb9hqFrZ-tj3I3WO0OV4XG6I0LgfWoayxLfBbqLaSF1tYZQYHr9zXy2RTvdNFvqh4yMwbprh2CKQCWTNAKPW8sXocIw/s200/orig3041707_SentinelOne_Logo.jpg&quot; width=&quot;200&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;http://blog.jeremiahgrossman.com/2016/06/im-joining-fight-against-malware-and.html&quot; target=&quot;_blank&quot;&gt;Two years ago, I joined SentinelOne as Chief of Security Strategy&lt;/a&gt; to help in the fight against malware and ransomware. I’d been following the evolution of ransomware for several years prior, and like a few others, saw that all the ingredients were in place for this area of cyber-crime to explode.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;We knew it was likely that a lot of people were going to get hurt, that significant damage could be inflicted, and something needed to be done. The current anti-malware solutions, even the most popular, were ill-equipped to handle the onslaught. Unfortunately, we weren’t wrong, and that was about the time I was first introduced to &lt;a href=&quot;https://www.sentinelone.com/&quot; target=&quot;_blank&quot;&gt;SentinelOne&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;When I met SentinelOne, it was just a tiny Silicon Valley start-up. It was quickly apparent to me that they had the right team, the right technology, and most importantly – the right vision necessary to make a meaningful difference in the world. SentinelOne is something special, a place poised for greatness, and an opportunity where I knew I could make a personal impact. The time was right for me, so I made the leap! Today, only a short while later, SentinelOne is a major player in endpoint protection with super high aspirations.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Since joining I have had a front row seat to several global ransomware outbreaks including WannaCry, nPetya, and other lesser-known malware events as the SentinelOne team &quot;laid the hardcore smackdown&quot; on all of them. One particularly memorable event was WannaCry launching at the exact moment I was on stage giving a keynote presentation to raise awareness about ransomware. Quite an experience, but also a proud moment as all of our customers remained completely protected. One can&#39;t hope for better than that!&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;On SentinelOne&#39;s behalf, I have had the unique opportunity to participate in the global malware dialog, learn a ton more about the information security industry, continue helping protect hundreds of companies, and something I’m personally proud of: launch the first ever product warranty against ransomware ($1,000,000). I contributed to some cutting-edge research alongside some truly brilliant and passionate people. It’s been a tremendous experience, one which I’m truly thankful for.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;I wish I had all the time in the world to pursue all of my many interests, which, as an entrepreneur, is one of my greatest challenges. For me, it will soon be time to announce and launch my next adventure -- a new startup! I’ll share more details in a few weeks, but it’s something my co-founders and I have been quietly working on for years.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;The best part is that I don’t have to say goodbye to SentinelOne. I’ll be moving into a company advisory role. This way I still get to remain connected, in-the-know and continue helping SentinelOne achieve its full potential.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;For now, a very special thank you to everyone at SentinelOne, especially Tomer Weingarten (Co-Founder, CEO) for leading the charge and allowing me to be a part of the journey.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/8193452800712625202/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/8193452800712625202' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/8193452800712625202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/8193452800712625202'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2018/03/sentinelone-and-my-new-role.html' title='SentinelOne and My New Role '/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyhl4-5L2uwb4grk6q8XA8rY4DDhyphenhyphenrVsr3HuRADI6YO3kb9hqFrZ-tj3I3WO0OV4XG6I0LgfWoayxLfBbqLaSF1tYZQYHr9zXy2RTvdNFvqh4yMwbprh2CKQCWTNAKPW8sXocIw/s72-c/orig3041707_SentinelOne_Logo.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-4754850541714395688</id><published>2017-04-18T14:04:00.001-07:00</published><updated>2017-04-18T14:18:39.841-07:00</updated><title type='text'>The Ad-Tech Industry Must Finally Admit That Their Product (Ads) is Dangerous</title><content type='html'>&lt;div dir=&quot;ltr&quot; style=&quot;line-height: 1.2; margin-bottom: 0pt; margin-top: 
0pt;&quot;&gt;
&lt;span style=&quot;background-color: transparent; color: black; font-family: inherit; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;How would you react if I told you that computer security experts are six times more likely to run only ad-blocking software on their PCs than to run only anti-malware? Would you be surprised? &lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;b id=&quot;docs-internal-guid-871c2f1e-82d8-5be9-a576-cb63a91507a0&quot; style=&quot;font-weight: normal;&quot;&gt;&lt;br /&gt;&lt;/b&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;div dir=&quot;ltr&quot; style=&quot;line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;
&lt;br /&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM-AAgX4-tomuFOoDgkIpjZhvdJi305Z534GDeVOI4X7WkPYfZ3g9QQ8cwAEvLiW9jvpCb3TJlsXCWwhB6mclj5rgmZfieJpodKJrGzBjivv1oBqdeKE1PkIcUn3btcX6HejRinA/s1600/Screen+Shot+2017-04-18+at+1.58.21+PM.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;186&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM-AAgX4-tomuFOoDgkIpjZhvdJi305Z534GDeVOI4X7WkPYfZ3g9QQ8cwAEvLiW9jvpCb3TJlsXCWwhB6mclj5rgmZfieJpodKJrGzBjivv1oBqdeKE1PkIcUn3btcX6HejRinA/s320/Screen+Shot+2017-04-18+at+1.58.21+PM.png&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;That was the &lt;/span&gt;&lt;a href=&quot;https://twitter.com/jeremiahg/status/774048835689512960&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;span style=&quot;background-color: transparent; color: #1155cc; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;result from a Twitter poll&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt; I conducted last year, in which more than 1,000 self-identified computer security experts shared that they are more concerned about ads than malware. 
While social media polls are admittedly unscientific, I’d argue these numbers are actually pretty close to reality, which means that roughly three-out-of-four computer security experts largely view ad-blocking as a more indispensable part of protection than anti-virus software by far. Let that sink in for a moment.&lt;/span&gt;&lt;/span&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiKpW3RNLpz09LaEzQFbrqpwmOmPzcn3GqNGM0Zv6fbTBjr_CojRQX1sJcgDmD6ANdJ30LAFtV-UgeoUv8uF8C02sApcblHBTmc-RBAxbqCoBtACggZTNIRkjIMVcgJdAE5mqVoA/s1600/Screen+Shot+2017-04-18+at+1.58.30+PM.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;/span&gt;&lt;/a&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwUF1URL0xvr8GS5uWKQ3N7ipgKREGOM9ATNuob07Oso-YkQwYpBTnFnjh0JgLok2dGFVobxCn_gf1vaxNIK9mJg_FVSXoyklmQNICdj-GnuFYcGzmUh31BnJ5CBr93CxhZ1sIbw/s1600/CgYRDK0W8AA2hxn.jpg-large.jpeg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div dir=&quot;ltr&quot; style=&quot;line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiKpW3RNLpz09LaEzQFbrqpwmOmPzcn3GqNGM0Zv6fbTBjr_CojRQX1sJcgDmD6ANdJ30LAFtV-UgeoUv8uF8C02sApcblHBTmc-RBAxbqCoBtACggZTNIRkjIMVcgJdAE5mqVoA/s1600/Screen+Shot+2017-04-18+at+1.58.30+PM.png&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;167&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiKpW3RNLpz09LaEzQFbrqpwmOmPzcn3GqNGM0Zv6fbTBjr_CojRQX1sJcgDmD6ANdJ30LAFtV-UgeoUv8uF8C02sApcblHBTmc-RBAxbqCoBtACggZTNIRkjIMVcgJdAE5mqVoA/s320/Screen+Shot+2017-04-18+at+1.58.30+PM.png&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Malvertising, or malicious ads, are hurting people – a lot of people. Anyone who is familiar with the malware problem will tell you that. &lt;/span&gt;&lt;a href=&quot;https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;span style=&quot;background-color: transparent; color: #1155cc; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;As just one example of many&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;, last year ads appeared on the New York Times, BBC, AOL, NFL and other popular websites in a malicious campaign attempting to install “ransomware” on visitors’ computers. 
To put things into context, the chances are better that the average internet user - &lt;/span&gt;&lt;a href=&quot;https://twitter.com/jeremiahg/status/840275529760559104&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;span style=&quot;background-color: transparent; color: #1155cc; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;roughly 99 percent of the population - will be hacked via their own browser than they will by a nation-state&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;. The reason for this? Online ads.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;background-color: transparent; color: black; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;
&lt;span style=&quot;color: black; font-family: inherit; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwUF1URL0xvr8GS5uWKQ3N7ipgKREGOM9ATNuob07Oso-YkQwYpBTnFnjh0JgLok2dGFVobxCn_gf1vaxNIK9mJg_FVSXoyklmQNICdj-GnuFYcGzmUh31BnJ5CBr93CxhZ1sIbw/s1600/CgYRDK0W8AA2hxn.jpg-large.jpeg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;239&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwUF1URL0xvr8GS5uWKQ3N7ipgKREGOM9ATNuob07Oso-YkQwYpBTnFnjh0JgLok2dGFVobxCn_gf1vaxNIK9mJg_FVSXoyklmQNICdj-GnuFYcGzmUh31BnJ5CBr93CxhZ1sIbw/s320/CgYRDK0W8AA2hxn.jpg-large.jpeg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;I understand the business model… really, I do. Publishers rely on their viewers seeing ads because that’s how they make their money. In return they provide all of us with free content and services. If ads are blocked, publishers make less money, and the free content and services dry up. On the other hand, these same ads are one of the leading threats to personal security and privacy. So, what we have here is an online version of a &lt;/span&gt;&lt;a href=&quot;https://en.wikipedia.org/wiki/Mexican_standoff&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-size: 12pt; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Mexican standoff&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;. Neither side is able to proceed without exposing itself to danger.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div dir=&quot;ltr&quot; style=&quot;line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;
&lt;span style=&quot;color: black; font-family: inherit; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;So here we are without many technical options: &amp;nbsp;the only thing internet users can do to protect themselves is to install an ad blocker (&lt;/span&gt;&lt;a href=&quot;https://www.nytimes.com/2017/01/31/technology/ad-blocking-internet.html&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;span style=&quot;color: #1155cc; font-size: 12pt; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;like hundreds of millions of users have already done&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;); and the only thing a publisher can do is to use an ad blocker detector on their website(s). &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;font-family: inherit; font-size: 12pt; white-space: pre-wrap;&quot;&gt;This allows them to decide to block content and/or issue a plea to whitelist their ads. Unfortunately, the technology model for publishers to ‘safely’ include third-party content such as ads into their pages is also lacking. There just isn’t a comprehensive and scalable way to check billions of ads daily to see if they’re safe to distribute – or if the origin of an ad is reputable. &lt;/span&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;color: black; font-size: 12pt; vertical-align: baseline; white-space: pre-wrap;&quot;&gt;Of course, publishers can also supplement or replace advertising revenue streams with a paid-for-content model, hosting &lt;/span&gt;&lt;/span&gt;&lt;span style=&quot;white-space: pre-wrap;&quot;&gt;conferences, asking for donations, and so on.&lt;/span&gt;&lt;/div&gt;
&lt;div dir=&quot;ltr&quot; style=&quot;line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-size: 12pt; white-space: pre-wrap;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit; font-size: 12pt; white-space: pre-wrap;&quot;&gt;Let&#39;s also be very clear— neither the publishers, the advertisers, nor the ad-tech industry that binds everything together takes on any liability for malvertising, infecting a user with malware, or the resultant damage. This also means that they have zero incentive to meaningfully address the problem, and never ever seem to want to talk about the security concerns that make ad blocking an essential security practice. They only want to talk about the money their side is losing, or how to make ads more visually tolerable. But even if ads magically become less obnoxious and less costly in terms of bandwidth, we still have the security problem. Until the advertising technology industry admits that their product - the ads themselves - is simply dangerous, there can be no real resolution.&lt;/span&gt;&lt;/div&gt;
&lt;br /&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/4754850541714395688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/4754850541714395688' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4754850541714395688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4754850541714395688'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2017/04/the-ad-tech-industry-must-finally-admit.html' title='The Ad-Tech Industry Must Finally Admit That Their Product (Ads) is Dangerous'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM-AAgX4-tomuFOoDgkIpjZhvdJi305Z534GDeVOI4X7WkPYfZ3g9QQ8cwAEvLiW9jvpCb3TJlsXCWwhB6mclj5rgmZfieJpodKJrGzBjivv1oBqdeKE1PkIcUn3btcX6HejRinA/s72-c/Screen+Shot+2017-04-18+at+1.58.21+PM.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-563228408864988893</id><published>2017-02-20T21:52:00.001-08:00</published><updated>2017-10-16T12:11:54.817-07:00</updated><title type='text'>InfoSec warranties and guarantees </title><content type='html'>&lt;div style=&quot;background-color: white; border: 0px; margin-bottom: 12px; 
padding: 0px;&quot;&gt;
&lt;span style=&quot;font-family: &amp;quot;segoe ui&amp;quot; , &amp;quot;segoe ui emoji&amp;quot; , &amp;quot;segoe ui symbol&amp;quot; , &amp;quot;lato&amp;quot; , &amp;quot;helvetica neue&amp;quot; , &amp;quot;helvetica&amp;quot; , &amp;quot;arial&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-family: inherit; font-size: 14px;&quot;&gt;This is a living list of InfoSec companies that offer warranties and guarantees on their various products and services. If you know of others that should be on the list, please comment.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;ol&gt;
