Cybersecurity: How to Use What We Already Know
Jean Yang (@jeanqasaur)
Privacy. Security. Risk. October 1, 2015

Our Future Runs on Software
- Smart homes
- Driverless cars
- Automatic dating
But first we need to “solve” security!

State of the Art
Research / Industry:
- Undo mechanisms
- Encrypted databases
- Program analyses
- Provably secure software
- Firewalls
The big question: How can we take advantage of research ideas in practice?

This Talk
- Companies
- Venture capital
- Startups
- Academia
- Policy makers
- Consumers
How can we connect researchers to everyone else?

Part I: What Do Researchers Know?

The Programming Perspective: We Still Live in the 1970s
State of the art. Permissions checks are required across the code.

Policy-Agnostic Programming
My PhD work.
- Programs attach policies to data.
- The rest of the code may be policy-agnostic.
- Programming model provides mathematical guarantees.
- Implementation strategy scales for real-world programs.
jeeveslang.org

Policy-Agnostic Programming for Our 21st Century Security Concerns
[Diagram: Model, View, Controller]
- Without automatic policy enforcement
- With Jacqueline, a policy-agnostic web framework that extends Python’s Django
jeeveslang.org
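
A toy contrast between the two styles described in Part I, added here as an illustration: it is not code from the talk and does not use the Jeeves or Jacqueline API. The names Viewer, Guarded and may_see, and the sample patient record, are assumptions made for the example.

```python
# Added illustration: a toy model of policy-agnostic programming.
# NOT the Jeeves/Jacqueline API; every name below is hypothetical.
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Viewer:
    name: str
    role: str


# --- Style 1: permission checks scattered across the code -----------------
PATIENT = {"name": "alice", "diagnosis": "asthma"}  # constructed sample record


def show_diagnosis_checked(viewer: Viewer) -> str:
    if viewer.role == "doctor" or viewer.name == PATIENT["name"]:
        return PATIENT["diagnosis"]
    return "[redacted]"


def search_index_unchecked(viewer: Viewer) -> str:
    # A later feature derived from the same field; the check was forgotten.
    return f"{PATIENT['name']}:{PATIENT['diagnosis']}"


# --- Style 2: the policy is attached to the data --------------------------
class Guarded:
    """Secret view, public view, and the policy that picks one per viewer."""

    def __init__(self, secret: Any, public: Any, policy: Callable[[Viewer], bool]):
        self.secret, self.public, self.policy = secret, public, policy

    def map(self, fn: Callable[[Any], Any]) -> "Guarded":
        # Policy-agnostic code transforms both views; the policy travels along.
        return Guarded(fn(self.secret), fn(self.public), self.policy)

    def reveal(self, viewer: Viewer) -> Any:
        # Single enforcement point, applied only when output leaves the system.
        return self.secret if self.policy(viewer) else self.public


def may_see(viewer: Viewer) -> bool:
    return viewer.role == "doctor" or viewer.name == "alice"


diagnosis = Guarded("asthma", "[redacted]", may_see)


def search_index(viewer: Viewer) -> str:
    # No permission check here, yet the derived output still obeys the policy.
    return diagnosis.map(lambda d: f"alice:{d}").reveal(viewer)
```

In the first style every new use of the field needs its own check; in the second, code written without any check inherits the policy from the data it touches.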

Part II: How Can We Use Research to Build Secure Software?

Barriers to Industry Adoption
- Managers need to fight status quo.
- Programmers need to manage legacy code.
What about the startup route to tech transfer?

Security is no Tindog
The Hot New Silicon Valley Startup:
- Fun concept.
- Slick design.
- Toddler nephew can use it.
- Integrates with your life.
Startup that Helps Us Build Secure Software:
- Technical concept.
- Verifiable by experts.
- Requires infrastructure change.

Unique Challenges for Security Startups
Justin Somaini, Chief Trust Officer
- Concept is highly technical.
- No flashy demos.
- Adoption requires client expertise and/or trust.
- Solving a technical problem != building a product.

Cybersecurity Factory
An 8-week accelerator I started that gives teams:
- $20,000
- Office space
- Focused mentorship
- A network
- Legal support
Raj Shah, David Ting, Maxwell Krohn
cybersecurityfactory.com

Part III: How To Motivate Customers to Pay for Security?

Insecurity is Expensive
“A report released this month by the Atlantic Council and Zurich Insurance Group estimated that by 2030, an insecure Internet would reduce global economic net benefit by $90 trillion. In contrast, a completely secure Internet would result in a global net gain of $190 trillion.”
- Jeff Kosseff, cybersecurity law professor

The Security “Prisoner’s Dilemma”
Lack of individual incentive:
- Requires more employee training.
- Requires more programmer effort.
- Doesn’t currently provide competitive advantage.

Creating a Culture Around Caring
Consumer Example: Snapchat
- Numerous privacy violations, but valued at $16 billion with 100 million users.
Policy Example: Dentists
- Common to email records in violation of HIPAA, but HHS does not audit.

Summary: How to Secure Software
- Ask smart people to come up with technical solutions.
- Put solutions into practice.
- Iterate.
- Connect research with industry.
- Change incentives for security.
- Communicate and educate!
jeanyang.com