As long as people write code, they will write code with flaws, says Katie Moussouris, former Senior Security Strategist Lead at Microsoft Security Response Center and, as of today, Chief Policy Officer of HackerOne, the company that partially hosts the Internet Bug Bounty.
But security researchers should empathize with them, not just tell them that their “baby” is ugly and flawed, she noted. They should acknowledge and praise the things they did well and point them towards ways of making their code better and more secure.
We should all consider the other side, and go out of our comfort zone and take more than just a peek, she said in the keynote she delivered at the Hack in the Box conference today. Hackers and breakers should consider trying to fix things, and defenders should try to attack and breach their own defenses (or those of others, after having secured the permission for doing so).
Security researchers should try to do something more meaningful with their security knowledge, for the greater good. Yes, they should educate and help their friends and family and, yes, they should help vendors and point them to standards they could use and to the things they could do to improve their security stance, but they should also diversify their interests, try hacking, and think of ways to fix things, especially the “everyday tech” – the Internet of Things as it is and as it develops.
She brought attention to I Am The Cavalry, the organization that is focused on issues where computer security intersects public safety and human life (the medical and automotive field, as well as the public infrastructure and home tech), and of which she is a supporter.
But she also mentioned that in addition to all of this, it is high time for the chain of influence to be “fuzzed” – there is a great need to make lawmakers and policymakers understand the issues and the importance of computer and information system security as the technology develops in leaps and bounds.
Pretty soon, she says, the Internet of Things will simply become the Internet, and we should all work towards making it more secure.