Research Can Help Strengthen Our Defenses
Offensive security work often gets the glory, so companies should encourage defensive research
There are major funding gaps for security research generally, particularly when it comes to defensive security practices and tools that will contribute to the protection and defense of the internet. Recognizing that the glory tends to go to exploits and offensive security work that wins keynotes and crowds and conferences, Facebook decided in 2014 to take an active role in promoting and rewarding the less well-publicized research efforts with the potential to meaningfully make the internet more secure.
In partnership with USENIX, we created the Internet Defense Prize and every year have awarded five or six figures in prize money to the best submissions presented at the USENIX Security Symposium, one of the most respected academic conferences in the security industry. When selecting the winners, we look for top quality research that includes a working prototype with significant contributions to the security of the Internet — particularly in preventing vulnerabilities or reducing the effectiveness of attacks. For example, last year’s winners identified an important emerging class of security issues for C++ programs and suggested a novel technique for detecting bad type casts by combining both static and dynamic analysis. The year before, the authors of the prize paper introduced an automated static code analysis approach to detect “second-order vulnerabilities” in web applications that are used to inflict harm after being stored on the web server ahead of time.
We won’t pretend that one prize will tip the scales back to where they should be on the balance between offensive and defensive security research, but this is the kind of investment that we hope to see from companies to help encourage talented researchers to pursue defensive solutions with high impact. If you’re interested in submitting a paper and being considered for this year’s prize, check out the submission process and get your paper in by Thursday, February 18, 2016 at 9:00pm Eastern Time.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.