&lt;li&gt;&lt;span style=&quot;font-family: &amp;quot;segoe ui&amp;quot; , &amp;quot;segoe ui emoji&amp;quot; , &amp;quot;segoe ui symbol&amp;quot; , &amp;quot;lato&amp;quot; , &amp;quot;helvetica neue&amp;quot; , &amp;quot;helvetica&amp;quot; , &amp;quot;arial&amp;quot; , sans-serif;&quot;&gt;&lt;span style=&quot;font-family: inherit; font-size: 14px;&quot;&gt;&lt;a href=&quot;http://blog.cymmetria.com/new-warranty-program-against-advanced-persistent-threats-apts&quot; target=&quot;_blank&quot;&gt;Cymmetria&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.knowbe4.com/ransomware-guarantee&quot; style=&quot;font-family: Arial, Helvetica, sans-serif; font-size: 14px;&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;KnowBe4&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.astechconsulting.com/astech-guarantee&quot; target=&quot;_blank&quot;&gt;AsTech Consulting&lt;/a&gt;&amp;nbsp;(&lt;a href=&quot;https://www.astechconsulting.com/press-release/astech-expands-paragon-security-program-guarantee-against-data-breach-related-costs-to-5-million?utm_content=57425852&quot; target=&quot;_blank&quot;&gt;press release&lt;/a&gt;),&lt;/span&gt;&amp;nbsp;&lt;a href=&quot;https://www.astechconsulting.com/astech-managed-qualys-services&quot; target=&quot;_blank&quot;&gt;Vigilance&lt;/a&gt; / Qualys (&lt;a href=&quot;https://www.astechconsulting.com/astech-vigilance-guaranteed-managed-qualys-services-terms-conditions&quot; target=&quot;_blank&quot;&gt;terms&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.waratek.com/no-false-positive-guarantee/&quot; style=&quot;font-family: Arial, Helvetica, sans-serif; font-size: 14px;&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Waratek&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://sentinelone.com/wp-content/uploads/2016/07/Brochure-Ransomware-Vertical-Online.pdf&quot; style=&quot;font-family: Arial, Helvetica, sans-serif; font-size: 14px;&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;SentinelOne&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.trusona.com/news/2016/5/16/worlds-first-insured-authentication-provides-1m-coverage-per-financial-transaction&quot; style=&quot;font-family: Arial, Helvetica, sans-serif; font-size: 14px;&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Trusona&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.whitehatsec.com/terms-conditions/sentinel-elite-april-28-2015/&quot; style=&quot;font-family: Arial, Helvetica, sans-serif; font-size: 14px;&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;WhiteHat Security&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.symantec.com/content/en/us/about/media/repository/netsure-protection-plan.pdf&quot; style=&quot;font-family: Arial, Helvetica, sans-serif;&quot; target=&quot;_blank&quot;&gt;Symantec&lt;/a&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&amp;nbsp;&amp;amp; &lt;/span&gt;&lt;a href=&quot;https://us.norton.com/how-we-protect-you/money-back-guarantee&quot; style=&quot;font-family: Arial, Helvetica, sans-serif;&quot; target=&quot;_blank&quot;&gt;Norton (money-back)&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mcafee.com/consumer/en-us/store/m0/catalog/mav_512/mcafee-antivirus-plus.html?pkgid=512&quot; style=&quot;font-family: Arial, Helvetica, sans-serif;&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;McAfee (money-back)&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.trustwave.com/Services/Managed-Security/Zero-Malware-Guarantee/&quot; style=&quot;font-family: Arial, Helvetica, sans-serif;&quot; target=&quot;_blank&quot;&gt;Trustwave&lt;/a&gt;&lt;span style=&quot;font-family: &amp;quot;arial&amp;quot; , &amp;quot;helvetica&amp;quot; , sans-serif;&quot;&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;http://www.hipaasecurenow.com/&quot; target=&quot;_blank&quot;&gt;HIPAA Secure Now&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.forcepoint.com/security-service-level-agreement&quot; target=&quot;_blank&quot;&gt;Forcepoint&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.avira.com/en/service-level-agreement&quot; target=&quot;_blank&quot;&gt;Avira&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.proofpoint.com/sites/default/files/30427798_proofpoint_essentials_sla_-_pfpt_august_08152015.pdf&quot; target=&quot;_blank&quot;&gt;Proofpoint&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.digicert.com/docs/agreements/DigiCert_RPA.pdf&quot; target=&quot;_blank&quot;&gt;DigiCert&lt;/a&gt;&amp;nbsp;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://blog.comodo.com/pc-security/was-the-company-that-sold-you-your-network-security-system-confident-enough-in-its-product-to-include-a-5000-guarantee/&quot; target=&quot;_blank&quot;&gt;Comodo&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.armor.com/cyber-warranty/&quot; target=&quot;_blank&quot;&gt;Armor&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.verizondigitalmedia.com/platform/edgecast-cdn/cdn-performance/&quot; target=&quot;_blank&quot;&gt;Verizon (100% uptime SLA)&lt;/a&gt;, &lt;a href=&quot;https://twitter.com/tzaw/status/918613602872918016&quot; target=&quot;_blank&quot;&gt;including DDoS&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/563228408864988893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/563228408864988893' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/563228408864988893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/563228408864988893'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2017/02/infosec-warranties-and-guarantees.html' title='InfoSec warranties and guarantees '/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-1673251183900409606</id><published>2017-02-01T15:58:00.001-08:00</published><updated>2017-02-01T15:58:27.469-08:00</updated><title type='text'>InfoSec Start-up Advising and Product Recommendations</title><content type='html'>&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;As a long-time InfoSec veteran and entrepreneur, I’m often asked by company founders to join their advisory board and lend a hand. Sometimes the founders need someone with experience they can trust to bounce ideas off of, provide guidance on how to scale their business, point out the many pitfalls to avoid, make key introductions, and so on. I’ve been in this advisor role for many years, as well as mentoring more than fifty young businesses over the last five years alone through a startup incubator. Making this contribution has been highly rewarding, both personally and professionally. It leverages the many successes and mistakes I’ve made in my career to help others. Advising and mentoring is something I plan to continue doing for the foreseeable future. The only downside is that due to time constraints, I have to be extremely selective.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;When I come across a hot new start-up, I fully research the company, try out the product, research their target market, meet the management team, speak with a handful of customers, and if I have something useful to offer, only then do I feel comfortable enough to get involved. Oh, another requirement is that none should be competitive with one another. Because I do my homework and have a deep understanding of the information security industry, I’m often asked by colleagues what companies I’d recommend in a particular space or a product to solve a particular enterprise problem. For those interested, below is where I’ve placed my bets and what I’m recommending.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;i&gt;&lt;b&gt;Full Disclosure&lt;/b&gt;: I’ve a financial interest in most of these companies below, but not all of them. And if I don&#39;t have a stake, it doesn&#39;t mean I won&#39;t recommend them -- I can be just as impressed otherwise. I’ve also indicated where I serve in an official advisory capacity.&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;b&gt;&lt;u&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Anti-Bot&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;b&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.funcaptcha.com/about/&quot; target=&quot;_blank&quot;&gt;FunCAPTCHA&lt;/a&gt; (Advisory Board)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;“FunCaptcha is the fastest and most effective way to protect your website from spam and abuse. We stop billions of spammers every year for clever brands that monetize their registrations and content.”&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;b&gt;&lt;u&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Anti-Virus / Endpoint Protection (Enterprise)&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://sentinelone.com/&quot; target=&quot;_blank&quot;&gt;SentinelOne&lt;/a&gt; (Employed)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;SentinelOne unifies endpoint threat prevention, detection and response in a single platform driven by sophisticated machine learning and intelligent automation. With SentinelOne, organizations can detect malicious behavior across multiple vectors, rapidly eliminate threats with fully-automated, integrated response capabilities, and adapt their defenses against the most advanced cyber attacks.&quot;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;b&gt;&lt;u&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Bug Bounty / Security Crowd-Sourcing&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://bugcrowd.com/&quot; target=&quot;_blank&quot;&gt;Bugcrowd&lt;/a&gt;&amp;nbsp;(Advisory Board)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of tens of thousands security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd’s proprietary vulnerability disclosure platform is deployed by Tesla, Pinterest, Western Union, Fitbit and many others.&quot;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;b&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Website Vulnerability Assessment&amp;nbsp;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.whitehatsec.com/&quot; target=&quot;_blank&quot;&gt;WhiteHat Security&lt;/a&gt; (Founder)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;WhiteHat Security is the leading provider of website risk management solutions.&amp;nbsp;&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;Sentinel, WhiteHat&#39;s flagship product, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership.&quot;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;b&gt;&lt;u&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Security Risk and Vulnerability Intelligence&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.kennasecurity.com/&quot; target=&quot;_blank&quot;&gt;Kenna Security&lt;/a&gt;&amp;nbsp;(Advisory Board)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;Kenna is a software-as-a-service Risk and Vulnerability Intelligence platform that accurately measures risk and prioritizes remediation efforts before an attacker can exploit an organization’s weaknesses. Kenna automates the correlation of vulnerability data, threat data, and 0-day data, analyzing security vulnerabilities against active Internet breaches so that InfoSec teams can prioritize remediations and report on their overall risk posture.&quot;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;b&gt;&lt;u&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Security-in-the-SDLC / Security Requirements&amp;nbsp;&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;https://www.securitycompass.com/sdelements/&quot; target=&quot;_blank&quot;&gt;SD Elements&lt;/a&gt;&amp;nbsp;(Advisory Board)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;SD Elements automates software security requirements based on your project’s technology, business and compliance drivers. SD Elements eliminates security vulnerabilities in the most cost effective way, before scanning begins.&quot;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div style=&quot;line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;b&gt;&lt;u&gt;&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;AppSec&amp;nbsp;&lt;/span&gt;Vulnerability&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;&amp;nbsp;Remediation&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;a href=&quot;https://www.astechconsulting.com/&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;AsTech Consulting&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;AsTech Consulting is a security consulting company which helps clients understand their risks and what to do about them.  As independent security specialists, we employ very experienced security professionals, more than half of which have over 15 years of relevant experience.&quot;
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;b&gt;&lt;u&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Runtime Application Self-Protection (RASP)&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;background-color: white; color: #333333; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;a href=&quot;https://www.prevoty.com/&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Prevoty&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;background-color: white; color: #333333; font-variant-ligatures: normal; orphans: 2; white-space: pre-wrap; widows: 2;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;Prevoty provides a new RASP (runtime application self-protection) capability, enabling applications to protect themselves. Unlike traditional security approaches that try to defend against hackers at the network layer, Prevoty works inside the application itself and the analysis engine is smart enough to actively prevent anything malicious from executing. &quot;
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;u&gt;&lt;b&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Browser Security &amp;amp; Privacy&lt;/span&gt;&lt;/b&gt;&lt;/u&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;a href=&quot;https://www.brave.com/&quot; target=&quot;_blank&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;Brave&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;-webkit-text-stroke-width: initial;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&quot;We have a mission to save the web by increasing browsing speed and safety for users, while growing ad revenue share for content creators.&quot;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/1673251183900409606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/1673251183900409606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/1673251183900409606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/1673251183900409606'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2017/02/infosec-start-up-advising-and-product.html' title='InfoSec Start-up Advising and Product Recommendations'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-7587367622224853168</id><published>2016-10-20T12:12:00.003-07:00</published><updated>2016-10-20T12:14:07.729-07:00</updated><title type='text'>What keeps me in the security industry</title><content type='html'>&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
It’s common for long-time information security experts like myself to be asked what keeps us in the security industry. Some say it’s a good stable job that nicely pays the bills. Others find the work interesting and enjoy the constant intellectual challenge. Some like the people, the community, the culture, and the exchange of ideas. Of course for many, it may be some combination of all these things. For myself, while each of the above plays a part, I must admit those haven’t been my core reasons to stay on for a long time now.&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
Like I’ve said many times in the past, the Internet is the single greatest invention we’re likely to witness in our lifetime. The Internet is a place that now connects over 2 billion people. The Internet is how we communicate and keep up with friends and family. It’s where we shop. It’s how we learn about ourselves and the world. It’s where we bank and pay bills. It’s what entertains us and how we get from place to place. It’s how we better ourselves. Entire economies are now dependent on the Internet. If you think about it, we’re often more open and honest about our most intimate secrets with the Google search box than with any of our closest confidants. There is not a single person among us, or perhaps anyone we know, that won’t be online today. Something this important, this vital to the world and to humanity, must be protected. The Internet.&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
The time each of us has in this life is limited and far too short. Every day is a gift. And in that time few people ever get an opportunity to be a part of something greater than themselves. A chance to make an impact and to do something that truly matters. Internet security matters. So for me, to play even a small part in helping to protect the Internet and the billions of people connected to it feels like a good way to spend one’s lifetime. That’s why I’m still here.&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; line-height: normal;&quot;&gt;
In the immortal words of Dan Geer, “There is never enough time. Thank you for yours.”&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/7587367622224853168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/7587367622224853168' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7587367622224853168'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7587367622224853168'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/10/what-keeps-me-in-security-industry.html' title='What keeps me in the security industry'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-82909076058889441</id><published>2016-06-06T15:13:00.001-07:00</published><updated>2016-06-06T15:36:08.674-07:00</updated><title type='text'>I&#39;m joining the fight against malware and ransomware with SentinelOne</title><content type='html'>&lt;span style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;http://www.reuters.com/article/us-sentinelone-grossman-idUSKCN0YS0WW&quot; target=&quot;_blank&quot;&gt;Today&lt;/a&gt; &lt;a href=&quot;http://www.securityweek.com/whitehat-founder-jeremiah-grossman-joins-sentinelone&quot; 
