Katie Moussouris

Moussouris at Kiwicon in Wellington, New Zealand, in 2015
Citizenship: American
Occupation(s): Security researcher, CEO, entrepreneur
Employer(s): Luta Security, HackerOne, Microsoft, Symantec, @stake
Known for: Bug bounty programs, vulnerability disclosure

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft [1] and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. [2] [3] She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, [4] and is currently the founder and CEO of Luta Security. [5]

Biography

Moussouris was interested in computers from a young age and learned to program in BASIC on a Commodore 64 that her mother bought her in third grade. [6] [7] She was the first girl to take AP Computer Science at her high school. [6] She attended Simmons College to study molecular biology and mathematics and simultaneously worked on the Human Genome Project at the MIT Whitehead Institute. While at Whitehead she moved from a lab assistant role into a systems administrator role, and after three years she became the systems administrator for the MIT Department of Aeronautics and Astronautics, where she helped design the computer system for a new lab that was to open in 2000. [6] During this time she also worked as the systems administrator at the Harvard School of Engineering and Applied Sciences.

She moved to California to work as a Linux developer at Turbolinux and started their computer security response program. [7] [8] She was active within the West Coast hacker scene and formally joined @stake as a penetration tester in 2002 by invitation of Chris Wysopal. [9]

Symantec

Moussouris joined Symantec in October 2004 when it acquired @stake. [10] [11] While there, she founded and managed Symantec Vulnerability Research in 2004, the first program to allow Symantec researchers to publish vulnerability research. [12]

Microsoft

In May 2007, Moussouris left Symantec to join Microsoft as a security strategist. [11] She founded the Microsoft Vulnerability Research (MSVR) program, announced at BlackHat 2008. [13] The program has coordinated the response to several significant vulnerabilities, including Dan Kaminsky's DNS flaw, [14] and has also actively looked for bugs in third-party software affecting Microsoft customers (later examples of this approach include Google's Project Zero).

From September 2010 until May 2014, Moussouris was the Senior Security Strategist Lead at Microsoft, where she ran the Security Community Outreach and Strategy team as part of the Microsoft Security Response Center (MSRC). [15] She instigated the Microsoft BlueHat Prize for Advancement of Exploit Mitigations, [16] which awarded over $260,000 in prizes to researchers at BlackHat USA 2012. [17] The grand prize of $200,000 was at the time the largest cash payout offered by a software vendor. [18] She also created Microsoft's first bug bounty program, [1] which paid out over $253,000 and received 18 vulnerabilities over the course of her tenure.

ISO vulnerability disclosure standard

Moussouris has helped edit the ISO/IEC 29147 document since around 2008. In April 2016, ISO made the standard freely available at no charge after a request from Moussouris and the CERT Coordination Center's Art Manion. [19]

HackerOne

In May 2014, Moussouris was named the Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California. [4] In this role, Moussouris was responsible for the company's vulnerability disclosure philosophy, and worked to promote and legitimize security research among organizations, legislators and policy makers.

"Hack the ..." series

While still at Microsoft, Moussouris began discussing a bug bounty program with the federal government; she continued these talks when she moved to HackerOne. [20] In March 2016, Moussouris was directly involved in creating the Department of Defense's "Hack the Pentagon" pilot program, organized and vetted by HackerOne. [21] It was the first bug bounty program in the history of the US federal government. [22]

Moussouris followed up the Pentagon program with "Hack the Air Force". HackerOne and Luta Security are partnering to deliver up to 20 bug bounty challenges over three years to the Defense Department. [23]

Luta Security

In April 2016, [24] Moussouris founded Luta Security, [25] a consultancy to help organizations and governments work collaboratively with hackers through bug bounty programs.

