Posted by Christiaan Brand, Product Manager, Google Cloud

Developer training has an essential role in reducing code vulnerabilities and avoiding a breach. Effective application security requires both locating security-related defects, and fixing them. But developers simply aren’t equipped with the knowledge or skills they need to fix these flaws. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey from DevOps.com, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security. The good news is that getting developers the security training they need makes a big difference. Data collected for our State of Software Security report revealed that eLearning on secure coding improved developer fix rates by 19 percent; even better, remediation coaching improved fix rates by a whopping 88 percent.

Clearly, developer training on secure coding is both needed and effective. The following are some key elements to keep in mind when establishing security-training initiatives for development teams.

Consider the channel and the content

Consider employing a variety of training types to accommodate different learning styles and preferences, time zone differences, and to allow for both quick insights and deep dives. For instance, consider both self-paced eLearning training along with periodic instructor-led training.

In terms of content, ensure the training is both role- and technology-specific. For instance, different programming languages have different security idiosyncrasies, and each has its own propensity for different vulnerability types, so it’s important that your training is specific to your language.

Train on-the-job

Reinforce traditional training with on-the-job learning. When developers get instant feedback and learn to code securely as they are actively coding, they create more secure code faster and make less security missteps going forward. And some application security testing solutions offer this option. As our director of product marketing notes in a recent blog post, “The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.”

A recent Forrester report, Show, Don't Tell, Your Developers How To Write Secure Code, states that “the best application security testing tools … now come with good remediation advice for developers.” They recommend to “look for tools that include clickable and brief training modules and can be inserted as early into the SDLC as possible, such as spellchecker-like plug-ins to the integrated developer environment (IDE).”

For example, Veracode Greenlight, an IDE or CI integrated continuous flaw feedback and secure coding education solution, returns scans in seconds, helping you answer the question “is my code secure?”

Greenlight provides on-the-job developer security training through:

• Remediation advice with code examples
• Positive feedback when best practices are followed
• In line education, learning as you code

Embrace security champions

Finally, one of the best ways to reinforce all your security training efforts is to employ security champions on your development teams. A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either fix the issues in development or call in your organization’s security experts to provide guidance.

With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.

Learn more

Get details on additional application security best practices in our new Application Security Best Practices Handbook.

And get tips and tricks on managing your AppSec program from other Veracode customers in our Community.

This blog post was updated on August 1, 2019 to include additional details uncovered as a result of the ongoing investigation associated with the Capital One data breach.

Capital One’s data breach may be one for the record books, impacting as many as 106 million U.S. and Canadian credit applicants dating back to as early as 2005. While it’s natural to want to draw parallels to the 2017 Equifax breach, there are a couple of details in this story that make it remarkably different – including Capital One’s quick response to a tip submitted through its Responsible Disclosure process.

According to multiple reports, 33-year-old Paige A. Thompson allegedly gained access to approximately 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 linked bank account numbers. Other affected personal information included phone numbers and credit scores. Thompson, who is facing five years in prison and a fine of up to $250,000, was previously an employee of Amazon Web Services, which hosted the Capital One database that was breached.

“The attacker was an ex-AWS employee, which did not give her special privileges, but does go to explain expertise of the AWS platform,” said Veracode Co-Founder and CTO Chris Wysopal. “The attacker found a configuration error in a Web Application Firewall (WAF) that allowed privileged commands to be executed with the credentials of Capital One. These commands had privileges that allowed her to access the storage where the Capital One PII was stored.”

Paul Farrington, Veracode EMEA CTO, noted that WAF log files are likely to have been stored in the AWS S3 storage system, which may be how the attacker was able to access the customer data that contain PII. What’s yet to be understood is who the WAF vendor is – if this breach is indeed the result of a configuration error, this vulnerability may be undocumented and many other organizations could be at risk.

It's looking likely that CapOne was only one of many organizations whose data was obtained by the defendant in this case. CapOne may be the only one that is public so far though.

— briankrebs (@briankrebs) July 30, 2019

UPDATE: TechCrunch's Zack Whittaker has reported that, "Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach," and that the Justice Department said Thompson may face additional charges, which suggests other companies may have been involved.  

What Does Coordinated Disclosure Have To Do With It?

Many news outlets are drawing parallels to the 2017 Equifax breach, saying that this may not have happened if adequate measures had been taken legislatively to ensure significant consequence following breaches of this magnitude. The facts of the Capital One breach are certainly alarming, particularly when you consider that this is yet another example of consumers experiencing a significant privacy breach with far-reaching consequences. Certainly, the $700 million settlement Equifax is paying sets a precedent in penalizing companies that have not adequately protected their customers’ personal information – and failed to act quickly when a breach is brought to its attention.

That’s just one of the ways in which the Capital One breach is different. If the company was indeed breached through a WAF provided to them by a third-party vendor, it could be said that Capital One was doing its diligence to ensure the security of its customer data. We could get into how complicated supply chain security can be (think back to the AMCA data breach in June) and where the fault really lies in this case, but that seems fruitless given we don’t yet have all the facts.

It’s what we do know that deserves to be highlighted, both to differentiate this breach from Equifax and to highlight a critical best practice for all organizations with software underpinning the success of their business: Capital One has a working responsible disclosure process.

Thompson was not shy or discreet about her hack into the financial institution, posting the data she exfiltrated back in March to her GitHub account, which included her full name and resume. According to Wired, she also talked openly about it on Slack. The court documents indicate that on July 17, an anonymous tipster informed Capital One about the flaw and breach by emailing the responsible disclosure address with a warning about the data as well as the GitHub link.

In a statement made on July 29, Capital One said it, “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."

Meaning that once informed through its disclosure process, Capital One alerted the FBI, fixed the vulnerability, and the suspect was arrested – all within 12 days. Although consumers are still waiting to see if their data has been impacted, this response and resolution is much faster than others we have historically seen.

When a vulnerability in Zoom was made public earlier this month, it was done so by a security researcher who had disclosed the vulnerability to the video conferencing company 90 days before he published his blog post. At that time, they still hadn’t fixed it, and it became major news in the hours and days following the public disclosure.

The Capital One data breach could have been far worse had it not been for the openness of the hacker and the financial institution’s responsible disclosure process. Consumers may still be waiting to find out whether or not their information was breached, but it is clear that Capital One either learned from the massive breaches that came before or has a security leader hip to the value of working with outside security researchers.

The debates around responsible disclosure – now more commonly referred to as coordinated disclosure – have been going on for many, many years. We know that both businesses and the security community see the value, and that there is frustration from security researchers when they are either ignored or feel the issue isn’t being remedied fast enough. While it is important to consider how best to handle these breaches when it comes to legislative involvement, it is just as important to strengthen the relationship between enterprise and security researchers to ensure smooth reporting and resolution of flaws.

Vulnerabilities and flaws aren’t going anywhere – but we can all work together better to make sure they’re harder to exploit, and that resolution is swift after there has been a breach.

You can keep up with AppSec news like this, plus get trends and best practices, by subscribing to our content.

TL;DR We increased the Chrome Fuzzer Program bonus from $500 to $1,000 as part of our recent update of reward amounts.

Chrome Fuzzer Program is a part of the Google Chrome Vulnerability Reward Program that lets security researchers run their fuzzers at scale on the ClusterFuzz infrastructure. It makes bug reporting fully automated, and the fuzzer authors get the same rewards as if they reported the bugs manually, plus an extra bonus ($1,000 as of now) on top of it for every new vulnerability.

We run fuzzers indefinitely, and some of the fuzzers contributed years ago are still finding security issues in ever changing Chrome code. This is a win-win for both sides, as security researchers do not have to spend time analyzing the crashes, and Chrome developers receive high quality bug reports automatically.

To learn more about the Chrome Fuzzer Program, let’s talk to Ned Williamson, who’s been a participant since 2017 and now works on the Google Security team.

Q: Hey Ned! It looks like you’ve received over $50,000 by participating in the Google Chrome Vulnerability Reward Program with your quic_stream_factory_fuzzer.

A: Yes, it’s true. I wrote a fuzzer for QUIC which helped me find and report two critical vulnerabilities, each worth $10,000. Because I knew my fuzzer worked well, I submitted it to the Chrome Fuzzer Program. Then, in the next few months, I received that reward three more times (plus a bonus), as the fuzzer caught several security regressions on ClusterFuzz soon after they happened.

Q: Have you intentionally focused on the areas that yield higher severity issues and bigger rewards?

A: Yes. While vulnerabilities in code that is more critical to user security yield larger reward amounts, I actually started by looking at lower severity bugs and incrementally began looking for more severe bugs until I could find critical ones. You can see this progression by looking at the bugs I reported manually as an external researcher.

Q: Would you suggest starting by looking for non-critical bugs?

A: I would say so. Security-critical code is generally better designed and more thoroughly audited, so it might be discouraging to start from there. Finding less critical security bugs and winning bounties is a good way to build confidence and stay motivated.

Q: Can you share an algorithm on how to find security bugs in Chrome?

A: Looking at previous and existing bug reports, even for non-security crashes, is a great way to tell which code is security-critical and potentially buggy. From there, if some code looks like it’s exposed to user inputs, I’d set up a fuzzing campaign against that component. After you gain experience you will not need to rely on existing reports to find new attack surface, which in turn helps you find places that have not been considered by previous researchers. This was the case for my QUIC fuzzer.

Q: How did you learn to write fuzzers?

A: I didn’t have any special knowledge about fuzzing before I started looking for vulnerabilities in Chrome. I followed the documentation in the repository and I still follow the same process today.

Q: Your fuzzer isn’t very simple compared to many other fuzzers. How did you get to that implementation?

A: The key insight in the QUIC fuzzer was realizing that the parts of the code that handled plaintext messages after decryption were prone to memory corruption. Typically, fuzzing does not perform well with encrypted inputs (it’s pretty hard to “randomly” generate a packet that can be successfully decrypted), so I extended the QUIC testing code to allow for testing with encryption disabled.

Q: Are there any other good examples of fuzz targets employing a similar logic?

A: Another example is pdf_formcalc_context_fuzzer that wraps the fuzzing input around with a valid hardcoded PDF file, therefore focusing fuzzing only on the XFA script part of it. As a researcher, you just need to choose what exactly you want to fuzz, and then understand how to execute that code properly. Looking at the unit tests is usually the easiest way to get such an understanding.

Useful links:

• Fuzzing documentation
• Existing fuzz targets
• Fuzzing coverage dashboard
• Medium+ severity bugs reported via Chrome VRP

Happy fuzzing and bug hunting!

Dynamic analysis (DAST) is a vital part of all application security programs. Effective application security secures software throughout its entire lifecycle — from inception to production. With the speed of today’s development cycles — and the speed with which software changes and the threat landscape evolves — it would be foolish to assume that code will always be 100 percent vulnerability-free after the development phase. Code in production will always need to be tested or, in some cases, patched. Dynamic analysis plays an important role in ensuring that security spans from left to right in the SDLC.

Veracode provides dynamic scanning using a best-in-class engine that provides speed, accuracy of results, and scale. You can submit large batches of URLs for authenticated scans and expect results you can trust within a timeframe that matches your development cycles.

To ensure the most thorough coverage possible, you want authentication to go smoothly. Here are five key things to keep in mind to set yourself up for dynamic scanning success:

1. Prescan: Always allow time to run a prescan to check your authentication and ensure your connection is stable.
2. If you are using login scripts, always use Selenium IDE to create them.
3. Schedule scans to occur when you know that the sites will be up (e.g., not during a maintenance window, or leverage the Pause & Resume feature), and when there is lighter traffic.
4. If you want support for advanced frameworks (Angular, React) or single page applications, select the advanced mode option for scanning to ensure thorough coverage.
5. Take advantage of app linking: You can link the results from a dynamic analysis to an application profile to evaluate the results against policy, and see the results for all types of scans of the application aggregated in a single report.

Learn more about Veracode Dynamic Analysis on our web site. Or, get more details on the above five tips on running dynamic scans in our Veracode Community, including how-to videos.

On Wednesday, Louisiana Governor John Bel Edwards declared a state of emergency following a series of cyberattacks impacting the computer and phone systems of several of the state’s school districts. The declaration, which will remain in place for the entire state until Aug. 21, is out of concern that the attacks could spread to affect other organizations in local and state government.

According to Gov. Edwards’ office, the attacks were directed at school systems in the Sabine, Ouachita, and Morehouse districts, and are described as "severe, intentional cybersecurity breaches" that "may potentially compromise other public and private entities throughout" the state in the emergency declaration.

The declaration, which is the state’s first cybersecurity emergency activation, allows several resources to be devoted to the ongoing investigation. This includes cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services – and others – to determine how best to resolve and prevent future cyberattacks. The state is also coordinating with the FBI on the issue.

According to CNN, there have been at least 22 reported breaches of public sector networks in 2019. Recently, ransomware hackers have taken over the computer systems of several cities, including Atlanta, Baltimore, Albany, and at least two cities in Florida.

In 2017, Gov. Edwards created the Louisiana Cybersecurity Commission – a 15-member board inclusive of state officials, private-sector executives, and academics – in anticipation of such attacks on its government-run organizations and systems.

“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat,” Edwards said in a statement.

The State of Software Security for Government and Education Sector

In a world where the threat landscape is always evolving, public sector agencies around the U.S. are taking steps to ensure that their technology and critical infrastructure systems have the right protections in place – just as they’re ensuring that they have the right policies and processes in place when a cyberattack cannot be prevented. A great example of this is how Colorado created the standard for best defense following the 2018 SamSam ransomware attack on its public transportation system, and additional examples of cyberattacks impacting critical infrastructure can be found in the Policymakers’ Guide to the State of Software Security.

It’s true that there is plenty to celebrate according to Veracode’s State of Software Security Volume 9 (SOSS Vol. 9), which showed that the Government and Education sector improved significantly over the previous report. In SOSS Vol. 8, the industry was dead last in latest scan OWASP pass rank. This year, it came in second only to healthcare.

Veracode-SOSS9-fig58-Gov_Edu_OWASP.png

In examining flaw persistence – or how long it takes to close a flaw from first discovery – the analysis curve shows that while these organizations are slower than usual out of the gate, they pick up speed with resolving vulnerabilities as they dig into the second half of remaining flaws.

Veracode-SOSS9-fig60-Gov_Edu-Flaw Persistence.png

It’s understood that the reliance on digital technologies and software will continue to increase, just as the threat landscape will remain fluid and ever-changing. With approximately one quarter of breaches occurring through web application attacks, it’s imperative that government organizations and agencies ensure their applications are protected.

