Blog

Hacker in Residence, on Black Hat USA 2023

August 24, 2023 | 3 MIN READ

by Cequence Security Team

Black Hat USA 2023 Recap

Attending many of the HackerSummerCamp activities involves attending a bunch of small meetups and social gatherings. Much of my peer group have become leadership within the organizations where they work and often, we discuss hard problems to solve. Some of my most memorable this year involved ChatGPT, Building Security Champions and discussing why some organizations have really started moving the needle in their security programs.

Security Champions, developers that have dedicated their time/resources/life to becoming not only “secure coding” experts but also foster a desire to teach others, were discussed. The best ways to build champions, how to bring on new disciplines, and lots of discussion around grass roots ways to help create secure code. A few of the folks that are building these types of programs were looking for where to start. We all seemed to agree that a great place is OWASP but also by simply looking for good testing solutions for applications that they can use and interface with. Building Security Champions takes having a desire to learn and teach others; there are a few that fit the criteria in every dev team and finding them has become the next step.

Many organizations are against ChatGPT. The fear is that putting corporate IP into a tool like this is really an uncontrolled release of IP into the public internet, which is valid, but many organizations use open-source components in the software they write. ChatGPT could be used to fix areas of that code and the organizations that are making money off the code could improve it for everyone else by sending those fixes back to those various projects.

Solution-based products were on many people’s minds this year. I think we are getting to the point where some real questions need to be asked about every security product out there. Do you solve my problem once you find it? I think for many years now, we have focused on finding if the system has a vulnerability, then we spent a bunch of years figuring out how to prioritize the billion findings in the systems, and we now need the next step. Addressing the issue needs to be the priority. If the code has a flaw, just simply give me the code that fixes the flaw. If the system needs patched, apply the patch and virtual patch until the reboot that is needed. Remove the need to fret the reboot. Similarly, application security seems to have reached this point. We all said, “shift left” and “embed security,” but we didn’t create ways to test to see if this worked. As we pondered what the struggles really are we landed on “we just aren’t focused on solutions.” We focus on problems and finding problems but that isn’t getting us to the next level; we must solve the problems we find.

Working for a company that is focused on the solution means I could see this trend emerging during our discussions as colleagues, solutions providers, and practitioners. What if we could change “Found a billion unpatched systems, thousands of lines of bad code, piles of open doors”, to “Patched a billion systems, thousands of lines of secure code implemented, closed piles of open doors?” Many of the vendors out there aren’t solution-based products, and the challenge when you solve problems is providing enough insight into how many problems you are solving.

Cequence Security Team

Author

Cequence Security Team

Related Articles