New America fellow

During 2015-2016 and 2016-2017, Katie Moussouris served as a Cybersecurity Fellow at New America, a U.S.-based think tank. [26] [27]

Wassenaar Arrangement amendment

In 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was amended to include "intrusion software". Moussouris wrote an op-ed in Wired criticizing the move as harmful to the vulnerability disclosure industry because of the overly broad definition, and encouraged security experts to write in to help regulators understand how to make the right changes. [28] She was invited as a technical expert to directly assist in the US Wassenaar Arrangement negotiations, and helped rewrite the amendment to adopt end-use decontrol exemptions based on the intent of the user. [29]

Exploit labor market research

Moussouris was a visiting scholar at the MIT Sloan School of Management and affiliate researcher at the Harvard Belfer Center for Science and International Affairs, where she conducted economic research on the labor market for security bugs. She coauthored a book chapter on the first system dynamics model of the vulnerability economy and exploit market, published by MIT Press in 2017. [30] [31]

Congressional testimony

In 2018, Moussouris testified in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security about security research for defensive purposes. [32]

In 2021, Moussouris testified in front of the U.S. House Committee on Science, Space, & Technology about improving the cybersecurity of software supply chains. [33]

Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity

In 2021, Moussouris donated $1 million to found the Anuncia Donecia Songsong Manglona Lab for Gender and Economic Equity at Penn State Law, named after her mother. The "Manglona Lab" will start with a gender equity litigation clinic intended to address workplace financial discrimination while promoting economic equity under the law. [34]

Awards

In 2014, SC Magazine named Moussouris to its Women in IT Security list. [12] She was also named as one of "10 Women in Information Security That Everyone Should Know," [35] and the "One To Watch" among the 2011 Women of Influence awards. [36] In 2018 she was featured among "America's Top 50 Women In Tech" by Forbes. [37]

Presentations

Publications and articles

Microsoft lawsuit

In September 2015, Moussouris filed a discrimination class-action lawsuit against Microsoft in federal court in Seattle. She alleged that Microsoft's hiring practices perpetuated sex discrimination against women in technical and engineering roles with respect to performance evaluations, pay, promotions, and other terms and conditions of employment. [46] [47]

