While security research and white-hat hacking are core to getting arms around the never-dwindling onslaught of cybercrime, defensive work that prevents vulnerabilities and reduces the effectiveness of attacks is often overlooked when it comes to handing out laurels. Facebook is looking to change that, and has awarded its first Internet Defense Prize.
Facebook awarded $50,000 to Johannes Dahse and Thorsten Holz, two researchers from Ruhr-Universität Bochum in Germany, for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.”
According to a Facebook post, the researchers used static analysis to detect “second-order vulnerabilities” in web applications: flaws in which malicious input is first stored on the web server and only inflicts harm later, when the application reuses that stored data.
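As an added illustration of that vulnerability class (this code is not from the paper or from Facebook, and uses a constructed sqlite schema and sample data): the first request stores the input safely, and the flaw only appears when a later request trusts the stored value and splices it into a query.

```python
import sqlite3


def setup_db():
    """Constructed in-memory schema: a users table and a posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute(
        "INSERT INTO posts (author, body) VALUES ('alice', 'hello'), ('bob', 'private note')"
    )
    return conn


def register_user(conn, username):
    """First order: the input is written with a parameterized INSERT, so
    nothing goes wrong at this step. The raw string is stored verbatim."""
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return cur.lastrowid


def posts_by_user_vulnerable(conn, user_id):
    """Second order: the value read back from the database is treated as
    trusted and formatted into SQL. Stored data is still attacker-controlled."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    query = "SELECT body FROM posts WHERE author = '%s'" % username  # flaw
    return [row[0] for row in conn.execute(query)]


def posts_by_user_fixed(conn, user_id):
    """Hardened form: the stored value is bound as a parameter, so it can
    only ever match an author literally, whatever it contains."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return [
        row[0]
        for row in conn.execute("SELECT body FROM posts WHERE author = ?", (username,))
    ]
```

A static detector of this class has to follow data from the database read in the second function back to the write in the first, which is what distinguishes second-order analysis from checking a single request.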
“In addition to their impressive results, the committee responded well to their implementation approach,” said John Flynn, a security engineering manager at Facebook who served on the Award Committee for the Internet Defense Prize. “The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology. We're very excited to see what they do next. We'll be getting a status report in about a year.”
Facebook approached USENIX to help with evaluating the submissions it received this year, with the goal of recognizing superior quality research that combines a working prototype with significant contributions to the security of the internet – particularly in the areas of protection and defense.
“It's no secret that online security has room to improve,” said Flynn. “Headlines about corporate data breaches or government surveillance pop up and make people wonder what's being done to make it all better. The reality is that building a more secure web requires us to go beyond our own software and to focus on parts of the web that are under resourced.”
He added, “One of the biggest hurdles we identified was that offensive security work (hacking into this or that) and theoretical academic research often get more recognition than We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people.”
Facebook is inviting researchers to submit their work for consideration to be a future recipient of the Internet Defense Prize, and said that the award amount may grow larger if an idea is particularly strong, or it may hold onto the funds if no project meets the bar.
Facebook has been steadily ramping up its security efforts. “In the last few years, we've awarded over $3 million and built important relationships with security researchers from around the world who reported software bugs to us,” said Flynn. “Applying that model beyond Facebook, we've also helped create the Internet Bug Bounty to reward bugs found in open source software projects, contributed to initiatives like the Core Infrastructure Initiative that fund critical security software needs, and released open source software to help other developers incorporate security by default (Conceal, MIDAS).”