After seeing the rise in data breaches at all levels of government, the State of Missouri enlisted Veracode to create and implement an application security program that fixed more than 28,000 flaws in the first year of the program, and scaled to 360+ applications within three years. Curious to learn more about how Veracode helped the State of Missouri build and scale its application security program? Read the case study – which covers the process from start to finish – by clicking here.

One of the most important parts of a web application is the authentication mechanism, which secures the site and also creates boundaries for each user account. However, during my years of testing web applications, it’s still very common to find authentication mechanisms with vulnerabilities. I currently work as a principal penetration tester on Veracode’s MPT team, and I would say nine out of 10 websites I test have at least one of the following vulnerabilities:

Weak Password Policy

It’s not uncommon to find a website that does not follow a strong password policy. Recently, I tested an application where the minimum length of the password was only five characters long. This vulnerability is very common as developers try to get the balance between security and usability correct.

It’s also not uncommon to find applications that allow end users to set weak passwords, like “password,” “qwerty,” or “1234567,” for example. These types of passwords are well known to attackers and are always found in data leaks where companies have been breached.

Another vulnerability that I have seen, but is less common, is not allowing end users to copy and paste in the password field. This does not really improve security, but hinders it, since it stops people from generating passwords of 15 characters or more.

When I find vulnerabilities like this during a penetration test, I recommend the following:

• Minimum of eight characters
• Alphanumeric characters
• Mixture of upper and lowercase
• Forbid passwords containing username or company name
• Forbid three or more identical characters, e.g., aaa or 111
• Forbid three or more consecutive characters, e.g. abc or 123
• If possible, implement a blacklist, which would stop end users entering weak and common passwords. You could also use the haveibeenpwned API to look for compromised passwords. You can find some examples on the following URL: https://haveibeenpwned.com/API/Consumers

Two-Factor Authentication (2FA)

Another very common vulnerability I come across often with web authentication mechanism is the lack of additional security measures. It’s very rare to see developers implementing two-factor authentication, especially on high-privileged accounts.

There are a number of ways to implement 2FA technology, including RSA tokens, code generators such as Google Authenticator, and Duo and SMS text messaging of one-time codes. Implementing 2FA can also present a number of challenges, especially when “regular” users and “privileged” users both log into the application using the same authentication mechanism. While I would recommend two-factor authentication whenever it is practical, it is difficult to propose across the board for privileged roles. Because there is no industry standard to recommend for applications that mix administrative and non-administrative functions together, a broader design analysis may be needed. Separating administrative functions, such as user-account management, into completely separate applications with stronger authentication schemes is a good goal.

User Enumeration

This vulnerability is usually one of the quickest and easiest vulnerabilities to prevent. It’s mainly due to the error messages being presented back to the end user. If an invalid user attempts to authenticate, the error presented back would be different from that presented to a valid user. An invalid user might be presented with the error “account not found.” As such, a change to the error message will resolve this vulnerability nine times out of 10.

This type of vulnerability can often be found in various places within a web application where a username is required, e.g., login page, forgot password, registration, etc. A good solution for user enumeration vulnerabilities would be to make sure any information presented back to the end user is generic. For example, “if your account was found in our system, you will receive an email shortly.” However, this can be a bit tricky to implement on user registration pages. In these situations, it’s best to provide the new account with a random username.

Resolving user enumeration on account registration is a bit harder. A captcha should be implemented on the page and must be filled out correctly before being able to “Submit” the form. While this does not prevent harvesting altogether, it does defeat automated attacks and limits probing to manual analysis only. An alternative method would be to assign usernames instead of letting users choose them.

Broken Password Reset

This is not that common, but every so often I test a web application that has implemented this functionality in a bad way. This is usually found in the token being used for the reset either being weak or the password being sent to the end user via email.

A common mistake a lot of developers make is thinking that base64 encoding is the same as encryption. As such, they sometimes use this method to encode sensitive data. In password reset functionality, I have seen the token to reset a password using a base64 encoded email address. By decoding this and adding another email address, it was possible to change that end user’s password as long as the account was valid.

Another vulnerability affecting password resets is sending the plaintext password back to the end user. This is bad for a number of reasons, including the fact that the password has been sent via email, which is deemed insecure. This may indicate that the password is being stored in the database without proper salting and hashing or is in a reversible format like base64. 

This is less common these days as most frameworks have built-in functions that are tried and tested. However, every so often, you do come across developers that write their own functions to implement password reset functionality. I recommend that if you're using a framework, you use the functionality within that framework. I also recommend that all passwords are stored in a secure manner using a salt and strong hashing algorithm.

Brute Force Attacks

A common attack against authentication pages is a brute force attack. A brute force attack is where an attacker will attempt multiple usernames and passwords until they obtain access to a valid account. This type of attack can be easier to perform if the application has a user enumeration or has a weak password policy. There are a number of free tools that help an attacker perform such an attack and make it relatively easy to do.

I would recommend that you track the number of failed login attempts for a user and mark the account as locked. When the number of consecutive unsuccessful login attempts reaches a reasonable threshold (typically three to five failed attempts in a row), require a user to go through the forgotten password process to remove the lock on their account.

Look for These First

As defined in the blog title, these are the most common authentication vulnerabilities I tend to find on web application penetration tests. There are a number of other vulnerabilities that affect web application authentication systems, but these are less common in my experience. It is recommended that web developers look for these common issues and resolve them before they have a penetration test. In most cases, these types of issues can be easy to resolve, and by doing so, the tester can spend his or her time on more complex vulnerabilities.

Learn more about manual penetration testing on our website.

A great AppSec program requires more than just scanning. It takes seamless processes and services designed to help developers fix flaws and write more secure code.

The following is a list of the characteristics that we have found among our customers with world-class AppSec programs.

Consider security early

In early planning phases, ensure secure architecture and design and conduct threat modeling of applications. The easiest security flaw to fix is the one that is never introduced.

Create a centralized AppSec inventory

One of the first challenges when kicking off an AppSec program is understanding where the applications are hosted, where the codebases are, who is responsible for building and maintaining them, what development languages are used, how critical are they to the organization, and so on.

In addition, organizations may not know about all of their web applications, either due to M&A activities or because they are created faster than they can track them, leaving them vulnerable to attack. Veracode Discovery quickly scans your entire web application attack surface to identify and inventory all of your web applications, giving you the best visibility into (1) where to target Dynamic Application Security Testing (DAST) scanning with Veracode Dynamic Analysis, and (2) into apps that can be decommissioned.

Learn more about prioritizing applications in this blog post.

Move beyond “business-critical” apps

A focus on business-critical apps is a good place to start, not to stop. While business-critical applications do pose a high risk because of the nature of the information they touch, cyberattackers are unconcerned with the business criticality of the applications they attack. Instead, they look for the path of least resistance into an organization, and oftentimes this can be an application whose security was overlooked because it was not deemed business critical. In the end, an effective application security program assesses the entire application landscape – including all applications internally developed, vendor-supplied, and downloaded – and considers both criticality and exploitability.

Defend in depth

There is no application security silver bullet. Effective application security combines the strengths of different testing types – both manual and automated – throughout the application lifecycle. For instance, our research showed that there are significant differences in the types of vulnerabilities you discover dynamically at runtime compared to those you’ll find when doing static testing in a non-runtime environment. In fact, two of the top five vulnerability categories we found during dynamic testing weren’t even among the top five found by static, with one not found by static at all. Cumulatively, these data points reveal that security testing, with multiple methods, remains a necessary step in securing your application layer and avoiding a damaging breach.

For more details on the different types of application security testing, see Your Guide to Application Security Solutions.

Create risk-based policies

Application security policies should always prioritize and emphasize vulnerabilities and applications that create the most risk.

For instance, rank vulnerabilities so that you are focused first and foremost on those that are actually increasing your risk. It’s important to distinguish between flaws that represent a remote risk and those that represent more substantial, real-world risks. In some cases, the likelihood of a vulnerability being exploited may be low, but the potential damage might be great. In other instances, the chance of exploit might be high, but the damage may not be substantial.

In addition, not all apps are created equal, so create different requirements for different apps. For instance, an application that has IP, is public facing, and has third-party components may require all medium to very critical flaws to be fixed. A one-page temporary marketing site may only require high/very high flaws to be fixed.

Learn more in Everything You Need to Know about Application Security Policies.

Employ developer coaching

Developer training has an essential role in reducing flaws. Effective application security requires both locating security-related defects, and fixing them. But developers simply aren’t equipped with the knowledge or skills they need to fix these flaws. Veracode recently sponsored the DevSecOps Global Skills Survey from DevOps.com, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meantime, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security. The good news is that getting developers the security training they need makes a big difference. Our data revealed that eLearning improved developer fix rates by 19 percent; even better, remediation coaching improved fix rates by a whopping 88 percent.

Learn more about developer training.

Allow for developer self-service

Contrary to many security professionals’ innate tendencies, it’s ideal to give your security testing tools “away for free.” Give developers a self-service portal where they can access AppSec tools, help them integrate AppSec tools into their IDEs, and make security reports visible to all.

However, governance should still sit with security. The security team should own setting policies, tracking KPIs, and providing security coaching to developers.

Learn more in The Security Professional’s Role in a DevSecOps World.

Focus on remediation and mitigation

Ultimately, your AppSec program is not effective if you’re not fixing what you find. You can scan every piece of code you write, but without adequate training and guidance, you will not create more secure code. In fact, you will delay developer timelines and still produce vulnerable code. Enabling developers with both a scanning tool and remediation and mitigation guidance is key. At Veracode, we conduct over 5,000 consultation calls a year with development teams, guiding them through fixing flaws they have never had to address before. And we’ve found that after only one to two of these calls, developers’ secure coding know-how improves dramatically.

In addition, your AppSec program also needs to be set up to enable remediation guidance.

For instance, every scan completed should be assessed against a policy — not a policy that changes how you scan or what is discovered, but rather a filter of the results to see if you passed or failed based on the parameters you set for risk tolerance. This policy should also include: how often does a team need to scan, how long do they have to fix certain flaws based on severity/criticality, and what scanning techniques must be used. In addition, you need remediation time built in between scans. Just scanning multiple times a day and pulling results into a tracking system is not useful if no one has the bandwidth to fix anything. You are better off setting a realistic scanning schedule (once a day) so developers have time to fix what they find. You can increase scan frequency as you become more secure and are passing policy on a regular basis.

Learn more in Application Security Beyond Scanning.

Integrate into the SDLC

Integrate security into the CI/CD process as early in the development lifecycle as possible. Your goal should be to minimize the gap between the discovery of a problem and the time it takes to bring the developer back in to fix it. First, because it’s much faster, cheaper and easier to ask a developer to fix something they just coded compared to something they wrote six months ago. The longer you wait, the longer it will take for the developer to get back up to speed with that particular code, assuming the developer is even still on the project. Second, because the time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in days, and sometimes hours. Yet our most recent State of Software Security report found that one in four high and very high severity flaws are not addressed within 290 days of discovery.

Aim to conduct security testing during continuous integration. Better yet, use automation to conduct testing while the developer is writing the code, giving them instant feedback so they can make a fix before it ever becomes a problem.

Get more details on integrating AppSec on our website.

Learn more

Learn from our decade-plus of helping customers build out their AppSec programs; start with our Application Security Best Practices Handbook.

Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project. We're proud that community includes world class security researchers who help defend Chrome, and other Chromium based browsers.

Back in 2010 we created the Chrome Vulnerability Rewards Program which provides cash rewards to researchers for finding and reporting security bugs that help keep our users safe. Since its inception the program has received over 8,500 reports and paid out over five million dollars! A big thank you to every one of the researchers - it's an honor working with you.

Over the years we've expanded the program, including rewarding full chain exploits on Chrome OS, and the Chrome Fuzzer Program, where we run researchers' fuzzers on thousands of Google cores and automatically submit bugs they find for reward.

Today, we're delighted to announce an across the board increase in our reward amounts! Full details can be found on our program rules page but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000.

We've also clarified what we consider a high quality report, to help reporters get the highest possible reward, and we've updated the bug categories to better reflect the types of bugs that are reported and that we are most interested in.

But that's not all! On Chrome OS we're increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bug in firmware and lock screen bypasses also get their own reward categories.

These new reward amounts will apply to bugs submitted after today on the Chromium bug tracker using the Security template. As always, see the Chrome Vulnerability Reward Program Rules for full details about the program.

In other news, our friends over at the Google Play Security Reward Program have increased their rewards for remote code execution bugs from $5,000 to $20,000, theft of insecure private data from $1,000 to $3,000, and access to protected app components from $1,000 to $3,000. The Google Play Security Reward Program also pays bonus rewards for responsibly disclosing vulnerabilities to participating app developers. Check out the program to learn more and see which apps are in scope.

Happy bug hunting!

Summer’s longer days and slower pace invite us to pick up a book, follow our questions, and try our hand at something new.

At Veracode, I get the chance to talk with our developers about the experiences that led them to the work they do today. How did they begin to cultivate the security-mindedness that they bring to their coding? Was it a book they stumbled upon, a salient moment in the wake of a security incident, the guidance of a mentor, or a podcast that drew them in? What sparked their interest in doing things differently?

We think a lot about developers, curious but unsure, staring out at the sea of information security knowledge. It can feel overwhelming trying to orient yourself to something so wide and deep. To help developers begin, we put together some of the favorite books, podcasts, blogs, and hands-on exercises of Veracoders across our development, security, and product teams. From a just-published page-turner to classic Phrack articles, there’s something here for everyone who is interested in becoming more security-minded.

My favorites on the list include the hands-on exercises recommended by Sarah Gibson, one of our application penetration testers, and a walk through some information security classics with Senior Principal Software Engineer Dan Murphy (to read the full Dive Into the Classics, please see Dan's post.

So dip your toe in or take a deep dive—happy summer and happy learning!

Shakespeare. Brontë. Dickens. In literature, the classics have long been a staple of summer reading lists. Computer security has its own share of classics – reference points that serve as a foundation for understanding the field’s ever-changing chessboard of attack and defense. This list of computer security summer reading can be enjoyed either lounging on the beach with sand beneath your toes, or curled up in bed with your face lit by the blue-filtered midnight glow of a tablet. Whether you are a new developer interested in learning more about computer security, or a seasoned practitioner looking to revisit some of the seminal works in the field, I hope that you enjoy the articles below as much as I did when I first stumbled across them!