target=&quot;_blank&quot;&gt;is a big&lt;/a&gt; &lt;a href=&quot;http://www.internetnews.com/blog/skerner/famed-whitehat-security-founder-joins-sentinelone.html&quot; target=&quot;_blank&quot;&gt;day for&lt;/a&gt; &lt;a href=&quot;http://solutionsreview.com/endpoint-security/sentinelone-hires-whitehat-founder-jeremiah-grossman-as-chief-of-security-strategy/&quot; target=&quot;_blank&quot;&gt;me&lt;/a&gt;. I’m contributing to a company called &lt;a href=&quot;https://sentinelone.com/&quot; target=&quot;_blank&quot;&gt;SentinelOne&lt;/a&gt;, but I really don’t think of it as a job. I’ve accepted an opportunity to work side by side with other brilliant and highly motivated people where we’re all helping to solve important and challenging InfoSec problems. In this case, malware and ransomware. You see, more than anything, I want to make a positive impact on InfoSec. As I’ve said many times, we who work in InfoSec are responsible for protecting the greatest invention we’ll see in our lifetime — the Web, the Internet, and the billions of people using it every day. That’s our mission, our calling. As such, I’ve always kept an evolving list of our industry’s biggest challenges, which I include in most of my slide decks.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;ol&gt;
&lt;li style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Intersection of security guarantees and cyber-insurance&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Explosion of Ransomware&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Vulnerability remediation&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Industry skill shortage&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Measuring the impact of SDLC security controls&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;The only problem on the list I haven’t gotten the chance to work on is ransomware, an incredibly effective and fast-growing form of malware that’s taking over. I’ve long railed hard about the crap antivirus products on the market and the billions of dollars people and companies spend annually to effectively make themselves less secure. Yes, that’s right, I said LESS secure. The &lt;a href=&quot;http://www.latimes.com/nation/la-na-0407-cyber-hospital-20160407-story.html&quot; target=&quot;_blank&quot;&gt;FBI recently published that ransomware&lt;/a&gt; victims paid out $209 million in Q1 2016 compared to $24 million for ALL of 2015. Some non-trivial percentage of those ransom dollars will be used for R&amp;amp;D, so the smart money says ransomware will quickly get even more sophisticated and out of hand. And to that point, in recent and well publicized news, ransomware is also responsible for disrupting the care of patients in a few hospitals. This can’t be allowed — lives are at risk!&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;a href=&quot;http://blog.jeremiahgrossman.com/2016/03/my-last-days-at-whitehat-and-setting.html&quot; target=&quot;_blank&quot;&gt;In my life after WhiteHat&lt;/a&gt;, I looked at a ton of companies and interesting opportunities where I could lend a helping hand, of which there was no shortage. My inbox was crushed with many worthy projects, but I knew I had to choose wisely. Then out pops a company with some super cool tech that few have heard of: SentinelOne. SentinelOne is right smack in the middle of the malware/ransomware war, in what Gartner calls next-generation endpoint protection (NG EPP). I met with the founders, the team, all super cool and passionate people. A real gem of a start-up. I felt strongly that I needed to join this fight. Plus, I’ll be working on some exciting stuff behind the scenes that I can’t wait to share with the world. Good things take time, so please, stand by!&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/82909076058889441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/82909076058889441' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/82909076058889441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/82909076058889441'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/06/im-joining-fight-against-malware-and.html' title='I&#39;m joining the fight against malware and ransomware with SentinelOne'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-1053110133398552464</id><published>2016-05-23T13:59:00.002-07:00</published><updated>2016-05-23T14:02:08.044-07:00</updated><title type='text'>Life is Better without Username Reuse (email aliases FTW!)</title><content type='html'>&lt;div style=&quot;line-height: normal;&quot;&gt;
Facebook, LinkedIn, Amazon, PayPal, Yahoo, Google. We keep accounts with many of these websites. They and many others use email addresses as the first half of the classic username and password combo. They do this because email addresses are unique and double as a reasonably secure communication channel with the user. And of course we often sign up for things online to receive information by entering our email address. All this email address sharing, while technically there is nothing wrong with it, unfortunately causes several highly annoying problems. These problems can be solved, or at least made far easier to deal with, by leveraging email address aliases. An email alias is where you create one or more email addresses that all deliver to the same account, vaguely similar to desktop folder shortcuts.&lt;br /&gt;
&lt;br /&gt;
With email address sharing / username reuse, by far the biggest problem we run into is spam. And the more we share and reuse our email addresses across systems, the bigger the spam problem becomes. Sometimes websites sell our email addresses. Other times they share them with third-party business partners, and from time to time they get leaked in a data breach. Whatever the case, once an email address is out there, it’s out there. No taking it back, and no amount of opting out of mailing lists will help. I know. I’ve tried.&lt;br /&gt;
&lt;br /&gt;
There are other problems too. Anyone who knows your email address can easily determine what systems you’re using (i.e. a sign-up form that replies “This email address is already registered.”). This is not only a privacy issue, but a potential security issue, as it makes it easier to target your account via brute force, phishing, password recovery hacks, etc. And of course when you have several online accounts, you’re constantly notified via email, which explodes your inbox. Creating rules in your email app using strings in the subject or content body helps, but doing so isn’t easy and is never comprehensive. When all these problems are tied to your main email address, there is no escape. You can’t easily kill or change your main email address because all your friends, family, and business contacts use it too.&lt;br /&gt;
&lt;br /&gt;
My solution to these problems, which has been working great, is using email address aliases based on a custom domain name. For example, my personal domain is jeremiahgrossman.com. So as an example, I create a new email alias that’s just for Facebook, like fb@jeremiahgrossman.com. Or on Paypal it would be pp@jeremiahgrossman.com. You can technically use any email alias for this purpose, even a random one. When email is sent to these aliases they automatically forward to my main email address. I never reuse these email address aliases for anything other than their intended use, and never use my main email address to register for anything if I can help it.&lt;br /&gt;
&lt;br /&gt;
It does cost a few bucks to pay for a domain name and email hosting, but it ain’t much these days and the value is WAY worth it. When things are set up this way, I can be reasonably sure that any email to these aliases, that is supposedly from them, is legit and not a phishing scam because no one else knows the email address / username I used. And since the particular website is only using the email address alias I gave them, inbox rules are way easier.&lt;br /&gt;
&lt;br /&gt;
Then if the email address is leaked, gets spammed out, or whatever, I can just kill it off, create another, and change the account email address / username. The up front work is a little tedious, but again, worth it. And the best part, when you have your own domain name, email aliases are essentially free — I’ve about 100 now. And there is no reason you can’t use any old crap domain name either.&lt;br /&gt;
&lt;br /&gt;
Good luck!&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/1053110133398552464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/1053110133398552464' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/1053110133398552464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/1053110133398552464'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/05/life-is-better-without-username-reuse.html' title='Life is Better without Username Reuse (email aliases FTW!)'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-7303489062770230673</id><published>2016-05-18T11:20:00.002-07:00</published><updated>2016-05-18T11:22:14.789-07:00</updated><title type='text'>Millions experience serious computer security problems and have no one to call for help</title><content type='html'>&lt;div class=&quot;Body&quot;&gt;
A couple times a week, people I may or may not know reach out to
me for help because they’re experiencing some kind of computer security
catastrophe. Sometimes the situation is serious, other times not. They might be
dealing with an online bank account takeover, online scam, data breach, malware
infection, identity theft, and the list goes on and on from there. Whatever the
circumstance, a great many people often find themselves thrust into the deep
end of this technology driven world, without the know-how to solve the problem
on their own, and no one to call for help. These experiences are especially
painful for the elderly and small-business owners, whose livelihoods are
disrupted, and the stress takes a toll on them. Personally, I hate it when good
people get taken advantage of.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
In the most recent case, I was introduced to the founder of a TV
and movie production company through a mutual friend. They explained that
someone is messing with their website and actively using their company name to
scam their business contacts. They said ‘hacked,’ but that could mean anything
these days. The situation was causing them real brand damage, and with over a
dozen show titles to their credit, the business impact is severe. Even over the
impersonal medium of email, you could sense a deep feeling of helplessness and
desperation. As you might expect, I tend to keep myself happily occupied with
family, work, and martial arts and don’t have a lot of time to spare for things
like this. But, this plea originated from a good friend, the victim didn’t have
anyone else to turn to, and helping out felt like the right thing to do.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
After taking a call and exchanging a few emails, I got the real
story. Someone, a scammer, registered an incredibly similar domain name to the
legitimate one used by the production company. The fake domain name was being
used to create a clone of the real website. The scammer then subtly changed the
names and photos of the staff and updated the contact information so that any
incoming communication would instead go to them. Through email, phone calls, or
search results visitors would be contacted by the scammer, who pretended to be with
the production company, and would proceed to con their victims out of money.
This is a simple, inexpensive, and effective scam that could happen to
basically anyone – and it does.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
The near-term plan was to get the scam website taken down.
Long-term, try to take ownership over the look-a-like domain name. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
To start, the first thing I needed to know is who owns the
offending domain name. A quick WHOIS lookup revealed the registrar is GoDaddy,
but the domain owner itself was masked by Domains By Proxy, a popular service
for those wishing to preserve their online privacy. I often use this service myself!
This means without going through a legal process, obtaining the real domain
owner information isn’t going to happen. Still, in the event the production
company would like to try and get ownership over the domain using ICANN’s dispute process and
trademark law, they have the registrar info to further that process. Next, I
needed to identify where the website is being hosted. The ‘dig’ command easily
gets me the IP address of the cloned website and an ARIN lookup tells me who
the IP address belongs to — the name of the hosting provider. For those curious,
collectively performing these tasks took me far less time than writing this
paragraph.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
Let’s pause our story for a moment to consider the technical
knowledge required to get this far, which includes a set of skills many techies
take for granted and forget that the vast majority of people simply don’t have.
Few people can explain what a domain name is, have any idea what a domain
registrar or an IP address is, what’s WHOIS, or even ICANN. They’ve certainly
never heard of ARIN, and only a vague familiarity with hosting providers for
that matter. And thus far, we’ve only collected purely public&lt;span lang=&quot;FR&quot; style=&quot;mso-ansi-language: FR;&quot;&gt; information &lt;/span&gt;and in doing so reached a
point that most can’t get to on their own. Techies should empathize and
exercise patience with those not nearly as literate in how the Internet works
as we are. Anyway, back to our story.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
Now that we’ve learned who the hosting provider is, I helped the
production company founder draft an email to send that concisely explains the
problem and what we’d like the action to be. Take down the website! Their
website nicely listed the abuse@ email address and I pressed send on the
message. I figured it could be a while for them to get back to us, and in the
meantime decided to take a close look at the scammer’s website.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
Using every web hacker’s best friend, view-source, I skimmed the
underlying code of the website. Maybe the scammer left clues as to their
identity, tools they used to clone the website, or whatever. In less than 60
seconds, I immediately spotted something very interesting. While the HTML of
the page is hosted locally, all the CSS, images, and most importantly, the
Javascript is being SRC’ed in from the real website! As you’ll see in a moment,
this was a major oversight on the scammer’s part. Are you thinking what I’m thinking?
We’ll see. :)&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot; style=&quot;margin-left: .25in; mso-list: l0 level1 lfo2; text-indent: -.25in;&quot;&gt;
&lt;!--[if !supportLists]--&gt;&lt;span style=&quot;mso-bidi-font-family: Helvetica; mso-fareast-font-family: Helvetica; mso-hansi-font-family: &amp;quot;Arial Unicode MS&amp;quot;;&quot;&gt;&lt;span style=&quot;mso-list: Ignore;&quot;&gt;1)&lt;span style=&quot;font: 7.0pt &amp;quot;Times New Roman&amp;quot;;&quot;&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;In
the logs of the real website, we should be able to ascertain who and how many
people visited the scammers website. Because every time someone visits one of
his web pages, their browser automatically pulls in the aforementioned third-party
content from something we control. This means the visitor’s IP address is
logged, as is what web page they are currently looking at — called the referer.
And yes, this is intentionally misspelled and a throwback to Internet
antiquity. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot; style=&quot;margin-left: .25in; mso-list: l0 level1 lfo2; text-indent: -.25in;&quot;&gt;
&lt;!--[if !supportLists]--&gt;&lt;span style=&quot;mso-bidi-font-family: Helvetica; mso-fareast-font-family: Helvetica; mso-hansi-font-family: &amp;quot;Arial Unicode MS&amp;quot;;&quot;&gt;&lt;span style=&quot;mso-list: Ignore;&quot;&gt;2)&lt;span style=&quot;font: 7.0pt &amp;quot;Times New Roman&amp;quot;;&quot;&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;If
we have the visitors’ IP address information, it’s quite likely we also have the
scammer’s too! Provided they didn’t mask that as well. And if they did, that’s a
useful bit of information as well. Either way, their IP address is probably the
first one we see in the logs when the referer of the fake website appeared.
