Cyber security researchers in high demand

Apr 06, 2017 · 4 mins

Now more than ever, bug researchers are needed to defend against zero day exploits

[Image: cyber research find. Credit: Thinkstock]

Miami: Immunity Inc. founder Dave Aitel welcomed the largest crowd ever to this year’s Infiltrate 2017, which he offered as proof that “Offensive is not going anywhere.”

Even though this particular security conference is geared toward those who are honing their offensive hacking skills, Aitel also welcomed the defensive partners and gave props to the immigration officials who allowed entry into the conference hall to those who traveled from foreign lands.

Despite the silence in the room, I appreciated the sarcasm and pithy comments. One thing I also appreciated at this year’s con (aside from the welcome reception, the delicious breakfast, and the dinner reception on La Cote lawn at the Fontainebleau) was the T-shirt in the goodie bag.

A solid black shirt with three thick gold chains printed on the front: one with a ‘CYBER’ charm, while the other two charms read ‘KILL’ and ‘CHAIN’. The cyber gangster. Besides the T-shirt, the bag also included a handful of pamphlets from companies like Amazon and Zerodium, all looking to hire researchers.

The good news for those who are interested in security is that there is no dearth of opportunity for you, especially if you are a skilled researcher. Need proof?


The keynote address, presented by Justin Schuh, engineering lead for Chrome Security at Google, was titled, “Beset on all sides: A realistic take on life in the defensive trenches.”

I’ll be covering the talk in more detail in a different story, but it certainly sets a tone for the challenges that trouble the security industry every day. Following Schuh’s talk was the first pair of speakers, Georgi Geshev and Robert Miller talking about “Logic Bug Hunting in Chrome and Android.”

“Fuzzing has become mainstream,” Geshev said. “Everyone is fuzzing. Probably the reason for that is there are all kinds of tools for fuzzing. There is a good chance you’ll find some bugs using these products.”

Unfortunately, the proliferation of tools also raises the likelihood that many people use the same tool to discover the same bug in the same target. So, what does one need to do in order to be the unique researcher who discovers bugs that others can’t easily find?

There are some differences that hunters should be aware of between memory corruption bugs and logic flaws. “Logic flaws you cannot really mitigate with a general technique or approach. Killing a single logic flaw doesn’t really give you knowledge of how to kill singular bugs,” Geshev said.

Logic flaws, said Geshev, are “Equally beautiful and hilarious vectors, and the actual exploits might be somewhat convoluted.” Because of these features, Geshev said, “Logic flaws are far superior.”

In order to be successful, though, the hunter has to know the target. Finding logic flaws requires extensive research on the target.

“Much like President Trump, our favorite target is Samsung,” Geshev said.

Sure, their favorite device started going up in flames and was replaced, but the replacement only provided a fresh platform for picking. Mastering the technology will remain necessary as the attack surface expands.

Bottom line, if I had any technical skills at all, I’d be moonlighting as a bug researcher. Because most developers still aren’t focused on security, it remains an afterthought. The hope is that there will either be no bugs, or that some talented researcher will discover a vulnerability before too much harm is done.

As I look around the room at the community of attendees who arrive from around the world, I’m reminded that these are the good guys. These are the folks who are actually trying to find the vulnerabilities, not so that they can exploit them for bad ends.

They actually are willing to reveal their work in order to have the vulnerabilities fixed before cyber criminals are able to exploit the flaw and cause significant damage.

Infiltrate 2017 exists for this reason, but it is also evidence that developers need to bring security to the forefront, or enterprise security will always be at the mercy of those who are smart enough to win the hunt.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master’s in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
