Thoughts from the Winners of Inaugural Internet Defense Prize

The awarding of the inaugural Internet Defense Prize, sponsored by Facebook, at the Wednesday evening reception of USENIX Security '14 has created quite the buzz. Click here for more details about the $50,000 prize.

The winners of the inaugural prize, Johannes Dahse and Thorsten Holz, both researchers at Ruhr-Universität Bochum in Germany, received the award for their paper, "Static Detection of Second-Order Vulnerabilities in Web Applications". They were gracious enough to sit down with me for a brief Q&A.


HH: How did you come to research second-order vulnerabilities?
JD: I built a security vulnerability scanner. My first idea was to find the vulnerabilities in Capture The Flag, the online gaming contest. You are stressed by time and have to find vulnerabilities very quickly. I've been working on that part of this research idea since 2007.
TH: The whole framework was presented this year, in 2014. For the USENIX paper, we focused on one specific topic. In February a prototype was introduced and now we’re fleshing out the program and adding more vulnerabilities.

HH: How long have you been working on this research and paper?
JD/TH: Research began academically in 2011 and work on the paper began in October 2013.

HH: What were your reactions when you found out that you were receiving this award from Facebook?
JD/TH: “Awesome.” It’s an honor to have such high recognition from such an important company. Very simply, “Awesome”.

HH: How did the owners/managers of the sites respond when you notified them of the vulnerabilities?
JD/TH: They responded differently; some software vendors were really responsive and thankful and fixed the vulnerabilities immediately. We also got no response from one vendor. One vendor acknowledged the problem, but hasn’t fixed it. We're not surprised by the variety of responses.

HH: What are your plans now that you’ve won this award--does this change anything?
JD/TH: The plan before the award was to develop the content and roll it out to other vulnerabilities. The award will help to get more people involved in the research. Right now, there are only two of us working on it, so progress is quite slow, but now we can have more students and workers added to the group, which will help accelerate the process.