“We have to figure out what new tools we can give to developers to enable them to write code the way they want to.”
Instead, this year he offered attendees a macro view of security and insight on the potential effects on the economy and national security if the current state of affairs in information security isn’t reversed.
“We have to fix this,” Kaminsky told the packed session hall. “And we’re not going to fix it by dogma.”
Primarily, Kaminsky focused on the need for better code writing and secure software development, not only for Web applications, but also OS kernel development. Kaminsky also proposed new technical means for improving the time it takes to find bugs, as well as a pitch for net neutrality, a cause he's championed in the past, and the censorship of data and traffic by Internet service providers (ISPs).
Kaminsky said developers are the key to righting the security ship. He said developers want their code to work, they don’t want data to escape and they want simple tools that don’t impede performance, or deadlines.
“Developers are in charge, not the architects, academics or management; security is not in charge either,” Kaminsky said. “We have to give them useful stuff. [Developers] like their code to work.”
Kaminsky held SQL injection vulnerabilities up as the example of continued coding issues that are exploited with great success -- and could have been fixed with equal success.
“We have to stop making fun of these attacks,” Kaminsky said, noting that the sheer number of successful SQL injection attacks have numbed security teams to their seriousness. “The majority of these attacks are used to steal stuff, and they’re killing us. They’re not [elite], and they are effective.”
For example, attackers used a blind SQL injection attack last year to take down mysql.com and expose data. Research from the Privacy Rights Clearinghouse released last year said 83% of hacking-related data breaches were executed via SQL injection attacks. Additional research from Redwood Shores, Calif.-based data protection vendor Imperva Inc. put the number of Web applications vulnerable to SQL injection at 115 million.
“We can say that we’re fixing these problems, but if they’re getting fixed, this would not be so pernicious,” Kaminsky said. “We have to figure out what new tools we can give to developers to enable them to write code the way they want to.”
More from Black hat
For all the news, analysis, commentary and video interviews from Las Vegas, visit SearchSecurity.com's Black Hat 2012 special coverage page.
Kaminsky’s anti-censorship efforts continue as well. Last year at Black Hat, he announced a new tool he called N00ter, which is essentially a filter that screens out routers that could alter the path and delivery time of traffic packets, leaving just ISPs to source paths.
“The Internet is less flat every day. Content is changing based on where you are, and not because of those running websites. It’s because ISPs and governments are altering content,” he said. “Sometimes this is silently done.”
Kaminsky said he’s working with privacy and civil liberties organizations such as the Electronic Frontier Foundation to counter Internet censorship by giving them the data streams generated by N00ter and other tools, solely as a data source, rather than a data manager.
“I want to give them a mechanism to see what’s available and what’s being blocked,” Kaminsky said.