If we decide to go after the bad guy directly, we at least have something to
begin tracking them down with. Subpoenaing the hosting provider or Domains By
Proxy is of course another possible course of action, but we’ll see about that
path later.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot; style=&quot;margin-left: .25in; mso-list: l0 level1 lfo2; text-indent: -.25in;&quot;&gt;
&lt;!--[if !supportLists]--&gt;&lt;span style=&quot;mso-bidi-font-family: Helvetica; mso-fareast-font-family: Helvetica; mso-hansi-font-family: &amp;quot;Arial Unicode MS&amp;quot;;&quot;&gt;&lt;span style=&quot;mso-list: Ignore;&quot;&gt;3)&lt;span style=&quot;font: 7.0pt &amp;quot;Times New Roman&amp;quot;;&quot;&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;This
is the big one. Any web hacker would have quickly theorized that we can
probably modify the javascript on the real website, which again is called by
the fake website, to at least temporarily redirect its visitors. And, that’s
exactly what we did! A quick 3-line block of code did just the trick!&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;blockquote class=&quot;tr_bq&quot;&gt;
&lt;span style=&quot;color: #38761d;&quot;&gt;if (window.location.host != ‘&amp;lt;&lt;a href=&quot;http://real-website.com/&quot;&gt;&lt;span class=&quot;Hyperlink0&quot;&gt;real-website.com&lt;/span&gt;&lt;/a&gt;&amp;gt;&#39;) {&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; window.location = ‘&amp;lt;&lt;a href=&quot;http://real-website.com/&quot;&gt;&lt;span class=&quot;Hyperlink0&quot;&gt;real-website.com&lt;/span&gt;&lt;/a&gt;&amp;gt;’;&lt;br /&gt;}&lt;br /&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/blockquote&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
At this moment, we got the production company and visitors of the
scammer’s website some immediate relief. That is until the bad guy notices what
we did and updates their website code, which is trivial to do. Next I ask the
domain registrar (GoDaddy) about the process for taking ownership over &lt;span lang=&quot;FR&quot; style=&quot;mso-ansi-language: FR;&quot;&gt;domain&lt;/span&gt; names that are designed for
abuse. They pointed us towards ICANN’s trademark dispute policy and suggested
we consult with a lawyer experienced in such legal measures. I then advised the
founder to seriously consider going down this route.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
A couple days go by, and while we wait for the hosting provider
to respond, we notice the aforementioned redirect stopped working. As expected,
the scammer caught on and fixed their code so that all the web page files now
point locally. Drat! What we did learn is the scammer is sentient, responsive,
and persistent. He didn’t care so much that we were onto his little &lt;span lang=&quot;IT&quot; style=&quot;mso-ansi-language: IT;&quot;&gt;game.&lt;/span&gt;&lt;span lang=&quot;IT&quot;&gt; &lt;/span&gt;Interesting.
Such brazenness indicated that the scammer is probably outside the US
jurisdiction – or optionally just stupid. Then like magic on the same exact
day, and the timing could not have been better, the hosting provider informs us
that they completed their investigation and disabled the scammer’s website.
Success! &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
For now, my work is done and the production company founder profusely
expressed their thanks. This was a good feeling. However, that doesn’t
necessarily mean this is the end of our little story, or that it will be a happy
one. After all, this is the security of the web we’re talking about, and
plainly said, it’s fundamentally broken. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
You see, the scammer can easily set up shop with a new hosting
provider and start the identical scam all over again and there is absolutely
nothing anyone can do to prevent that. There is no good way to help visitors
tell the difference between the real website and the fake one. And even if we
use ICANN’s process to take ownership over the domain name, the scammer could
easily just register another suitable look-a-like domain in no time flat and
we’re back at it all over again. This problem is never ending and there really
is no good way to solve it once and for all. A website owner’s only option is
to wait for something bad to happen, give me or someone else with the right
skills a call for help, and proceed similarly.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
What I can do is actively monitor the illegitimate domain name
to see when and if its IP address changes. If it does, this would indicate
that the scammer is moving hosting providers. It took a couple weeks, and
that’s exactly what appears to be happening right now. Grr. This kind of
thing happens every day, to who knows how many people, and honestly I’m not
sure what the answer is. One thing I do know, the world needs the help of a lot
more good computer security people. Join in!&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
 &lt;o:DocumentProperties&gt;
  &lt;o:Revision&gt;0&lt;/o:Revision&gt;
  &lt;o:TotalTime&gt;0&lt;/o:TotalTime&gt;
  &lt;o:Pages&gt;1&lt;/o:Pages&gt;
  &lt;o:Words&gt;1415&lt;/o:Words&gt;
  &lt;o:Characters&gt;8069&lt;/o:Characters&gt;
  &lt;o:Company&gt;WhiteHat Security&lt;/o:Company&gt;
  &lt;o:Lines&gt;67&lt;/o:Lines&gt;
  &lt;o:Paragraphs&gt;18&lt;/o:Paragraphs&gt;
  &lt;o:CharactersWithSpaces&gt;9466&lt;/o:CharactersWithSpaces&gt;
  &lt;o:Version&gt;14.0&lt;/o:Version&gt;
 &lt;/o:DocumentProperties&gt;
&lt;/xml&gt;&lt;![endif]--&gt;

&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
 &lt;w:WordDocument&gt;
  &lt;w:View&gt;Normal&lt;/w:View&gt;
  &lt;w:Zoom&gt;0&lt;/w:Zoom&gt;
  &lt;w:TrackMoves/&gt;
  &lt;w:TrackFormatting/&gt;
  &lt;w:PunctuationKerning/&gt;
  &lt;w:ValidateAgainstSchemas/&gt;
  &lt;w:SaveIfXMLInvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;
  &lt;w:IgnoreMixedContent&gt;false&lt;/w:IgnoreMixedContent&gt;
  &lt;w:AlwaysShowPlaceholderText&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;
  &lt;w:DoNotPromoteQF/&gt;
  &lt;w:LidThemeOther&gt;EN-US&lt;/w:LidThemeOther&gt;
  &lt;w:LidThemeAsian&gt;JA&lt;/w:LidThemeAsian&gt;
  &lt;w:LidThemeComplexScript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;
  &lt;w:Compatibility&gt;
   &lt;w:BreakWrappedTables/&gt;
   &lt;w:SnapToGridInCell/&gt;
   &lt;w:WrapTextWithPunct/&gt;
   &lt;w:UseAsianBreakRules/&gt;
   &lt;w:DontGrowAutofit/&gt;
   &lt;w:SplitPgBreakAndParaMark/&gt;
   &lt;w:EnableOpenTypeKerning/&gt;
   &lt;w:DontFlipMirrorIndents/&gt;
   &lt;w:OverrideTableStyleHps/&gt;
  &lt;/w:Compatibility&gt;
  &lt;m:mathPr&gt;
   &lt;m:mathFont m:val=&quot;Cambria Math&quot;/&gt;
   &lt;m:brkBin m:val=&quot;before&quot;/&gt;
   &lt;m:brkBinSub m:val=&quot;--&quot;/&gt;
   &lt;m:smallFrac m:val=&quot;off&quot;/&gt;
   &lt;m:dispDef/&gt;
   &lt;m:lMargin m:val=&quot;0&quot;/&gt;
   &lt;m:rMargin m:val=&quot;0&quot;/&gt;
   &lt;m:defJc m:val=&quot;centerGroup&quot;/&gt;
   &lt;m:wrapIndent m:val=&quot;1440&quot;/&gt;
   &lt;m:intLim m:val=&quot;subSup&quot;/&gt;
   &lt;m:naryLim m:val=&quot;undOvr&quot;/&gt;
  &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt;
&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
 &lt;w:LatentStyles DefLockedState=&quot;false&quot; DefUnhideWhenUsed=&quot;true&quot;
  DefSemiHidden=&quot;true&quot; DefQFormat=&quot;false&quot; DefPriority=&quot;99&quot;
  LatentStyleCount=&quot;276&quot;&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;0&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Normal&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;heading 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 7&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 8&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;9&quot; QFormat=&quot;true&quot; Name=&quot;heading 9&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 7&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 8&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; Name=&quot;toc 9&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;35&quot; QFormat=&quot;true&quot; Name=&quot;caption&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;10&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Title&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;1&quot; Name=&quot;Default Paragraph Font&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;11&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Subtitle&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;22&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Strong&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;20&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Emphasis&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;59&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Table Grid&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; UnhideWhenUsed=&quot;false&quot; Name=&quot;Placeholder Text&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;1&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;No Spacing&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; UnhideWhenUsed=&quot;false&quot; Name=&quot;Revision&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;34&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;List Paragraph&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;29&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Quote&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;30&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Intense Quote&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3 Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid Accent 1&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3 Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid Accent 2&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3 Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid Accent 3&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3 Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid Accent 4&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3 Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid Accent 5&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;60&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Shading Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;61&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light List Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;62&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Light Grid Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;63&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 1 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;64&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Shading 2 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;65&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 1 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;66&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium List 2 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;67&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 1 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;68&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 2 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;69&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Medium Grid 3 Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;70&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Dark List Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;71&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Shading Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;72&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful List Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;73&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; Name=&quot;Colorful Grid Accent 6&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;19&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Subtle Emphasis&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;21&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Intense Emphasis&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;31&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Subtle Reference&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;32&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Intense Reference&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;33&quot; SemiHidden=&quot;false&quot;
   UnhideWhenUsed=&quot;false&quot; QFormat=&quot;true&quot; Name=&quot;Book Title&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;37&quot; Name=&quot;Bibliography&quot;/&gt;
  &lt;w:LsdException Locked=&quot;false&quot; Priority=&quot;39&quot; QFormat=&quot;true&quot; Name=&quot;TOC Heading&quot;/&gt;
 &lt;/w:LatentStyles&gt;
&lt;/xml&gt;&lt;![endif]--&gt;

&lt;!--[if gte mso 10]&gt;
&lt;style&gt;
 /* Style Definitions */
table.MsoNormalTable
 {mso-style-name:&quot;Table Normal&quot;;
 mso-tstyle-rowband-size:0;
 mso-tstyle-colband-size:0;
 mso-style-noshow:yes;
 mso-style-priority:99;
 mso-style-parent:&quot;&quot;;
 mso-padding-alt:0in 5.4pt 0in 5.4pt;
 mso-para-margin:0in;
 mso-para-margin-bottom:.0001pt;
 mso-pagination:widow-orphan;
 font-size:10.0pt;
 font-family:&quot;Times New Roman&quot;;
 border:none;}
&lt;/style&gt;
&lt;![endif]--&gt;



&lt;!--StartFragment--&gt;











































































&lt;!--EndFragment--&gt;&lt;br /&gt;
&lt;div class=&quot;Body&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/7303489062770230673/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/7303489062770230673' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7303489062770230673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7303489062770230673'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/05/millions-have-computer-security.html' title='Millions experience serious computer security problems and have no one to call for help'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-8347514571328224051</id><published>2016-05-17T10:39:00.000-07:00</published><updated>2016-05-17T10:41:02.192-07:00</updated><title type='text'>7 Tips to Get the Absolute Best Price from Security Vendors</title><content type='html'>Security budgets are always extremely tight, so it’s smart to get the absolute best price possible from your security vendors. Never ever pay full price, or even take the first quote vendors give you. That price just sets the stage and it’s best to think of it as the ‘dummy price,’ so don’t pay it! 
