Noam Rathaus, Beyond Security: we acquire vulnerabilities and use them for defense purposes only

Noam Rathaus has been working in the security field since the age of 13. He has written four books on open source security and penetration testing, has found over 40 vulnerabilities in various software, and wrote about a third of the code base of Nessus when it was still open source, including over 500 of the roughly 1000 tests it had at that time. He founded Beyond Security with his colleague Aviram Jenik in 1999 and has been working in the security field ever since.

I’ve noticed that you’ve been working for Beyond Security as a CTO since 1999. That’s quite a lot of time! What’s your motivation?

My motivation is growth. I have grown with Beyond Security, both personally and business-wise. I still remember starting as a two-man team in a small apartment. Over the years we have expanded our team to a worldwide operation with over 50 employees, with branches in the USA, France, Israel, India, China, Singapore and Korea. This growth has allowed me to expand my knowledge as well as meet people from all over the world.

Your company also launched SecuriTeam Secure Disclosure. Could you tell us more about it?

Sure thing! We launched SSD in 2007 as a platform to acquire vulnerabilities from security researchers around the world, working closely with leading vendors to responsibly disclose vulnerabilities and sharing the knowledge we gathered with the cyber security community. We publish on a regular basis in our blog and newsletters to the community.

How has the project worked out so far? What is the overall perception/feedback from the Security Researchers Community?

The project is a big success. Today we are working with leading organizations and companies such as Microsoft, Google, Linux, WordPress and more, and cooperating with hundreds of security researchers around the world. We participate in and sponsor conferences, and not only the “big” and well known conferences like Black Hat and DEF CON; we also sponsor “small” and new conferences in different countries as a way to support the community. Moreover, we sponsor flights, trainings (hacking courses) and conference entry for researchers that are working with us.
We also launched (in the past 2 years) hacking competitions at the Code Blue conference in Japan, with more to come!

Could you tell us more about ethical issues related to SSD? How is the safety of the Security Researchers taken care of?

There are mainly 2 types of security researchers: those who want to get publicity and those who want to stay anonymous. In SSD we work with both types of researchers.
The researchers who want to get publicity – we make sure the vendors give credit to the researcher who put a lot of effort into finding the vulnerability, and we blog about and promote their findings in social media and at conferences.
The researchers who want to stay anonymous – there are a lot of reasons for a researcher to stay anonymous. For example, they work in companies and conduct their research as a hobby or after working hours. In this case we function as a middle man: we contact the vendor and report the vulnerability. In that case the researcher gets paid and stays anonymous.
From the ethical point of view – today we acquire vulnerabilities and use them for defense purposes only. We only sell the vulnerabilities to premium, legitimate and legal organizations. We don’t deal with shady companies and organizations – the project is well known and it’s very important for us that we maintain our reputation in the market.

So what do you think makes the ideal Security Researcher?

The ideal security researcher is one that is not afraid to challenge himself to learn new things on a daily basis, conducts his research on the interesting products and, most importantly, does not give up. Let me try to explain what I mean. In the vulnerability research field you never know if you will find the vulnerability even after investing a month of research on a product, so it’s very important to believe in yourself. The “interesting” part is to conduct research on well known products:

  • Operating systems: Windows / Linux / OSX / iOS / Android
  • Browsers: Chrome / FireFox / Safari / Tor
  • Flash
  • CMS
  • Network Components: Routers / Firewalls
  • Databases
  • Web mails
  • And more

One more important characteristic is to always be updated on what’s going on. As you know, every day the vendors close vulnerabilities and develop new security features for their products, and the security researcher must always be updated – it’s a full time job. And the most important thing is to love what you are doing!
Today the cyber security industry is a very promising field, especially vulnerability research. Every so often you can find companies that publish the price they are willing to pay for vulnerabilities, and the sums can be quite high; even the bug bounty programs are willing to pay decently.
