By Sean Michael Kerner
February 19, 2008
WASHINGTON, D.C. -- The name "Black Hat" for years has been synonymous
with shadowy hacker activities. Many also know that the term refers to
the popular annual security conference of the same name, long held in
Sin City itself -- Las Vegas.
This week, however, the Black Hats aren't flocking to Vegas. Instead,
they're meeting in the heart of the federal government: Washington,
D.C., a setting that makes for a very different type of security
[cob:Related_Articles]"It's almost the 'white hat' Black Hat, with much
more focus on defense than offense," said Brian Chess, founder and chief
scientist at enterprise security player Fortify Software.
Chess is no stranger to either Black Hat or Washington. His firm is a
partner with the government-funded Computer Emergency Response Team
(CERT) on automated compliance checking.
At the last Black Hat Las Vegas event, Chess also ran the famed Iron
Chef Black Hat hacking challenge.
This week, he's expected to speak once more on security issues. This
time around, Chess will be talking about software testing and using
functionally tests to find vulnerabilities.
"It's about how you build software right, as opposed to how you break
something," Chess told InternetNews.com. "We'll be talking about some of
the less-than-ideal ways that people go about finding security
vulnerabilities in their code."
In Chess' view, developers often fail to do a great job of security
testing simply because they don't have to. Since plenty of bugs can be
found easily, they typically feel little incentive to undertake a more
rigorous and thorough search that might find all bugs, he said.
On the flip side, "if you actually want to build something that is
secure, there actually is a lot you can do," Chess said.
Not surprisingly, the security conference's inside-the-Beltway setting
also means it will have a special focus on government. Among the week's
sessions are a talk on phishing and the Internal Revenue Service (IRS),
and a discussion of potential cyber-threats to the 2008 presidential
The government focus is also reflected in the background of some of the
speakers at the event. The only keynote of the Black Hat D.C. event is
being delivered by Jerry Dixon, a former deputy director of US-CERT and
the founding director of the IRS's Computer Security Incident Response
A former U.S. spy is also on the speakers list. In a talk about social
engineering, Peter Earnest, a 35-year veteran of the Central
Intelligence Agency, will discuss his experiences in espionage.
While this week's conference will offer a different perspective compared
to its larger, more free-for-all Las Vegas counterpart, followers of the
goings-on at Black Hat can still expect much of the same.
"It's still Black Hat," Chess said. "The reason why people come out for
Black Hat is they want to get a taste for what's going on from a
technical, vulnerability-researcher point of view. So I expect the
presentation style will be about the same."
Subscribe to InfoSec News