Smashing the Stack for Fun and Profit

http://phrack.org/issues/49/14.html

Aleph One’s Smashing the Stack for Fun and Profit was truly eye-opening when it was first introduced. Sometimes the answer to “what does this block of code do?” can be “anything the caller wants it to!” This concept lives on in more modern incarnations like XSS and SQL injection, but Smashing the Stack is the granddaddy of code injection. I originally encountered it independently, and was pleasantly surprised years later when it resurfaced as legitimate assigned reading for a grad class. Taking the time to write some shell code is valuable to understanding the fundamentals of how code executes, and is a great puzzle. Check out https://travisf.net/smashing-the-stack-today for tips on recreating the environment today.

OG ODBC

http://www.phrack.org/issues/54/8.html

Under the inauspicious heading of “ODBC and MS SQL server 6.5,” this article explores a simple concept: what could happen if a web application copies the strings received from HTML form elements directly to SQL statements? We all know how that one ended. Twenty years later, there are more than 37 million Google hits for “sql injection.” By now, Bobby Tables is applying for his first job after graduating from “University’); DROP TABLE applicants; --”, and still getting results!

Dawn of XSS

https://resources.sei.cmu.edu/asset_files/WhitePaper/2000_019_001_496188.pdf

CERT advisory CA-2000-02, since consigned to PDF archive, contains the following quote: “Because one source is injecting code into pages sent by another source, this vulnerability has also been described as ‘cross-site’ scripting.” The humble window.alert() function has been igniting developers’ limbic systems ever since with joy and terror, the latter being more common if you’re seeing it in prod.  Of course, XSS is much more dangerous than simply popping modals – untold millions of cookies have been exfiltrated since the line “malicious exploitation of this vulnerability has not been reported” was written in the advisory.

Tick TOC Tick TOU

https://www.usenix.org/legacy/events/fast05/tech/full_papers/wei/wei.pdf

Another class of attacks worth some summer reading is Time-of-Check to Time-of-Use. Sometimes the security put in place to thwart an attack has a race condition that can still allow an attacker to circumvent it. TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study is a great introduction to the concept, with some specific examples. You can get a more hands-on appreciation by doing (spoiler alert!) Level 2 of overthewire.org’s Leviathan challenge at http://overthewire.org/wargames/leviathan/. While the specifics for these classes of attacks have changed, the concepts are still very relevant: this spring (May 2019), a high-profile Docker bug – attributed to a TOCTOU flaw – allowed containers to break out and overwrite any file on the host as root (see: https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system and https://seclists.org/oss-sec/2019/q2/131).

Once Upon a Free

http://phrack.org/issues/57/9.html

Another tale of simple mistakes with direct consequences is contained within the bytes of Once Upon a Free. A dereference of an invalid pointer can be made much more insidious by controlling the contents of the memory being referenced, and how it gets used. By being aware of the implementation of an allocation scheme, an attack can predict and exploit a simple use of an invalid pointer to great effect. The write-up in https://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/ goes deep on an Internet Explorer vulnerability. Earlier this year, there was a very scary Chrome zero-day that built on use-after-free: https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/. One of the most interesting takeaways in these write-ups is the exploit code in JavaScript. You may not be writing C/C++ code, but almost all major browsers are implemented in native code, and it is important to understand what happens under the covers.

The Geometry of Innocent Flesh on the Bone

https://hovav.net/ucsd/dist/geometry.pdf

With stacks smashed and buffers overflowing with shell code, vendors introduced techniques to make stacks non-executable and limit the impact of code injection. But what it if were possible to hijack execution without injecting actual code? In The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), Hovav Shacham shows how small gaps in the intended behavior of a system can be built upon to produce a system that produces dramatic results. There are signs in the Veracode restrooms that read “Employees must wash hands before returning to libc.” They still manage to make me grin every now and then.

The Information Commissioner’s Office (ICO) has handed British Airways what it claims is the biggest penalty – and the first to be made public under new rules – since the General Data Protection Regulation (GDPR) came into play last year. According to the ICO, 500,000 customers had their personal information compromised during the 2018 breach, and the airline needs to pay up – to the tune of £183 million.

BA data breach facilitated by poor website security. 1.5% of global turnover or £185M GDPR fine levied. https://t.co/Wsn22Jm65X

— Chris Wysopal (@WeldPond) July 8, 2019

According to the BBC, British Airways, owned by IAG, has said that it is “surprised and disappointed” by the penalty, following an attack by hackers who allegedly carried out a “sophisticated, malicious criminal attack” on its website. The airline first disclosed the incident on Sept. 6, 2018 and had initially reported roughly 380,000 transactions had been affected.

The ICO, which believes the attack began in June 2018, found that user traffic to BA’s website was re-routed to a fraudulent website that gave hackers the ability to steal customer information. As a result of the airline’s poor security posture, customer log in information, payment card and travel booking details, and names and addresses were compromised.

In a statement, Information Commissioner Elizabeth Denham said, “People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ensuring that your organization is in compliance with GDPR is critical for both your customers’ protection and your bottom line. To learn more about how Veracode DevOps Penetration Testing can be used to meet compliance requirements, check out this blog post.

If we have data, let's look at data. If all we have are opinions, let's go with mine." -- Jim Barksdale

The ability to report on your application security program depends on access to your AppSec data. For questions from “how can I help my board understand our current risk posture?” to “which teams are developing secure code, and which need additional AppSec training?” – data is the key. Nobody should guess when it comes to answering questions as important as “are we compliant?”

We have recently transformed how Veracode helps you answer questions regarding your AppSec program. By building an entirely new back-end infrastructure and using a cutting-edge analytics tool, we’ve been able to give our customers new insights into our data and provide a hub for AppSec analytics, right within the Veracode platform.

The goals of our new analytics

As part of our analytics re-design, we needed to support two use cases: (1) our customers’ analytics needs in the platform using the embedded BI tool, and (2) our internal sales and services staff’s analytics needs using a standalone BI tool. To provide this functionality, we needed a tool that could support our security model and multi-tenancy while providing excellent performance, scalability, flexibility, and support in a Veracode-hosted environment. 

Behind the scenes of the analytics overhaul

Our new infrastructure design started with moving data into the AWS cloud, and replicating scan, findings, and organizational data into an AWS Redshift database. This database drives our existing reporting capabilities both in the platform and in any custom reports we create, and the performance has been outstanding. From there, we use SQL transformations to take our operational schema and map the data into a “star schema.” The star schema is a simple schema designed to avoid multiple joins in queries, which thereby optimizes performance in analytics queries. We replicate this star schema into our smaller back-end Redshift databases, which feed data into two BI instances. 

analytics1.png

Our standalone BI instance, used internally at Veracode to understand our customers’ AppSec portfolios, was developed first. Internal Analytics contains scans and findings data, as well as operational and low-level data that wouldn’t be of interest to a customer but is useful for our internal analytics. Once data was available in Internal Analytics, we set up meetings with SMEs across Veracode to build standardized dashboards that would provide value across Veracode. We defined the set of questions that Veracoders wanted to answer for their customers, e.g., “are we compliant?”, “how long do our scans take?”, “how frequently do we scan?”, and built dashboards that answered those questions. This resulted in nine shared dashboards and four “explores,” which provided our internal users with the ability to answer the bulk of their questions about Veracode’s customer base. The shared dashboards provide a good starting point for our users, and then if they wish to explore data from scratch they can start at one of the pre-defined “explore” levels: Applications, Scans, Findings, or Users.

Once Internal Analytics was generally available, we turned our sights on our external BI instance, the Veracode Analytics feature, which contains a subset of the data available in Internal Analytics. We realized early on that our internal and external customers have many of the same questions, and we were able to reuse eight of the nine dashboards in our new analytics offering, which you can see under Veracode Dashboards in the Analytics section of the Veracode platform. The four predefined explores are also available in the platform for new analyses.

analytics2.png

We have designed these solutions so that the same built-in dashboards, base data, and data models are used in both internal and external analytics, which reduces both the development time and testing required for these shared dashboards. By creating automated test suites and a well-defined automated CI/CD pipeline for our dashboards and data models, we can ensure that new development in our analytics environment will not break the existing analytics. 

Security policy

Security is job #1 (and #2, and #3, and so on) at Veracode, so we hold ourselves to exceptionally high standards when it comes to security. This means we encrypt data both in transit and at rest, and focus on data security at all levels. Additionally, we “practice what we preach” here at Veracode, meaning all of our data engineering and analytics code is scanned using Veracode, and our strict policies mean we continually monitor our own policy compliance. 

Take advantage of our new capabilities

Now that the Veracode Analytics solution is live and available to all customers, I encourage you to use it to understand your AppSec risk posture. Start with our built-in dashboards, and then play around. With each tile in a dashboard, you can right click in the top left corner and choose “explore from here” to change the visualization. Data is power, and we are happy to be putting the power of AppSec data in our customers’ hands!

• As of 2017, Mr. Bejtlich generally declines press inquiries on cybersecurity matters, including those on background.


