We see a lot of bad news in security: hacks, attacks, breaches, bad choices—tiny flaws that lead to significant failures. As part of a community that’s naturally wary of wins, it can be a battle to remember how much progress we’ve made as an industry, and how exponentially that progress scales across a user population of billions. In the spirit of Thanksgiving, I asked a group of Rapid7 leaders and experts to name security improvements that have made computing safer over the years—for users, practitioners, researchers, and the myriad points of intersection among them.
Here are the security technologies, practices, and policies a small slice of Rapid7 staff are thankful for this year. It’s safe to say we could probably list many more.
Derek Abdine, Rapid7 Labs Director
People. I'm thankful for security researchers and practitioners who have been the catalyst for change by discovering and reporting new issues as technology has become more pervasive, especially over the past decade.
Tod Beardsley, Director of Research
Modern secure development practices, combined with ASLR + DEP. These two developments in software engineering have made huge strides to keep people safe from disastrous vulnerabilities. All major software development organizations today have some in-house documentation on how to write code securely (e.g., Microsoft's, Apple's, CA Veracode's, Mozilla's, and the Software Engineering Institute's). The fact is, major software vendors are much, much better at producing solid, secure code today than they were ten years ago. Bugs still get shipped, but they're often less severe and harder to exploit than they used to be.
One reason why these bugs are hard to exploit is the other major advent in software engineering: ASLR+DEP (more verbosely, Address Space Layout Randomization and Data Execution Prevention). I'd say ASLR+DEP is the single most effective innovation in making the practical exploitation of mature software as difficult as it is today. Since we're still dealing with software that didn't (and doesn't) get written with modern secure development practices, and is deployed on platforms that don't have ASLR+DEP enabled (ahem, IoT), the world of general purpose computing would be much scarier today without these backing practices and technologies.
Rebekah Brown, Threat Intelligence Lead
Multi-factor authentication. It works on a ton of different accounts and online services, it's easy to implement, and everyone from my kids to my hippie neighbors can understand why it helps secure accounts. It adds a lot of complexity for attackers to get around without making it too complicated for end users.
Brent Cook, Metasploit Senior Engineering Manager
The pledge(2) system call. While there are many ways for applications to self-restrict their operations (Capsicum, AppArmor, seccomp, SElinux), they are generally complex and difficult to use. pledge is a significant advance in ease of use, allowing developers to simply restrict classes of operations rather than requiring them to have deep technical knowledge of operating system details. A security mitigation is only impactful if it is used widely (and this is).
Ross Dickey, Senior Software Engineer
Password managers! (Enough said.)
Harley Geiger, Director of Public Policy
Moves toward permanent legal protection for security researchers. For the first time, the Copyright Office called for permanent (and long overdue) legal protections for security researchers in its policy study on DMCA Sec. 1201. The study also announced new changes that will make the process of obtaining future exemptions for security testing less burdensome.
Bethany Hertel, Threat Intelligence Manager
The public policy work currently being done to prevent OEMs from having to build backdoors into their technology. While technological golden keys might seem beneficial to certain government entities, they would present a tremendous risk to the general public, many of whom would be unaware of potential repercussions.
Katie Ledoux, Trust and Security Governance Manager
Easy-to-digest information about security best practices. I’m thinking about two-factor authentication as an obvious example, but it’s hardly the only one. It’s getting a lot “trendier” to make security hygiene approachable and digestible to everyone, including consumers. We’re getting better at letting go of our collective ego and leveling with users who need information they can understand quickly and easily.
Bob Rudis, Chief Security Data Scientist
Secure DNS. DNSsec and other security layers on top of DNS (like OpenDNS and Quad9) make it easy to have privacy and safety in ways we could not have had before they came along.
Brendan Watters, Senior Security Researcher
Open-source firewalls. For almost a decade, open-source firewalls have given users simple, reliable, robust protection at a price and performance point that’s accessible and impressive. Thanks to these bad boys, a person can easily and cheaply build what would have been an enterprise-class firewall five years ago. Network segmentation and basic policing of home networks has never been more important, and thanks to these new open-source firewall “appliances,” securing your network has never been easier.
Greg Wiseman, Lead Software Engineer
The HTTPS Everywhere browser extension. By default, browsers load web pages using HTTP. However, as HTTPS adoption keeps rising, it's quite handy to have my connection upgraded without having to explicitly request encryption. This was especially helpful when the extension was released back in 2011, when HTTPS was typically only used while logging in, and not enforced for regular browsing of sites like Facebook or Google Search.
For my part, I'll happily call out the role of modern web browsers in hardening security for the average internet-loving consumer. Click-to-play (lookin' at you, Flash and Java), malicious site warnings, and easy access to plugins like AdBlock and Ghostery have significantly improved security for users without requiring a complex foundation of technical knowledge.
Have a security practice, policy, or technology you’re thankful for? Hit us in the comments below—we’d love to hear it. We’ll be back tomorrow with security tips for the holiday season (Cyber Monday, anyone?), but until then, a very happy Thanksgiving to you and yours.