By Pieter van Noordennen, VP of Growth, SlimAI
Black Hat is an annual six-day cybersecurity event full of specialized cybersecurity training, with a two-day conference as the central affair. This year's event, held August 5-10, featured more than 100 briefings, dozens of open-source demos, and more Las Vegas networking opportunities than you can imagine.
This was the 26th occurrence of the event, and it seemed to be bigger than ever. Our team has attended several conferences this year, but judging from the lines at the Mandalay Bay Starbucks each morning, this was a massive event. There was a full lineup of content spanning every category a security professional can dream of, from AI, Crypto, Defense, Hardware, and Privacy & Policy to Software Supply Chain Security.
Keynotes included a presentation on U.S. national cybersecurity strategy by Kemba Walden, Acting National Cyber Director; an address on AI's evolving role in cybersecurity by Maria Markstedter, founder of Azeria Labs; and a discussion about building a more resilient cybersecurity posture in Ukraine featuring the country's security leaders who experienced the crisis firsthand.
Following are other highlights of the event from the perspective of our team.
## AI was everywhere

Like other cybersecurity events this year, talk about AI was everywhere. Mobb.dev was the winner of the Innovation Spotlight Competition, which recognizes the most promising cybersecurity startup at the event. Mobb uses predictive algorithms and, yes, AI, to find and fix security issues in source code. I caught up with Mobb's exuberant CEO Eitan Worcel, who noted how times have changed from even just a year ago, when awareness of the power of AI to help cybersecurity was minimal.
Additionally, the AI Cyber Challenge (AIxCC) was announced as a call to top computer scientists, AI experts, and software developers to participate in the two-year competition aimed at driving innovation and creating a new generation of cybersecurity tools. The competition is bringing together leading AI companies (such as Anthropic, Google, Microsoft, and OpenAI) that will work with DARPA (Defense Advanced Research Projects Agency) to make their cutting-edge technology and expertise available to challenge competitors.
The challenge's advisor will be the Open Source Security Foundation (OpenSSF), a project of the Linux Foundation, serving as a guide to teams in creating AI systems capable of addressing vital cybersecurity issues. The competition features both a funded and an open track. The semifinal and final competitions will return to Las Vegas to finish at DEF CON in 2024 and 2025 respectively.
## Software Supply Chain Security continues to be defined

While specific exploits (Log4J, CodeCov, even SolarWinds) were still being talked about as individual examples, supply chain threats in aggregate are taking more mindshare among the CTOs and CISOs we talked to at our booth. There was a lot of discussion about recent government publications (such as CISA's Known Exploited Vulnerabilities Catalog) and policies (including Executive Orders and NIST guidance).
The term "software supply chain security" was broadly applied to a number of cybersecurity tasks. From SCA to SAST/DAST to CNAPP to Dependency Management, Vulnerability Remediation, and Zero Trust, the term is still being defined by the industry. As one friend said over dinner: "Supply Chain is like AI; it can mean anything these days." However, unlike past shows, this year we met many practitioners who are tasked with SSCS responsibilities, and they are actively looking for faster, automated solutions to these SSCS tasks.
Trevor Rosen and Zach Steindler from GitHub had a noteworthy talk on supply chain attacks, and on raising awareness among OSS maintainers about gaining visibility into the components used in their software by making signing easier. A leading example was the GitHub-sponsored npm, which is the standard package system for JavaScript, and the world's largest language ecosystem by lines of code. Serving over 70 billion requests per month and accepting around 40k publish events on an average day, npm is popular enough that it has seen more than its fair share of malware attacks and supply chain trojans in the recent past.
Mitigating these attacks requires a shift away from the implicit tradition of unwary trust in components and toward a world where we can prove that every ingredient going into our software masterpieces deserves to be there. Rosen and Steindler discussed the importance of provenance (i.e., the provable history of a software artifact) and how the project had leveraged Sigstore to improve trust for its packages.
## Vulnerability Management is becoming a common concern

Many, if not most, SSCS solutions include some form of vulnerability scanning, and organizations typically will use multiple scanners to identify vulnerabilities. What we heard at Black Hat is that organizations are struggling with what to do with the findings of these scanners. The conversations around Vulnerability Management, especially questions like "What do we do with the results?" and "How do we prioritize and triage the found vulnerabilities?", are definitely heating up.
While vulnerability scanners can spit out a lot of vulnerabilities (285 for the average container, according to our 2022 Container Report), front-line DevSecOps teams need to know how to prioritize those threats, which are often found in upstream open-source packages that the team has little knowledge of. That's why we're hearing vulnerability managers talking about "Reachability" or "Exploitability" as critical context for prioritization, that is, the need to understand whether the vulnerable code runs and can be accessed by attackers in the way the vulnerability describes.
Those tasked with remediating vulnerabilities need help prioritizing the vulnerabilities based on the accessibility of the components and dependencies within their software. This gives the team knowledge of how easily external parties can exploit their software in order to access data and systems.
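As an added example (not code from Slim.AI, Black Hat, or any of the talks mentioned here) of what reachability-aware triage can look like: the snippet below walks the import graph of a constructed mini application, so a finding only counts as reachable if the vulnerable package is actually imported, directly or transitively, from the entry point, and ranks reachable findings that also appear on a known-exploited list ahead of everything else. The findings, the CVE-style ids and the known-exploited set are all constructed placeholders, the last standing in for a list like CISA's KEV catalog. Import-level reachability is an approximation (a package can be imported without the vulnerable function ever being called), which is exactly the gap the phrase "in the way the vulnerability describes" points at.

```python
import ast
from collections import deque

# Constructed mini application: module name -> source. "app" is the entry point;
# "oldparser" is present in the image but never imported from "app".
APP_SOURCES = {
    "app": "import web\nimport reports\n",
    "web": "import yaml\nfrom crypto_lib import sign\n",
    "reports": "import csv\n",
    "crypto_lib": "import os\n",
    "oldparser": "import yaml\n",
    "yaml": "", "csv": "", "os": "",
}

# Constructed scanner findings with placeholder ids (not real CVEs).
FINDINGS = [
    {"package": "yaml", "id": "CVE-XXXX-0001", "cvss": 9.8},
    {"package": "oldparser", "id": "CVE-XXXX-0002", "cvss": 9.1},
    {"package": "crypto_lib", "id": "CVE-XXXX-0003", "cvss": 7.5},
    {"package": "csv", "id": "CVE-XXXX-0004", "cvss": 5.3},
]
# Constructed stand-in for a known-exploited list such as CISA's KEV catalog.
KNOWN_EXPLOITED = {"CVE-XXXX-0003"}

def imported_modules(source):
    """Top-level module names imported by one Python source file."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names

def reachable_modules(sources, entry):
    """Modules reachable from the entry point by following import edges (BFS)."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for dep in imported_modules(sources.get(queue.popleft(), "")):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def triage(findings, sources, entry, known_exploited):
    """Reachable + known-exploited first, then reachable, then the rest; CVSS breaks ties."""
    reach = reachable_modules(sources, entry)
    def rank(f):
        reachable, exploited = f["package"] in reach, f["id"] in known_exploited
        return (not (reachable and exploited), not reachable, -f["cvss"])
    return sorted(findings, key=rank)
```

Run `triage(FINDINGS, APP_SOURCES, "app", KNOWN_EXPLOITED)` and the highest-CVSS finding in the unreachable `oldparser` package drops to the bottom of the list, while the lower-scored but reachable and known-exploited `crypto_lib` finding rises to the top.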
## The Black Hats deemed some vulnerabilities "hot," some "not"

One of the most intriguing (dare I say "fun"?) aspects of a Black Hat conference is hearing bona fide Black Hats discuss worrisome vulnerabilities. In fact, the conference is famous for being the stage where unknown vulnerabilities are revealed to the world in shocking fashion.
This year, the Downfall vulnerability impacting Intel Core processors received a lot of attention. The general sentiment was that the risk is similar to the other recently discovered Intel chip vulnerabilities, Meltdown and Spectre. Exploiting the vulnerability requires admin-level access to the system, meaning the attacker can already access sensitive data. This exploit is quite severe, and in a cloud computing environment, it means a malicious customer could steal data and credentials from other customers who share the same cloud computer by exploiting the Downfall vulnerability.
One of the most eye-raising presentations came from Johannes Willbold, a PhD student researching satellite and space security at Ruhr University in Germany. He spoke about the ease of satellite hacking in his presentation, "Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites." Willbold coyly admitted later that "Maybe it wasn't a good idea to give this talk."
## Already looking forward to 2024

Once again, Black Hat did not disappoint. The 2023 conference offered informative sessions, invaluable conversations, exposure to cutting-edge software tools and innovative companies, and the opportunity to hear the needs and concerns of cybersecurity professionals first-hand.
The team at Slim left Las Vegas with validation of our mission and roadmap, insightful feedback on our product demo presented with our friends at Sysdig, and the challenge to drive our much-needed solution to GA as quickly as possible. That's a great outcome, and we're already looking forward to Black Hat 2024.
## ABOUT THE AUTHOR

Pieter van Noordennen is Vice President of Growth at Slim.AI, a startup focused on creating better developer experiences for cloud-native application development. Prior to joining Slim.AI, he led product and platform teams at Tripadvisor, building and shipping innovative, machine-learning-driven applications in high-availability, microservices-driven environments.