Innovation Labs – How Security Research Drives Identity Security
One of SecureAuth’s unique strengths is the company’s deep-seated roots (or DNA) in security research and how we use that research to detect and prevent new threats as well as drive new areas of product innovation.
As the lead of SecureAuth Innovation Labs, the team responsible for security research, a question I get asked quite often is “Why does SecureAuth do offensive security research?” With GitHub’s recent call for feedback regarding their policy around security research, malware and exploits, the timing seems right to dive into this question in a bit more detail.
We, like many in the security research community, use GitHub to host our Open Source tools. As some of our tools are offensive security focused, this discussion triggered internal conversations about the nature of those tools and got us asking ourselves this same question again.
So, Why are We Doing Offensive Security Research?
The main reason for us, as an identity security company, to perform security research and publish offensive security tools can be thought of as threefold:
First, our mission is to deliver the most secure and flexible authentication experience across both workforce and customer identities. We believe that if it’s not usable, it’s not secure, but at the same time our vision is to never compromise on security.
Second, you cannot have privacy without security. The way employees, users and customers interact with applications and their data is defined by the Identity Security mechanisms in place.
Third, we understand that offensive security is one of the most important means to define how we secure our users, customers, and their data. To advance the state of effective and efficient Identity Security measures and controls we need to understand the threats we’re fighting against.
Putting all this together, developing and actively maintaining offensive security tools, as well as contributing to external open source efforts, enables us to not be mere observers of how threat actors evolve and innovate their tactics and techniques, but instead to take part in the process of learning how those innovations are conceived and the motivations behind them, and to try to stay ahead in the game.
Our Commitment to Open Security Research and Knowledge Sharing
As part of the broader information security community, we aim to help defenders thrive and allow security professionals to access and develop the right knowledge. The spirit of our offensive security research efforts is to establish a platform where researchers and practitioners can collaborate and share identity security and vulnerability-related know-how and intelligence.
In a context where no rules can be enforced on threat actors, we will support efforts to narrow down and limit the malicious abuses of such knowledge and tools, as long as those don’t put the security community at a disadvantage and potentially censor content that can be considered dual use.
As we continue to monitor the developments on this front, we reinforce our commitment to open security research and knowledge sharing that can drive us forward to a more engaging and safer Identity Security.
We’d love to hear if you have any feedback on this issue and encourage you to participate in GitHub’s call for feedback.