I’ve spent nearly two decades sitting at the price negotiation table in the security industry and seen all manner of techniques customers use successfully to win discounts, and more people should use them. Customers, even small ones, can exercise a ton of leverage over their security vendors if they only knew how. And, more often than not, vendors themselves don’t really mind. It signals that a deal is likely to be made and to a vendor, that’s what’s most important.&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
While it’s common for large companies to have negotiations handled by a separate department, typically called ‘Procurement,’ many leave the responsibility to whomever is actually making the purchase. In either case, security practitioners can personally say, do, and offer things the procurement department can’t to help obtain the best possible price. Remember, security product margins can range anywhere from 40-60% or even higher. I’ve seen discounts well over 50% of the originally quoted price. Some vendors will even take a loss to win your business, depending on the size of your brand and the reference you’ll provide.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;blockquote class=&quot;tr_bq&quot;&gt;
Note: I’m not a big fan of this as you risk not being treated well as a customer long-term. The vendor may decide to drop you later because you’re unprofitable. So, allow vendors to make a profit, just not an obscene one.&lt;/blockquote&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
Below you’ll find my ranked list of the most powerful negotiating techniques I’ve come across in the purchasing process, many of which are applicable beyond security purchases…&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;1.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Negotiate Price at Quarter End / Year End&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
More than anything, businesses want financial predictability. They want to be able to plan out, with a high degree of accuracy, precisely how much business is expected to close at least two quarters into the future. Sales forecasting is largely a Sales department function. So when end of the quarter is just a few weeks away, and overall sales volume isn’t where it needs to be, the sales rep (and their bosses) scramble and make concessions to bridge the gap and hit their forecast. The larger the sales forecast gap, and the closer to quarter end, the more desperate they become and more open they’ll be to deep discounts or throwing in additional products / services to sweeten the pot.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
Smart customers simply ask sales reps when their quarter or fiscal year ends, just after the vendor asks the customer what their budget range is. So, if you like the product, and you’re likely to buy it, let them know you’ll commit to the purchase in the current quarter, before the end, if they give you a good deal. Vendors will routinely knock 10-30% (or more) off the price, just with the ability to accurately forecast a deal closing. If the vendor is unwilling to work with you and the purchase isn’t urgent, let them know you’re more likely to purchase next quarter, which adds uncertainty to their forecast and they’ll have a decision to make. Rinse. Repeat.&lt;/div&gt;
&lt;div&gt;
&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;2.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Multi-Year Deals&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
As previously mentioned, businesses love predictability. For this reason, subscription-based businesses, like Software-as-a-Service, love predictable renewal rates. Security vendors know that just because you’re a customer this year, it doesn’t automatically mean you’ll be a customer next year — as the market is highly competitive. They know they’ll likely have to negotiate price with existing customers before the contract expires, which comes at a cost of time and sales forecast uncertainty.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
To reduce this uncertainty, subscription-based businesses will often give attractive discounts to customers willing to sign up for multi-year deals. Two to three year deals are typical, likely fetching a 5-10% discount, possibly more if you’re willing to pay up front, but we’ll explore this more in a moment. It’s also best to refrain from committing to more than three years for security purchases as it’s difficult to know what the business needs will be that far out, or how the product landscape may have changed in that time.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;3.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Paying In Advance&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
For many security services, such as subscription SaaS products, you pay monthly or quarterly after services are rendered. For the security vendor’s finance department, that means they’re out some amount of money to service you before you pay them for those services. If you like a particular security service and plan to continue having it for at least another year, consider paying for a year or more in advance. For the vendor, getting cash up front is often attractive and it takes payment uncertainty out of the equation, giving their business additional flexibility. Obviously, the bigger the deal, the better in terms of discounting. This method can win another 5-10% or so in discounts on its own. One caveat: prepaying concentrates your exposure to the vendor’s own health — if they fold or are acquired and the product is discontinued, the prepaid term is what you stand to lose — so weigh the discount against that risk.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;4.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt; Customer Reference, Case Study, Gartner Reference&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
In InfoSec it’s extremely difficult to get customers to speak publicly, or even privately, about their experience with a given security product. When a customer does consent to speak, it’s incredibly powerful, and few things generate more business for security vendors than vocally happy customers. Customers should use this power to their advantage, especially if they really really like a security product and want to see the company do well.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
To do this, customers can serve as a reference in a few different ways:&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
a.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Private Reference – speaks to other customers&lt;/div&gt;
&lt;div&gt;
b.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Public Reference, Individual – willing to do case studies, press, events, quotes, but as an individual versus the company&lt;/div&gt;
&lt;div&gt;
c.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Public Reference – Company – the company is endorsing the product and brand, including a logo on the vendors website, slides, etc. &amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
All of this is good and even a non-contractual promise to be a reference can lead to great discounts. As a small warning, many organizations have policies regarding speaking on behalf of the company, so make sure to follow those. Also bear in mind that publicly naming the security products you run discloses part of your defensive stack, so clear any public reference with whoever owns that risk. If you can find out that the security vendor is in the process of working with Gartner on the Magic Quadrant for their space, customers who are willing to be a positive reference in that period are like gold. I’ve personally seen seriously deep discounts here, even free!&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;5.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Ask for More Stuff, Not Always Price Discounts&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
Let’s say you’re asking for a discount, but for whatever reason the security vendor isn’t agreeable. This could be because they need to keep their average sales price (ASP) above a particular threshold so their business looks good to their board and investors. In these circumstances, you can instead ask them to throw in things that are easier for them to give away or commit to.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
a.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Extra subscription time, especially if full deployment will take a while.&lt;/div&gt;
&lt;div&gt;
b.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Additional services or software licenses&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
c.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;A better customer support package.&lt;/div&gt;
&lt;div&gt;
d.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Free training.&lt;/div&gt;
&lt;div&gt;
e.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Payment flexibility. How and how often payment has to be made.&lt;/div&gt;
&lt;div&gt;
f.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Product roadmap enhancements that’ll better serve you.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
In many circumstances, security vendors will find the items on this list easier to give you than discounting the overall deal. You get more, but pay the same.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;6.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Find Out What Others Paid. Competitive Bids.&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
When entering pricing discussions, it’s always helpful to know what other customers paid as a point of reference. You may or may not be able to get the same deal as they did, but you want something in at least the general vicinity. There are a couple of ways to obtain this information.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
a.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Ask a colleague you personally know, who has already purchased a product you’re considering. What kind of deal did they get?&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
b.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Ask the vendors for customer references during the evaluation process, which is something all customers should do as a matter of course. Not only ask the reference what they liked and didn’t like about the product, but what they paid.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
c.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Ask the vendor for their competitor’s pricing, and how they compare with it. &amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
In some cases, pricing information is considered confidential, but it doesn’t hurt to ask. Having this pricing research on hand greatly helps get you the best deal possible.&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
Additionally, you’re probably choosing between two or more comparable products to solve a particular security problem. If the products themselves are a toss-up, meaning you’d be happy with either option, consider sharing the bids with the competing security vendors — after first checking that the quote isn’t covered by an NDA or confidentiality clause. No security vendor wants to lose a competitive deal in the last stage simply because the competition slightly edged them on price. You’d be surprised how quickly vendors will knock off 5-10% as a takeaway from the competition.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;b&gt;7.&lt;span class=&quot;Apple-tab-span&quot; style=&quot;white-space: pre;&quot;&gt; &lt;/span&gt;Go Direct&lt;/b&gt;&lt;/div&gt;
&lt;div&gt;
Many customers have a preferred reseller, typically called Value Added Resellers (VARs), through which they make their security purchases. Among other things, VARs make vendor management much easier for customers. They’ll help identify security program gaps, document purchase requirements, product selection, answer questions, and more. For the value they add, VARs usually take a roughly 30% margin on each product sale. Then, of course, they can tack on additional dollars for consulting and implementation if there is a need. &amp;nbsp;The remaining 70% of the sale price goes to the security vendor.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
Here’s the thing: the business of the VAR is in the first two letters — V.A… &amp;nbsp;VALUE. ADDED. If a VAR is not adding enough value, which is often the case, they’re justifiably not entitled to their 30%. In these circumstances, the VAR can and should be bypassed to go direct to the security vendor (where the vendor sells direct at all), and the customer can get a discount of up to roughly 30% without costing the vendor anything. And, unless there is a good reason not to, get bids from three VARs so they’ll have to fight to win your business. Often VARs will cut into their own profit margin to land the deal.&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
There you have it. Seven ways to help maximize the purchasing power of the security budget. Good luck!&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/8347514571328224051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/8347514571328224051' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/8347514571328224051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/8347514571328224051'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/05/7-tips-for-getting-absolute-best-price.html' title='7 Tips to Get the Absolute Best Price from Security Vendors'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-2362179801799375505</id><published>2016-05-12T17:14:00.000-07:00</published><updated>2016-05-12T18:51:46.786-07:00</updated><title type='text'>From 300 lbs to 200 lbs</title><content type='html'>&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Did you know that at one point in my life I was just over 300 pounds? Most don’t, but I was. Then after considerable effort, I got to the 250 pounds range and remained there for several years. At the time of this writing, I’m about &lt;/span&gt;&lt;span style=&quot;-webkit-font-kerning: none; font-size: 10px; line-height: normal;&quot;&gt;210 pounds&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;. My goal is to stabilize at around 200 pounds with a body fat of ~10%. If all goes as planned, maybe in 6 months or so I’ll be about where I want to be. At 6’2”, it’s a pretty solid physique. Upon witnessing my physical transformation, many friends and family ask how I’m doing this. “What’s your secret?” Spoiler: I don’t have one.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Hkcj-3kr91dp-1ATTiFETS1HX3YZVszaZ8NpD9y0MKsnwSbw5k6wRcdFY0H_Rb_wcjWUE3Vx2oJ_V7M_1_nka12mnlfHK2G2bdA5CTlSpFFaKutQjCqZXL3JYLRL7XOmIKmFDQ/s1600/DSC00699.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;240&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Hkcj-3kr91dp-1ATTiFETS1HX3YZVszaZ8NpD9y0MKsnwSbw5k6wRcdFY0H_Rb_wcjWUE3Vx2oJ_V7M_1_nka12mnlfHK2G2bdA5CTlSpFFaKutQjCqZXL3JYLRL7XOmIKmFDQ/s320/DSC00699.jpg&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNswe2yGfnsSZ2fxqGittn-01vn8yovR92zpEYIcx6ooR8BC1cpmPZ9slMOeSm0VHL9A6IoNRGiZgwPfyyBm-UyxPRlTsky-f0_qF3SYGNwc-cEPa-_KCVO4SdB3PpGwd9oODjgw/s1600/IMG_6680+3.JPG&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNswe2yGfnsSZ2fxqGittn-01vn8yovR92zpEYIcx6ooR8BC1cpmPZ9slMOeSm0VHL9A6IoNRGiZgwPfyyBm-UyxPRlTsky-f0_qF3SYGNwc-cEPa-_KCVO4SdB3PpGwd9oODjgw/s320/IMG_6680+3.JPG&quot; width=&quot;240&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Hkcj-3kr91dp-1ATTiFETS1HX3YZVszaZ8NpD9y0MKsnwSbw5k6wRcdFY0H_Rb_wcjWUE3Vx2oJ_V7M_1_nka12mnlfHK2G2bdA5CTlSpFFaKutQjCqZXL3JYLRL7XOmIKmFDQ/s1600/DSC00699.jpg&quot; imageanchor=&quot;1&quot;&gt;&lt;/a&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6cSM1l6r6MTjesu2ZE1I60VlNaj8zvWOS8RVnCxb8t4TZhb__JQmfkKz8qPPnyJ74uLaa9rrnvQoou6bYpxb4Db869XQYWEzmnZr81lIkMKAZpSXRpytI8rUSmupd2_kW7bzkUw/s1600/IMG_6686.JPG&quot; imageanchor=&quot;1&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6cSM1l6r6MTjesu2ZE1I60VlNaj8zvWOS8RVnCxb8t4TZhb__JQmfkKz8qPPnyJ74uLaa9rrnvQoou6bYpxb4Db869XQYWEzmnZr81lIkMKAZpSXRpytI8rUSmupd2_kW7bzkUw/s320/IMG_6686.JPG&quot; width=&quot;240&quot; /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Before going any further, let me clearly state that I’m NOT a personal trainer. I’m NOT a nutritionist. And I’m certainly NOT trying to sell anything. This post simply answers the question people ask by listing out my nutrition and exercise regimen. Additionally, while everything I’ve done has undoubtedly improved my overall health, the goal is primarily focused on improving my performance in combat sports, particularly Brazilian Jiu-Jitsu and Mixed Martial Arts. Competing at a high level requires that I’m very strong, fast, and flexible, with good cardio and balance. A lean and muscle-toned physique is most ideal.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYixI9RIlnn7a3kyFZLHDLNG__N_ySWIWHwEAxi0dq8fAePIbeGlJRKFjpqOcuIq50z7HaLuGEfePb4zpCqPv_Lnr-m5D6ZDVnn08jcXWtq_tlbHpZa1zybg9aqL6vmuQYonYA5w/s1600/12778993_10154596775158492_7161580635583267846_o.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;200&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYixI9RIlnn7a3kyFZLHDLNG__N_ySWIWHwEAxi0dq8fAePIbeGlJRKFjpqOcuIq50z7HaLuGEfePb4zpCqPv_Lnr-m5D6ZDVnn08jcXWtq_tlbHpZa1zybg9aqL6vmuQYonYA5w/s200/12778993_10154596775158492_7161580635583267846_o.jpg&quot; width=&quot;150&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;
