Justice League Blog

Building Versus Breaking: A White Hat goes to Blackhat

Is Blackhat worth attending? Kinda.

My philosophy of software security and security in general has plenty of room for the art of the exploit. The icon that I have adopted to “brand” my work, the yin/yang with cowboy hats includes a black hat for a reason! Here’s what I said about the icon in the Preface of Software Security:

Fundamental material is covered under this icon (which also adorns the cover of the book). The Yin/Yang is the classic Eastern symbol describing the inextricable mixing of standard Western Polemics (black/white, good/evil, Heaven/Hell, create/destroy, et cetera). Eastern philosophies are described as holistic because they teach that reality combines polemics in such a way that one pole cannot be sundered from the other. In the case of software security, two distinct threads—black hat activities and white hat activities (offense/defense, construction/destruction)—intertwine to make up software security. A holistic approach, combining yin and yang (mixing black hat and white hat approaches) is what is required.

The White Hat + Black Hat approach informs three of my books and the entire Addison-Wesley Software Security Series:

Building Secure Software (BSS), the white hat book, seems to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and anti-virus mechanisms came to understand and embrace the necessity of better software. BSS provides a coherent and sensible philosophical foundation for the blossoming field of software security.

Exploiting Software (ES), the black hat book, provides a much needed balance, teaching about how to break software and how malicious hackers write exploits. ES is meant as a reality check for software security, ensuring that the good guys address real attacks and invent and peddle solutions that actually work. The two books are in some sense mirror images.

Software Security unifies the two sides of software security—attack and defense, exploiting and designing, breaking and building—into a coherent whole. Like the yin and the yang, software security requires a careful balance.

It may come as a surprise to you that I had never attended the famed Blackhat conference until this year. There are a couple of reasons for this, not the least of which is that my two-time co-author Greg Hoglund has “covered” Blackhat most admirably for a decade. More generally, I guess my bias is definitely toward building systems properly and security engineering rather than toward penetration testing and throwing rocks at existing systems.

Blackhat and its sister con Defcon have always had reputations as “hackerboy” conferences populated by l33t “researchers” bent on breaking systems in spectacular fashion. I suppose Blackhat has over the years evolved into something more commercial, with a major shift in emphasis coming when it was purchased by UBM. Many of my associates in security have said that Blackhat attendance has shifted toward the corporate end of the spectrum and that it was looking more like the RSA Conference attendance-wise. As a consultant to large corporations taking software security seriously, this perceived shift is not to be ignored. That’s why I went to see for myself what’s up with Blackhat.

(I suppose I should throw in a quick aside here to point out that in my view being sentenced to spend time in Las Vegas is second only to the pain of spending time in Orlando. Just not my bag and a definite personal bias.)

Bottom line? Blackhat appears to be populated by plenty of security vendors mostly presenting to each other. I found a handful of Cigital customers at the show, but far more security practitioners who work for vendors than any other category of attendee. That probably makes Blackhat a reasonable show to attend if you’re interested in hiring pen testers and understanding something about the latest flavors of attacks. There were certainly some very superb people presenting at the show (Litchfield, Laurie, and Russinovich pop immediately to mind), but Blackhat seems to be more about after hours parties than security content—especially when it comes to engineering. That leaves me feeling conflicted about its value.

At this point in the life of software security as a field, I think we need to spend less time thinking about breaking systems and finding vulnerabilities than about fixing systems and mitigating vulnerabilities. (Not none, mind you, just less.) There were a couple of presentations and panels on the agenda that touched on software security basics, but the vast majority of the content is about (gleefully) breaking things. Incidentally, that’s why it was interesting to me that Microsoft announced its new security engineering Bluehat prize at the show. Seems like they might get better traction with that at Usenix Security, ISOC NDSS, or even RSA?!

There is certainly networking to be done at Blackhat, but nowhere near at the same scale or caliber as the networking at RSA (the security tradeshow that absolutely everybody attends). If you’re not up for late nights, loud dance music, bad well drinks, and club-based Vegas mayhem, Blackhat may not be your scene. Maybe I’m just getting old.

This entry was posted in Software Security.