• 2016
• Mr. Bejtlich was cited in the Forture story Meet the US's First Ever Cyber Chief, published 8 September 2016.
• Mr. Bejtlich was interviewed for the NPR story Cybersecurity: Who's Vulnerable To Attack?, aired 30 July 2016.
• Mr. Bejtlich was interviewed for the Washington Post story It’s not just the DNC; we all send emails we probably shouldn’t, published 25 July 2016.
• Mr. Bejtlich was interviewed for the New Scientist story NATO says the internet is now a war zone – what does that mean?, published 22 June 2016.
• Mr. Bejtlich was interviewed for the Military Times story The Pentagon's controversial plan to hire military leaders off the street, published 19 June 2016.
• Mr. Bejtlich was interviewed for the Idealog story Idealog talks with a cyber-war expert, published 6 May 2016.
• Mr. Bejtlich was cited in the New Zealand Herald story Cyber-attacks part of doing business with China - experts, published 5 May 2016.
• Mr. Bejtlich was cited in the Christian Science Monitor story Iran hacking indictment highlights US naming and shaming strategy, published 30 March 2016.
• Mr. Bejtlich was cited in the Financial Times story Defence groups take aim at cyber security, published 28 March 2016.
• Mr. Bejtlich was interviewed for the Security Management story A Chinese New Year, published 4 January 2016.
• 2015
• Mr. Bejtlich was cited in the AP story US Advised to Examine "Hack Back" Options against China, published 17 November 2015.
• Mr. Bejtlich was cited in the Reuters story Data from US agency cyber breach not on black market - researcher, published 2 November 2015.
• Mr. Bejtlich was cited in the NextGov story Creative, Audacious or Destructive: The Different Personalities of Nation-State Hackers, published 2 November 2015.
• Mr. Bejtlich was cited in the Baltimore Sun story As more devices go online, hackers hunt for vulnerabilities, published 24 October 2015.
• Mr. Bejtlich was cited in the Atlantic story Can Campus Networks Ever Be Secure?, published 12 October 2015.
• Mr. Bejtlich was cited in the Info Security story China Cuffs Hackers at Request of US Officials, published 12 October 2015.
• Mr. Bejtlich was interviewed for the Risky Business podcast, aired 2 October 2015.
• Mr. Bejtlich was cited in the NextGov story Who’s Really in Charge of Federal Cybersecurity and Is It Time for a White House CISO?, published 30 September 2015.
• Mr. Bejtlich was cited in the FCW story Time for U.S. to gut 'malware kingpins', published 29 September 2015.
• Mr. Bejtlich was cited in the South China Morning Post story Xi and Obama agree on cybercrime cooperation meetings as threat of sanctions of alleged theft of trade secrets looms, published 27 September 2015.
• Mr. Bejtlich was cited in the MIT Technology Review story Waiting for a Drop in Corporate Hacks after U.S.-China Deal, published 25 September 2015.
• Mr. Bejtlich was cited in the Foreign Policy story Will China Deliver on Its Promise to Stop Hacking American Businesses?, published 25 September 2015.
• Mr. Bejtlich was cited in the InfoWorld story U.S., China reach 'common understanding' on cyber attacks, published 25 September 2015.
• Mr. Bejtlich was cited in the Buzzfeed story The U.S. And China Are Discussing A Cyber Arms Pact, But Everyone Is Still Getting Hacked, published 23 September 2015.
• Mr. Bejtlich was cited in the CNBC story China's Xi to visit US tech—amid tepid expectations, published 23 September 2015.
• Mr. Bejtlich was cited in the USA Today story China: On cybersecurity, U.S. must not rock the boat, published 23 September 2015.
• Mr. Bejtlich was cited in the Gigaom story Considering the security implications of CloudFlare’s partnership with Baidu, published 21 September 2015.
• Mr. Bejtlich was cited in the South China Morning Post story Companies must be willing to go to war against hackers to protect sensitive data, or stop collecting it: experts, published 17 Seotember 2015.
• Mr. Bejtlich was cited in the TechRepublic story The new art of war: How trolls, hackers and spies are rewriting the rules of conflict, published 14 September 2015.
• Mr. Bejtlich was cited in the GBTimes story Cyber security: A thorn in US-China relations, published 4 September 2015.
• Mr. Bejtlich was cited in the CNBC story http://www.cnbc.com/2015/09/02/the-new-global-cyberwar-without-boundaries-or-winners.html, published 2 September 2015.
• Mr. Bejtlich was cited in the South China Morning Post story The US may have to go after the 'Great Firewall' to stop China's cyber-attacks, published 30 August 2015.
• Mr. Bejtlich was interviewed for the Dark Reading broadcast Richard Bejtlich Talks Business Security Strategy, US Security Policy, published 26 August 2015.
• Mr. Bejtlich was cited in the CBS News story Does Ashley Madison represent a new era in hacking?, published 19 August 2015.
• Mr. Bejtlich was cited in the New Economy story Firms’ lack of knowledge puts them dangerously at risk of cyber attacks, published 17 August 2015.
• Mr. Bejtlich was cited in the Washington Post story Just how secure are private e-mail servers? Hint: not very, published 13 August 2015.
• Mr. Bejtlich was cited in the USNI story Sen. Gardner: Administration Unwilling to ‘Name Names’ in Cyber Security Breaches, published 23 July 2015.
• Mr. Bejtlich was cited in the NextGov story OPM Chief’s New Cyber Defense Operation Has Potential, Private Investigators Say, published 28 June 2015.
• Mr. Bejtlich was cited in the DefenseNews story OPM Attack Raises Delicate Political Questions, published 27 June 2015.
• Mr. Bejtlich was interviewed on CNBC Asia (video), aired live 25 June 2015.
• Mr. Bejtlich was interviewed for the Risky Business podcast, aired 25 June 2015.
• Mr. Bejtlich was cited in the Federal Times story OPM breach a failure on encryption, detection, published 22 June 2015.
• Mr. Bejtlich was cited in the Dark Reading story OPM Breach Exposes Agency's Systemic Security Woes, published 10 June 2015.
• Mr. Bejtlich was interviewed on the Kojo Nnamdi Show segment The Implications of a New Federal Government Data Breach, aired live 8 June 2015.
• Mr. Bejtlich was cited in the Washington Post story Is e-mail the safest way to notify federal workers their data may have been hacked?, published 8 June 2015.
• Mr. Bejtlich appeared on a panel on the TV program Defense News, in two segments, aired 7 June 2015.
• Mr. Bejtlich was cited in the Washington Post story Why OPM should have seen the latest cyberattack coming, published 5 June 2015.
• Mr. Bejtlich was cited in the Daily Beast story New Snowden Docs Show How the NSA and FBI Became BFFs, published 4 June 2015.
• Mr. Bejtlich was cited in the Newsweek story Vladimir Putin’s Budding Bromance With China’s Xi Jinping, published 16 May 2015.
• Mr. Bejtlich was cited in the Dark Reading story What Does China-Russia 'No Hack' Pact Mean For US?, published 11 May 2015.
• Mr. Bejtlich was cited in the Tech Republic story Latest President Obama-requested cyberthreat intelligence agency may be overkill, published 1 May 2015.
• Mr. Bejtlich was cited in the Financial Times story Pentagon makes pitch to young tech-savvy individuals, published 23 April 2015.
• Mr. Bejtlich was cited in the Wall Street Journal story Five Simple Steps to Protect Corporate Data, published 19 April 2015.
• Mr. Bejtlich was cited in the China Digital Times story http://chinadigitaltimes.net/2015/04/chinese-great-cannon-identified-behind-greatfire-attacks/, published 10 April 2015.
• Mr. Bejtlich was cited in the Military Times story Does cyber corps merit its own service branch?, published 9 April 2015.
• Mr. Bejtlich was cited in the Fortune story Gasp! China admits to having cyber warriors, published 26 March 2015.
• Mr. Bejtlich was cited in The Hill story House Intel panel closing in on cyber bill, published 19 March 2015.
• Mr. Bejtlich was cited in The Hill story DOJ: 'We have no interest in prosecuting' cyber researchers, published 19 March 2015.
• Mr. Bejtlich was cited in the Washington Post story Federal government struggles to manage communication devices, published 17 March 2015.
• Mr. Bejtlich was cited in the Baltimore Sun story Defense secretary: We could create separate military force to fight cyber wars, published 13 March 2015.
• Mr. Bejtlich was cited in the Bloomberg story A BlackBerry Here, iPhone There: Clinton Reveals E-Mail Anarchy, published 12 March 2015.
• Mr. Bejtlich was cited in the Bloomberg story Most Big Firms Have Had Some Hacking: Business of Law, published 11 March 2015.
• Mr. Bejtlich was cited in the Dark Reading story Efforts To Team Up And Fight Off Hackers Intensify, published 5 March 2015.
• Mr. Bejtlich's testimony to the House Energy and Commerce committee was covered in the FierceGovernmentIT story CISOs must first define the risk, cybersecurity analyst tells Congress, published 5 March 2015, the Hill story Expert: Healthcare lacks 'top-tier' cyber defenses, published 3 March 2015, and the Pittsburgh Tribune-Review story Cyber security expert to report to Congress, published 3 March 2015..
• Mr. Bejtlich's panel at the Washington Business Journal cyber security conference was covered in the stories Want to be acquired? Get your cybersecurity in order and Does your company need cyber insurance?, published on 27 February and 2 March 2015, respectively.
• Mr. Bejtlich was interviewed for the SiriusXM POTUS channel, discussing CTIIC (audio download), aired on 27 February 2015.
• Mr. Bejtlich's panel at the Wall Street Journal CIO conference was covered in the stories Sony Attack Took Company ‘Back to the ‘80s’, Data Breaches Spark Debates on CISO, CIO Dynamic, and How the Sony Breach Changes Cybersecurity, published in early February 2015.
• Mr. Bejtlich was mentioned in the Intercept article Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise, published 4 February 2015.
• Mr. Bejtlich's 28 January 2015 testimony to the Senate Homeland Security and Government Affairs Committee on Protecting America from Cyber Attacks: The Importance of Information Sharing was covered by USA Today, FierceGovernmentIT, The Daily Cardinal, SecurityWeek, and FedScoop.
• Mr. Bejtlich was interviewed for the Daily Beast story Was Sony Hit With a Second Hack?, published 8 January 2015.
• Mr. Bejtlich was cited in the Dark Reading story Using Free Tools To Detect Attacks On ICS/SCADA Networks, published 8 January 2015.
• Mr. Bejtlich was cited in the Wired story Critics Say New Evidence Linking North Korea to the Sony Hack Is Still Flimsy, published 8 January 2015.
• 2014
• Mr. Bejtlich was interviewed for the Dark Reading story Sony Hacked By N. Korea, Hacktivists, Ex-Employee, Or All Of The Above?, published 30 December 2014.
• Mr. Bejtlich was cited in the Huffington Post story As North Korea Loses Internet, Anonymous, Others Question Whether It Really Hacked Sony, published 22 December 2014.
• Mr. Bejtlich was interviewed for the CBS News story Hacking After Sony: What Companies Need to Know, published 13 December 2014.
• Mr. Bejtlich was interviewed for the SearchSecurity story Security Strategy with Richard Bejtlich, published 6 December 2014.
• Mr. Bejtlich was interviewed for the Fox Business segment US Businesses Behind on Cyber Security (video), aired 2 December 2014.
• Mr. Bejtlich was cited in the Dark Reading story FBI Warning Shows Targeted Attacks Don't Just Steal Anymore, published 2 December 2014.
• Mr. Bejtlich was cited in an excerpt from Shane Harris' book, @War, as Google’s secret NSA alliance, published 16 November 2014.
• Mr. Bejtlich was interviewed for the Fedscoop story What does the White House network breach mean for cybersecurity reform?, published 3 November 2014.
• Mr. Bejtlich was mentioned by FCW as one of 4 cybersecurity gurus to follow on Twitter, published 1 October 2014.
• Mr. Bejtlich was introduced by Sqrrl as a company advisor in Sqrrl Bolsters Cybersecurity Capabilities with New Advisors, published 22 September 2014.
• Mr. Bejtlich was interviewed for the McClatchy news bureau story Chinese hacking into critical Pentagon contractors, published 17 September 2014.
• Mr. Bejtlich was interviewed for the Ars Technica story In case of cyber attack: NATO members ready to pledge mutual defense, published 4 September 2014.
• Mr. Bejtlich was interviewed for the CSO story The hacker 'skills gap' may be more of a strategy gap, published 3 September 2014.
• Mr. Bejtlich was interviewed for the ZDNet story Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem, published 26 August 2014.
• Mr. Bejtlich was cited in the NextGov story Exclusive: Nuke Regulator Hacked by Suspected Foreign Powers, published 18 August 2014.
• Mr. Bejtlich was interviewed for the Washington Post story Chinese cyberspies have hacked Middle East experts at major U.S. think tanks, published 7 July 2014.
• Mr. Bejtlich was cited in the Foreign Policy story Supreme Court Shields Cell Phone Data, published 25 June 2014.
• Mr. Bejtlich was interviewed for the Voice of America story US Cyberfirm: China Military Continues Hacking After US Indictment, published 10 June 2014.
• Mr. Bejtlich was interviewed for the CSO story Needed: Breach Detection, published 27 May 2014.
• Mr. Bejtlich was interviewed for the ABC This Week story Cyber Spying Alert, aired 25 May 2014.
• Mr. Bejtlich was interviewed for the Dark Reading story State-Owned Chinese Firms Hired Military Hackers for IT Services, published 21 May 2014.
• Mr. Bejtlich was interviewed for the Washington Business Journal story Will China retaliate over cyber-espionage charges?, published 21 May 2014.
• Mr. Bejtlich was interviewed for the NPR story Charges Of Chinese Cybercrimes To Play Out In American Courts, aired 19 May 2014.
• Mr. Bejtlich was interviewed for the Recode story What to Expect From Charges Against Chinese Hackers: Nothing, published 19 May 2014.
• Mr. Bejtlich was interviewed for the USA Today story China's theft of business secrets is beyond espionage, published 19 May 2014.
• Mr. Bejtlich was cited in the AP story US charges Chinese officials in cyberspying case, published 19 May 2014.
• Mr. Bejtlich was interviewed for the Dark Reading story The New Normal: US Charges Chinese Military Officers With Cyber Espionage, published 19 May 2014.
• Mr. Bejtlich was interviewed for the Christian Science Monitor story US indicts five in China's secret 'Unit 61398' for cyber-spying on US firms, published 19 May 2014.
• Mr. Bejtlich was interviewed for the Hill story Holder hits China on cyber spying, published 19 May 2014.
• Mr. Bejtlich was interviewed on the Kojo Nnamdi Show segment The U.S. Criminal Hacking Case Against China, aired live 19 May 2014.
• Mr. Bejtlich was interviewed for the Daily Beast story #ShotsFired in U.S.-China Cyberwar, published 19 May 2014.