&lt;h3&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;u&gt;&lt;b&gt;Nutrition&lt;/b&gt;&lt;/u&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Food is what fuels my body to perform at my best during each training session. My daily consumption maps as closely as I can manage to the planned physical activity. If I break down and eat something I shouldn’t — it happens — my performance noticeably suffers and I get my butt kicked as a consequence. It sucks. As it turns out, not wanting to get punched in the face, choked, or have my arm hyperextended is a great motivator!&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Each week I have 4 very hard training days, 2 lighter training days, and 1 rest day. And that’s how I plan out my meals. For most of the last year, I was predominantly eating lean meats, vegetables, and fruit. The Paleo diet is the closest example. Then for the last ~3 months I shifted to a whole-food Vegan diet with some minor exceptions.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;Additional nutrition rules I follow:&lt;/span&gt;&lt;/div&gt;
&lt;ul&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: 12px; line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;No caffeine&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;No alcohol&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: 12px; line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Liquid is primarily water (occasionally iced tea, tea, or carbonated water with lime)&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: 12px; line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;No dairy&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: 12px; line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Nothing fried&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: 12px; line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;Very little processed food&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style=&quot;font-size: 11px; line-height: normal; margin: 0px;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-size: 12px; line-height: normal;&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;No vitamins or supplements (I may include them later at some point)&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;h4&gt;
&lt;span style=&quot;font-family: inherit; text-decoration: underline;&quot;&gt;&lt;b&gt;Hard Training Day&lt;/b&gt;&lt;/span&gt;&lt;/h4&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw9oQvPn-k_K9ZGSLlv-Mn4buCf9BEWN-PGS2stmUeZxTombb0Jnr-3LDFU-gpJaDm-mZmJ4CrEvhXZYCGqEsxet_WJM0jSZeS0H8c5f4sOAgmCHyrO5eKkWdHTm2RYdX3mMlHKA/s1600/IMG_6109.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;150&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw9oQvPn-k_K9ZGSLlv-Mn4buCf9BEWN-PGS2stmUeZxTombb0Jnr-3LDFU-gpJaDm-mZmJ4CrEvhXZYCGqEsxet_WJM0jSZeS0H8c5f4sOAgmCHyrO5eKkWdHTm2RYdX3mMlHKA/s200/IMG_6109.jpg&quot; width=&quot;200&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Paleo: To get through my training sessions, 2300 - 2400 calories feels about right. Under 2100 and I would gas out early. Over 2400 and body fat wouldn’t come off. I targeted my protein intake at just under 1g per pound of body weight, which is a good zone according to what many bodybuilders suggest to build muscle. Fat intake at no more than 50g. And of course the rest being the carbs for energy I need for training.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;R&lt;/span&gt;eaching these macros requires several full meals during the day, timed so that my belly isn’t too full during class.&amp;nbsp; And honestly, if you look at the meal plan, it’s been really hard physically eating so much food. On the upside, while [bad food] cravings are certainly an issue, I was never, ever hungry!&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxNTDcxdwxkIINRtAy1xiaZayP6b4KbEW_u6z2aUk9yx3Ga0ww1D_dCux3W3X4LgEF2c3hOZ9fHfOsPSGJU_MKOGMUW7kxBpxH41KTcTKThyphenhyphenjO3roj0SJgIeQQCjl_v7eglzYOOg/s1600/Paleo.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;238&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxNTDcxdwxkIINRtAy1xiaZayP6b4KbEW_u6z2aUk9yx3Ga0ww1D_dCux3W3X4LgEF2c3hOZ9fHfOsPSGJU_MKOGMUW7kxBpxH41KTcTKThyphenhyphenjO3roj0SJgIeQQCjl_v7eglzYOOg/s320/Paleo.png&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Vegan: At the outset, I didn’t know how my body would react to being Vegan. I didn’t know what the cravings would be like, if I’d have the necessary energy needed, etc. So, I got rid of the whole calorie and macro counting thing. Instead, I decided to start by simply eating whatever I wanted, whenever I wanted, as long as it was whole-food and vegan, and then fine-tune from there. Note that I routinely replace many of the ingredients on the list with suitable alternatives, as I want to eat a wide variety of food in order to get all the recommended vitamins and minerals.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD6OAd9-eILF6WbXa7mRwJdlZNgj6jzZ8Jyc9bgPDoyNNQ4dmhndqEsjbJWWil194_Q-ehcKGuIfSLJReJsu5uZ9NZJ0BNu7YOruJcCyY4WhcUi1-y-aK7rDe4Ow2EQ9jCpTj06w/s1600/Vegan.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;238&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD6OAd9-eILF6WbXa7mRwJdlZNgj6jzZ8Jyc9bgPDoyNNQ4dmhndqEsjbJWWil194_Q-ehcKGuIfSLJReJsu5uZ9NZJ0BNu7YOruJcCyY4WhcUi1-y-aK7rDe4Ow2EQ9jCpTj06w/s320/Vegan.png&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;While the calorie counts on my Vegan diet are higher than the Paleo version, the weight / fat has been coming off with similar speed. And honestly, I feel notably better being vegan so far and my physical performance has improved. My mind is a bit clearer, joints move easier, and my recovery is faster. Cool eh!?&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;h4&gt;
&lt;span style=&quot;font-family: inherit; text-decoration: underline;&quot;&gt;Light Training&lt;/span&gt;&lt;/h4&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Paleo: Take my hard training day meal plan, then drop the calories to 1600 - 1700, mostly from the carbs. Eat just enough food to get through my training and no more.&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHq1wwAGNgwnk0TW83qRs4EhMp43y0mAOWoDpCbcLWaBBFaqqqmycq3t4hl5NW8mUmbiHcEUiB10YUAT9t2X156PzK4f0uNG6XAd3HpESS6rLfzAwgwSJezmcGnzGs-OZPAtilUQ/s1600/Paleo+Lite.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;236&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHq1wwAGNgwnk0TW83qRs4EhMp43y0mAOWoDpCbcLWaBBFaqqqmycq3t4hl5NW8mUmbiHcEUiB10YUAT9t2X156PzK4f0uNG6XAd3HpESS6rLfzAwgwSJezmcGnzGs-OZPAtilUQ/s320/Paleo+Lite.png&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;Vegan: Same thing, reduce calories mostly from slow-burning carbs (oatmeal, sweet potato, etc.) down to roughly 1800, as this feels right.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWSyJAXAPQRtVhSwmYSva0Iw61fqpBYF0NyCbPCzNXfRhXIIJWlujTQUtGB0Q9azoNAeUv7jVhWyCZsfeQjqNtp2KV7mkGdyKIw7ik3oF-usCkSRYdr8pstG2k_6g7-yngyZpOMw/s1600/Vegan+Lite.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;202&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWSyJAXAPQRtVhSwmYSva0Iw61fqpBYF0NyCbPCzNXfRhXIIJWlujTQUtGB0Q9azoNAeUv7jVhWyCZsfeQjqNtp2KV7mkGdyKIw7ik3oF-usCkSRYdr8pstG2k_6g7-yngyZpOMw/s320/Vegan+Lite.png&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;In both hard and light training days, I generally stop eating for the day around 5pm — particularly anything containing any sugars, like fruit. The strategy here is that by the time my early morning training starts the next day, my cardio workout will largely burn fat as fuel as all the sugar / carbs in my system have already been metabolized. Then afterwards I can eat again — yay! :)&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioZX7iq7aGuqHny5BI_E7U9jR2MnhzKH4uS_rF09BNHm3o68iRP3aylBWVzbK7nvXaNzISCcxIW5zB3VA_8WXQ45Cy-fvzgdnru2uHbl9G6Ilw9afDLxsc22uGtpu0JCYyenPFsA/s1600/12742307_10154592707578492_7899782346294545014_n.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;200&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioZX7iq7aGuqHny5BI_E7U9jR2MnhzKH4uS_rF09BNHm3o68iRP3aylBWVzbK7nvXaNzISCcxIW5zB3VA_8WXQ45Cy-fvzgdnru2uHbl9G6Ilw9afDLxsc22uGtpu0JCYyenPFsA/s200/12742307_10154592707578492_7899782346294545014_n.jpg&quot; width=&quot;150&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family: inherit; text-decoration: underline;&quot;&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style=&quot;font-kerning: none; text-decoration: underline;&quot;&gt;&lt;span style=&quot;font-family: inherit; text-decoration: underline;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;
&lt;span style=&quot;font-kerning: none; text-decoration: underline;&quot;&gt;&lt;span style=&quot;font-family: inherit; text-decoration: underline;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;h4&gt;
&lt;span style=&quot;font-family: inherit; text-decoration: underline;&quot;&gt;Rest Day&lt;/span&gt;&lt;/h4&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;24-hour fast (no food, but water / tea is ok). While this helps stabilize my insulin levels, it’s also about simple math — and besides, I’m not training at all that day anyway. Consider that 1 pound of fat equals 3,500 calories. So, by forgoing ~1800 calories per week here, I get to lose an extra 1/2 pound off the top. Each month, that’s roughly 2 pounds of fat. Awesome!&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;h3&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;&lt;b&gt;&lt;u&gt;Training / Exercise&lt;/u&gt;&lt;/b&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;As mentioned, my exercise is primarily designed for combat sports. Then I mix in some low-intensity cardio and weight training to support those activities. Collectively it’s about 4 hard days of training, 2 lighter days, and 1 rest day. Most weeks I’ll miss a session here and there when life gets in the way, but what you see is the plan I set out to accomplish each and every week, and whatever happens, happens. I’ll try to get the time back in some other way before resetting on Monday. On average, I get about 75% or more of what’s on the list done.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH944FSa2y-WQC3UGnhx0sJjCbwIWJJm7hZJPl0mRR1T1962ob8wd6D7nMkBK8IcSpRpyDxWyZA7-zn71drXQtcGHzEhk4T9RwteNActaZageVU_yBgs7M1a7pzES6zBgHgwk2PA/s1600/Screen+Shot+2016-05-11+at+5.56.38+PM.png&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;214&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH944FSa2y-WQC3UGnhx0sJjCbwIWJJm7hZJPl0mRR1T1962ob8wd6D7nMkBK8IcSpRpyDxWyZA7-zn71drXQtcGHzEhk4T9RwteNActaZageVU_yBgs7M1a7pzES6zBgHgwk2PA/s320/Screen+Shot+2016-05-11+at+5.56.38+PM.png&quot; width=&quot;320&quot; /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;The intensity of each class can vary greatly depending on what we’re learning, what I’m physically capable of that day, and so on. Either way, I do the best that I can with a mission of improving … in whatever small amount that might be. And those with a sharp eye, who read this far, might notice that I have a salsa dance class listed. It was recommended by my Muay Thai coach as a way of improving my footwork, timing, and coordination. And, it works! Go figure.&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style=&quot;font-size: 11px; line-height: normal;&quot;&gt;
&lt;span style=&quot;font-family: inherit; font-kerning: none;&quot;&gt;That’s it. My secret is hard work and dedication, which is basically all anyone needs to accomplish anything in life.&lt;/span&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div style=&quot;-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Helvetica; font-size: 11px; line-height: normal; min-height: 13px;&quot;&gt;
&lt;span style=&quot;font-kerning: none;&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/2362179801799375505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/2362179801799375505' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/2362179801799375505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/2362179801799375505'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/05/from-300-lbs-to-200-lbs.html' title='From 300 lbs to 200 lbs'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Hkcj-3kr91dp-1ATTiFETS1HX3YZVszaZ8NpD9y0MKsnwSbw5k6wRcdFY0H_Rb_wcjWUE3Vx2oJ_V7M_1_nka12mnlfHK2G2bdA5CTlSpFFaKutQjCqZXL3JYLRL7XOmIKmFDQ/s72-c/DSC00699.jpg" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-6345134342638251557</id><published>2016-03-07T09:06:00.000-08:00</published><updated>2016-03-07T09:06:44.835-08:00</updated><title type='text'>My last days at WhiteHat and setting sights on the future</title><content type='html'>&lt;div class=&quot;p1&quot;&gt;
I’ve said it many times; the Web is probably the greatest invention we’ll see in our lifetime. The Web touches the lives of everyone we know, every family member, every child, every friend, and everyone we meet. The Web connects over two billion people and fuels entire economies. It’s a place where we learn, communicate, and share our closest kept secrets. Something as important as the Web must be protected and I’ve always felt it was a privilege to do so. For the last 15 years, as founder of WhiteHat Security, I’ve done exactly that every single day. WhiteHat has not just changed my life, it has been my life — wholly inseparable. Bittersweet as it is, the end of March will be my last day.&amp;nbsp;&lt;/div&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;p1&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;Right now, I’d like to take a moment to reflect. While it’s impossible to measure, I sometimes think about how many hacks didn’t happen — how many people and companies were not hacked — as a result of the work we did at WhiteHat. People have often shared how much we’ve helped them and how important our work is. It’s an amazing feeling knowing that what you do matters. Everyone should be so fortunate. In that sense, WhiteHat is not just another company. It’s something more, much more. WhiteHat represents a mission, an ideal, a state of being. I’ve strived to embody these attributes since Day 1. I’ve always worked tirelessly to be the best at what I do and have had a personal passion for innovation.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;p1&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;WhiteHat was the first company to adopt a Software-as-a-Service model in Application Security. Through our statistics report that thousands rely upon, we were the first to bring measurable data to the industry. We pioneered the founding of two industry groups, OWASP and WASC. We led the creation of the first AppSec lexicon, the Threat Classification, and the language everyone uses when speaking AppSec. We’ve released much of the most cutting-edge and foundational security research to date, which has raised awareness globally. And we were the first vendor to offer a security guarantee. I’m sure I’m missing several other firsts, but already no other company has such a record of industry contribution and market success.&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;p1&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;While I have a lot to be proud of, none of this would have been possible without a great many amazing people and lifelong friends. I’d like to personally thank the hundreds of WhiteHat employees, both past and present, for helping protect the Web and making WhiteHat the success that it is. They are what I’m most proud of and grateful for. Working with you all has been a singular honor. I would also like to send a very special thank you to the over 1,000 customers who believed in me, believed in WhiteHat, and entrusted us to protect them. Your trust and support always meant everything to me. Thank you to our partners all over the world who brought us to their customers and championed our cause. And thank you to the security community, the lifeblood of the entire industry, who carry us all.&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;p1&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;Of course many will be curious about what I’m going to do next. While I’m not yet ready to reveal those details, what I can share is that I remain genuinely excited about the future of the security industry. I’m not going anywhere. Every day I see new and interesting problems that I’d like an opportunity to solve and expand my horizons. More than anything, that’s why I’m leaving WhiteHat, but its spirit will always be with me and continue to influence my life. Any of us has the capacity to change the world, we just have to allow ourselves the chance to do so.&lt;/span&gt;&lt;/div&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;p1&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;Hack Yourself First.&lt;/span&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class=&quot;p2&quot;&gt;
&lt;span class=&quot;s1&quot;&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/6345134342638251557/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/6345134342638251557' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/6345134342638251557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/6345134342638251557'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2016/03/my-last-days-at-whitehat-and-setting.html' title='My last days at WhiteHat and setting sights on the future'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-4639582856810280089</id><published>2015-12-03T06:56:00.000-08:00</published><updated>2024-12-31T06:56:29.042-08:00</updated><title type='text'>An idea to help secure U.S. 
