Blue Hat 5.0

Adam Shostack here.

Last week, we held the 5th Blue Hat conference, focused on the “Paradox of Innovation.”   BlueHat is a conference where Microsoft brings applied security researchers to campus to speak to executives and engineers.   I have both personal and professional perspectives on BlueHat.  On a personal level, I spoke on a panel at BlueHat 2 after filming a “Security 360” webcast with Microsoft’s Mike Nash. Conversations there and at BlueHat 3 were an important part of my decision to join Microsoft after a decade building security startups.

It’s fascinating to watch the interactions that happen between the speakers and the Microsofties, and consider how I see those conversations then and now.  What I didn’t see then was how the conversations tie into larger, longer term initiatives.  One of the recurring themes from speakers is “why we hack things.”  A few BlueHats ago, H.D. Moore talked about why he created Metasploit, and this time around bunnie and Felix talked about why they hack hardware (“Your Tamper-Resistant Hardware Makes a Great Sport for Hackers.”)  That’s an important message to hear from people who are investing effort in understanding hardware security.  There are a lot of people who do research for fun, and a lot who research because they want to secure their systems.  Developers also enjoy their work.  Getting security bug reports can feel like a kick in the pants, especially the way some of those reports are commented.  Hearing from the people doing research helps Microsofties understand that the researchers enjoy what they do, and the goal is usually the research and getting a problem fixed, not the kicking.”

In the MSRC blog, (“BlueHat V5 Opens!”) Andrew Cushman did a great job of explaining the goals:

          Expose senior product leaders and front line engineers to the threats and attack tools and methodologies used in the real world. Take the security threat from the theoretical/intellectual level of, ”I understand what a buffer overflow is”, to “OMG that’s what it’s like.”  BlueHat connects with employees at a visceral in order and *really* brings the message home…

          Expose security researchers (and the security community) to Microsoft engineers and business leaders… BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization. They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.

Meanwhile, Christopher Budd said

From my point of view, this is something that makes BlueHat unique among security conferences: I don’t know of any other venue where security researchers talk to an audience that’s mainly comprised of people who consider themselves first and foremost engineering professionals rather than an audience of security professionals.

This is a really important point.  There’s a vibrant and engaged community of security researchers, and those who spoke got a chance to influence upwards of 1,200 engineers who otherwise might never hear those particular security messages.  Some of the messages I was especially happy to hear were the talks [6] from RSnake and Rob Thomas.  RSnake talked about “Death by 1,000 cuts” and Rob talked about the underground economy.  Sometimes it’s easy to focus on the pain of having to install critical updates, and miss the larger pictures of how attackers put things together to cause “death by 1,000 cuts” and the economic motivations that cause them to do so.  The SDL is focused on developing more secure products, and that includes how to make things secure by default, by design and in deployment.  We want to help our engineers and execs remember the larger security picture.  Giving them specifics of how the issues can complement each other helps catalyze that understanding.

The security research community gets to influence more change by engaging with engineers.  The SDL involves changing the way people think about developing software, and even if BlueHat isn’t a formal stage of the SDL, it’s an important complement, and it’s reflective of the way our culture is changing.

(I was also really pleased to see Katie Moussouris, Richard Johnson and Mark Novak presenting at Toorcon.  This sort of engagement with the researcher community benefits everyone but the underground.)


Join the conversation

  1. alikl

    Adam, you forgot "C" in SD3 <<C goes here>> 🙂 when mentioned "The SDL is focused on developing more secure products, and that includes how to make things secure by >d<efault, by >d<esign and in >d<eployment".

    This blog and many others (Michael Howard’s, David LeBlanc’s, J.D. Meier’s, ACE Team’s) is great effort for "C" which stands for "communication" – it is not only telling people there is another patch we, MS, issued – go ahead and install it. "C" is about proactive information we, MS, share with our customers, partners, researchers ,ourselves.

    Great stuff – keep up with this great effort. Looking forward for more insightful great content.


Comments are closed.