Last week’s nineteenth annual Black Hat opened with a keynote by technologist Dan Kaminsky, who delivered a dire warning: the Internet, “the greatest driver of economic energy since the industrial revolution,” is broken, and an ‘institutional’ approach, akin to the National Institutes of Health model for medical research, is needed to turn things around.
We heard a similar cry from Amit Yoran when he opened the RSA Conference in February, calling the security industry broken. A common thread across these very different events was the human factor and the need for human intelligence.
Beyond the keynote and the deep technical briefings, several other takeaways stood out. Here are a few of them:
- The nature of Black Hat evolves: Walking the expo floor it was evident that while Black Hat retains its strong grassroots security tech foundation, it has added a more commercial and corporate layer.
- Risk conversations are more prevalent: In the 2016 Black Hat Attendee Survey*, 15 percent of respondents said they have “no doubt” that they will need to respond to a major security breach in the next 12 months, a higher share than in 2015. Compounding this problem, the InfoSec community still faces an alarming shortage of resources: 74 percent of survey respondents said they do not have enough staff to face the threats they anticipate for the coming year. This means more risk to businesses, and the industry is finally starting to evaluate security solutions in terms of risk, asking “Will this solution help me manage the risk to my business?”
- Application Security in the spotlight: More evidence, in the form of live demos of real-time hacks, is leading to a greater understanding of the role that application-level vulnerabilities play in some of today’s most serious threats and breaches. As cloud, mobility and IoT further define and complicate today’s “app-centric” business environment, organizations across all industries are coming around to the need to prioritize application security.
As found in the 2016 Black Hat Attendee Survey*, 20 percent of respondents replied that security vulnerabilities introduced by an internal development team were of great concern. This recognition of AppSec and the importance of DevSecOps was reflected in the Black Hat briefing schedule, as many training sessions and presentations were dedicated to application security topics and trends.
- Partner integrations are a top priority: Security has never been a one-size-fits-all solution. Faced with organization-specific challenges, security professionals are looking for solutions that solve their particular problems and deliver a reliable outcome. In response, we’ve noticed that organizations have matured in how they understand and value cross-vendor product integrations that meet their complex and unique needs. For our team, this played out at Black Hat (and continues long after the show) through our partnership with F5 and the integration of F5’s BIG-IP ASM Web Application Firewall with our WhiteHat Sentinel application security platform, which aims to protect customers from software vulnerabilities and prevent breaches. During Black Hat, we had the opportunity to present the findings from our 2016 Web Applications Security Statistics Report in the F5 booth, fielding excellent questions from the audience and further validating the need for a combined application security and WAF solution that not only finds vulnerabilities, but mitigates them as they are discovered.
As Black Hat continues to grow in prominence, we look forward to seeing security expand from the security researcher’s agenda to the top of the agenda for developers and the C-suite too. If you attended Black Hat this year, we’d be interested in hearing some of your top takeaways.
* “The Rising Tide of Cybersecurity Concern.” Survey. Black Hat. UBM, July 2016. Accessed online.