References

  1. "Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official". The Register. Retrieved April 4, 2016.
  2. "Pentagon Launches the Feds' First 'Bug Bounty' for Hackers". WIRED. Retrieved April 4, 2016.
  3. "Hack The Pentagon: DoD Launches First-Ever Federal Bug Bounty Program". Dark Reading. March 2, 2016. Retrieved April 4, 2016.
  4. "HackerOne Secures $9 Million, Appoints Katie Moussouris Chief Policy Officer". www.securityweek.com. May 29, 2014. Retrieved April 4, 2016.
  5. "Luta Security". Luta Security, Inc. Retrieved June 17, 2017.
  6. "GeekGirl of the Week - July 1999". GirlGeeks. Retrieved April 13, 2019.
  7. McGraw, Gary (July 2015). "Silver Bullet Talks with Katie Moussouris". IEEE Security and Privacy. 13 (4): 7–9. doi:10.1109/MSP.2015.89.
  8. Moussouris, Katie. "Penetration Testing is Dead! Long Live Penetration Testing!" (PDF). HackFest 2014. SANS Institute. Retrieved April 13, 2019.
  9. Fisher, Dennis (March 9, 2018). "'Nothing's Going to Last Forever': An Oral History of the LØpht, Part Four". Decipher. Duo Security. Retrieved April 13, 2019.
  10. Rashid, Fahmida (August 15, 2014). "Sisters in Security: Katie Moussouris' Leaps of Faith". PCMagazine. Retrieved September 23, 2017.
  11. Naraine, Ryan. "Symantec vulnerability research founder joins Microsoft". Zero Day. ZDNet. Retrieved September 23, 2017.
  12. "2014 Women in IT Security: Katie Moussouris". SC Magazine. August 4, 2014. Retrieved April 4, 2016.
  13. Kaplan, Dan (August 8, 2008). "BLACK HAT: Microsoft to work with third parties over vulns". SC Media US. Haymarket Media, Inc. Retrieved September 24, 2017.
  14. Lemos, Robert. "Alliance forms to fix DNS poisoning flaw". SecurityFocus. Retrieved September 24, 2017.
  15. Leggio, Jennifer. "100 Brains: Microsoft's Katie Moussouris makes security accessible". ZDNet. Retrieved April 4, 2016.
  16. DuPaul, Neil. "Microsoft BlueHat - 5 Questions with Katie Moussouris". Veracode. Retrieved September 23, 2017.
  17. Smith (pseudonym), Ms. (July 27, 2012). "Microsoft BlueHat Prize Winners". CSO Online. IDG Communications, Inc. Retrieved September 23, 2017.
  18. Kamath, Maya (August 8, 2015). "Here is list of world's biggest 'Bug Bounty' payouts by tech companies". TechWorm. TechWorm.net. Retrieved September 23, 2017.
  19. Saarinen, Juha. "ISO vulnerability disclosure standard now free". iTnews. nextmedia Pty Ltd. Retrieved September 24, 2017.
  20. Zetter, Kim. "Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice". WIRED. Retrieved September 24, 2017.
  21. Shinkman, Paul D. (April 1, 2016). "To Modernize Military, Pentagon Turns to Hackers". U.S. News & World Report. Retrieved April 4, 2016.
  22. "'Hack the Pentagon' Pilot Program Opens for Registration". US Department of Defense News. US Department of Defense. March 31, 2016. Retrieved September 24, 2017.
  23. O'Neill, Patrick Howell (April 26, 2017). "U.S. launches 'Hack the Air Force' bug bounty program". Cyberscoop. Retrieved September 24, 2017.
  24. Brook, Chris (April 14, 2016). "Katie Moussouris On Hack The Pentagon, Embracing Hackers". Threatpost. Retrieved August 15, 2016.
  25. "Luta Security". Luta Security.
  26. "The 2016-2017 Cybersecurity Fellows". New America 2016-2017 Cybersecurity Fellows. Retrieved June 19, 2017.
  27. "The 2015-2016 Cybersecurity Fellows". 2015-2016 Cybersecurity Fellows.
  28. Stevenson, Alastair (July 22, 2015). "A tiny change to this obscure arms dealing agreement could kill the cyber security industry". Business Insider. Retrieved April 13, 2019.
  29. Waterman, Shaun (December 20, 2017). "The Wassenaar Arrangement's latest language is making security researchers very happy". CyberScoop. Retrieved April 13, 2019.
  30. "Katie Moussouris". National Security Institute. George Mason University. Archived from the original on April 13, 2019. Retrieved April 13, 2019.
  31. Ellis, Ryan; Huang, Keman; Siegel, Michael; Moussouris, Katie; Houghton, James (January 26, 2018). "Fixing a Hole: The Labor Market for Bugs". New Solutions for Cybersecurity: 129–160. doi:10.7551/mitpress/11636.003.0006. ISBN 9780262346641.
  32. "U.S. Senate Hearing - Data Security and Bug Bounty Programs: Lessons Learned". HackerOne Blog. February 6, 2018.
  33. "On SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains" (PDF).
  34. "Cybersecurity pioneer gives $1 million for Penn State Law gender equity lab". news.psu.edu. Penn State University. Retrieved March 6, 2021.
  35. "Mischel Kwon". www.eweek.com. Retrieved April 4, 2016.
  36. Goodchild, Joan (December 19, 2011). "2011 Women of Influence award winners named". CSO Online. Retrieved April 4, 2016.
  37. "Katie Moussouris". Forbes.
  38. "NCSC". Archived from the original on September 24, 2017. Retrieved September 24, 2017.
  39. "The Wolves of Vuln Street: The 1st Dynamic Systems Model of the 0day Market - USA 2015 - RSA Conference". www.rsaconference.com.
  40. "Black Hat USA 2015". www.blackhat.com.
  41. "Talks | Kiwicon 8". Archived from the original on February 24, 2015. Retrieved May 6, 2016.
  42. Moussouris, Katie (April 2016). "Not All Hackers Are Evil". Time. Retrieved June 19, 2017.
  43. Moussouris, Katie. "Hackers Can Be Helpers". The New York Times. Retrieved June 19, 2017.
  44. Moussouris, Katie (January 31, 2017). "Administration should continue to seek changes to international cyber export controls". thehill.com. The Hill. Retrieved June 19, 2017.
  45. Moussouris, Katie (April 15, 2016). "The Time Has Come to Hack the Planet". Threatpost. Retrieved September 24, 2017.
  46. Mundy, Jane (September 21, 2015). "Microsoft Accused of Discrimination against Women". Lawyersandsettlements.com. Retrieved December 11, 2015.
  47. "Microsoft Sued in Class Action Alleging Sex Discrimination". Reuters.com. September 16, 2015. Archived from the original on December 10, 2015. Retrieved December 11, 2015.