Cybersecurity: How to Use What We Already Know Jean Yang Privacy. Security. Risk. October 1, 2015 @jeanqasaur

Page 1: Cybersecurity: How to Use What We Already Know

Cybersecurity: How to Use What We Already Know

Jean Yang

Privacy. Security. Risk.

October 1, 2015

@jeanqasaur

Page 2: Cybersecurity: How to Use What We Already Know

Our Future Runs on Software

• Smart homes
• Driverless cars
• Automatic dating

But first we need to “solve” security!

Page 3: Cybersecurity: How to Use What We Already Know

State of the Art

Research / Industry

• Undo mechanisms
• Encrypted databases
• Program analyses
• Provably secure software
• Firewalls

The big question: How can we take advantage of research ideas in practice?

Page 4: Cybersecurity: How to Use What We Already Know

This Talk

• Companies
• Venture capital
• Startups
• Academia
• Policy makers
• Consumers

How can we connect researchers to everyone else?

Page 5: Cybersecurity: How to Use What We Already Know

Part I: What Do Researchers Know?

Page 6: Cybersecurity: How to Use What We Already Know

The Programming Perspective: We Still Live in the 1970s

State of the art.

Permissions checks are required across the code.

Page 7: Cybersecurity: How to Use What We Already Know

Policy-Agnostic Programming

My PhD work. Programs attach policies to data. The rest of the code may be policy-agnostic.

Programming model provides mathematical guarantees.

Implementation strategy scales for real-world programs.

jeeveslang.org

Page 8: Cybersecurity: How to Use What We Already Know

Policy-Agnostic Programming for Our 21st Century Security Concerns

Model View Controller

Without automatic policy enforcement

With Jacqueline, a policy-agnostic web framework that extends Python’s Django

jeeveslang.org
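A minimal sketch of the idea on the two slides above, added here as an example: it is not Jeeves or Jacqueline code and does not use their APIs. The `Sensitive` class, the `show` sink, and the sample profile are hypothetical names and constructed data; the point is that the view code contains no permission checks, because the policy travels with the value and is consulted only at output.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Sensitive:
    """A value with a secret facet, a public facet, and the policy guarding it."""
    secret: Any
    public: Any
    policy: Callable[[str], bool]  # viewer -> may this viewer see the secret facet?

    def map(self, fn):
        """Policy-agnostic computation: transform both facets, keep the policy."""
        return Sensitive(fn(self.secret), fn(self.public), self.policy)


def show(value, viewer):
    """Output sink: the only place where a policy is evaluated."""
    if isinstance(value, Sensitive):
        return value.secret if value.policy(viewer) else value.public
    return value


def make_profile(owner, friends, location):
    """Model code: the policy is attached once, where the data is defined."""
    def may_see(viewer):
        return viewer == owner or viewer in friends
    return {"name": owner,
            "location": Sensitive(location, "undisclosed", may_see)}


def render_card(profile, viewer):
    """View code: formats whatever it is given, with no permission checks."""
    loc = profile["location"].map(str.upper)
    return f"{show(profile['name'], viewer)} is in {show(loc, viewer)}"


if __name__ == "__main__":
    # Constructed sample data.
    alice = make_profile("alice", {"bob"}, "Boston")
    for viewer in ("alice", "bob", "eve"):
        print(viewer, "sees:", render_card(alice, viewer))
```

Changing who may see a location means editing `make_profile` only; `render_card` and any other consumer stay untouched.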

Page 9: Cybersecurity: How to Use What We Already Know

Part II: How Can We Use Research to Build Secure Software?

Page 10: Cybersecurity: How to Use What We Already Know

Barriers to Industry Adoption

• Managers need to fight status quo.
• Programmers need to manage legacy code.

What about the startup route to tech transfer?

Page 11: Cybersecurity: How to Use What We Already Know

Security is no Tindog

The Hot New Silicon Valley Startup: Fun concept. Slick design. Toddler nephew can use it. Integrates with your life.

Startup that Helps Us Build Secure Software: Technical concept. Verifiable by experts. Requires infrastructure change.

Page 12: Cybersecurity: How to Use What We Already Know

Unique Challenges for Security Startups

Justin Somaini, Chief Trust Officer

• Concept is highly technical.
• No flashy demos.
• Adoption requires client expertise and/or trust.
• Solving a technical problem != building a product.

Page 13: Cybersecurity: How to Use What We Already Know

Cybersecurity Factory

An 8-week accelerator I started that gives teams:

• $20,000
• Office space
• Focused mentorship
• A network
• Legal support

Raj Shah

David Ting

Maxwell Krohn

cybersecurityfactory.com

Page 14: Cybersecurity: How to Use What We Already Know

Part III: How To Motivate Customers to Pay for Security?

Page 15: Cybersecurity: How to Use What We Already Know

Insecurity is Expensive

“A report released this month by the Atlantic Council and Zurich Insurance Group estimated that by 2030, an insecure Internet would reduce global economic net benefit by $90 trillion. In contrast, a completely secure Internet would result in a global net gain of $190 trillion.”

- Jeff Kosseff, cybersecurity law professor

Page 16: Cybersecurity: How to Use What We Already Know

The Security “Prisoner’s Dilemma”

Lack of individual incentive:

• Requires more employee training.
• Requires more programmer effort.
• Doesn’t currently provide competitive advantage.

Page 17: Cybersecurity: How to Use What We Already Know

Creating a Culture Around Caring

Consumer Example: Snapchat

Numerous privacy violations, but valued at $16 billion with 100 million users.

Policy Example: Dentists

Common to email records in violation of HIPAA, but HHS does not audit.

Page 18: Cybersecurity: How to Use What We Already Know


Summary: How to Secure Software

1. Ask smart people to come up with technical solutions.

2. Put solutions into practice.

3. Iterate.

@jeanqasaur

jeanyang.com

Connect research with industry.

Change incentives for security.

Communicate and educate!