LAS VEGAS—The opening keynote for Black Hat USA on Aug. 7 had a strong message, there is a better way to do security than simply fixing one bug at a time.
Jeff Moss, founder of Black Hat said that modern cyber-security technologies tend to favor offense and the time has now come to change the momentum in favor of defense, which is theme that was echoed by Parisa Tabriz, director of engineering at Google.
“We have to stop playing whack-a-mole and we have to be more ambitious, strategic and collaborative in our approach to defense,” Tabriz said.
Tabriz helps to oversee security efforts at Google including managing the Project Zero research team which reports vulnerabilities and works with vendors to help fix flaws. She said that there have been lots of times in her career where she felt like she was working a real world version of the whack-a-mole arcade game where a plastic mole pops up and the player has to hit it with a hammer. Tabriz said that she is annoyed when she sees media reports on software vulnerabilities that the industry has known about but just haven’t had time to address.
“Computer security is increasingly the security of the world and we have to do more to solve problems,” Tabriz said. “It’s up to us.”
Tabriz didn’t just come to Black Hat to tell attendees that things have to improve; she also came with a three-step process for how to improve the state of cyber-security.
The first step advocated by Tabriz is to tackle root causes of security vulnerabilities rather than just fix surface issues. Next, she suggests that organizations need to be more intentional in their cyber-security investments and pick milestones that can be achieved. Finally she suggests that it’s important to build a coalition of champions and supporters to help ensure the success of security efforts.
“We can’t be satisfied with only isolated fixes,” Tabriz said.
To that end she suggests that whenever a bug is found developers should dig deep to understand why the bug occurred. That can lead to an understanding on why a certain type of defect testing is or isn’t being done. Tabriz suggested that by asking deeper questions about why bugs occur, it’s possible to highlight the structural and organizational root causes that have to change.
Shorten bug disclosure deadlines
One of the methods used by Google to improve security has been in tightening up the disclosure period for vulnerabilities. Tabriz said that over the past four years, Google Project Zero has found more than 1,400 vulnerabilities across different targets.
Project Zero has a 90-day disclosure policy that gives software vendors 90 days from the time a bug is privately reported until the time Google publicly discloses the issue. Tabriz said that the deadline-driven approach to disclosure has caused some short term pain for organizations, but it has helped to improve industry responses overall.
“Sticking to deadlines has resulted in vendors rallying and investing in making structural changes both technically and at an organization level—that wasn’t happening previously,” Tabriz said.
According to Tabriz, vendors now routinely have faster responses to Google Project Zero. In one case, she said that a major vendor doubled the number of security updates it releases each year while another large vendor improved their patch response time by as much as 40 percent.
“In total, 98 percent of issues reported by Project Zero are fixed within 90 days,” she said.
Tabriz said that at Black Hat and other security conferences, people talk about new problems and attacks. In her view, she emphasized that it’s now time to think differently and not focus on just solving individual problems.
“We want to tackle root causes and stop playing whack a mole,” she said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.