• Mr. Bejtlich was interviewed for the PCWorld story Chinese state-owned enterprises 'hired' military hacking unit, published 19 May 2014.
• Mr. Bejtlich was interviewed for the Foreign Policy story Caught Red-Handed, published 19 May 2014.
• Mr. Bejtlich was cited in the Register story Call of Duty 'fragged using OpenSSL's Heartbleed exploit', published 10 April 2014.
• Mr. Bejtlich was interviewed in the NPR story For China And U.S., An Attempt To Clarify Rules Of Cyberwarfare, aired 7 April 2014.
• Mr. Bejtlich was cited in the PBS story Opening Doors to Iran, U.S. Allows Academic Exchanges, aired 7 April 2014.
• Mr. Bejtlich was cited in the Bloomberg story SEC Probes Threat From Cyber Attacks Against Wall Street, published 25 March 2014.
• Mr. Bejtlich was cited in the Wall Street Journal story Cyberdefense Costs Mount, published 26 February 2014.
• Mr. Bejtlich was cited in the Christian Science Monitor story New US cybersecurity standards: Will they do enough? published 12 February 2014.
• Mr. Bejtlich was interviewed for the WGBH story Security Experts: Colleges Targeted For Future Cyber Attacks, published 12 February 2014.
• Mr. Bejtlich was cited in the Politico story Cybersecurity in slow lane one year after Obama order, published 9 February 2014.
• Mr. Bejtlich was interviewed for the NPR story A Possible Explanation For How U.S. Diplomat's Call Was Tapped, published 8 February 2014.
• Mr. Bejtlich was cited in the Verge story LinkedIn kills its Intro email service after less than four months, published 7 February 2014.
• Mr. Bejtlich was cited in the Fast Company story We Will Create a Stronger Internet, published 14 January 2014.
• Mr. Bejtlich was mentioned in the Quartz story Will the NSA spying revelations hurt America’s nascent cyberforensics industry abroad?, published 3 January 2014.
• Mr. Bejtlich was mentioned in the Wall Street Journal story Mandiant Purchase Proves Worth of Cybersleuthing, published 2 January 2014.
• 2013
• Mr. Bejtlich was interviewed for the NextGov story The Ten Worst Hacks of 2013, published 30 December 2013.
• Mr. Bejtlich was cited in the Newsweek story How Edward Snowden Escalated Cyber War with China, published 1 November 2013.
• Mr. Bejtlich was cited in the TechTarget story Eliminating Black Hat Bargains, published 1 November 2013.
• Mr. Bejtlich was cited in the New York Times story LinkedIn’s New Mobile App Called ‘a Dream for Attackers', published 24 October 2013.
• Mr. Bejtlich was cited in the Mother Jones story CISPA Zombie Bill Is Back, With Fewer Privacy Concerns…Maybe?, published 21 October 2013.
• Mr. Bejtlich was cited in the National Defense Magazine story Shutdown, Policy Gridlock Deal Major Blows to Cybersecurity Efforts, published 9 October 2013.
• Mr. Bejtlich was cited in the Mother Jones story John McAfee Claims He Can Protect You From the NSA for $100, published 1 October 2013.
• Mr. Bejtlich was cited in the Washington Post story After Snowden revelations, China worries about cyberdefense, hackers, published 4 September 2013.
• Mr. Bejtlich was cited in the Dark Reading story Stuxnet Expert Proposes New Framework For ICS/SCADA Security, published 4 September 2013.
• Mr. Bejtlich was cited in the Foreign Affairs story DOD's Huge Plan to Stop the Next Snowden Is Going to Take A While, published 19 August 2013.
• Mr. Bejtlich was cited in the Mother Jones story Bad News: Hackers Are Coming for Your Tap Water , published 7 August 2013.
• Mr. Bejtlich was interviewed for the CBS News story How Chinese hackers steal U.S. secrets, published 7 August 2013.
• Mr. Bejtlich was interviewed by Secure Ninja TV, aired 3 August 2013.
• Mr. Bejtlich won the Economist debate on cyber war which concluded 2 August 2013.
• Mr. Bejtlich was interviewed by Bloomberg West, aired 12 July 2013.
• Mr. Bejtlich was cited in the SC Magazine story Chalk IT up: Boardroom communication, published 03 July 2013.
• Mr. Bejtlich was cited in the Washington Post story Robert J. Samuelson commentary: Internet could be more trouble than it's worth, published 01 July 2013.
• Mr. Bejtlich was cited in the Wall Street Journal story Current Account: Cyberattacks Are Banks Latest Existential Risk, published 24 June 2013.
• Mr. Bejtlich was interviewed at the Wall Street Journal's CFO Network annual conference, recorded by C-SPAN (video), on 18 June 2013.
• Mr. Bejtlich was cited in the Wall Street Journal story China's Cyber Stonewall, published 10 June 2013.
• Mr. Bejtlich was interviewed for the NPR story Cyberspying Expected To Be Discussed At U.S.-China Summit, aired 7 June 2013.
• Mr. Bejtlich was interviewed for the Washington Post story Chinese Hackers Stealing Almost Everything, aired 7 June 2013.
• Mr. Bejtlich was interviewed for the Bloomberg West story U.S., China Prepare to Discuss Cybersecurity, aired 6 June 2013.
• Mr. Bejtlich was interviewed for the To the Point story China, Cyber Espionage and Controlling the Internet, aired 4 June 2013.
• Mr. Bejtlich was interviewed for the Politico story President Obama likely to talk softly with China on cyber-snooping, published 2 June 2013.
• Mr. Bejtlich was interviewed for the Mother Jones story Why Iran's Hackers Might Be Scarier Than China's, published 30 May 2013.
• Mr. Bejtlich was cited in the CBS News story How Chinese hackers steal U.S. secrets, published 29 May 2013.
• Mr. Bejtlich was cited in the Daily Beast story Hackers Are Spying on You, published 29 May 2013.
• Mr. Bejtlich was interviewed for the Four Corners story Hacked, aired 27 May 2013.
• Mr. Bejtlich was cited in the Voice of America story China Resumes Cyber Attacks on US, Firm Says, published 20 May 2013.
• Mr. Bejtlich was interviewed for the Federal News Radio story Cybersecurity and Crowdfunding, aired 16 May 2013.
• Mr. Bejtlich was cited in the Bloomberg story Apple, Samsung Devices Seen Raising Pentagon’s Cyber Risk, published 15 May 2013.
• Mr. Bejtlich was cited in the NextGov story A Week After it was Mysteriously Disabled, U.S. Forces-Korea Website Returns, published 8 April 2013.
• Mr. Bejtlich was cited in the Forbes story A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them, published 5 April 2013.
• Mr. Bejtlich was cited in the USA Today story Pentagon seeking 'rules of engagement' for cyber-war, published 4 April 2013.
• Mr. Bejtlich was cited in the Fast Company story Hacked? Mandiant's Cyberattack Detectives Want To Know All About It, published 3 April 2013.
• Mr. Bejtlich was cited in the Bloomberg story Security Fears Give Way to Economics as Cloud Computing Grows, published 27 March 2013.
• Mr. Bejtlich was cited in the Washington Examinber story NASA chief failed to tell Congress of 118 Chinese nationals working in IT, published 25 March 2013.
• Mr. Bejtlich was cited in the PCWorld story Security experts warn about Iran and North Korea hackers, published 24 March 2013.
• Mr. Bejtlich was cited in the ThreatPost story Experts Tell Congress Serious Deterrence Needed to Impede Foreign Cyber Attacks, published 21 March 2013.
• Mr. Bejtlich was cited in the Economic Times story China spends massively on cyber spying, US Congress told, published 20 March 2013.
• Mr. Bejtlich was interviewed for the CNBC story Cybersecurity Firm Says It Is Under Attack, published 20 March 2013.
• Mr. Bejtlich was cited in the Economist story Can You Keep a Secret?, published 16 March 2013.
• Mr. Bejtlich was cited in the Dark Reading story Medical Industry Under Attack By Chinese Hackers, published 14 March 2013.
• Mr. Bejtlich was cited in the LA Times story China hacker's angst opens a window onto cyber-espionage, published 12 March 2013.
• Mr. Bejtlich was cited in the CNN story Watch where you click: International cyber attacks on the rise, published 12 March 2013.
• Mr. Bejtlich was interviewed by Soledad O'Brien for CNN, with video, aired 11 March 2013.
• Mr. Bejtlich was cited in the Nation story , published 4 March 2013.
• Mr. Bejtlich was interviewed for the Computerworld story Mandiant's Richard Bejtlich on China, IP and the new cyber war, published 27 February 2013.
• Mr. Bejtlich was cited in the SC Magazine story RSA 2013: Hackers will get in, so spend the money on pushing them out, published 27 February 2013.
• Mr. Bejtlich was interviewed on the Kojo Nnamdi show for the segment titled Tracking Chinese Hackers, aired 26 February 2013.
• Mr. Bejtlich was interviewed for the IT Web story Formulating an attack-focused security plan, published 26 February 2013.
• Mr. Bejtlich was cited in the Asian Correspondent story Analysis: Detailed China hacking report leaves little room for doubt, published 25 February 2013.
• Mr. Bejtlich was cited in the Economist story Cybercrime: Smoking Gun, published 23 February 2013.
• Mr. Bejtlich was cited in the Reuters story Mandiant goes viral after China hacking report, published 23 February 2013.
• Mr. Bejtlich was interviewed for the Forbes article The Shanghai Army Unit That Hacked 115 U.S. Targets Likely Wasn't Even China's 'A-Team', published 21 February 2013.
• Mr. Bejtlich was interviewed for the Nightly Business Report TV show, with transcript and video, aired 21 February 2013.
• Mr. Bejtlich was cited in the China Daily story US hacking into China a common problem, published 21 February 2013.
• Mr. Bejtlich was cited in the China Daily story 'Cyberattacks using US IPs' target military, published 21 February 2013.
• Mr. Bejtlich was interviewed for the Mother Jones story Chinese Cyberwarfare, Explained, published 21 February 2013.
• Mr. Bejtlich was cited in the CSO Online story Mandiant Gaines Instant Fame After Chinese Hack Report, published 21 February 2013.
• Mr. Bejtlich was cited in the Dark Reading story Attribution Delivers Questionable Security Value, published 20 February 2013.
• Mr. Bejtlich was cited in the Scotsman story Chinese military unit .behind hacking attacks, published 20 February 2013.
• Mr. Bejtlich was interviewed for the NPR story How Could The U.S. Respond To Chinese Hacking?, published 20 February 2013.
• Mr. Bejtlich was interviewed for the Digital Trends story China is waging an undeclared cyberwar on the US . but now what?, published 20 February 2013.
• Mr. Bejtlich was cited in the Voice of America story Chinese Army Rejects US Report on Cyber Hacking, published 20 February 2013.
• Mr. Bejtlich was cited in the Washington Post story Report ties cyberattacks on U.S. computers to Chinese military, published 19 February 2013.
• Mr. Bejtlich was interviewed for the Voice of America video story US Firm Links Chinese Army to Cyber Attacks, aired 19 February 2013.
• Mr. Bejtlich was interviewed on the PBS Newshour TV show, with video and transcript, aired 19 February 2013.
• Mr. Bejtlich was cited in the Associated Press story US ready to strike back against China cyberattacks, published 19 February 2013.
• Mr. Bejtlich was cited in the eWeek story Chinese Military Group Identified in Attacks on U.S. Networks: Mandiant, published 19 February 2013.
• Mr. Bejtlich was cited in the Dark Reading story Chinese Military Tied To Major Cyberespionage Operation, published 19 February 2013.
• Mr. Bejtlich was interviewed for the print and TV Sky News HD story Chinese Military's 'Global Hacking HQ Found', published and aired 19 February 2013.
• Mr. Bejtlich was cited in the American Banker story Banks Eyeing China Vulnerable to Army Cyberattack: Report, published 19 February 2013.
• Mr. Bejtlich was cited in the LA Times story Computer security firm blames cyber spying on Chinese military, published 19 February 2013.
• Mr. Bejtlich was interviewed for the Fiscal Times story Chinese Attacks Reveal an Undeclared Global Cyber War, published 19 February 2013.
• Mr. Bejtlich was cited in the Fiscal Times story Pentagon Readies a Cyber Arsenal to Fight Attackers, published 18 February 2013.
• Mr. Bejtlich was cited in the IT Pro Portal story Defence industry looks to cash in on soaring cyber-spend, published 18 February 2013.
• Mr. Bejtlich was cited in the NPR story Victims Of Cyberattacks Get Proactive Against Intruders, published 13 February 2013.
• Mr. Bejtlich was cited in the NPR story In Cyberwar, Software Flaws Are A Hot Commodity, published 12 February 2013.
• Mr. Bejtlich was a guest on the Diane Rehm Show on 12 February 2013.
• Mr. Bejtlich was cited in the Foreign Policy story What cyber security execs want to see from the government, published 11 February 2013.
• Mr. Bejtlich was citied in the Entrepreneur Magazine story Is Your Business Ready for Cyber War?, published 11 February 2013.
• Mr. Bejtlich was cited in the Washington Post story Secret Service investigating hack of Bush family e-mails, published 8 February 2013.
• Mr. Bejtlich was cited in the Bloomberg story Mandiant, the Go-To Security Firm for Cyber-Espionage Attacks, published 7 February 2013.
• Mr. Bejtlich was cited in the Defense News story DoD Faces Cyber Expert Talent Shortage, published 6 February 2013.
• Mr. Bejtlich was cited in the FCW story DOE data breach came after warnings, published 5 February 2013.
• Mr. Bejtlich was cited in the Economist story War on terabytes, published 2 February 2013.
• Mr. Bejtlich was interviewed by Australia's ABC PM radio program for their story China-based hackers attack NYT computer system, aired 1 February 2013. Audio available (.mp3)
• Mr. Bejtlich was cited in the AP story US weighs tougher action over China cyberattacks, published 1 February 2013.
• Mr. Bejtlich was cited in the Daily Beast story Is New York Times Hacking Just the Beginning?, published 1 February 2013.
• Mr. Bejtlich was cited in the CRN story Forensic Investigators Track Times Attack Step By Step, published 1 February 2013.
• Mr. Bejtlich was cited in the Krebs on Security story Source: Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012, published 1 February 2013.
• Mr. Bejtlich was cited in the Wall Street Journal story Chinese Hackers Hit U.S. Media, published 31 january 2013.
• Mr. Bejtlich was interviewed for the NPR story 'New York Times' The Target Of Chinese Cyber Attack, published and aired 31 January 2013. Audio available (.mp3)
• Mr. Bejtlich was cited in the New York Times story Hackers in China Attacked The Times for Last 4 Months, published 30 January 2013.
• Mr. Bejtlich was cited in the FCW story Cybersecurity: Rejoining the battle on Capitol Hill, published 17 January 2013.
• Mr. Bejtlich was cited in the Bloomberg story A National Digital ID, Courtesy of the U.S. Postal Service?, published 11 January 2013.
• Mr. Bejtlich was cited in the Dark Reading story You Keep Using That Word, published 4 January 2013.
• Mr. Bejtlich was cited in the World Affairs article First Strike: US Cyber Warriors Seize the Offensive, published 4 January 2013.

