Neil Daswani Reveals His Process for Security Research
Neil Daswani is the Co-Founder and Chief Technology Officer at Dasient. He is a highly regarded Internet technology expert, and has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies).
His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He is also the author of
Foundations of Security: What Every Programmer Needs to Know, which teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems.
While at Stanford, he co-founded the Stanford Center for Professional Development’s Software Security Certification Program, which has become an important tool for educating software programmers, architects, developers, engineers, IT managers, chief information officers (CIOs), and chief security officers (CSOs) about security issues and designing secure programs.
What motivates you to find security vulnerabilities?
At Dasient, we care about the safety and security of the online business. The Internet has grown to become a communications platform that has enriched the lives of hundreds of millions of people around the world. Unfortunately, just as the Internet has been adopted as a tool to help better our lives, it has also been adopted as a tool that cybercriminals use for nefarious purposes. Just as with any technology, the Internet can be used for both good and malicious purposes, and we seek to help organizations prevent, detect, monitor, contain, and recover from cybercriminal activity. Since we started, we’ve been focused on addressing malware threats on the web, as malware is one of the key tools that cybercriminals use in carrying out their attacks. We’d like to see the Internet continue to grow undeterred as a communications platform that helps us communicate, collaborate, and conduct commerce.
What are the primary tools do you use, and how do you use them?
In providing our web anti-malware and anti-malvertising services, we primarily use a lot of proprietary technology that we have developed in-house, but we also do use a variety of third-party and open-source tools.
How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
At Dasient, in addition to our products and services, we have also built out “telemetry” that monitors millions of sites online. So, to an extent, the entire web is our target of investigation, and we seek to find malware wherever cybercriminals are propagating it. Our telemetry operates independently of targeting specific applications of types of bugs. We have our telemetry add new web malware infections that we detect to our infection library — which has to-date cataloged over 200,000 unique web malware infections.
How do you handle disclosure? Which vendors have been good to work with and which have not?
We believe in using responsible vulnerability disclosure protocols. We have worked with a variety of organizations, and in our interactions, the safety of users is one of the driving factors that we keep in mind. Once we inform an organization of an issue, whether it be a vulnerability, or an infection on their web site, or a malvertisement on their ad network, we provide as much detailed information and forensics as we possibly can to assist them with remediation. Often, we’ll deploy web malware and anti-malvertising scanning for them for free for a limited time to help. We’ve found that some organizations are very receptive, while others are not as receptive. We view our role as to provide information, data, and forensics, and to assist when possible.
What are you working on currently?
We could tell you, but then we would have to kill you. 😉 Just kidding. We are working on a variety of things:
- We’re in the process of extending our web anti-malware and anti-malvertising telemetry to cover larger and larger parts of the internet;
- We’re regularly publishing research on web malware and malvertising in our quarterly research reports — for instance, in our Q4 2010 malware research report , we estimated that over three million malvertising impressions are served per day;
- We’re working together with ad networks to measure and reduce the impact of malvertising (for instance, by scanning ads before they are placed online, and by reducing amount of time that malvertising campaigns run when legitimate ad campaigns get hijacked)
How are people supposed to protect their apps and websites as more and more technology goes wireless and/or mobile?
We believe that web site developers and operators are often in the best position to help protect users and that wireless carriers and mobile “appstores” are well-positioned to curtail malware threats on behalf of their customers. In particular, wireless carriers and mobile “appstores” are “choke points” from a security perspective that can mediate access to potentially malicious resources or applications on the mobile web.
As social media has become more popular, it has become a more popular vector for malware distribution. What can end users and companies do to protect themselves?
In our Q4 2010 malware research report, we spent some time looking at malware distribution through social media sites. End-users of social media sites can take the following precautions:
- Use a browser that has anti-malware protections — Chrome, Firefox, and Safari check all URLs to see if they are on Google’s Safe Browsing list; IE 8 or above has a SmartScreen filter that checks URLs against a variety of threats.
- Use client-side anti-virus — choose one that doesn’t just do signature checks, but that also does some behavioral checking.
- Write to the sites that you use and ask them what they can do to help protect you from web malware, drive-by-downloads, and fake-antivirus. Some social networks in the past, for instance, have partnered up with anti-virus providers and offered anti-virus for free to their users.
Social media sites can take the following precautions:
- Check links posted against public lists of malicious sites.
- Scan links posted to find “zero-day” attacks that could affect users.
- Use a secure development life cycle process for product development.
- Monitor for web malware as well as other abuses and threats.
In the end, is it up to the end user/consumer/browser or the content provider/site owner to provide safer browsing?
Over the long-term, the responsibility to provide for safer browsing could fall more and more upon the content providers, instead of expecting “every man to defend himself” via gateway, client-side, or endpoint solutions. Content providers and site owners whose sites get compromised and infected can get flagged or blacklisted by popular search engines and browsers, as well as by client-side anti-virus packages that warn users away from infected sites.