The Cloud Security Alliance (CSA) plans to hand out a $10,000 top prize during the third edition of its Hackathon event, at the RSA Conference 2015 in San Francisco this month.
The idea is to continue to test the CSA Software Defined Perimeter (SDP) Specification V.1. The $10,000 is available to the first participant to gain access to an account for which the password is provided.
Traditional enterprise security is being increasingly compromised by insecure mobile devices, cloud services and outsourcing. The CSA’s SDP research project is a collaboration among more than 100 companies and US government organizations, including household names like Coca-Cola, Verizon and the automaker Mazda, to come up with a more modern approach that takes into account the digital native reality in the workplace and in consumers’ lives.
Recent high-profile attacks, such as those at Sony and eBay, have leveraged stolen credentials to compromise systems and cause significant damage. So, the third SDP Hackathon will focus on credential theft, and aims to validate the device authentication capabilities of SDP to stop password-based attacks.
Hackathon participants will be provided the name and password to an account, which includes instructions to claim a $10,000 award. The name and password will be announced at the conclusion of the CSA Summit during RSA. Hackathon participants must bypass SDP's device authentication capabilities to gain access to the server with the account.
“The SDP specification continues to gain credibility and momentum among our Enterprise User Group,” said Bob Flores, former CTO of the CIA, managing partner at Cognitio, and co-chair of the CSA SDP Working Group. “In this Hackathon, I’ll be providing my name and password to a file server with instructions to claim $10,000. I have high confidence in the SDP to protect against one of the most devastating kinds of attacks we are seeing today.”
The prize may go unclaimed: In the previous two Hackathons, no one was able to circumvent even the first of the five SDP security control layers (the single packet authorization protocol), despite more than 5 billion packets being fired at the SDP.
The SDP specification uses a framework of security controls that mitigates network-based attacks on Internet-accessible applications by eliminating connectivity to them until devices and users are authenticated and authorized, creating dynamically provisioned perimeters for clouds, demilitarized zones, and data center infrastructures. The SDP has been designed to be highly complementary to software-defined networks (SDNs), the popular network layer construct which decouples routing and architectural decisions from the underlying equipment to create virtual networks. SDP traverses several OSI layers to tie applications and users with trusted networks, using vetted security models.
“Stolen credentials and unauthorized access should no longer be synonymous,” said Junaid Islam, CTO of Vidder and co-chair of the SDP Working Group. “We have seen that paradigm fail enterprises time and again. At the end of this Hackathon, we intend to demonstrate that organizations can and should be applying a different approach to authorization, leveraging device authentication, to reduce the ability for these types of attacks to be effective.”