• 2012
• Mr. Bejtlich was cited in the Register story US: We'll drag cyber-spies into COURT from their hideouts, published 20 December 2012.
• Mr. Bejtlich was cited in the Mother Jones story Defense Contractors Don't Want to Say When They've Been Hacked, published 13 December 2012.
• Mr. Bejtlich was cited in the SearchSecurity story Many in industry at odds over pending cybersecurity executive order, published 3 December 2012.
• Mr. Bejtlich was cited in The Week story Obama's war on hackers: 5 things you need to know, published 27 November 2012.
• Mr. Bejtlich was cited in the Global Security Newswire story DOE Facilities Still Have Cyber Weak Spots: IG, published 19 November 2012.
• Mr. Bejtlich was cited in the Foreign Policy story Dozens of cyber vulnerabilities found at Department of Energy facilities, published 16 November 2012.
• Mr. Bejtlich was cited in the Mother Jones story Is Obama About to Take Over the Internet?, published 16 November 2012.
• Mr. Bejtlich was cited in the Defense News story New Cyber Group Aims To Spread Basic Security, published 14 November 2012.
• Mr. Bejtlich was cited in the ComputerWorld story On the Internet, no one knows you're an authoritarian government, published 8 November 2012.
• Mr. Bejtlich was cited in the Foreign Policy story The new cyber vulnerability: Your law firm, published 7 November 2012.
• Mr. Bejtlich was cited in the Foreign Policy story Cyber Threat of the Week, published 6 November 2012.
• Mr. Bejtlich was cited in the SC story Monster Breach Hits SC Taxpayers, published 26 October 2012.
• Mr. Bejtlich was cited in the Slate story Republicans Warn Obama: Cybersecurity Executive Order Will Practically Destroy the Internet, published 15 October 2012.
• Mr. Bejtlich was cited in the Navy Times story Panetta outlines new cyber doctrine for DoD, published 13 October 2012.
• Mr. Bejtlich was cited in the Slashdot story U.S. Defense Secretary Warns of a Possible 'Cyber-Pearl Harbor', published 13 October 2012.
• Mr. Bejtlich was cited in the AP story US warning reflects fears of Iranian cyberattack, published 12 October 2012.
• Mr. Bejtlich was cited in the PC Advisory story Huawei: Separating Fact from Fiction, published 10 October 2012.
• Mr. Bejtlich was cited in the Dark Reading story Congressional Intelligence Committee Warns Against Doing Business With Chinese Telecom Firms, published 8 October 2012.
• Mr. Bejtlich was cited in the Info Security story http://www.infosecurity-magazine.com/view/28481/the-ten-security-issues-guaranteed-to-cause-a-flamewar, published 27 September 2012.
• Mr. Bejtlich was cited in the CRN story The Paradox Of Apple Security: Does Secrecy Make You Safer?, published 21 September 2012.
• Mr. Bejtlich was cited in the Associated Press story Panetta talks computer hacking issues with Chinese, published 20 September 2012.
• Mr. Bejtlich was cited in the Dark Reading story The Data Annihilation Attack Is Back, published 12 September 2012.
• Mr. Bejtlich was cited in the Federal Computer Week story Federal data breaches: How long is too long to inform victims?, published 10 September 2012.
• Mr. Bejtlich was cited in the New York Review of Books story Are Hackers Heroes?, published 7 September 2012.
• Mr. Bejtlich was interviewed for the TV program This Week in Defense News with Vago Muradian, broadcast 1 September 2012.
• Mr. Bejtlich was cited in the Federal Computer Week story Is the government dropping the ball on cybersecurity?, published 23 August 2012.
• Mr. Bejtlich was interviewed in the HP story Transform Your Puny Weakling Tech Muscles into InfoSec BRAWN!, published 8 August 2012.
• Mr. Bejtlich was cited in the Defense News story Experts: Cloud Brings Vulnerabilities, published 30 July 2012.
• Mr. Bejtlich was cited in the SearchSecurity story Network threat detection moves beyond signatures, published 3 July 2012.
• Mr. Bejtlich was cited in the Dark Reading story The Enterprise Strikes Back, published 25 June 2012.
• Mr. Bejtlich was cited in the Dark Reading story The Intersection Between Cyberespionage And Cybercrime, published 21 June 2012.
• Mr. Bejtlich was cited in the Newsweek story The Stuxnet Leak Was a Valuable Warning Shot, published 18 June 2012.
• Mr. Bejtlich was cited in the DefenseNews story Building Better Red Teams, published 14 June 2012.
• Mr. Bejtlich was cited in the CRN story Apple To Make First Official Appearance At Black Hat Next Month, published 11 June 2012.
• Mr. Bejtlich was cited in the Dark Reading story Companies See Business In 'Doxing' The Adversary, published 31 May 2012.
• Mr. Bejtlich was cited in the Associated Press story Iran, other Mideast states hit by computer virus, published 29 May 2012.
• Mr. Bejtlich was cited in the Dark Reading story Selling a Secure Internet Domain, published May 17 2012.
• Mr. Bejtlich was interviewed for the NPR story Cybersecurity Firms Ditch Defense, Learn To 'Hunt', aired May 10 2012.
• Mr. Bejtlich was interviewed for the NPR story Cyber Briefings 'Scare The Bejeezus' Out Of CEOs, aired May 9 2012.
• Mr. Bejtlich was cited in the New York Times story Nissan Is Latest Company to Get Hacked, published 24 Apr 2012.
• Mr. Bejtlich was cited in the ThreatPost story E-Mail, Source Code From VMWare Bubbles Up From Compromised Chinese Firm, published 24 Apr 2012.
• Mr. Bejtlich was interviewed by BBC Radio 5 Live, aired 7 Apr 2012.
• Mr. Bejtlich was cited in the Government Computer News story Best defense? Start by admitting hackers will get in anyway, published 5 Apr 2012.
• Mr. Bejtlich was cited in the Dark Reading story Damage Mitigation As The New Defense, published 5 Apr 2012.
• Mr. Bejtlich was interviewed for the NPR story 'Anonymous' Hacking Group Threatens The Internet, aired 30 Mar 2012.
• Mr. Bejtlich was cited in the Wall Street Journal story US Outgunned in Hacker War, updated 28 Mar 2012.
• Mr. Bejtlich was cited in the Dark Reading story 'Anonymous' Legacy: Hacktivists Stole More Data Than Organized Crime In 2011 Breaches Worldwide. published 22 Mar 2012.
• Mr. Bejtlich was cited in the Wall Street Journal story Alert on Hacker Power Play, published 21 February 2012, and repeated within NSA chief fears Anonymous could hit power grid: report.
• Mr. Bejtlich was interviewed for the NPR story U.S. Not Afraid To Say It: China's The Cyber Bad Guy, aired 18 Feb 2012.
• Mr. Bejtlich was cited in the ThreatPost story Did A Decade-Long Hack Trigger Nortel's Demise?, published 15 Feb 2012.
• Mr. Bejtlich was cited in the Globe and Mail story Reported hacking of Nortel fuels concerns, skepticism, published 14 Feb 2012.
• Mr. Bejtlich was cited in the Dark Reading story Six-Year-Old Breach Comes Back To Haunt Symantec, published 26 Jan 2012.
• Mr. Bejtlich was cited in the Bloomberg story DuPont, Makhteshim, Kodak, News Corp: Intellectual Property published 11 Jan 2012.
• Mr. Bejtlich was cited in the Bloomberg story SEC Push May Yield New Disclosures of Company Cyber Attacks published 10 Jan 2012.
• Mr. Bejtlich was cited in the Popular Mechanics story Digital Spies: The Secret War, appearing in the Jan 2012 issue.

