Eleni Gessiou (Security Engineer, Facebook), Natalie Silvanovich (Security Researcher, Google), Nadia Heninger (Magerman Term Assistant Professor, UPenn), Sandy Clark/Mouse (PhD student/Senior Research Staff, UPenn)
Moderator: Sarah Harvey (Security Software Engineer, Square)
This session was a path-breaker in its own way, because security wasn't a subject that was talked about much at previous Grace Hoppers. Each of the panelists gave a brief introduction, talking about what she does in the security field. Nadia's main area of research is applied crypto, particularly in breaking crypto :-). Most of her work involves network security and sometimes, applied mathematics. She loves the fact that security/crypto span the whole CS stack, giving her the opportunity to work on a broad swath of problems. Eleni, who is a security engineer at Facebook, works on detecting suspicious behavior on FB. Natalie works at Google, on Project Zero, where her main task is to find zero-day attacks. She got into security quite by accident – first through a high-school project and then by applying for a junior hacker position while at university. Sandy Clark (whose hacker handle is Mouse) has had a long-standing interest in ethical hacking and cybersecurity in general. Her interests are wide-ranging, but to sum up, she spends her time figuring out how systems actually work as opposed to how they were designed to work.
Sarah kicked off the discussion by asking the panelists about the social/technical challenges they face in the field of security/privacy. Mouse is concerned about how to measure security – there are no laws to figure out how to use technology in a sufficiently secure way while benefiting individuals. There are a ton of security problems other than just "Is there a bug in my code that someone can exploit?". One of the things that Natalie finds in her day-to-day work is that finding zero-day exploits is incredibly taxing and difficult. On a larger scale, code is error-prone; that's just a fact; but how to make sure that developers avoid making security bugs and how orgs can teach their developers this is something that hasn't been fleshed out. In her work at Facebook. Eleni has to deal with people from different backgrounds and cultures, and finds that it becomes difficult to make sure that bugs are effectively communicated. Often. Facebook ends up having to provide tailored solutions for each problem, rather than providing a holistic solution. Nadia's main concern is the field of crypto. For a while, folks were complacent about crypto, believing that we had good algorithms that were hard to break. But the Snowden docs revealed that there's a lot more to the security/crypto field than just that. There has been at least one crypto standard that was revoked in the recent past because of allegations that there were backdoors introduced by the NSA. So now the question is what do we do if those algorithms that we thought were fool-proof actually have backdoors? What do we tell users, and how do we get governments to do the right thing?
Sarah's next question was what the biggest vulnerability in authentication protocols that are used on the Internet is. Mouse's answer – users. Natalie believes that the biggest problem is when people try to roll their own crypto. Eleni and Nadia trump for phishing and passwords.
The next question was what the central themes in security are in terms of job opportunities. Natalie's answer: product security folks (review people's code, try to secure products), product managers (who work with customers to figure out security requirements), customer response engineers, security development, etc. Eleni added that there are also teams that work on protecting corporate assets vs those who try to protect users. Mouse believes that there are several areas of interest – social engineering, bio-hacking, hardware hacking, malware detection, etc. Sarah added that pen testers also play a big role in securing products.
An audience member asked if there's a way to bridge the gap between security developers and policy makers. Nadia and Mouse find that crypto conferences are usually very effective in doing this, since security researchers, companies and government agents all tend to fore-gather. Mouse also suggests that anyone who is interested should get in touch with local politicians to become a technical advisor in the field of security.
Another audience question was how to make sure that there's a balance between the amount of data that's given out and keeping that data secure. Nadia believes that crypto's not the answer, but regulation is. Mouse is currently involved in research in this very area, and recently wrote a law review paper on this. She believes that regulation is necessary to bring together the 3 different stake-holders – individuals who give out the data, companies that collect the data for their business model, and the government.
Some security hygiene principles that the panelists recommend: using secure passwords for every site, disk encryption, using 2-factor authentication, ensuring that communication is encrypted end-to-end, and updating to security patches on a regular basis.
Another question was how security can best be incentivized – should products be given security ratings? Nadia answered that at some point, security policy is going to have to become like health policy. This is a long-term problem that only govts can solve – perhaps the FTC can start going after organizations that are notoriously lax in security practices. Natalie agrees, and believes that coming up with security metrics is going to be a difficult and long-drawn-out process.
The panelists were then asked to name what they love, and what they hate most about their jobs. Mouse said that she has had to get used to failing a lot and being frustrated – but all of that is dwarfed by the awesomeness of getting things to work. Natalie loves that she gets to play with lots of cool new technology – but then the stressful part is filing bugs and having to deal with people who are frustrated by those bugs :-). Eleni finds it fulfilling that she gets to use her tech skills to actually do good for other people. Nadia likes being able to break crypto – something that's a total breakaway from her image as a quiet, good kid back in school :-). She finds it especially rewarding that as an academic, she actually gets to talk openly about all the research that she gets to do.
To get into the security field, the panelists recommended taking courses (even online ones), attending hackercons, or participating in bug bounty programs (the best part – you get paid for finding bugs! :-)). One could also start contributing to open-source software, or even just apply for a job in the field.