Microsoft BlueHat: Five Questions with Katie Moussouris

Wednesday, September 12, 2012

Fergal Glynn


Article by Neil DuPaul

One of the big stories from this year’s BlackHat conference was Microsoft’s inaugural BlueHat contest.

The contest challenged security researchers to design a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities.

We were lucky enough to grab a few minutes of Microsoft’s leader of security community outreach and strategy, Katie Moussouris’ time to answer a few of our questions on the BlueHat contest.

Veracode: How was the idea for the BlueHat contest spawned?

Katie: I had been researching Microsoft’s vulnerability reporting stats and finder motivations in order to determine the best way for us to help defend our customers while providing rewards for the security researcher community.

What I found from the data was that researchers who report Microsoft vulnerabilities tend to come to us directly, even though there are monetary rewards available to them for the same vuln if they were instead to report to us through “white hat vulnerability brokers” like the Zero Day Initiative.

Over 90% of researchers chose to come to us directly, so we figured that researchers’ motivations include more than money – it can also include the desire for recognition (either publicly or among one’s respected peers), and what I call the “pursuit of intellectual happiness”.

What I came up with was something borrowed from the aerospace industry (now that everyone is into the NASA Mohawk guy, this reference is particularly timely) – I was thinking we could align the security research community with Microsoft’s goals in improving defense by offering something like the X Prize, but for hackers instead.

Rather than asking contestants to design a space craft as in the X Prize, we’d offer a large cash reward for innovative security technology, and call it the BlueHat Prize, named for Microsoft’s security conference that has brought security researchers inside and outside Microsoft together since 2005.

Funny thing was, one of the non-qualifying entries we got for the contest *was* actually for a flying machine. Never got a prototype, though. But back to the point: you can read more about the reasoning behind the BlueHat Prize on the MSRC Ecostrat blog.

Veracode: Why was the decision made to incorporate parts of Ivan Fratric’s technology with your own before the contest was over?

Katie: We wanted to showcase some of the winning technology, so our engineers worked to incorporate it in and voila! We were excited to be able to include it in such a short timeframe from when the judging period was over. Hats off to the Microsoft Security Science team for their efforts there, and hats off to all the winners!

Veracode: What is your personal impression of the technologies that came out of the entries?

Katie: Personally, I was really happy with the turnout. Whenever you do something new, there is that worry that nobody will participate – but we got a huge number of entries (20)! I was thrilled to see so many new researchers in the mix as well – and the fact that two of the winners hailed from academia tells me we’re just at the tip of the iceberg in knowing who the next generation of talented defenders will be.

From a technology perspective, it was an interesting mix of concepts, many variations of which we had seen before – but that part was expected since we posed such a hard problem to solve. I think a lot of really talented people may have been too shy to enter or misunderstood the rules about how they could improve upon an *existing* defense and still qualify.

I think seeing all the entries this year will help people come out of their shells next time – your possibility of winning greatly exceed that of winning the Powerball lottery, so why not go for it?

Veracode: Were there any entries that you found particularly noteworthy beyond those of the 3 award winners?

Katie: There were a couple that looked very familiar in terms of research that MSR has published a couple years ago. I’ll leave it as an exercise for the reader to figure out which ones. It’s not plagiarism that I’m talking about here – it’s that great minds think alike. :-)

As I mentioned, the problem we posed for the first BlueHat Prize was a tough one, so it makes sense that some of the approaches would look similar to others, or to ideas researchers at Microsoft already had.

Veracode: BlueHat is said to be an annual contest, are there any plans in motion already for the next one? Can you share any details and is there anything else we should know about the BlueHat contest in general that you feel has been overlooked in reporting?

Katie: Oh yes, there are plans in the works for the next BlueHat Prize. But I’m on maternity leave, so they’ll have to wait! What I’d leave your readers with is this: Defense is sexy – maybe not in that Ginger (AKA exploitation/0-day) kind of way, but in that Mary Ann kind of way. ;-)

Katie Moussouris leads the Security Community Outreach and Strategy team at Microsoft. Her team’s work encompasses industry-leading programs such as Microsoft’s BlueHat Prize ( the industry’s first and largest prize for defensive security research), the BlueHat conference, security researcher outreach, and Microsoft’s Vulnerability Disclosure Policies. Ms. Moussouris also founded and runs Microsoft Vulnerability Research, which is responsible for Microsoft’s research and reporting of vulnerabilities in 3rd party software. Ms. Moussouris recently was voted the editor of a new draft ISO standard on Vulnerability Handling Processes, following her work over the past 4 years as the lead expert in the US National Body on an ISO draft standard on Vulnerability Disclosure.

Prior to working for Microsoft, Katie Moussouris was an application penetration tester for several Fortune 500 companies, as a senior security architect for @stake when it was acquired by Symantec. At Symantec, Ms. Moussouris founded and ran Symantec Vulnerability Research.

Ms. Moussouris has spoken at several security conferences including BlackHat AbuDhabi 2011, BlackHat USA 2011, 2010, and 2008, Hack In The Box Amsterdam 2011, GOVCERT.NL 2010, RSA2012, RSA2011, and RSA2010, SOURCEBoston, Shmoocon, Toorcon Seattle, and she was a keynote speaker at ShakaCon in June 2008. Katie Moussouris is the recipient of the 2011 CSO Magazine and Executive Women’s Forum Women of Influence Award in the category of One to Watch.

Cross-posted from Veracode

Possibly Related Articles:
Security Training
Information Security
Microsoft Zero Day Research Vulnerabilities Exploits Information Security Mitigation Black Hat Conference
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.