Fortify has been running surveys at conferences and presenting each result in isolation. I thought it made more sense to put them together, or at least compare the results. To start with, they had a survey at the InfoSec Europe conference this past June that claimed “IT Professionals Are Hacking Their Own Enterprises To Keep Intruders Out”:
Half of the respondents admitted to hacking, with 73% of these respondents doing so to test the strength of their own network’s defences, 13% for fun or out of curiosity, and 3% targeting their efforts at the competition.
This figure of 50% was down significantly from a survey at the RSA North America conference in March:
Eighty-eight percent of respondents admitted to doing some hacking themselves — mostly for work purposes, they said.
Thus, while half of the attendees at the first conference admit to hacking, the second conference has almost ninety percent. They have just announced a new survey result, based on only 100 attendees at DefCon, that pushes the number higher… as you might expect:
an overwhelming 96 percent of the respondents to the Fortify Software-sponsored poll said they believed the cloud would open up more hacking opportunities for them.
This is being driven, says Barmak Meftah, chief products officer with the software assurance specialist, by the belief from the hackers, that cloud vendors are not doing enough to address the security issues of their services.
“89 percent of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45 percent of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem,” he said.
This is a good example of how the term “cloud” gets thrown into something IT-related to generate interest. I am confident that if you survey attendees at any security conference anywhere, the vast majority are going to say not enough is being done to address security issues. That is not really a cloud point. The more interesting question would be what is lacking, since this would force a more thoughtful response and give some clues into what needs to be done. Even a multiple-choice question about what in security is lacking would get a more accurate response than just “is enough being done, yes/no”.
The DefCon survey also seems to ask about future and potential opportunities rather than about present hacking practices, which is what the first two surveys asked about. That slight change also pushes the percentage higher and makes the results read differently.
That is why I say the headline is not so much about a giant new opportunity for hacking the cloud, given the past two surveys as reference, but instead about attendee attitudes at different conferences. More attendees at DefCon openly admit that they will hack, while attendees at other security conferences often (nearly 25%) refused to comment or refused to admit hacking in the past. The one problem with this theory is that only 45% at DefCon admitted to a past hack, about 5% lower than InfoSec Europe. Perhaps that gives us reason to say DefCon attendees are more hopeful to try and find an exploit in the future (they call them opportunities) but other conference attendees are more likely to be working on finding them now.