Black Hat Q&A: Erez Yalon, Head of Security Research, Checkmarx
Jul 27, 2020 Jessica Bettencourt
The impact of Black Hat’s virtual format on information sharing among the security research community
After more than two decades of bringing together the world’s leading information security professionals -- from cybersecurity marketers to threat researchers -- in Las Vegas, Black Hat USA is now going virtual for the first time in its history. For many, the in-person industry event provides a chance to network with peers. For threat researchers specifically, it’s an ideal forum for information sharing, which is critical to bolstering cybersecurity efforts worldwide.
Today I am thrilled to be joined by Erez Yalon, director of security research at Checkmarx, a software security company and InkHouse client, to discuss his views on Black Hat’s new virtual format and how it impacts researchers’ ability to share information. Erez is also the co-founder of AppSec Village, an application security event launched last year as part of DEF CON, and has recent, first-hand experience pivoting to a virtual event format in record time.
Erez and his research team work tirelessly to ensure that the software we use on a regular basis is secure. When his team finds security flaws, they alert vendors and work closely with them until patches are made -- ultimately, keeping us all safer from cyberattacks. Most notably, in late 2019, the Checkmarx research team found a vulnerability in Google and Samsung Android apps, which had the potential to impact hundreds of millions of Android users. As a side note, our team raised awareness of Checkmarx’s research capabilities, and specifically this Android vulnerability, which earned the InkHouse Checkmarx team a Bell Ringer Award from the PR Club of New England.
Below, Erez shares his thoughts on Black Hat’s virtual format, how it impacts information sharing from a security researcher perspective and lessons learned in making AppSec Village a virtual event this year:
JB: Erez, thanks for joining me today. What are you most looking forward to this year at Black Hat, and what are your thoughts on the new virtual format?
EY: Black Hat, DEF CON and many other events are going virtual. This crazy “new normal” is changing the way we are going to take part in conferences and brings many challenges. Unfortunately, I think it is going to be harder for the attendees to keep engaged in online talks. For speakers, I know as a speaker myself, it is sometimes difficult to talk to a camera without getting live feedback from people sitting in front of you and without “feeling the crowd.” Also, one of the best aspects of conferences is the opportunity to meet peers and colleagues face-to-face, which is going to be missed.
On the other hand, being remote will enable many people from the security community, who usually cannot travel to these conferences, to join, attend, and even share their ideas and knowledge as speakers. Personally, being able to attend talks in pajamas without the 15-hour plane flight is also a plus to consider.
JB: As the head of a security research team, you know firsthand the critical role that the research community plays in supporting a cyber secure world. We know how important information sharing is in cybersecurity, and researchers are at the forefront of this effort. How is your research team furthering this mission of securing society when you have cybercriminals capitalizing on COVID-19, there’s a high demand for security professionals and now Black Hat and other industry events can’t happen in-person? Do these factors impact strategies, information sharing or relationship building for security researchers?
EY: The relationship between security professionals and cybercriminals is often described as a “cat-and-mouse game.” One reason that criminals are staying one step ahead is the fact that they are very agile and responsive to change. While the industry needed some time to adjust to the changes COVID-19 forced on it, malicious actors continued as usual and managed to use the industry lag to their advantage. A key characteristic of hacker culture is the sharing of information. While malicious hackers do it all the time, both for success and for failure, the research community (the benevolent hackers) is sometimes limited in the information that can be shared. The best places to share this information are blogs and face-to-face talks, so security conferences are very important. These conferences also give the opportunity to meet peers and talk with people who are usually not accessible. Many conference participants will attest that they find casual meetings in the halls and queues more important than the talks themselves. So although we cannot have halls and queues this year, keeping the platforms of knowledge sharing is very important.
Internally, with my team at Checkmarx, we continue to prioritize sharing successes and failures -- perhaps more now than ever. In order to share our findings with our industry peers, we’re publishing blogs, technical write-ups, collaborative community projects, and open-source knowledge resources and sharing them with our network, in the hope that this brings the element of information sharing that’s missing from not attending in-person conferences this year.
JB: What are some trending topics you think will take center stage this year at Black Hat?
EY: With around 100 talks, we can expect many topics to be covered -- I think we’ll see a trend in topics like election security as well as 4G/5G networks. Current technology trends will also cover software composition security, AI, and everything in the vast field of Cloud-Native computing like containers, clouds, Everything-as-a-Service, and other infrastructure topics.
JB: Along with heading the security research group at Checkmarx, you’re also the co-founder of AppSec Village, which is part of DEF CON. What was it like planning the event virtually this year?
EY: This was a hard decision for us. Since we do not have much experience in organizing online events, we weren’t sure that we would even do it this year. When DEF CON announced #SafeMode this year, we decided to go with the flow and join the trend with our own virtual AppSec Village. We had to learn new skills and repurpose many of our plans, but I think the result will be great. Together, with the other volunteer leaders of the village (Liora Herman from Kryon, Joe Christian from Zappos, and Tiffany Long), we are spending a great amount of time making sure this is going to be an event to remember. Thanks to our many volunteers and the sponsors we are dependent on, I am convinced we will succeed.
JB: Why should our readers attend AppSec Village? What are you most looking forward to about the virtual event this year?
EY: We have two amazing keynote speakers this year: Maddie Stone and Fredrick "Flee" Lee. I can’t wait to hear what they have to say. We know that there are many application security resources out there, so the aim of AppSec Village at DEF CON is to emphasize the hacker perspective through more exploit-centered talks, hands-on workshops, and an amazing Capture the Flag contest. I believe this year, we will be able to give the stage to people who were not able to participate in a physical event because of travel limitations.
Erez, thank you so much for your time. For readers looking to virtually attend AppSec Village, more information can be found here.