On February 24, 2020, ForAllSecure competed in the RSA Innovation Sandbox (ISB) as a Top 10 Finalist. The opportunity to compete has been an extreme honor because the annual event is deemed the Oscars of cybersecurity. RSA explains that the purpose of the competition is to, “bring out cybersecurity’s boldest new innovators who have made it their mission to minimize risk.”
In this post, I will share the innovative way we aim to solve a pervading cybersecurity issue, a synopsis of our journey to today, and a glimpse into the vibrant discussion we had on the competition floor.
The Case for More Secure Software
In 2019, Satya Nadella said that every company is a software company. He predicts that in 10 years there will be no demarcation between the tech industry and other industries. Nadella is right. A brief reflection into history has shown that software has changed the trajectory of businesses -- and, at times, entire markets. In a recent podcast, ForAllSecure CEO David Brumley cites that e-commerce couldn’t have happened without the development of fundamental crypto libraries, such as TLS and SSL. Thanks to these crypto libraries, today’s online economy is the size of Spain’s GDP! Time and time again, code has proven to be the basis of innovation.
Unfortunately, too often, we get fixated on developing the latest technology -- building an autonomous car, changing the economy with crypto currency, or crowdsourcing transportation -- that we forget about the less “sexy” tasks, like maintenance.
Unfortunately, this fire and forget model is unsustainable. Developers are brilliant people, who solve the world’s toughest problems with code. And while saving the world, they’ll make mistakes which eventually turn into vulnerabilities. To make matters worse, code decays naturally over time. This means that the infrastructure businesses rest on decays too. Will Roper, Air Force Assistant Secretary of Acquisition asserts that to be competitive and dominant in the market, or at war, maintaining our software is vital: “we will lose if we can’t update the software at the speed of relevance in this century.” The point? It’s essential to take care of our software.
But, like I said, it’s unsexy and no one wants to do it. The work, which involves manual testing, manual defect discovery, manual defect validation and more manual work, is mundane and boring. Human are creative! They become stunted if they’re forced to do repetitive work day-in and day-out.
Our response to this? Let autonomous technology handle this. Statistics are constantly reminding us that there’s a scarcity in cybersecurity and development talent. Why waste them? Let’s give them more creative roles in security and development and let machines do the boring stuff.
Autonomous AppSec: The Future is Here
In 2016, DARPA challenged the world to see if autonomous security is possible. Akin to the autonomous vehicles challenges they’ve held before, they wanted to push the boundaries on cybersecurity. Seven teams competed in the DARPA Cyber Grand Challenge (CGC), but only one was left standing -- ForAllSecure.
ForAllSecure, then still a security research team at Carnegie Mellon University, built Mayhem. At its core, Mayhem leverages an advanced security testing technique known as fuzzing. Interestingly enough, fuzzing has been around for over three decades, though they are predecessors to the specific fuzzing technique Mayhem leverages. The reason why it remains largely unknown is because it remained exclusive to security researchers, academics, and tech behemoths. Essentially, those with deep pockets and access to technical experts with Ph.D.s.
In its 30 years of life, fuzzing has proven to be effective. It’s powerful, and we believe more people should be able to use it. Since our win, our goal has been to democratize this technology to help empower the world to build safe, secure, resilient software -- with less effort. By doing so, we want to adjust perspectives to look to humans for their creativity, not their mistakes. And, ultimately, make the world better.
The Oscars of CyberSecurity, Here We Come!
The buzz of competition day surged through and energized our team. It was exciting to be back on a competition floor, but what we loved more was the ability to have lively discussions around Mayhem. The discussion was vibrant and fascinating. In this section, I want to provide a glimpse into some of the discussions we had for those who missed the event. For those of you that missed David’s pitch, you can rewatch it online here.
How is ForAllSecure changing the security landscape?
ForAllSecure brings true intelligence into application security testing, paving the way for autonomous technology that will finally allow organizations to stay ahead of attackers.
Mayhem is able to autonomously detect and validate defects without any human intervention. Mayhem’s advanced fuzzing technology is able to observe the behavior of its test targets. When it identifies anomalous behaviors from the test target -- an indication of an underlying defect -- Mayhem drills in deeper by producing new variations of the previous test cases on-the-fly. Mayhem grows increasingly smarter over time. The more behaviors it observes, the more tailored its testing becomes, increasing the likelihood of triggering a defect.