cybersecurity…</title><content type='html'>&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;header class=&quot;entry-header&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;h1 class=&quot;entry-title&quot; style=&quot;border: 0px; clear: both; font-size: 1.57143rem; font-weight: normal; line-height: 1.2; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;span style=&quot;font-size: 14px;&quot;&gt;… and looking for the right person to show us how to do so.&lt;/span&gt;&lt;/h1&gt;&lt;/header&gt;&lt;div class=&quot;entry-content&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.71429; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;A few years back I was watching&amp;nbsp;&lt;a href=&quot;https://web.archive.org/web/20151207074328/http://www.youtube.com/watch?v=gcEFcDqlQC0&quot; style=&quot;border: 0px; color: #21759b; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;&quot;&gt;a presentation&amp;nbsp;&lt;/a&gt;given by General Keith B. Alexander, who was at the time Commander, U.S. Cyber Command and previously Director of the National Security Agency (NSA). Gen. Alexander’s remarks focused on the cybersecurity climate from his perspective and the impact on U.S. national and economic security. One comment he made caught my attention, specifically that&amp;nbsp;&lt;u style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;the Department of Defense has 15,000 networks to protect&lt;/u&gt;. 
As an application security person I can only imagine how many total websites, a favorite target among hackers, that equates to. I’d bet that, by percentage, very few of DoD’s websites get professionally assessed for vulnerabilities. Anyway, from this it became clear the General understands big picture cybersecurity problems in terms of scale.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;At about 1:05:00 into the video the General opened the floor to questions and the most interesting one came from a Veteran. He said there are a lot of Veterans that would like to help with the country’s cybersecurity efforts, and asked if there were any programs available enabling them to do so. The General answered that he didn’t know for sure, but he didn’t think so. I did some research and according to a&lt;a href=&quot;https://web.archive.org/web/20151207074328/http://www.bls.gov/news.release/empsit.nr0.htm&quot; style=&quot;border: 0px; color: #21759b; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;&quot;&gt;&amp;nbsp;Bureau of Labor Statistics report&amp;nbsp;&lt;/a&gt;from September 2015, there are roughly 449,000 unemployed veterans. This was fascinating to me: as I see it, this is a ready-and-willing labor force, at least a small percentage of which could perhaps apply their skills to cybersecurity.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;This got me thinking and an idea hit me, but before sharing it, I need to explain a bit about how WhiteHat works internally for it to make sense.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;WhiteHat assesses websites for vulnerabilities. If customers fix those issues, they are far less likely to get hacked. Simple. 
What makes WhiteHat different is we’re able to perform these assessments at scale. And, I’m not talking just basic scanning, but true quality assessments with business logic tests carried out by real experts, a strict requirement. The challenge is that AppSec skills are extremely scarce and sought after. Ask any hiring manager. Recognizing the severe skill shortage more than a decade ago, WhiteHat created its Threat Research Center — our Web hacker army. TRC is specifically equipped, complete with a training program and an unparalleled playground of permission-to-hack websites (customer sites where testing is explicitly authorized), to hire eager entry-level talent and turn them into experienced professionals quickly. The age and background of applicants don’t matter. Today, WhiteHat has proven itself to be the best – and only – place for newcomers to get into the industry.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;a href=&quot;https://web.archive.org/web/20151207074328/http://www.defense.gov/Video?videoid=423401&quot; style=&quot;border: 0px; color: #21759b; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;&quot;&gt;President Obama addressed&lt;/a&gt;&amp;nbsp;the nation’s military on September 11, 2015 and mentioned the increasingly challenging state of cyber warfare:&amp;nbsp;&lt;u style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;“What we’ve seen by both state and non-state actors is the increasing sophistication of hacking, the ability to penetrate systems that we previously thought would be secure. 
And it is moving fast.” The same website vulnerability issues that we’ve addressed in the private sector are felt in the defense realm.&lt;/u&gt;&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;This is where the idea comes in…&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Let’s say the DoD launched a cybersecurity program to assess all of its websites for vulnerabilities. The result would be fewer breaches that are much harder to carry out. To do this the DoD would obviously need a scalable vulnerability scanning technology, but more importantly, the necessary AppSec manpower. This is where WhiteHat would come in as we have all the pieces. Financial issues aside, WhiteHat would be able to conduct all these assessments, continuously, and could do so using veteran labor — exclusively. We have the tech, the hiring process, the training program, pretty close to everything the program would require. All we need is a DoD program to partner up with.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;If such a plan and program existed, everyone would win.&lt;/p&gt;&lt;ul style=&quot;border: 0px; line-height: 1.71429; list-style-image: initial; list-style-position: outside; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;The DoD would be able to increase their cybersecurity defenses at scale and better protect the nation.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;A large number of U.S. 
military veterans could be put to work towards a common cause, protecting the country’s cybersecurity, while acquiring InfoSec skills in the highest demand. Something&amp;nbsp;&lt;a href=&quot;https://web.archive.org/web/20151207074328/http://www.whitehouse.gov/the-press-office/2011/08/05/fact-sheet-president-obama-s-commitment-employing-america-s-veterans&quot; style=&quot;border: 0px; color: #21759b; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;&quot;&gt;the President said&amp;nbsp;&lt;/a&gt;he wanted to do.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;WhiteHat continues to grow its Web hacker army. Indeed, we already employ several veterans in the TRC who represent many of our best and brightest.&lt;/li&gt;&lt;/ul&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Of course there are details that need to be addressed. A catalog of unfixed DoD website vulnerabilities is itself a high-value target, so how that data would be safeguarded, and the security of WhiteHat’s infrastructure, would have to be closely audited (but considering who we already count as customers, I’m confident we’d be able to satisfy any reasonable standard). Alternatively, the assessment platform could be deployed inside one of the DoD’s own networks so the findings never leave their control, which is fine too. And then there are those doing the work: veterans whose backgrounds have already been vetted and who are more trusted than the average “Johnny pen-tester” — though prior service is not the same as a current clearance, so staff handling sensitive findings would still need whatever screening the program requires.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;So, the question is … now what?&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Over the past 3 years I’ve discussed this idea with dozens of people, both inside and outside the government, and while everyone agrees it’s a good idea, getting traction has been difficult to say the least. 
Some cybersecurity training programs exist for veterans, but they tend to be either small, dormant, or not something that really protects U.S. cybersecurity.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Referring to emerging cyberthreats in a lecture at Stanford in June 2015,&amp;nbsp;&lt;a href=&quot;https://web.archive.org/web/20151207074328/https://youtu.be/apmJVu31Bio?t=12m32s&quot; style=&quot;border: 0px; color: #21759b; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;&quot;&gt;Secretary of Defense Ashton Carter said&lt;/a&gt;, “We find the alignment in open partnership, by working together. Indeed, history shows that we’ve succeeded in finding solutions to these kinds of tough questions when our commercial, civil, and government sectors work together as partners.” It would seem that even the highest levels of leadership in the DoD agree that this is the only path forward that makes sense for securing the nation’s digital assets.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;At this point, the best path forward is to simply put the idea out there for open discussion, and hopefully the “right person” will see it. Someone in the government who can help us carry it forward and contact us. If you are such a person, or know who is, we welcome the opportunity to talk — leaders within the VA, the DoD, or other parts of government. And hey, if you think the idea is crazy, stupid, or not viable for some reason… I am also interested in hearing why you think so (twitter: @jeremiahg).&lt;/p&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/4639582856810280089/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/4639582856810280089' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4639582856810280089'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4639582856810280089'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2015/12/an-idea-to-help-secure-us-cybersecurity.html' title='An idea to help secure U.S. cybersecurity…'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-4907125959017753371</id><published>2015-12-02T06:08:00.000-08:00</published><updated>2024-12-31T06:12:09.209-08:00</updated><title type='text'>The Ad Blocking Wars: Ad Blockers vs. Ad-Tech</title><content type='html'>&lt;p&gt;&lt;span style=&quot;background-color: white; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px;&quot;&gt;More and more people find online ads to be annoying, invasive, dangerous, insulting, distracting, expensive, and just understandable, and have decided to install an ad blocker. In fact, the number of people using ad blockers is skyrocketing. 
According to PageFair’s 2015 Ad Blocking Report, there are now&amp;nbsp;198 million&amp;nbsp;active adblock users around the world with a global growth rate of 41% in the last 12 months. Publishers are visibly feeling the pain and fighting back against ad blockers.&lt;/span&gt;&lt;/p&gt;&lt;div class=&quot;entry-content&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.71429; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Key to the conflict between ads and ad blockers is the Document Object Model, or DOM. Whenever you view a web page, your browser creates a DOM – a model of the page.&amp;nbsp;This is&amp;nbsp;a programmatic representation of the page that lets&amp;nbsp;JavaScript convert static content into something more dynamic. Whatever is in control of the DOM will control what you see – including whether or not you see ads. Ad blockers are designed to prevent the DOM from including advertisements, while the page is designed to&amp;nbsp;display them. This inherent conflict, this fight for control over the DOM, is where the Ad Blockers vs. Ad-Tech war is waged.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;A recent high profile example of this conflict is Yahoo Mail’s recent reported attempt to prevent ad-blocking users from accessing their email, which upset a lot of people. This is just one conflict in an inevitable war over who is in control of what you see in your browser DOM – Ad Blockers vs. 
Ad-Tech (ad networks, advertisers, publishers, etc.).&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Robert Hansen and I recently performed a thought experiment to see how this technological escalation plays out, and who eventually wins.&amp;nbsp;I played the part of the Ad Blocker and he played Ad-Tech, each of us responding to the action of the other.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Here is what we came up with…&lt;/p&gt;&lt;ol style=&quot;border: 0px; line-height: 1.71429; list-style-image: initial; list-style-position: outside; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Deliver ads to user’s browser.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;User&lt;/strong&gt;: Decides to install an ad blocker.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Creates a black list of fully qualified domain names / URLs that are known to serve ads. 
Blocks the browser from making connections to those locations.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Create new fully qualified domain names / URLs that are not on black lists so their ads are not blocked (i.e. rotate through fresh domains faster than the lists can be updated, much like Fast Flux).&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Crowd-source the black list to keep it up-to-date and continue blocking effectively. Allow certain ‘safe’ ads through (e.g. the Acceptable Ads Initiative).&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Load third-party JavaScript onto the web page which detects whether, and when, ads have been blocked. 
If ads are blocked, deny the user the content or service they wanted.&lt;/li&gt;&lt;/ol&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;*** Current stage of the Ad Blocking Wars ***&lt;/p&gt;&lt;ol start=&quot;7&quot; style=&quot;border: 0px; line-height: 1.71429; list-style-image: initial; list-style-position: outside; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Maintain a black list of the fully qualified domain names / URLs where ad blocking detection code is hosted and block the browser from making connections to those locations.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Relocate the ad, or the ad blocking detection code, to a first-party location on the website itself. Domain-based blockers cannot block this code without also blocking the web page the user wanted to use (e.g. sponsored ads like those found on Google SERPs and Facebook).&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Detect the presence of ads, but do not block them. Instead, make the ads invisible (i.e. visibility:&amp;nbsp;hidden;). 
Do not send tracking cookies back to hosting server to help preserve privacy.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Detect when ads are hidden in the DOM. If ads are hidden, deny the user the content or service they wanted.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Allow ads to be visible, but move them WAY out of the way where they cannot be seen. Do not send tracking cookies back to hosting server to help preserve privacy.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Deliver JavaScript code that detects any unauthorized modification to browser DOM where the ad is to be displayed. If the ad’s DOM is modified, deny the user the content or service they wanted.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Detect the presence of first-party ad blocking detection code. 
Block the browser from loading that code.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Move the ad blocking detection code to shared infrastructure that cannot safely be blocked by hostname without negatively impacting the user experience (e.g. a general-purpose cloud host such as Amazon AWS, where blocking the domain would also break unrelated, wanted content).&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Crawl the DOM looking for ad blocking detection code on all domains, first and third-party. Remove the JavaScript code or do not let it execute in the browser.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Implement minification, obfuscation and polymorphism (code that is regenerated differently on each load) designed to hinder isolation and removal of the ad blocking detection code.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad Blocker&lt;/strong&gt;: Crawl the DOM looking for ad blocking detection code, reversing the code obfuscation techniques, on all domains, first and third-party. Remove the offending JavaScript code or do not let it execute in the browser.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;: Integrate ad blocking detection code inside of core website JavaScript functionality. 
