Facebook Awards $50,000 Prize For Internet Defense

chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/08/facebook-awards-internet-defense-prize-for-work-on-securing-web-apps/) on Facebook awarding its first ever monetary prize for groundbreaking work on cyber defense.
In a blog post on Wednesday, the company announced that its first ever $50,000 Internet Defense Prize was awarded to Johannes Dahse and Thorsten Holz, both of Ruhr-Universität Bochum in Germany, for their work on a method for making software less prone to being hacked. (https://www.facebook.com/notes/protect-the-graph/internet-defense-prize-awarded-at-23rd-usenix-security-symposium/1491475121092634)
Dahse and Holz developed a method for detecting so-called “second-order” vulnerabilities in Web applications using automated static code analysis. Their paper (https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-dahse.pdf) was presented at the 23rd USENIX Security Symposium in San Diego. (https://www.usenix.org/conference/usenixsecurity14/technical-sessions)
In a blog post announcing the prize, John Flynn, a security engineering manager at Facebook, said the Internet Defense Prize recognizes “superior quality research that combines a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense.”
Second-order vulnerabilities are distinct from “first-order” security holes like SQL injection and cross-site scripting. They allow an attacker to use one of those first-order flaws to manipulate a web application and store a malicious payload on a web server. That payload, which may be stored as a shared resource on the application server, can later be used to target all users of the application.
Dahse and Holz’s work was chosen by a panel to receive the prize both on its technical merit and because panelists “could see a clear path for applying the award funds to push the research to the next level,” Flynn wrote."
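As an added illustration of the second-order pattern the submission describes (not code from the submission, the paper, or Facebook), the following Python/sqlite3 snippet shows a crafted value being stored safely through a parameterized INSERT and then reused unsafely by a later request that trusts database content; the hardened function beside it binds the stored value as a parameter instead. All user names, e-mails and the table layout are constructed sample data.

```python
"""Second-order SQL injection: the payload is stored safely, then reused unsafely."""
import sqlite3

# Constructed sample data: two ordinary users plus one registered with a crafted name.
LEGIT_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
CRAFTED_NAME = "mallory' OR '1'='1"


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    return conn


def register(conn, name, email):
    # Request 1: correctly parameterized, so the crafted name is stored verbatim
    # and no first-order injection happens here. The dangerous sink is elsewhere.
    conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))


def emails_for_vulnerable(conn, name):
    # Request 2 (vulnerable): the application re-reads the stored name and,
    # treating database content as trusted, splices it into a new query string.
    stored = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()[0]
    sql = "SELECT email FROM users WHERE name = '" + stored + "'"
    return [row[0] for row in conn.execute(sql)]


def emails_for_hardened(conn, name):
    # Request 2 (hardened): data read back from storage is still untrusted input,
    # so it is bound as a parameter and never becomes part of the SQL text.
    stored = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()[0]
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (stored,))
    return [row[0] for row in rows]


def demo():
    """Returns (rows leaked by the vulnerable path, rows returned by the hardened path)."""
    conn = setup_db()
    for name, email in LEGIT_USERS:
        register(conn, name, email)
    register(conn, CRAFTED_NAME, "mallory@example.com")
    return emails_for_vulnerable(conn, CRAFTED_NAME), emails_for_hardened(conn, CRAFTED_NAME)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable path returned", leaked)   # every user's e-mail
    print("hardened path returned", safe)      # only the requesting user's e-mail
```

The point for a code reviewer or a static analyser is that the sink in `emails_for_vulnerable` looks like it operates on "our own" database data, which is exactly why first-order-only taint checks miss it.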