Reaching Zero Effective Vulnerabilities: Insights from Black Hat 2023

By Pieter van Noordennen, VP of Growth, SlimAI

Black Hat is an annual six-day event built around specialized cybersecurity training, with a two-day conference as the central affair. This year's event, held August 5-10, featured more than 100 briefings, dozens of open-source demos, and more Las Vegas networking opportunities than you can imagine.

This was the 26th edition of the event, and it seemed to be bigger than ever. Our team has attended several conferences this year, but judging from the lines at the Mandalay Bay Starbucks each morning, this was a massive one. There was a full lineup of content spanning every category a security professional could dream of, ranging from AI, Crypto, Defense, Hardware, and Privacy & Policy to Software Supply Chain Security.

Keynotes included a presentation on U.S. national cybersecurity strategy by Kemba Walden, Acting National Cyber Director; an address on AI's evolving role in cybersecurity by Maria Markstedter, founder of Azeria Labs; and a discussion about building a more resilient cybersecurity posture in Ukraine featuring the country's security leaders who experienced the crisis firsthand. 

Following are other highlights of the event from the perspective of our team.

AI was everywhere

Like other cybersecurity events this year, talk about AI was everywhere. Mobb.dev was the winner of the Innovation Spotlight Competition, which recognizes the most promising cybersecurity startup at the event. Mobb uses predictive algorithms and, yes, AI, to find and fix security issues in source code. I caught up with Mobb's exuberant CEO Eitan Worcel, who noted how times have changed from even just a year ago, when awareness of the power of AI to help cybersecurity was minimal. 

Additionally, the AI Cyber Challenge (AIxCC) was announced as a call to top computer scientists, AI experts, and software developers to participate in a two-year competition aimed at driving innovation and creating a new generation of cybersecurity tools. The competition brings together leading AI companies (such as Anthropic, Google, Microsoft, and OpenAI) that will work with DARPA (Defense Advanced Research Projects Agency) to make their cutting-edge technology and expertise available to challenge competitors.

The challenge's advisor will be the Open Source Security Foundation (OpenSSF), a project of the Linux Foundation, serving as a guide to teams in creating AI systems capable of addressing vital cybersecurity issues. The competition features both a funded and an open track. The semifinal and final competitions will return to Las Vegas to finish at DEFCON in 2024 and 2025 respectively. 

Software Supply Chain Security continues to be defined 

While specific exploits (Log4J, CodeCov, even SolarWinds) were still being talked about as individual examples, supply chain threats in aggregate are taking more mindshare among the CTOs and CISOs we talked to at our booth. There was a lot of discussion about recent government publications (such as CISA's Known Exploited Vulnerabilities Catalog) and policies (including Executive Orders and NIST guidance).

The term "software supply chain security" was broadly applied to a number of cybersecurity tasks. From SCA to SAST/DAST to CNAPP to Dependency Management, Vulnerability Remediation, and Zero Trust, the term is still being defined by the industry. As one friend said over dinner: "Supply Chain is like AI; it can mean anything these days." However, unlike past shows, this year we met many practitioners who are tasked with SSCS responsibilities, and they are actively looking for faster, automated solutions to these SSCS tasks.  

Trevor Rosen and Zach Steindler from GitHub had a noteworthy talk on supply chain attacks and on raising awareness among OSS maintainers of how to give users visibility into the components used in their software by making signing easier. A leading example was the GitHub-sponsored npm, which is the standard package system for JavaScript and the world's largest language ecosystem by lines of code. Serving over 70 billion requests per month and accepting around 40k publish events on an average day, npm is popular enough that it has seen more than its fair share of malware attacks and supply chain trojans in the recent past.

Mitigating these attacks requires a shift away from the implicit tradition of unwary trust in components and toward a world where we can prove that every ingredient going into our software masterpieces deserves to be there. Rosen and Steindler discussed the importance of provenance (i.e., the provable history of a software artifact) and how the project had leveraged Sigstore to improve trust for its packages.   

Vulnerability Management is becoming a common concern

Many, if not most, SSCS solutions include some form of vulnerability scanning, and organizations typically use multiple scanners to identify vulnerabilities. What we heard at Black Hat is that organizations are struggling with what to do with the findings of these scanners. The conversations around Vulnerability Management - especially questions like "What do we do with the results?" and "How do we prioritize and triage the found vulnerabilities?" - are definitely heating up.

While vulnerability scanners can spit out a lot of vulnerabilities (285 for the average container, according to our 2022 Container Report), front-line DevSecOps teams need to know how to prioritize those threats, which are often found in upstream open-source packages that the team has little knowledge of. That's why we're hearing vulnerability managers talking about "Reachability" or "Exploitability" as critical context for prioritization - that is, the need to understand if vulnerable code runs and can be accessed by attackers in the way the vulnerability describes. 

Those tasked with remediating vulnerabilities need help prioritizing the vulnerabilities based on the accessibility of the components and dependencies within their software. This provides the team with the knowledge of how easily external parties can exploit their software in order to access data and systems.
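As an added illustration of the reachability-based prioritization described above (this is example code written for this article's topic, not Slim.AI's or any scanner vendor's implementation), the block below takes a set of constructed scanner findings and a constructed application call graph, walks the graph from the application's entrypoints, and ranks findings so that those whose vulnerable function is actually reachable come first. All identifiers (the `EX-000n` finding IDs, package and function names, the KEV flags) are made up for the example; the ordering key (reachable, then listed in CISA's Known Exploited Vulnerabilities catalog, then CVSS score) is one reasonable policy, not a standard.

```python
"""Prioritize vulnerability-scanner findings by reachability (example code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    package: str            # package the scanner flagged
    cvss: float             # CVSS base score reported by the scanner
    vulnerable_symbol: str  # function the advisory names as affected
    in_kev: bool            # listed in the CISA KEV catalog (constructed)


# Constructed static call graph of the application: caller -> callees.
# Functions that are shipped in the container image but never called from
# an entrypoint (e.g. libc.yaml_load_unsafe) do not appear as callees.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "util.parse_config"],
    "app.handle_request": ["liba.render_template", "libb.sanitize"],
    "liba.render_template": ["liba.eval_expr"],
    "util.parse_config": ["libc.yaml_load_safe"],
}
ENTRYPOINTS = ["app.main"]

# Constructed scanner output: four findings, two of which are unreachable.
FINDINGS = [
    Finding("EX-0001", "libc", 9.8, "libc.yaml_load_unsafe", in_kev=True),
    Finding("EX-0002", "liba", 7.5, "liba.eval_expr", in_kev=False),
    Finding("EX-0003", "libb", 5.3, "libb.sanitize", in_kev=False),
    Finding("EX-0004", "libd", 9.1, "libd.decompress", in_kev=False),
]


def reachable_symbols(graph, entrypoints):
    """Breadth-first walk from the entrypoints; returns every symbol reached."""
    seen = set()
    queue = deque(entrypoints)
    while queue:
        symbol = queue.popleft()
        if symbol in seen:
            continue
        seen.add(symbol)
        queue.extend(graph.get(symbol, []))
    return seen


def effective_findings(findings, graph, entrypoints):
    """Findings whose vulnerable function is reachable from an entrypoint."""
    reach = reachable_symbols(graph, entrypoints)
    return [f for f in findings if f.vulnerable_symbol in reach]


def prioritize(findings, graph, entrypoints):
    """Rank findings: reachable first, then KEV-listed, then by CVSS score.

    Returns (vuln_id, reachable) pairs in triage order.
    """
    reach = reachable_symbols(graph, entrypoints)

    def key(f):
        return (f.vulnerable_symbol in reach, f.in_kev, f.cvss)

    ranked = sorted(findings, key=key, reverse=True)
    return [(f.vuln_id, f.vulnerable_symbol in reach) for f in ranked]


if __name__ == "__main__":
    for vuln_id, reachable in prioritize(FINDINGS, CALL_GRAPH, ENTRYPOINTS):
        print(f"{vuln_id}  reachable={reachable}")
```

With the constructed data, the two reachable findings (EX-0002 and EX-0003) outrank the unreachable KEV-listed 9.8 (EX-0001), which is exactly the reordering the reachability argument calls for. The caveat a practitioner would want: a static call graph under-approximates what actually runs when code uses reflection, dynamic dispatch, or plugins, so unreachable findings are candidates for deprioritization rather than dismissal, and runtime observation of which code executes (the "if vulnerable code runs" half of the definition above) is the natural complement.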

The Black Hats deemed some vulnerabilities "hot," some "not"

One of the most intriguing (dare I say "fun"?) aspects of a Black Hat conference is hearing bona fide Black Hats discuss worrisome vulnerabilities. In fact, the conference is famous for being the stage where unknown vulnerabilities are revealed to the world in shocking fashion. 

This year, the Downfall vulnerability impacting Intel Core processors received a lot of attention. The general sentiment was that the risk is similar to the other recently discovered Intel chip vulnerabilities, Meltdown and Spectre. Exploiting the vulnerability requires admin-level access to the system, meaning the attacker can already access sensitive data. The exploit is nonetheless quite severe: in a cloud computing environment, it means a malicious customer could steal data and credentials from other customers sharing the same physical machine by exploiting the Downfall vulnerability.

One of the most eyebrow-raising presentations came from Johannes Willbold, a PhD student researching satellite and space security at Ruhr University in Germany. He spoke about the ease of satellite hacking in his presentation, "Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites." Willbold coyly admitted later that "Maybe it wasn't a good idea to give this talk."

Already looking forward to 2024

Once again, Black Hat did not disappoint. The 2023 conference offered informative sessions, invaluable conversations, exposure to cutting-edge software tools and innovative companies, and the opportunity to hear the needs and concerns of cybersecurity professionals first-hand.

The team at Slim left Las Vegas with validation of our mission and roadmap, insightful feedback on our product demo presented with our friends at Sysdig, and the challenge to drive our much-needed solution to GA as quickly as possible. That's a great outcome, and we're already looking forward to Black Hat 2024.

ABOUT THE AUTHOR

Pieter van Noordennen is Vice President of Growth at Slim.AI, a startup focused on creating better developer experiences for cloud-native application development. Prior to joining Slim.AI, he led product and platform teams at Tripadvisor, building and shipping innovative, machine-learning-driven applications in high-availability, microservices-driven environments.
Published Friday, August 25, 2023 9:06 AM by David Marshall