If the JavaScript code fails to run, the web page is designed to be unusable.&lt;/li&gt;&lt;/ol&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;GAME OVER.&amp;nbsp;&lt;strong style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;Ad-Tech&lt;/strong&gt;&amp;nbsp;Wins.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;The steps above will not necessarily play out exactly in this order as the war escalates. What matters more is how the war always ends. No matter how Robert and I sliced it, Ad-Tech eventually wins. Because the site itself decides what must be present in the DOM for the page to work at all, Ad-Tech’s control over the DOM appears dominant.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;If you look at it closely, the Ad-Tech industry behaves quite similarly to the malware industry. The techniques and delivery are consistent. Ad-Tech wants to deliver and execute code users don’t want and they’ll bypass the user’s security controls to do exactly that! So it really should come as no surprise that malware purveyors heavily utilize online advertising channels (malvertising) to infect millions of users. And if this is the way history plays out, where eventually users and their ad blockers lose, antivirus tools are the only options left – and antivirus is basically a coin flip.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;The only recourse left is not technical… the courts.&lt;/p&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/4907125959017753371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/4907125959017753371' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4907125959017753371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/4907125959017753371'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2015/12/the-ad-blocking-wars-ad-blockers-vs-ad.html' title='The Ad Blocking Wars: Ad Blockers vs. Ad-Tech'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-5012828317613844304</id><published>2015-05-21T06:13:00.000-07:00</published><updated>2024-12-31T06:14:01.396-08:00</updated><title type='text'>WhiteHat Website Security Statistics Report: From Detection to Correction</title><content type='html'>&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class=&quot;entry-content&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.71429; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; 
vertical-align: baseline;&quot;&gt;While web security used to be a reactionary afterthought, it has evolved to become a necessity for organizations that wish to conduct online business safely. Companies have switched from playing defense to playing offense in a game that is still difficult to win. In an effort to change the game, WhiteHat Security has been publishing its Website Security Statistics Report since 2006 in the hope of helping organizations improve web security before they become victim to an attack.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;After several editions, this is by far the most data rich, educational, insightful and useful application security report I have ever read. I may be biased, but I believe this report is unique: something special and different that is an essential read for application security professionals. In creating this report, I have learned more about what works and what doesn’t work than I have learned doing anything else in my many years of working in application security. I am extremely confident that our readers will appreciate what we have created for them.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;In this year’s report, we examine the activities of real-world application security programs along with the most prevalent vulnerabilities based on data collected from more than 30,000 websites under WhiteHat Sentinel management. From there, we can then determine how many vulnerabilities get fixed, the average time it takes to fix them, and how every application security program can measurably improve. 
Our research provides insights into how organizations can better determine which security metric to improve upon.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;We’ve learned that vulnerabilities are plentiful, that they stay open for weeks or months, and that typically only half get fixed. We have become adept at finding vulnerabilities. The next phase is to improve the remediation process. In order to keep up with the increase in vulnerabilities, we need to make the remediation process faster and easier. The amount of time companies are vulnerable to web attacks is much too long – an average of 193 days from the first notification. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;The best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This places application security at the forefront of development and minimizes the need for remediation further down the road. The goal is more&amp;nbsp;&lt;em style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;secure&lt;/em&gt;&amp;nbsp;software, not more&amp;nbsp;&lt;em style=&quot;border: 0px; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;security&lt;/em&gt;&amp;nbsp;software.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;For security to improve, organizations need to set aside the idea of ‘best practices’ and not stop at compliance controls. 
Different parts of the organization must decide which team is accountable for each security outcome within its own job function. Organizations that don’t hold specific teams accountable have an average remediation rate of 24% versus 33% for companies that do. When you empower those who are also accountable, the organization has a higher likelihood of being effective.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;In this year’s edition, the WhiteHat Website Security Statistics Report drives home the point that we now have a very clear understanding of what vulnerabilities are out there. Based on that information, we must create a solid, measurable remediation program to remove those vulnerabilities and increase the safety and security of the web.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;To view the full report, click&amp;nbsp;&lt;a href=&quot;https://web.archive.org/web/20150910212814/https://info.whitehatsec.com/Website-Stats-Report-2015.html&quot; style=&quot;border: 0px; color: #21759b; margin: 0px; outline: none; padding: 0px; vertical-align: baseline;&quot;&gt;here&lt;/a&gt;. I would also invite you to join the conversation on Twitter at #WHStats @whitehatsec.&lt;/p&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/5012828317613844304/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/5012828317613844304' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/5012828317613844304'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/5012828317613844304'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2015/05/whitehat-website-security-statistics.html' title='WhiteHat Website Security Statistics Report: From Detection to Correction'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-1799000881375976950</id><published>2014-12-22T06:14:00.000-08:00</published><updated>2024-12-31T06:15:39.521-08:00</updated><title type='text'>Hack Yourself First: National and Economic Security</title><content type='html'>&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;header class=&quot;entry-header&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;div class=&quot;comments-link&quot; style=&quot;border: 0px; color: #757575; font-size: 
0.928571rem; line-height: 1.84615; margin: 1.71429rem 0px 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;span style=&quot;color: #444444; font-size: 14px;&quot;&gt;It’s safe to say most countries are investing in their cyber-offense capabilities or will be very soon. Even the smallest countries can wreak havoc on the most powerful with very little money. And while you consider the ramifications of this, here’s a quote to help it sink in.&lt;/span&gt;&lt;/div&gt;&lt;/header&gt;&lt;div class=&quot;entry-content&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.71429; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;“National security is no longer about tanks. National security is increasingly about economic well-being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.” -Ian Bremmer&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;How can a corporation — even the largest, let alone small businesses and individuals — possibly defend against armies of well-funded nation-state sponsored hackers? These hackers are professionally trained, with no reason to fear our laws, physically distant from their victims, and operate 24 hours a day, 7 days a week, 365 days a year. Remember, the Internet does not recognize or respect geographic borders. 
The Internet is particularly adept at routing around country-by-country laws and regulations that impede traffic.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens if the majority of people lose confidence in the system – the security of the Internet – and either stop or limit their use of the Internet. I’m worried about the long-term economic damage this causes, the loss of our ability to innovate, the failure to take advantage of the opportunities that the Internet provides.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;New laws against criminal hacking are not going to help. Conventional warfare tactics are not much good either. Governments are largely unable to protect the private sector from international cyber-attack, nor should they be expected to. The perpetrators can be located anywhere, are extremely difficult to identify, prove attribution, and track down, even harder to extradite, and even if identified, located, and extradited, difficult to successfully prosecute. And then, if they are found to be spies, the likelihood of them getting traded for our own spies is high – so they go back to what they were doing. Not to mention foreign governments are highly unlikely to turn over their own cyber-warriors. Every CEO in America must understand — in cyber-security you’re on your own.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;The reality is that a problem as diverse and wide-reaching as cyber-crime cannot be solved by any one thing; but I’ll tell you this — protecting the Internet requires a completely new way of thinking. 
While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Offense can inform defense.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;I call this approach Hack Yourself First, a concept that is critical to our self-defense. Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses (we call them vulnerabilities) and the good guys who find and fix them. I felt so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies doing business online to hack into them and explain how we did so.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;In no time flat we’re able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers’ accounts, or steal data they have on the system — all the things that could have made headlines like those you’ve probably seen recently. And let me make something else perfectly clear. These are systems owned by the largest and most well-known organizations in the world. You know them. You do business with them. Collectively, they constitute billions of end-user accounts. In short, we’re probably already protecting you. Every vulnerability we find and our customers fix is one less hack that happens.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;“Hack Yourself First” is also the reason why we teach other people how to hack, hundreds and thousands of them. 
We teach all sorts of ways to hack into banks, retail websites, social networks, government systems, and more. We teach people how this can be done from anywhere across the Internet.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Many wonder why teaching people how to hack is a good thing. I know hacking is often stereotyped as illegal or nefarious activity — but this is not always the case. Teaching people how to hack — building up our cyber-offense skills — is absolutely essential. Only if we have hacking skills can we focus these skills inward at ourselves BEFORE the bad guys do. The idea of “Hack Yourself First” is critical to national security and to ensuring our long-term economic well-being.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;Remember, security is optional, but so is survival.&lt;/p&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/1799000881375976950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/1799000881375976950' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/1799000881375976950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/1799000881375976950'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2014/12/hack-yourself-first-national-and.html' title='Hack Yourself First: National and Economic Security'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-13756280.post-7615568078815516000</id><published>2014-11-15T06:16:00.000-08:00</published><updated>2024-12-31T06:16:32.012-08:00</updated><title type='text'>5 Characteristics of a ‘Sophisticated’ Attack</title><content type='html'>&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class=&quot;entry-content&quot; style=&quot;background-color: white; border: 0px; color: #444444; font-family: &amp;quot;Open Sans&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 1.71429; margin: 0px; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: 
baseline;&quot;&gt;When news breaks about a cyber-attack, often the affected company will [ab]use the word ‘sophisticated’ to describe the attack. Immediately upon hearing the word ‘sophisticated,’ many in the InfoSec community roll their eyes because the characterization is viewed as nothing more than hyperbole. The skepticism stems from a long history of incidents in which breach details show that the attacker gained entry using painfully common, even routine, and ultimately defensible methods (e.g. SQL Injection, brute-force, phishing, password reuse, old and well-known vulnerabilities, etc).&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;In cases of spin, the PR team of the breached company uses the word ‘sophisticated’ in an attempt to convey that the company did nothing wrong, that there was nothing they could have done to prevent the breach because the attack was not foreseeable or preventable by traditional means, and that they “take security seriously,” — so please don’t sue, stop shopping, or close your accounts.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;One factor that allows this deflection to continue is the lack of a documented consensus across InfoSec of what constitutes a ‘sophisticated’ attack. Clearly, some attacks are actually sophisticated – Stuxnet comes to mind in that regard. Not too long ago I took up the cause and asked my Twitter followers, many tens of thousands largely in the InfoSec community, what they considered to be a ‘sophisticated’ attack. The tweets received were fairly consistent. 
I distilled the thoughts down to a set of attack characteristics and have listed them below.&lt;/p&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;5 Characteristics of a ‘Sophisticated’ Attack:&lt;/p&gt;&lt;ol style=&quot;border: 0px; line-height: 1.71429; list-style-image: initial; list-style-position: outside; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;The adversary knew specifically what application they were going to attack and collected intelligence about their target.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;The adversary used the gathered intelligence to attack specific points in their target, and not just a random system on the network.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;The adversary bypassed multiple layers of strong defense mechanisms, which may include intrusion prevention systems, encryption, multi-factor authentication, anti-virus software, air-gapped networks, and on and on.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;The adversary chained multiple exploits to achieve their full compromise. A zero-day may have been used during the attack, but this alone does not denote sophistication. 
There must be some clever or unique technique that was used.&lt;/li&gt;&lt;li style=&quot;border: 0px; margin: 0px 0px 0px 2.57143rem; padding: 0px; vertical-align: baseline;&quot;&gt;If malware was used in the attack, then it had to be malware that would not have been detectable using up-to-date anti-virus, payload recognition, or other endpoint security software.&lt;/li&gt;&lt;/ol&gt;&lt;p style=&quot;border: 0px; line-height: 1.71429; margin: 0px 0px 1.71429rem; padding: 0px; vertical-align: baseline;&quot;&gt;While improvements can and will be made here, if an attack exhibits most or all of these characteristics, it can be safely considered ‘sophisticated.’ If it does not display these characteristics and your PR team still [ab]uses the word ‘sophisticated,’ then we reserve the right to roll our eyes and call you out.&lt;/p&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;blogger-post-footer&quot;&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;

Hack Yourself First: &lt;a href=&quot;https://www.jeremiahgrossman.com/&quot;&gt;Jeremiah Grossman&lt;/a&gt;

&lt;br /&gt;&lt;hr /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://blog.jeremiahgrossman.com/feeds/7615568078815516000/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/13756280/7615568078815516000' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7615568078815516000'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13756280/posts/default/7615568078815516000'/><link rel='alternate' type='text/html' href='http://blog.jeremiahgrossman.com/2014/11/5-characteristics-of-sophisticated.html' title='5 Characteristics of a ‘Sophisticated’ Attack'/><author><name>Jeremiah Grossman</name><uri>http://www.blogger.com/profile/05017778127841311186</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNGSRmjbWpWb3DBRQhEdwT_fjrrJoMP0as7uCC3ptmMWho2trBZPPEMrhi7QekNz181P9d1QLdb49fPVzJa6K2mXw8cvP_Ga2RkcTMbq_FvesqYlru_ZEhraamxFVasE9Y8G33KPEq-7EXIVjRZIN00T59uAAffq0VBHdyaPU7CGgQas/s220/eAN-tCTs_400x400.jpg'/></author><thr:total>0</thr:total></entry></feed>