In February 2019, Dr. David Brumley, ForAllSecure CEO, and Zach Walker, DIU project manager, discussed how Mayhem, ForAllSecure’s behavior testing solution, has helped secure the Department of Defense’s most critical platforms. The Defense Innovation Unit, also known as DIU, is a progressive group within the Department of Defense employing bleeding-edge technology to solve the nation’s defense challenges. Brumley and Walker recount their experience deploying and utilizing Mayhem within the government, lessons learned from the partnership, and what the future looks like for Mayhem.
The pain of not being able to hire enough cybersecurity people to secure software is universal.
Security is largely manual, and human effort can’t scale. This was Brumley and ForAllSecure’s motive behind Mayhem, the autonomous cyber reasoning system that won the 2016 DARPA Cyber Grand Challenge.
The Department of Defense and Brumley’s pains check out with market statistics. (ISC)2 predicts that by 2022 there will be 1.8 million open jobs in software security. It’s apparent security testing that relies on human expertise is unsustainable and unscalable.
“The purpose of autonomous cybersecurity isn’t to replace the human element”, Brumley clarifies. “The purpose is to elevate human potential. Scarce security expertise shouldn’t be wasted on boring, manual tasks, such as testing patches and shifting out false-positives. By automating these mundane tasks, we allow humans to focus on what they do best: leverage their creativity. Humans should have more creative roles in security, such as finding new attack vectors machines can’t find.”
It’s commonly unknown that risk can be inherited via vulnerable code components sourced from software supply chains.
It’s commonly assumed that security is an upstream responsibility. And, it’s true that users of open source or third-party components don’t have the flexibility, control, or insight to find and fix vulnerabilities as its developers. Yet, it is ultimately the user -- not the developer -- of the software that is liable. In some cases, it may merely be one vulnerable component, but it’s important to consider the attack surface. Every system that interfaces with or is dependent on the vulnerable component is now exposed.
Another factor to consider is that code decays over time. As modern software requires more code, it grows complex and expands its attack surface. It requires more components from the supply chain, introducing new vulnerabilities and reintroducing previously addressed vulnerabilities. Akin to dental hygiene, continuous analysis is critical to ensure that software maintains its security posture.
Continuous behavior testing is a proven and accepted practice for software security.
Brumley believes that the Sec in DevSecOps is about being continuous. “Today, the Sec in DevSecOps is secondary, and it’s asynchronous. Security should always keep happening in the background. It should never sleep. Security is, in many ways, a game and the goal is to outpace attackers,” Brumley comments.
Brumley’s statement echos similar sentiments made by technology-forward organizations. Continuous behavior testing is a proven and accepted technique that is commonly practiced by tech behemoths like Google, Microsoft, and more. However, not all organizations have the technical savvy and budget to do what they do. It simply isn’t reasonable for the average organization. As Mayhem is brought to market, its purpose is to make this advanced testing technique accessible to those outside of the academic and security researcher community. Visit https://forallsecure.com/introducing-behavior-testing/ to learn more about behavior testing.
Deploying Mayhem across the Department of Defense has provided ForAllSecure valuable insight into challenges in aerospace, automotive, critical infrastructure, and more.
The software security challenges Mayhem addresses for the Department of Defense is not unique to the Government. The DoD is a large, complex organization with multiple branches, each with their own specific needs.
“In October 2017, we had a big demonstration. This was three to four months into the project with ForAllSecure. We had people across numerous agencies try [Mayhem] out. We had the top civilian in Cyber Command say he thought this is one of the most important things Defense Innovation Unit and the nation is doing in cyber.”
- Zach Walker, Defense Innovation Unit.
Through ForAllSecure’s partnership with the DoD, Mayhem has gained widespread exposure to challenges and use cases that are transferable and relevant to the commercial market, including aerospace, automotive, critical infrastructure, and more. Brumley also shared what commercializing Mayhem entails.
“To take Mayhem to market, we’ve been focusing on Mayhem Sword, or the analysis component, first. This is a decision made after seeing tremendous market validation for this capability. Most notably, Mayhem Sword was used within the DoD to secure weapons systems. Mayhem is not a box that plugs into the network. It is a high-tech solution. Today, it supports x86, x64, and ARM on Linux, as well as compiled languages,” Brumley shares.
“Like the Mayhem prototype shown at CGC, we want to have Mayhem eventually automatically patch the vulnerabilities it finds. This is the Mayhem Shield component. As we go to market, we’ll expand our offering to include automatic patching, whether it’s our patch or a vendor’s patch.,” Brumley finishes. Visit https://forallsecure.com/early-access/ to learn more.
Walker and Brumley’s fashion sense captivates audiences.
Zach and David’s taste in shoes wows crowds. Take a close look during the fireside chat session (41:00 - 43:00). What are your thoughts? Tell us at #UnleashingMayhem: https://twitter.com/ForAllSecure/status/1101282276355141632.