Rational Survivability

This third instance of Take 5 interviews Jeremiah Grossman, Founder & CTO of Whitehat Security.

First a little background on the victim:

Jeremiah Grossman is the founder and CTO of WhiteHat Security,
considered a world-renowned expert in Web security, co-founder of the
Web Application Security Consortium, and recently named to
InfoWorld’s Top 25 CTOs for 2007.  Mr. Grossman is a frequent speaker
at industry events including the BlackHat Briefings, ISACA, CSI,
OWASP, Vanguard, ISSA, OWASP, Defcon, etc.  He has authored of dozens
of articles and white papers, credited with the discovery of many
cutting-edge attack and defensive techniques, and co-author of XSS
Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC  Magazine, SecurityFocus, C-Net, SC Magazine, CSO, and InformationWeek.  Prior to WhiteHat he was an information security officer at Yahoo!

Here is Jeremiah’s blog and a new book on XSS that he co-authored.

Questions:

1) You’re probably best known for your work on JavaScript attacks,
XSS, and CSRF.  This stuff is such a mess and represents an
insidious vector for attack.  Do you think we’re ever going to be
able to get this genie back in the bottle or are we totally screwed?

Fortunately the Web the will hum along and adapt no matter how bad
the "hacker attacks" get. We know XSS and CSRF vulnerabilities are
everywhere, but the bigger problem is we don’t know exactly where
they ALL are. This is what makes the problem really hard to solve.
Short of an entire rewrite of THE WEB, we’re going to be stuck with
XSS, CSRF, and two dozen other issues for many years to come. Though
as websites are revamped with new development frameworks for business
reasons we’ll see security improve naturally.

2) Your days of securing hundreds of websites at Yahoo set the
stage for what you do today.

Yah, I left the behemoth portal and now I find myself responsible for
helping to secure more websites than ever!  🙂

What elements of today’s emerging security problems that you are
working on do you think will become another area of focus for you
in the long term.

At WhiteHat we’re delivering website vulnerability assessment (VA) on
an unprecedented scale. This is important because companies need to
constantly monitor the security of ALL their websites ALL the time.
Prior to WhiteHat the best a company could do were annual audits only
affordable on a select few websites. As websites change this process
clearly doesn’t work and the number of incidents and vulnerability
prevalence are prime indicators. We need to be able to assess
hundreds, thousands, tens of thousands of the worlds largest and most
important websites no matter how big or how often they change. This
insight will provide intelligence we need to start solving the problem.

The second phase is figuring how to “fix” the problem and prevent new
vulnerabilities from cropping up in the first place. Security inside
the SDLC has been talked about a lot and will improve software
security in the long run. In the mean time, there are a ton of
websites and even more vulnerabilities where relief is required
between now and then. Web application firewalls are a likely option.
What I’d like to see is tight integration between VA solutions and
WAF devices. Since VA knows the specific type and location of
vulnerabilities in a website technically they could communicate a
highly accurate rule or “virtual patch” to a WAF and block any
incoming attacks. This would provide security professionals more
control over the security of a websites and developers time to
address the problem.

3) What do you make of Google’s foray into security?  We’ve seen
them crawl sites and index malware.  They’ve launched a security
blog.  They acquired GreenBorder.  Do you see them as an emerging
force to be reckoned with in the security space?

I doubt Google has plans to make this a direct revenue generating
exercise. They are a platform for advertising, not a security
company. The plan is probably to use the malware/solution research
for building in better security in Google Toolbar for their users.
That would seem to make the most sense. Google could monitor a user’s
surfing habits and protect them from their search results at the same
time.

4) You recently participated in the CSI working group’s on Web
Security Research Law in which you and other experts toiled over
the legal and ethical elements of web security vulnerability and
disclosure. Given the report’s outcome of more questions than
answers, where do you stand personally on the issue of disclosure?

My personal actions probably won’t change much. I’ve been in the non-
disclosure camp for a while, unless I had a personal relationship
with the company. What has changed is my understanding on the
legalities of website vulnerability discovery. Apparently there is NO
clear-cut guidance as to what security researchers (in the US) are
legally allowed to do or not do. Once the website owner complains to
law enforcement it could quickly become a nightmare for the
researcher no matter how pure their intentions. So the unfortunate
consequence of all this will be the “good guys” will tend to stop
looking, and more importantly stop disclosing, while the bad guys get
the run of the place no matter what anyway. The net effect is bad for
website security and the consumer. Welcome to Web 2.0.

5) So you practice Jiu Jitsu in competition, you play Aussie Rules
Football (in *real* countries like NZ, we play Rugby…) and you
make the Internet safe for women and children.  Death wish,
misplaced angst or ADD?

And you say I have a death wish! I dare you to say those words on the
pitch in front of the Aussies. 🙂  Anyway, I’ve NEVER been accused of
having ADD, if anything too focused. I tend to enjoy extreme sports
and keep myself very busy, part of my personality. Unsolvable
problems are the other thing that are attractive to me. Glutton for
punishment. 🙂