Mayhem’s approach is akin to having a penetration tester in machine form, except the test suite generated is yours to keep! Penetration testing services do not release the test suite they generated to their clients, setting a ceiling on their clients’ application security growth. Without test suites, organizations are unable to take the necessary next steps: pinpoint the issue, verify the fix, and run future regressions.
Mayhem’s approach is a far departure from how tools conduct testing today. Traditional application security testing solutions rely on a set of pre-built test suites that are programmed into the test engine, meaning each test target gets the same testing treatment -- no customization. Because these solutions take a one-size-fits-all approach, they miss use cases that are specific to the test target. This can also lead to false-positives, calling for human intervention to validate all findings before remediation efforts can progress. Overall, false-positives slow down development and continue to feed into the perception that security is a blocker.
Mayhem’s zero false-positive rate is changing the trajectory of security. Because testing no longer requires the review of a human being, security testing can now be done autonomously and automatically as a part of a CICD pipeline. With Mayhem, security happens quietly and synchronously in the background. ForAllSecure CEO Dr. David Brumley, who spent his tenure at CMU studying offensive security and how hackers operate, shared the key to blocking attackers isn’t achieving a binary state of “secure” or “insecure”. Security is a leaderboard. Security is a game and the goal is to outpace the attackers. Integrating security into CICD pipelines, so that testing happens continuously is the only way to stay at the top of the leaderboard.
I already have a backlog of vulnerabilities. I don’t need more!
We hear you and don’t blame you for groaning at the thought of more vulnerabilities. Despite the understandable resistance, it’s a fact that the best way to ensure software security is to fix the code. If there’s no entry point for attack, there is no exploit. The compromising solution we sought to employ was to help organizations achieve more with less noise.
By bringing highly accurate autonomous defect detection and validation to organizations, development and security teams are only alerted when there is a confirmed issue. Our aim is to make vulnerability management as low-touch as possible so security and development teams are enabled to focus on the strategic stuff, like developing new features, finding new attack vectors, and more.
Why would I need Mayhem if I have other tools?
When considering software security, there is a spectrum of risks that must be mitigated: known knowns, known unknowns, and unknown unknowns.
Known knowns: The known risks refer to identifiable risks that are known to lead to compromise. These risks are vulnerabilities that have a CVE ID associated with them. These vulnerabilities can be identified through scanners, such as software composition analysis tools.
Known unknowns: The known unknown risks refer to identifiable risk that could potentially lead to compromise. These risks are common patterns of weaknesses that have a CWE ID associated with them. These vulnerabilities can be identified through static analysis tools.
Unknown unknowns: The unknown unknown risks are risks that cannot be identified. They do not have any form of ID and are difficult to identify due to the little information that is available about them. These risks lie dormant waiting to be discovered. The quantity of unknown unknown threats is unknown. The only way to identify these issues is through non-deterministic or negative testing, such as fuzz testing.
While Mayhem is able to identify all three of these risks, its strength is in identifying unknown unknowns. By identifying unknown unknown risks, it is able to help organizations proactively address risk. Because software vulnerabilities can be weaponized frictionlessly, it’s best to address vulnerabilities before the window of exposure opens.
Mayhem claims to have zero false-positives. That’s a bold claim.
By definition, Mayhem has zero false-positives. In academia, “real-ness” of a bug is proven with a witness. In Mayhem’s case, the witness is the test case used to prove that the exploitation of the defect is possible. Mayhem shares test cases for all of its reported defects.
Mayhem doesn’t stop there. It also shares all of its past test cases, allowing developer and security teams to run unit and regression testing automatically.
So Much More Where That Came From!
In closing, I want to bookend this reflection with the news that ForAllSecure is making fuzzing increasingly accessible outside of the researcher and academic communities. We recently shared that Mayhem is being utilized across all warfare service branches within the Department of Defense. We also have found success outside of the Federal sector, with industry leaders such as CloudFlare, relying on Mayhem to deliver reliable services to their customers.
Not only am I proud to witness and experience ForAllSecure’s incredible growth, but I am also inspired by the adoption of fuzzing. Having been in the fuzzing market for nearly a decade, it’s exciting to see the maturity we’re exhibiting and the dedication we’re seeing from security and development teams in ensuring the software our livelihood depends on is safe, secure, and resilient.
This is only the beginning for ForAllSecure. I know there’s so much more Mayhem to be unleashed. Stay tuned!