
An idea to help secure U.S. cybersecurity…

… and looking for the right person to show us how to do so.

A few years back I was watching a presentation given by General Keith B. Alexander, who was at the time Commander, U.S. Cyber Command and previously Director of the National Security Agency (NSA). Gen. Alexander’s remarks focused on the cybersecurity climate from his perspective and its impact on U.S. national and economic security. One comment he made caught my attention: the Department of Defense has 15,000 networks to protect. As an application security person I can only imagine how many websites, a favorite target among hackers, those networks host. I’d bet that, by percentage, very few of DoD’s websites get professionally assessed for vulnerabilities. Anyway, from this it became clear the General understands big-picture cybersecurity problems in terms of scale.

At about 1:05:00 into the video the General opened the floor to questions, and the most interesting one came from a veteran. He said there are a lot of veterans who would like to help with the country’s cybersecurity efforts, and asked if there were any programs available enabling them to do so. The General answered that he didn’t know for sure, but he didn’t think so. I did some research, and according to a Bureau of Labor Statistics report from September 2015 there are roughly 449,000 unemployed veterans. This was fascinating to me: as I see it, this is a ready-and-willing labor force, at least a small percentage of which could apply their skills to cybersecurity.

This got me thinking and an idea hit me, but before sharing it, I need to explain a bit how WhiteHat works internally for it to make sense.

WhiteHat assesses websites for vulnerabilities. If customers fix those issues, they are far less likely to get hacked. Simple. What makes WhiteHat different is that we’re able to perform these assessments at scale. And I’m not talking about just basic scanning, but true quality assessments with business logic tests carried out by real experts, a strict requirement. The challenge is that AppSec skills are extremely scarce and sought after. Ask any hiring manager. Recognizing the severe skill shortage more than a decade ago, WhiteHat created its Threat Research Center (TRC), our Web hacker army. TRC is specifically equipped, complete with a training program and an unparalleled playground of permission-to-hack websites, to hire eager entry-level talent and turn them into experienced professionals quickly. The age and background of applicants don’t matter. Today, WhiteHat has proven itself to be the best, and only, place for newcomers to get into the industry.

President Obama addressed the nation’s military on September 11, 2015 and mentioned the increasingly challenging state of cyber warfare: “What we’ve seen by both state and non-state actors is the increasing sophistication of hacking, the ability to penetrate systems that we previously thought would be secure. And it is moving fast.” The same website vulnerability issues that we’ve addressed in the private sector are felt in the defense realm.

This is where the idea comes in…

Let’s say the DoD launched a cybersecurity program to assess all of its websites for vulnerabilities. The result would be fewer breaches, and the remaining ones would be much harder to carry out. To do this the DoD would obviously need scalable vulnerability scanning technology, but more importantly, the necessary AppSec manpower. This is where WhiteHat would come in, as we have all the pieces. Financial issues aside, WhiteHat would be able to conduct all these assessments continuously, and could do so using veteran labor exclusively. We have the technology, the hiring process, and the training program, pretty close to everything the program would require. All we need is a DoD program to partner with.

If such a plan and program existed, everyone would win.

  • The DoD would be able to increase its cybersecurity defenses at scale and better protect the nation.
  • A large number of U.S. military veterans could be put to work toward a common cause, protecting the country’s cybersecurity, while acquiring the InfoSec skills in highest demand, something the President said he wanted to do.
  • WhiteHat continues to grow its Web hacker army. Indeed, we already employ several veterans in the TRC, and they are among our best and brightest.

Of course there are details that need to be addressed. The DoD’s website vulnerability data would have to be safeguarded, and the security of WhiteHat’s infrastructure would have to be closely audited (but considering who we already count as customers, I’m confident we’d be able to satisfy any reasonable standard). Alternatively, the platform could be installed on one of the DoD’s own networks, which is fine too. And then there are the people doing the work: veterans whose backgrounds are already vetted and who are more trusted than the average “Johnny pen-tester.”

So, the question is … now what?

Over the past three years I’ve discussed this idea with dozens of people, both inside and outside the government, and while everyone agrees it’s a good idea, getting traction has been difficult, to say the least. Some cybersecurity training programs exist for veterans, but they tend to be small, dormant, or not something that really protects U.S. cybersecurity.

Referring to emerging cyberthreats in a lecture at Stanford in June 2015, Secretary of Defense Ashton Carter said, “We find the alignment in open partnership, by working together. Indeed, history shows that we’ve succeeded in finding solutions to these kinds of tough questions when our commercial, civil, and government sectors work together as partners.” It would seem that even the highest levels of leadership in the DoD agree that this is the only path forward that makes sense for securing the nation’s digital assets.

At this point, the best path forward is to simply put the idea out there for open discussion, and hopefully the “right person” will see it: someone in the government who can help us carry it forward, and who will contact us. If you are such a person, or know who is, whether within the VA, the DoD, or another part of government, we welcome the opportunity to talk. And hey, if you think the idea is crazy, stupid, or not viable for some reason, I am also interested in hearing why you think so (twitter: @jeremiahg).

Tags: application security, whitehat security