• 2011
• Mr. Bejtlich was cited in the Dark Reading Story Dastardly Dozen: A Few APT Groups Carry Out Most Attacks published 19 Dec 2011.
• Mr. Bejtlich was cited in the Bloomberg story China-Based Hacking of 760 Companies Shows Cyber Cold War published 14 Dec 2011.
• Mr. Bejtlich was cited in the Dark Reading story APT Or Not APT? Discovering Who Is Attacking The Network published 21 Nov 2011.
• Mr. Bejtlich was cited in the CSO Online story Experts advise caution, information sharing in wake of alleged utility attacks published 21 Nov 2011.
• Mr. Bejtlich was cited in the SearchSecurity story Confusion over APT attacks leads to misguided security effort published 15 Nov 2011.
• Mr. Bejtlich was interviewed for the SearchSecurity story Marcus Ranum chat: Information security monitoring published 1 Nov 2011.
• Mr. Bejtlich was cited in the ComputerWorld story Hard to fully assess Duqu threat yet, researchers say published 21 Oct 2011.
• Mr. Bejtlich was cited in the Canadian Business story Spies Like Them published 20 Oct 2011.
• Mr. Bejtlich was interviewed for the Financial Times video report The expanding cyber industrial complex published 11 Oct 2011.
• Mr. Bejtlich was cited in the DefenseNews story Ex-CIA Chief Calls for Less Cyber Secrecy published 6 Oct 2011.
• Mr. Bejtlich was cited in the Dark Reading story A Call To Disarm Black Hat Hackers In China published 21 Sep 2011.
• Mr. Bejtlich was cited in the Dark Reading story APT Attackers Hit Japan's Biggest Defense Contractor published 19 Sep 2011.
• Mr. Bejtlich was cited in the New York Times story Hacker Rattles Security Circles published 11 Sep 2011.
• Mr. Bejtlich was cited in the Network World story Peeling the Security Onion, published 10 September 2011.
• Mr. Bejtlich was cited in the Dark Reading story To Catch an APT published 8 Sep 2011.
• Mr. Bejtlich was cited in the SC Magazine story Advanced persistent threats call for a reality check published 7 Sep 2011.
• Mr. Bejtlich was cited in the SC Magazine story Breaking the next case published 1 Sep 2011.
• Mr. Bejtlich was interviewed in the Dark Reading video MANDIANT CSO Talks Threats To His Company and His Clients, published 10 Aug 2011.
• Mr. Bejtlich was cited in the Dark Reading story APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks, published 3 Aug 2011.
• Mr. Bejtlich was cited in the Dark Reading story High-Profile Hacks Prompt High-Powered Hires, published 23 Jun 2011.
• Mr. Bejtlich was cited in the Dark Reading story Richard Bejtlich To Join MANDIANT As Chief Security Officer, Security Services Architect, published 17 Mar 2011.
• 2010
• Mr. Bejtlich was cited in the Reuters story Special report: The Pentagon's new cyber warriors, published 5 Oct 2010.
• Mr. Bejtlich was interviewed by Gary McGraw for the Silver Bullet Podcast, published 23 Aug 2010.
• Mr. Bejtlich was cited in the Wired magazine article Security Watch: Beware the NSA’s Geek-Spy Complex, published in Mar 2010.
• Mr. Bejtlich was interviewed for the PaulDotCom Podcast on 18 Mar 2010.
• 2009
• Mr. Bejtlich was interviewed for the Security Justice Podcast on 7 Nov 2009.
• Mr. Bejtlich interviewed colleague Ken Bradley for SANS on 2 Nov 2009.
• Mr. Bejtlich was cited in the Wired article Air Force Establishes ‘Reduced’ Cyber-War Command by David Axe on 18 Aug 2009.
• 2008
• Mr. Bejtlich was cited in the Economist article Marching Off to Cyberwar in the 4 Dec 2008 issue.
• Mr. Bejtlich was cited in the Wired article Estonia, Google Help 'Cyberlocked' Georgia by Noah Schachtman on 11 Aug 2008.
• Mr. Bejtlich was cited in the CSO article Cost-Cutting Through Green IT Security: Real or Myth? by Bill Brenner on 25 Jun 2008.
• Mr. Bejtlich featured as the cover story of the May 2008 issue of CSO Magazine with an article titled Incident Detection, Response, and Forensics.
• 2007
• Bill Brenner commented on Mr. Bejtlich's decision to become Director of Incident Response for General Electric in the article Richard Bejtlich: I'm Not Dead.
• Mr. Bejtlich was interviewed for the Sites Collide podcast.
• 2006
• Mr. Bejtlich was cited in the story Sourcefire IPO Could Fuel Snort, Users Say.
• Mr. Bejtlich was interviewed for the CyberSpeak Podcast.
• Mr. Bejtlich was interviewed for the Network Security Podcast.
• Mr. Bejtlich was interviewed for the Threat Chaos Podcast.
• Mr. Bejtlich was interviewed for the Run Your Own Server Podcast.
• The July 2006 issue of Information Security magazine features Mr. Bejtlich's first book, The Tao of Network Security Monitoring, as one of their Top Ten Books.
• Mr. Bejtlich was cited in the June 2006 issue of Information Security magazine, in the article Today's Attackers Can Find the Needle.
• Mr. Bejtlich was interviewed for the BSDTalk Podcast.
• Mr. Bejtlich was quoted by Processor.com.
• 2000-2005
• Mr. Bejtlich's comments on Renesys were reported in the Manchester Union Leader.
• Bookpool published Mr. Bejtlich's favorite 10 computer books of the past 10 years.
• Reuters reporter Andy Sullivan asked Mr. Bejtlich to comment for his 22 February 2005 story Paris Hilton Exposed on Web After Phone Hacked.
• Mr. Bejtlich was quoted by Shawna McAlearney of SearchSecurity.com in her 16 December 2004 article Nessus No Longer Free.
• Net Optics published a press release describing their products in the context of Mr. Bejtlich's books.
• The new Syngress book Security Sage's Guide to Hardening the Network Infrastructure mentions Mr. Bejtlich and the TaoSecurity Blog in relation to Snort.
• Dru Lavigne mentioned the TaoSecurity Blog in her article Interesting New Ports at the O'Reilly BSD Devcenter.
• Anton Chuvakin wrote this blog entry profiling TaoSecurity Blog.
• Mr. Bejtlich reviewed a draft of the Honey Project's book, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. He is mentioned in the preface as a reviewer.
• Lance Spitzner was kind enough to mention Mr. Bejtlich in the preface to his latest book, Honeypots: Tracking Hackers.
• Stephen Northcutt and Judy Novak were kind enough to mention Mr. Bejtlich in the third edition of Network Intrusion Detection.
• Mr. Bejtlich reviewed two drafts of Hack I.T.: Security Through Penetration Testing, and he is mentioned in the acknowledgements.
• Two of Mr. Bejtlich's letters to the editor of Information Security magazine were published in the June 2002 issue. 'Name withheld upon request' is Mr. Bejtlich as well.
• Sandra Lowe-Sanchez interviewed Mr. Bejtlich and asked for his opinion of Turillion's web server protection product. Note his name is spelled "Bejtlick" in this 11 January 2002 article.
• Ed Tittel mentioned one of Mr. Bejtlich's Amazon.com reading lists in this article at TechTarget.com.
• Paul Innella wrote a history of intrusion detection systems that mentions the Automated Security Incident Measurement (ASIM) technology Mr. Bejtlich used in the Air Force.
• Deseret News, a Salt Lake City-based newspaper, interviewed Mr. Bejtlich on 24 August 2001 regarding security threats to Air Force networks. Incidentally, that day an Associated Press story reported a retired Air Force sergeant was accused of espionage after allegedly stealing classified data.
• NewsBytes, once a division of The Washington Post Company, interviewed Mr. Bejtlich after he posted a warning of the Code Red worm on 15 July 2001.
• A San Antonio Business Journal story from 29 June 2001 described Mr. Bejtlich's responsibilities at BATC, including network security monitoring and incident response.
• Congressman Lamar Smith visited BATC's network security operations center in June 2001. Mr. Bejtlich demonstrated how he might compromise his web server while coworker Bamm Visscher demonstrated how our network security monitoring service detects similar events. This story gives a few more details. Congressman Smith cited his visit to BATC while speaking on the House floor.
• The summer 2001 issue of 2600 magazine featured Mr. Bejtlich's photograph of a phone in Kusadasi, Turkey.
• On 29 May 2001 Mr. Bejtlich's work on interpreting network traffic was mentioned in an article by Duane Dunston at LinuxSecurity.com.
• On 30 September 2000 The Learning Channel aired a show called Best Kept Secrets of the US Military that featured the AFCERT (taped 19 May 2000). (.mpg, 49 MB)
• The inside cover of Network Intrusion Detection, 2nd Edition quotes Mr. Bejtlich regarding the usefulness of the book. This Amazon.com page features that quote, listed as "From the Inside Flap."

• Please visit Academia.edu for Mr. Bejtlich's most recent research.

• Seven Tips for Small Business Security, in the Huffington Post, 18 June 2014
• Strategy, Not Speed: What Today's Digital Defenders Must Learn From Cybersecurity's Early Thinkers, for the Brookings Institution, 7 May 2014
• What Federal Cyber Breach Notifications Really Mean for Business, for the Brookings Institution, 25 March 2014
• Don't Underestimate Cyber Spies: How Virtual Espionage Can Lead to Actual Destruction in Foreign Affairs, 2 May 2013
• Become a Hunter in the targeted-threat-centric Information Security Magzine, July-August 2011 (.pdf)
• Directions in Incident Detection and Response (.pdf) in the January/February 2011 issue of IEEE Security and Privacy magazine
• Understanding the Advanced Persistent Threat in Information Security Magazine, July 2010
• Traffic Talk issues 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
• Snort Report issues 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
• Keeping FreeBSD Applications Up-to-Date in BSD Magazine
• Keeping FreeBSD Up-To-Date: OS Essentials in BSD Magazine
• Computer Incident Detection, Response, and Forensics in CSO Online
• Tuning Snort, in the August 2006 Sys Admin magazine
• Network Security Monitoring: Beyond Intrusion Detection, in Volume 8, No. 4 of the IA Newsletter
• Keeping FreeBSD Up to Date, in the February 2006 Sys Admin magazine
• Engineering Disasters in the December 2005 issue of Information Security Magazine.
• Using Attack Responses to Improve Intrusion Detection
• Structured Traffic Analysis in the October 2005 (IN)SECURE magazine (.pdf)
• More Tools for Network Security Monitoring, in the February 2005 Sys Admin magazine
• Keeping FreeBSD Applications Up-To-Date, also published in the December 2004 and January 2005 issues of Daemon News.
• Keeping FreeBSD Up-To-Date, also published in the November 2004 issue of Daemon News.
• Sguil Installation Script
• Considering Convergence? .pdf, published as an Addison-Wesley-sponsored supplement to the November 2004 issue of Dr. Dobb's Journal
• Integrating the Network Security Model (.pdf, .ps), in the April 2004 Sys Admin magazine
• Simplicity and Awareness: Keys to Network Security for the World Markets Research Centre's Global InfoSecurity 2002 report. (The article is a bit formal, and features a small amount of creative editing by the WMRC staff. Mr. Bejtlich certainly didn't intend for "UNIX" to be defined as a "Uniplexed Information and Computer System!")
• Network Intrusion Detection of Third Party Effects, published 05 September 2000
• Interpreting Network Traffic: A Network Intrusion Detector's Look at Suspicious Events, originally published 28 October 1999

• 2017
• • Mr. Bejtlich led a podcast titled Threat Hunting: Past, Present, and Future, in early July 2017. He interviewed four of the original six GE-CIRT incident handlers. The audio is posted on YouTube. Thank you to Sqrrl for making the reunion possible.
  • Mr. Bejtlich's latest book was inducted into the Cybersecurity Canon.
  • Mr. Bejtlich is doing limited security consulting. See this blog post for details.
• 2016
• • Mr. Bejtlich organized and hosted the Management track (now "Executive track") at the 7th annual Mandiant MIRCon (now "FireEye Cyber Defense Summit") on 29-30 November 2016.
  • Mr. Bejtlich delivered the keynote to the 2016 Air Force Senior Leaders Orientation Conference at Joint Base Andrews on 29 July 2016.
  • Mr. Bejtlich delivered the keynote to the FireEye Cyber Defense Live Tokyo event in Tokyo on 12 July 2016.
  • Mr. Bejtlich delivered the keynote to the New Zealand Cyber Security Summit in Auckland on 6 May 2016.
  • Mr. Bejtlich delivered the keynote to the Lexpo Summit in Amsterdam on 21 April 2016. Video posted here.
  • Mr. Bejtlich discussed cyber security campaigns at the 2016 War Studies Cumberland Lodge Conference near London on 30 March 2016.
  • Mr. Bejtlich offered a guest lecture to the Wilson Center Congressional Cybersecurity Lab on 5 February 2016.
  • Mr. Bejtlich delivered the keynote to the SANS Cyber Threat Intelligence Summit on 4 February 2016. Slides and video available.
• 2015
• • Mr. Bejtlich spoke on a panel at the DefenseOne Summit on 2 November 2015.
  • Mr. Bejtlich spoke on a panel at the AEI Internet Strategy event on 27 October 2015.
  • Mr. Bejtlich organized and hosted the Management track at the 6th annual Mandiant MIRCon on 13-14 October 2015.
  • Mr. Bejtlich testified to the House Foreign Affairs Committee on 7 October 2015.
  • Mr. Bejtlich testified to the House Armed Services Committee on 30 September 2015.
  • Mr. Bejtlich delivered a keynote at the 2015 Army Cyber Institute Cyber Talks on 22 September 2015 in Washington, DC.
  • Mr. Bejtlich delivered a keynote at the 2015 Security Onion Conference on 11 September 2015 in Augusta, GA.
  • Mr. Bejtlich delivered a keynote at the 2015 World Services Group Conference on 10 September 2015 in New York, NY.
  • Mr. Bejtlich delivered a keynote at the CoBank 2015 Communications Industry Executive Forum on 19 August 2015 in Colorado Springs, CO.
  • Mr. Bejtlich delivered a keynote at the Black Hat USA 2015 CISO Summit on 4 August 2015 in Las Vegas, NV.
  • Mr. Bejtlich participated in an panel hosted by AEI on 22 July 2015, with video.
  • Mr. Bejtlich spoke on a panel at the Chatham House Cyber 2015 event, 2-3 July 2015 in London, UK.
  • Mr. Bejtlich participated in a panel hosted by the National Journal on 24 June 2015.
  • Mr. Bejtlich testified to the House Committee on Financial Services Subcommittee on Oversight and Investigations on 16 June 2015.
  • Mr. Bejtlich spoke on a panel at the Cyber Summit USA on 3 June 2015.
  • Mr. Bejtlich testified to the House Permanent Select Committee on Intelligence on 19 March 2015.
  • Mr. Bejtlich testified to the House Oversight and Government Reform Subcommittee on Information Technology on 18 March 2015.
  • Mr. Bejtlich testified to the House Energy and Commerce Committee on 3 March 2015.
  • Mr. Bejtlich spoke on a panel at the Washington Business Journal cyber conference on 26 February 2015.
  • Mr. Bejtlich spoke on a panel at the Wall Street Journal CIO Network conference on 3 February 2015.
  • Mr. Bejtlich testified to the Senate Committee on Homeland Security and Government Affairs on 28 January 2015.
• 2014
• • Mr. Bejtlich taught Network Security Monitoring 101 at Black hat Trainings 2014: 8-9 December 2014 / Potomac, MD.
  • Mr. Bejtlich organized and hosted the Management track at the 5th annual Mandiant MIRCon on 8-9 October 2014.
  • Mr. Bejtlich delivered the keynote address at the inaugural Security Onion conference on 12 September 2014 in Augusta, GA.
  • Mr. Bejtlich delivered the keynote address (video) at the inaugural ArchC0n conference on 6 September 2014 in St Louis, MO.
  • Mr. Bejtlich taught Network Security Monitoring 101 at Black Hat USA 2014: 4-5 August 2014 / Las Vegas, NV.
  • Mr. Bejtlich spoke at the US Cyber Crime Conference on 29 April 2014. Video online at Youtube.
  • Mr. Bejtlich recorded a Webcast titled Defining and Justifying an Advanced Security Program for FireEye on 17 March 2014.
  • Mr. Bejtlich participated in a podcast titled Ukraine Crisis, Target Breach, and Edward Snowden: What's Next for U.S. Cyber Policy? for the Brookings Institution on 13 March 2014.
  • Mr. Bejtlich participated on a panel hosted by the Center for National Policy on Building a cybersecurity roadmap: A Monitor, Center for National Policy seminar on 12 February 2014.
  • Mr. Bejtlich spoke about digital security at the Boston Infragard quarterly meeting on 11 February 2014.
  • Mr. Bejtlich delivered a lecture on digital security at West Point on 15 January 2014.
  • Mr. Bejtlich spoke about digital security at seminars supporting the DoD Minerva Initiative at MIT and Harvard Kennedy School on 7-8 January 2014.
• 2013
• • Mr. Bejtlich taught Network Security Monitoring 101 at Black Hat Seattle 2013: 9-10 December 2013 / Seattle, WA.
  • Mr. Bejtlich offered a guest lecture on digital security at George Washington University on 23 November 2013.
  • Mr. Bejtlich spoke about digital security at the Mid-Atlantic CIO Council on 21 November 2013.
  • Mr. Bejtlich was a panelist at the Brookings Institute on 19 November 2013.
  • Mr. Bejtlich offered several guest lectures on digital security at the Massachusetts Institute of Technology on 18 November 2013.
  • Mr. Bejtlich was a panelist at the Atlantic Council on 15 November 2013.
  • Mr. Bejtlich organized and hosted the Management track at the 4th annual Mandiant MIRCon on 5-6 November 2013.
  • Mr. Bejtlich was a panelist at the Free Thinking Film Festival on 2 November 2013.
  • Mr. Bejtlich offered the keynote at the Cyber Ark user conference on 30 October 2013.
  • Mr. Bejtlich was a panelist at the Indiana University Center for Applied Cybersecurity Research on 21 October 2013.
  • Mr. Bejtlich spoke at the national ISSA conference on 10 October 2013.
  • Mr. Bejtlich was a panelist at the Politico Cyber 7 event on 8 October 2013.
  • Mr. Bejtlich offered the keynote at the BSides August 2013 conference on 14 September 2013.
  • Mr. Bejtlich taught Network Security Monitoring 101 at Black Hat USA 2013: 27-28 and 29-30 July 2013 / Las Vegas, NV.
  • Mr. Bejtlich was a panelist at the Chatham House Cyber Security Conference in London, England on 10 June 2013.
  • Mr. Bejtlich appeared in the documentary Hacked, first available 7 June 2013.
  • Mr. Bejtlich was interviewed at the Center for National Policy, with video archived, on 15 May 2013.
  • Mr. Bejtlich delivered a keynote at the IT Web Security Summit in Johannesburg, South Africa on 8 May 2013.
  • Mr. Bejtlich was a panelist at The George Washington University and US News & World Report Cybersecurity Conference on 26 April 2013.
  • Mr. Bejtlich testified to the House Committee on Foreign Affairs on 21 March 2013.
  • Mr. Bejtlich testified to the House Committee on Homeland Security on 20 March 2013.
  • Mr. Bejtlich testified to the Senate Armed Services Committee on 19 March 2013.
  • Mr. Bejtlich shared his thoughts on the APT1 report with the Federalist Society on 12 March 2013. The conference call was recorded as Cybersecurity And the Chinese Hacker Problem - Podcast.
• 2012
• • Mr. Bejtlich taught TCP/IP Weapons School 3.0 at Black Hat Abu Dhabi 2012: 3-4 Dec / Abu Dhabi, UAE.
  • Mr. Bejtlich spoke at a Mandiant breakfast event in Calgary, AB on 28 Nov 2012.
  • Mr. Bejtlich spoke at AppSecUSA in Austin, TX on 26 Oct 2012. The talk Incident Response: Security After Compromise is posted as a video (42 min).
  • Mr. Bejtlich organized and hosted the Management track at the 3rd annual Mandiant MIRCon on 17-18 October 2012.
  • Mr. Bejtlich spoke at a SANS event in Baltimore, MD on 5 Oct 2012.
  • Mr. Bejtlich spoke at a Mandiant breakfast event in Dallas, TX on 13 Sep 2012.
  • Mr. Bejtlich taught TCP/IP Weapons School 3.0 at Black Hat USA 2012: 21-22 and 23-24 Jul / Las Vegas, NV.
  • Mr. Bejtlich taught a compressed version of TCP/IP Weapons School 3.0 at a U.S. Cyber Challenge Summer Camp in Ballston, VA on 28 Jun 2012.
  • Mr. Bejtlich participated on a panel titled Hackers vs Executives at the Forrester conference in Las Vegas on 25 May 2012.
  • Mr. Bejtlich spoke at the Cyber Security for Executive Leadership: What Every CEO Should Know event in Raleigh, NC on 11 May 2012.
  • Mr. Bejtlich participated on a panel titled SEC Cyber Security Guidelines: A New Basis for D&O Exposure? at the 8th Annual National Directors & Officers Insurance ExecuSummit in Uncasville, CT on 8 May 2012.
  • Mr. Bejtlich delivered the keynote to the 2012 National Cyber Crime Conference in Norwood, MA on 30 Apr 2012.
  • Mr. Bejtlich spoke at the FOSE conference on a panel discussing new attacks on 4 Apr 2012.
  • Mr. Bejtlich testified to the US-China Economic and Security Review Commission on 26 Mar 2012.
  • Mr. Bejtlich spoke at the Air Force Association CyberFutures conference (audio mp3) on 23 Mar 2012.
  • Mr. Bejtlich delivered the keynote to the IANS Research Mid-Atlantic conference on 21 Mar 2012.
  • Mr. Bejtlich spoke at a Mandiant breakfast event with Secretary Michael Chertoff in New York, NY on 15 Mar 2012.
  • Mr. Bejtlich spoke to the Augusta, GA ISSA chapter on 8 Mar 2012.
  • Mr. Bejtlich participated on a panel about digital threats at the RSA Executive Security Action Forum on 27 Feb 2012.
  • Mr. Bejtlich spoke at a Mandiant breakfast event with Gen (ret.) Michael Hayden in Washington, DC on 22 Feb 2012.
  • Mr. Bejtlich spoke at the ShmooCon Epilogue conference on 30 Jan 2012.
  • Mr. Bejtlich spoke at a Mandiant breakfast event with Secretary Michael Chertoff in Houston, TX on 12 Jan 2012.
• 2011
• • Mr. Bejtlich taught TCP/IP Weapons School 3.0 at Black Hat Abu Dhabi 2011: 12-13 Dec / Abu Dhabi, UAE.
  • Mr. Bejtlich organized and hosted the Management track at the 2nd annual Mandiant MIRCon on 5-6 November 2011.
  • Mr. Bejtlich taught TCP/IP Weapons School 3.0, 26-27 Oct 2011 in McLean, VA.
  • Mr. Bejtlich offered the keynote at the HawaiianTel 2011 Business Security Conference on 7 Sep 2011 in Honolulu, HI.
  • Mr. Bejtlich participated in a panel titled Why Bad Breaches Happen To Good Companies on 25 Aug 2011.
  • Mr. Bejtlich taught TCP/IP Weapons School 3.0 at USENIX Security: 8-9 Aug / San Francisco, CA.
  • Mr. Bejtlich taught TCP/IP Weapons School 3.0 at Black Hat USA 2011: 30-31 Jul and 1-2 Aug / Las Vegas, NV.
  • Mr. Bejtlich participated in the Attacking Cyber Security Marketecture panel at BSidesSanFrancisco: 1100-1145 15 Feb / San Francisco, CA. Video available at Livestream with the talk starting at 12:35.
  • Mr. Bejtlich participated in a panel at the e10+ Experienced Security event at RSA Conference USA 2011: 0730-1200 14 Feb / San Francisco, CA.
  • Mr. Bejtlich presented "Cooking the Cuckoo's Egg" at the DoJ Cybersecurity Conference: 1100-1145 08 Feb / Washington, DC.
  • Mr. Bejtlich presented Building a Fortune 5 CIRT Under Fire (twice) and participated in an APT panel at DoD Cybercrime: 26 Jan 2011 / Atlanta, GA.
  • Mr. Bejtlich taught TCP/IP Weapons School 3.0 at Black Hat DC 2011: 16-17 Jan 2011 / Arlington, VA.
• 2010
• • Mr. Bejtlich presented to the TechTarget Emerging Threats forum on 16 Nov 2010 / New York, NY.
  • Mr. Bejtlich participated in the MANDIANT MirCon Wrap-Up Webcast on 19 Oct 2010.
  • Mr. Bejtlich spoke on the Incident Response Dream Team Panel at the first annual Mandiant MIRCon, 12-13 Oct 2010 / Alexandria, VA.
  • Mr. Bejtlich offered a guest lecture on digital security at Loyola University Maryland on 11 Oct 2010.
  • Mr. Bejtlich presented to the TechTarget Emerging Threats forum on 28 Sep 2010 / Seattle, WA.
  • Mr. Bejtlich delivered the VizSec 2010 keynote on 14 Sep 2010, and then attended RAID 2010 15-17 Sep 2010 / Ottawa, Canada.
  • Mr. Bejtlich taught TCP/IP Weapons School 2.0 at Black Hat USA 2010: 24-25 and 26-27 Jul 2010 / Las Vegas, NV.
  • Mr. Bejtlich presented CIRT-Level Response to APT at
  • SANS WhatWorks in Incident Response and Forensic Solutions 2010: 8-9 Jul 2010 / Washington, DC
  • Mr. Bejtlich presented Building a Fortune 5 CIRT Under Fire at FIRST 2010 18 Jun 2010 / Miami, FL
  • Mr. Bejtlich taught TCP/IP Weapons School 2.0 at Black Hat Europe 2010: 12-13 Apr 2010 / Barcelona, Spain.
  • Mr. Bejtlich offered a guest lecture on digital security at Georgetown University on 22 March 2010.
  • Mr. Bejtlich offered a guest lecture on digital security at the United States Naval Academy on 2 March 2010.
  • Mr. Bejtlich taught TCP/IP Weapons School 2.0 at Black Hat DC 2010: 31 Jan - 1 Feb 2010 / Arlington, VA.
• 2009
• • Mr. Bejtlich organized and led the SANS WhatWorks in Incident Detection Summit 2009, 9-10 Dec 09 / Washington, DC.
  • Mr. Bejtlich offered a keynote and participated in panels at DojoCon, 6-7 Nov 09 / MD
  • Mr. Bejtlich offered a keynote and class at the Information Security Summit, 29-30 Oct 09 / Corporate College East, Warrensville Heights, OH.
  • Mr. Bejtlich participated in a panel titled The Laws of Vulnerabilities at Black Hat USA 2009 on 29 July 2009.
  • Mr. Bejtlich taught TCP/IP Weapons School 2.0 at Black Hat USA 2009: 25-26 and 27-28 July 2009 / Caesars Palace, Las Vegas, NV.
  • Mr. Bejtlich delivered the keynote at the SANS WhatWorks Summit in Forensics and Incident Response 2009, 6-7 July 2009 / The Fairmont Washington, Washington, DC.
  • Mr. Bejtlich offered a guest lecture on digital security at the United States Air Force Academy on 1 May 2009.
  • Mr. Bejtlich taught TCP/IP Weapons School 2.0 at Black Hat Europe 2009 Training: 14-15 April 2009 / Moevenpick Hotel Amsterdam City Centre, Amsterdam, The Netherlands.
  • Mr. Bejtlich taught TCP/IP Weapons School 2.0 at Black Hat DC 2009 Training: 16-17 February 2009 / Hyatt Regency Crystal City, Arlington, VA.
  • Mr. Bejtlich presented Network Security Monitoring Using FreeBSD at DC BSDCon 2009, 6 February 2009 / Washington Marriott Wardman Park, Washington, DC.
• 2008
• • Mr. Bejtlich delivered the keynote at the 1st ACM Workshop on Network Data Anonymization (NDA 2008), 31 October 2008 / Hilton Alexandria Mark Center, Alexandria, VA.
  • Mr. Bejtlich offered a guest lecture on digital security at Johns Hopkins University on 20 October 2008.
  • Mr. Bejtlich delivered the keynote on the second day of the SANS WhatWorks in Incident Response and Forensic Solutions Summit 2008, 13-14 October 2008 / Caesars Palace, Las Vegas, NV.
  • Mr. Bejtlich taught TCP/IP Weapons School at Black Hat USA 2008 Training: 2-3 and 4-5 August 2008 / Caesars Palace, Las Vegas, NV
  • Mr. Bejtlich provided the keynote ate Detection of Intrusions and Malware & Vulnerability Assessment: 10-11 July 2008 / France Telecom R&D / Orange Labs, Issy les Moulineaux, near Paris, France
  • Mr. Bejtlich taught Network Security Operations at TechnoSecurity 2008: 31 May 2008 / Myrtle Beach Marriott Resort, Myrtle Beach, SC
  • Mr. Bejtlich taught TCP/IP Weapons School at Black Hat DC 2008: 18-19 February 2008 / Westin Hotel, Washington, DC
• 2007
• • Mr. Bejtlich offered a guest lecture on digital security at George Mason University on 29 November 2007.
  • Network Security Operations: 27-29 August 2007 / public 3 day class / Chicago, IL
  • Mr. Bejtlich spoke to the Chicago Electronic Crimes Task Force and the Chicago Snort Users Group on 30 and 29 August 2007, respectively.
  • Mr. Bejtlich taught Network Security Operations on 21-23 August 2007 / Cincinnati, OH
  • Mr. Bejtlich taught TCP/IP Weapons School (layers 4-7) at USENIX Security 2007: 6-7 August 2007 / Boston, MA.
  • Mr. Bejtlich taught TCP/IP Weapons School at Black Hat USA 2007: 28-29 and 30-31 July 2007 / Caesars Palace, Las Vegas, NV.
  • USENIX 2007: 20-22 June 2007 / Network Security Monitoring and TCP/IP Weapons School (Layers 2-3) tutorials / Santa Clara, CA
  • Mr. Bejtlich briefed GFIRST 2007: 25-26 June 2007 / Network Incident Response and Forensics (two half-day tutorials) and Traditional IDS Should Be Dead conference presentation / Orlando, FL
  • Mr. Bejtlich taught TCP/IP Weapons School (Layers 2-3) and briefed Open Source Network Forensics at Techno Security 2007: 5-7 June 2007 / / Myrtle Beach, SC.
  • Mr. Bejtlich briefed Open Source Network Forensics at ISS World Spring 2007: 31 May 2007 / Washington, DC
  • Mr. Bejtlich briefed Network Incident Response and Forensics at AusCERT 2007: 23-24 May 2007 / Gold Coast, Australia.
  • Mr. Bejtlich taught Network Security Monitoring: 25 May 2007 / Sydney, Australia.
  • Mr. Bejtlich briefed at CONFIDENCE 2007: 13 May 2007 / Krakow, Poland.
  • Mr. Bejtlich briefed at ShmooCon: 24 March 2007 / Washington, DC; video here.
• 2006
• • Mr. Bejtlich presented a special two evening training class, Enterprise Network Instrumentation, on 14-15 December 2006, at SANS CDI East 2006. More details are posted here.
  • Mr. Bejtlich presented TCP/IP Weapons School Part 2 on 9-10 December 2006, after USENIX LISA in Washington, DC.
  • Mr. Bejtlich taught days one and two of TCP/IP Weapons School on 3 and 4 December 2006 at USENIX LISA in Washington, DC. He also taught Network Security Monitoring with Open Source Tools on 8 December 2006.
  • Mr. Bejtlich appeared on the Tenable Webinar at 1000 ET on Friday 17 November 2006.
  • Mr. Bejtlich participated in the DE Communications Inside Job Webinar at 11 ET on Thursday 9 November 2006.
  • Mr. Bejtlich spoke at the Net Optics Think Tank in Fairfax, VA on Tuesday, 26 September 2006 from 1215-1315.
  • Mr. Bejtlich spoke at the 2006 FFIEC Information Technology Conference in Arlington, VA on Wednesday, 23 August 2006 from 0830-1000.
  • Mr. Bejtlich taught TCP/IP Weapons School at USENIX Security 2006 in Vancouver, BC on 31 July and 1 August 2006.
  • Mr. Bejtlich spoke at the 2006 FIRST Conference in Baltimore, MD on Friday, 30 June 2006 from 1500 to 1530.
  • Mr. Bejtlich spoke at the 2006 Techno Security Conference in Myrtle Beach, SC on Tuesday, 6 June 2006. From 0800-0930 he presented Enterprise Network Instrumentation Fundamentals. From 1000-1200 he presented Enterprise Network Instrumentation: Advanced Topics. At 1530 he joined Ron Gula, Marcus Ranum, Ross Rogers, and Johnny Long for a security panel discussion.
  • Mr. Bejtlich taught a one day course on Network Security Monitoring with Open Source Tools at the USENIX 2006 Annual Technical Conference in Boston, MA on Friday, 2 June 2006.
  • Mr. Bejtlich offered a guest lecture at the University of Cambridge Computer Laboratory Security Group Seminar Series in Cambridge, UK, on Friday 19 May 2006 on network security monitoring.
  • Mr. Bejtlich spoke at the 2006 Computer and Enterprise Investigations Conference in Lake Las Vegas, NV on Thursday, 4 May 2006 from 1400-1530 on Network Forensics.
  • Mr. Bejtlich spoke at the US-CERT 2006 GFIRST Conference in Orlando, FL on Monday, 1 May 2006 from 1030-1200 on Network Incident Response.
  • Mr. Bejtlich spoke at the Network Security 2006 Conference in Reston, VA on Monday, 17 April 2006 from 1845 to 1945.
  • Mr. Bejtlich spoke at the 2006 Rocky Mountain Information Security Conference in Denver, CO on Wednesday, 5 April 2006 on Network Incident Response.
  • Mr. Bejtlich spoke at the RSA Conference 2006 in San Jose, CA on Tuesday, 14 February 2006 from 1735 to 1825. The subject was Traffic-Centric Incident Response and Forensics.
  • Mr. Bejtlich spoke at ShmooCon 2006 in Washington, DC on Saturday, 14 January 2006 at 1600. The subject was Network Security Monitoring with Sguil.
  • Mr. Bejtlich delivered presentations on network incident response and network forensics at the 2006 DoD Cybercrime Conference in Palm Harbor, FL on 11 January 2006.
• 2005
• • Mr. Bejtlich presented three full-day tutorials at USENIX LISA 2005 in San Diego, CA, from 6-8 December 2005. He taught network security monitoring, incident response, and forensics.
  • Mr. Bejtlich spoke at the Cisco Fall 2005 System Engineering Security Virtual Team Meeting in San Jose, CA on 10 October 2005.
  • Mr. Bejtlich spoke at the Net Optics Think Tank at the Hilton Santa Clara in Santa Clara, CA on 21 September 2005. He discussed network forensics, with a preview of material in his next book Real Digital Forensics.
  • Mr. Bejtlich taught network security monitoring to security analysts from the Pentagon with Special Ops Security on 23 and 24 August 2005 in Rosslyn, VA.
  • Mr. Bejtlich spoke at the InfraGard 2005 National Conference on 9 August 05 in Washington, DC on the basics of network forensics.
  • Mr. Bejtlich taught a one day course on network incident response, with his forensics book as the background material, at USENIX Security 05 on 1 August 2005 in Baltimore, MD.
  • Mr. Bejtlich taught a one day course on network security monitoring, with his NSM book as the background material, at USENIX Security 05 on 31 July 2005 in Baltimore, MD.
  • Mr. Bejtlich offered a guest lecture on digital security at George Washington University on 23 June 2005.
  • Mr. Bejtlich spoke at the Techno Security 2005 conference on 13 June 2005 in Myrtle Beach, CA. He was invited by Tenable Security to appear at their evening social event.
  • Mr. Bejtlich spoke at the Net Optics Think Tank on 18 May 2005 in Sunnyvale, CA.
  • Mr. Bejtlich presented Keeping FreeBSD Up-To-Date and More Tools for Network Security Monitoring at BSDCan 2005 on 13 May 2005.
  • Mr. Bejtlich spoke to the Pentagon Security Forum on 19 April 2005.
  • Mr. Bejtlich taught a one day course on network security monitoring, with his book as the background material, at USENIX 05 on 14 April 2005 in Anaheim, CA.
  • Mr. Bejtlich spoke to the Government Forum of Incident Response and Security Teams (GFIRST) on 5 April 2005 in Orlando, FL.
  • Mr. Bejtlich spoke to the Information Systems Security Association of Northern Virginia (ISSA-NoVA) on 17 February 2005 in Reston, VA.
  • Mr. Bejtlich spoke at the 2005 DoD Cybercrime Conference on 13 January 2005 in Palm Harbor, FL.
• 2004
• • Mr. Bejtlich spoke to the DC Systems Administrators Guild (DC-SAGE) on 21 October 2004 about Sguil.
  • Mr. Bejtlich spoke to the DC Linux Users Group on 15 September 2004 about Sguil.
  • Mr. Bejtlich spoke to the High Technology Crime Investigation Association International Conference and Expo 2004 on 13 September 2004 in Washington, DC about Sguil.
  • Mr. Bejtlich taught a one day course on network security monitoring, with his first book as the background material, at USENIX Security 04 on 9 August 2004 in San Diego.
  • Mr. Bejtlich spoke to the DC Snort User's Group on 24 Jun 2004 about Sguil.
  • Mr. Bejtlich presented Network Security Monitoring with Sguil (.pdf) at BSDCan on 14 May 2004.
  • Mr. Bejtlich spoke to the SANS Local Mentor program in northern Virginia for two hours on 11 May 2004 about NSM using Sguil. Joe Bowling invited him.
  • Mr. Bejtlich gave a lightning talk demo of Sguil at CanSecWest 04 on 22 April 2004.
• 2003
• • Mr. Bejtlich spoke to ISSA-CT about network security monitoring on 9 December 2003.
  • Mr. Bejtlich taught Foundstone's Ultimate Hacking Expert class at Black Hat Federal 2003 in Tyson's Corner, 29-30 September 2003.
  • Mr. Bejtlich recorded a second webcast on network security monitoring for SearchSecurity.com. He posted the slides here.
  • Mr. Bejtlich taught the first day of Foundstone's Ultimate Hacking Expert class at Black Hat USA 2003 Training in Las Vegas on 28 July 2003.
  • Mr. Bejtlich spoke on 21 July 2003 in Washington, DC at the SANS NIAL conference.
  • Mr. Bejtlich discussed digital security in Toronto on 13 March 2003 and in Washington, DC on Tuesday, 25 March 2003 at the request of Watchguard.
  • Mr. Bejtlich taught days four, five, and six of the SANS intrusion detection track in San Antonio, Texas from 28-30 January 2003.
• 2002
• • Mr. Bejtlich recorded a webcast on network security monitoring (PDF slides) with his friend Bamm Visscher for SearchSecurity.com and answered questions submitted by listeners. A SearchSecurity editor commented on the talk as well.
  • Mr. Bejtlich helped teach Foundstone's Ultimate Hacking class at Black Hat USA 2002 Training in Las Vegas on 29-30 July 2002.
  • Mr. Bejtlich taught days one, two, and three of the SANS intrusion detection track in San Antonio, Texas from 15-17 July 2002.
  • Mr. Bejtlich taught day four of the SANS intrusion detection track in Toronto, Ontario on 16 May 2002.
  • On 11 April 2002 Mr. Bejtlich briefed the South Texas ISSA chapter on Snort.
  • Mr. Bejtlich helped teach day four of the SANS intrusion detection track in San Antonio, Texas on 14 March 2002 after Marty Roesch was unable to teach the class.
• 2000-2001
• • On 24-25 October 2001 Mr. Bejtlich spoke to the Houston InfraGard chapter at their 2001 conference.
  • In August and September 2001 Mr. Bejtlich briefed analysts at the AFCERT on Interpreting Network Traffic.
  • On 19 October 2000 Mr. Bejtlich was invited back to speak at the SANS Network Security 2000 Technical Conference.
  • During 14-16 August 2000 Mr. Bejtlich participated in the Cyber Summit 2000 sponsored by the Air Intelligence Agency. Mr. Bejtlich was a captain in the AFCERT. You will find him in the middle of this picture.
  • In June 2000 Mr. Bejtlich signed a letter protesting the Council of Europe draft treaty on Crime in Cyberspace.
  • In June 2000 Mr. Bejtlich briefed FIRST on third party effects. This predated CAIDA's 2001 USENIX "backscatter" paper.
  • On 25 March 2000 Mr. Bejtlich presented Interpreting Network Traffic: A Network Intrusion Detector's Look at Suspicious Events at the SANS 2000 Technical Conference.