Research

Continuing our analysis of the 2014 Open Source Development and Application Security Survey, we can now discuss results as the final version has just been released. Today’s post focuses on application security related facets of the data. Several questions in the survey focused on security practices within open source development, including vulnerability tracking and who is responsibility for security. I will dive into the results in detail, sharing my perspective on where things are getting better, which results surprised me, and where I believe improvements and attention are still needed. Here we go… Who’s talking? When analyzing a survey I always start with this question. It frames many of the survey’s answers. Understanding who is responding also helps illuminate the perspective expressed on the issues and challenges discussed. When asked “What is your role in the organization?” the respondents were largely developers, at 42.78% of those surveyed. Considering that most architects, DevOps types, and build managers perform some development tasks, it is safe to say that over 50% of respondents have their hands on open source components and projects. A full 79% (include development managers) are in a position to understand the nuances of open source development, judge security, and reflect on policy issues. Is open source important? The short answer is “Hell yes, it’s important!” The (Maven) Central Repository – the largest source of open source components for developers – handled thirteen billion download requests last year. That’s more than a billion – with a ‘B’ – every month. This statistic gives you some idea of the scale of open source components used to assemble software applications today. What’s more, the Sonatype data shows open source component usage on the rise, growing 62% in 2013 over 2012, and more than doubling since 2011. When asked “What percentage of a typical application in your organization is comprised of open source components?” at least 75% of organizations rely on them in their development practices. While ‘0-20%’ was an option, I am willing to bet few were really at ‘zero’ because those people would be highly unlikely to participate in this survey. So I believe the number with some involvement (including 1-20%) is closer to 100%. The survey looked at use of open source components across verticals; they captured responses from most major industries including banks, insurance, technology/ISV, and government. Open source component usage is not relegated to a few target industries – it is widespread. The survey also asked “How many developers are in your organization?” to which almost 500 participants answered 1,000 or more. Small firms don’t have 1,000 developers, so at least 15% of responses were from large enterprises. That is a strong showing, given that only a few years ago large enterprises did not trust open source and generally refused to officially endorse its use on corporate systems. And with nearly 700 responses from organizations with 26-100 developers, the survey reflects a good balance of organizational size. Adoption continues to climb because open source have proven its worth – in terms of both quality and getting software built more quickly when you don’t try to build everything from scratch. More software than ever leverages contributions from the open source community, and widespread adoption makes open source software incredibly important. Are developers worried about security? Questions around software security were a theme of this year’s audit, which is why the name changed from years past to “Open Source Development and Application Security Survey”. A central question was “Are open source vulnerabilities a top concern in your position?”, to which 54.16% answered “Yes, we are concerned with open source vulnerabilities.” Concern among more than half of respondents is a good sign – security is seldom part of a product design specification, and has only recently become part of the design and testing phases of development. Respondents’ concerned with vulnerabilities is a positive sign. Viewed another way, 10 years ago that number was about zero, so we see a dramatic change in awareness. Outside development security practitioners get annoyed that only about 50% responded, “Yes” to this question. They zealously believe that when it comes to software development, everyone from the most senior software architect to the new guy in IT needs to consider security practices a priority. As we have seen in breaches over the last decade, failure only takes one weak link. Lending support to the argument that software development has a long way to go when it comes to security, 47.29% of respondents said “Developers know it (Security) is important, but they don’t have time to spend on it.” The response “I’m interested in security and the organization is not.” is very common across development organizations. Most developers know security is an open issue. But fixing security typically does not make its way up the list of priorities while there are important features to build – at least not until there is a problem. Developers’ growing interest in security practices is a good sign; allocation of resources and prioritization remains an issue. What are they doing about it? This year’s results offer a mixed impression of what development organizations are actually doing about security. For example one set of responses showed that developers (40.63%) are responsible for “tracking and resolving newly discovered vulnerabilities in components included in their production applications.” From a developer’s perspective this result looks legitimate. And the 2014 Verizon Data Breach Investigations Report makes clear that the application stack is where the main security issues are being exploited. But application security buying behavior does not jibe with patterns across the rest of the security industry. Understanding that the survey participants were mostly developers with an open source perspective, this number is still surprising because the vast majority of security expenditures are for network and endpoint security devices. Security, including application security, is generally bolted on rather than fixed from within. Jeremiah Grossman, Gunnar Peterson and others have all discussed the ineffectiveness of gearing security toward the network rather than applications. And the Whitehat Website Security Statistics report shows a long-term cost benefit from fixing problems within applications, but what we

Mike is out on a beach this week sunning himself (don’t think to hard about that) so Rich and Adrian join up to talk about some interesting developments in Apple privacy, and how Apple may be using it to get some competitive advantage. The audio-only version is up too. Share:

Reminder: 2014 Open Source Development Webcast this Wednesday A quick reminder: Brian Fox and I will be doing a webcast this Wednesday (June 18th) on the results of the 2014 Open Source Development and Application Security Survey. We have decided to divide the survey into a half dozen or so focus areas and discuss the results. We have different backgrounds in software development so we feel an open discussion is the best way to offer perspective on the results. Brian has been a developer and worked with the open source community for well over a decade, and I have worked with open source since the late ’90s and managed secure code development for about as long. The downside is that we were both created with the verbose option enabled, but we will be sure to leave time for comments at the end. Register for the webcast to listen in live. Talk to you Wednesday! Share:

Just in case you thought supply and demand don’t apply to our little area of the world, think again. It is interesting to read about a $5,000 malware kit targeting Android. Dan Goodin digs into the specifics of the iBanking malware kit, the breadth of its capabilities, and how it proliferates (typically against users already infected with financial malware on their PCs); and resists whitelists to evade detection and prevention. But why does this particular package warrant such a high price? Market opportunity, of course. With the number of Android phones out there, the math indicates it is probably a worthwhile investment, especially given the number of folks doing mobile banking and commerce. See? Supply and demand. Econ 101, folks. Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device’s microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset. There is also a free version of iBanking available, but many attackers opt for the paid version which includes updates and support. That’s awesome, and nicely illustrates that software is software and freemium is a great market-building strategy. Whatever your product does… Photo credit: “excellent visual aid” originally uploaded by arianne Share:

We all fall into the trap of adopting industry lingo to describe various functions. But when you take a step back, and think about mental cues we need to perform our best, sometimes it makes sense to look at things a bit differently. We all call the function of dealing with an attack incident response now. To be clear, respond is a better word than react because it at least implies logical thought about how to respond. But the next step is to manage incidents. Integriography has a good post about this distinction, with an analogy that will warm Rich’s heart – comparing processes to Emergency Management. I knew I have heard that before somewhere… Tornados, earthquakes, fires, automobile accidents, heart attacks, and many more emergencies happen daily. Rather than treating these as one off incidents that require all hands on deck, emergency services plan, recruit, train, and respond in a very calm, business like manner because it is their normal business. Right. Dealing with attacks is our normal business. So it’s time we start managing to that. It is probably time to update our terminology to reflect this. (h/t to grecs, who pointed me to this post.) Photo credit: “Emergency” originally uploaded by michaelgoodin Share:

As Rich said in last week’s Summary, the blog will be quiet this summer because we are busier than we have ever been before. The good news is that new research and Securosis offerings are usually the result. But that does not stop us from feeling guilty about our lack of blogging. With that, I leave you with a couple thoughts from my world this week on a Friday the 13th: Picture an older Formula 1 car. Blindingly fast. Pinnacle of design in its day. Maybe Stirling Moss or Ayrton Senna drove it to victory. It’s still beautiful and fast, but you can’t race it today because it’s not competitive. It can’t be. In some cases the rules of F1 change so great technologies can no longer be used (i.e., ground effects). In other cases the technologies are longer state-of-the-art. You cannot – and should not – retrofit an old chassis. So what do you do with the car? Seems a shame to relegate an F1 car to the dustbin, but you can’t compete with it any longer. As part of our day jobs we get asked to review products and make suggestions on the viability of platforms going forward. Sometimes product managers want us to vet their roadmaps; sometimes we are asked to support a due diligence effort. Whatever the case, we occasionally find cases where a great old product simply cannot compete or be retrofitted to be competitive. Don’t get emotionally attached because it was the S#!$ in its day, and best not think too much about sunk costs – just go back to the drawing board. A fresh start is your only answer. There are many alternatives to passwords. Some outfits, like nospronos.com have recycled an old idea to do away with user passwords on their World Cup web site. Users each get a ‘secret’ URL to their web page, and a public URL to share with friends. Sound familiar? Public key crypto is the gist here: the user gets a private account, the web site does not need to store or manage user passwords, and they can still share content with friends. Good idea? In the short term it’s great, because by the time the users lose or leak passwords the World Cup will be over. It’s fragile, but likely just secure enough to work just long enough. Well, it would have if they had only remembered to issue HTTPS URLs. Oh well… sans passwords and sans privacy means sans security. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mortman quoted in “The 7 skills Ops pros need to succeed with DevOps”. Adrian quoted on Gazzang acquisition by Cloudera. Adrian to present on the Open Source and Application Security Survey next week. Favorite Securosis Posts David Mortman: Open Source development Analysis. Actually – we all selected the Open Source development Analysis this week. Wonder why? Other Securosis Posts Take our IT practices survey and win cool stuff (and free data). Incite 6/11/2014: Dizney. Summary: Summer. Cloudera acquires Gazzang. Favorite Outside Posts Rich: After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal. Our job isn’t to fix everything, but to manage risk and fix things in the right order. Mike Rothman: The CSO’s Failure to Lead. Is the inability to execute on a security program the fault of the CISO? Maybe. Maybe not. Causation is not correlation. Dave Lewis: ISS’s View on Target Directors Is a Signal on Cybersecurity. If you are keeping score at home we have a number of firsts: CIO dismissal, credit rating downgrade, CEO dismissal, and boardroom shakeup. That is a lot of firsts – this is a Sputnik moment for security. David Mortman: Here’s How You Pick the “Unpickable” Bike Lock. Adrian Lane: 10 things: #1 Parameterize Database Queries. Jim Bird is going through the OWASP Top 10 and explaining the whys and hows to protect against these issues. It’s a series, and this is the first post. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet?. Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts GameOver Zeus botnet disrupted by FBI, Microsoft 14-Year Olds Hack ATM With Default Password More Fun with EMV Adobe, Microsoft Push Critical Security Fixes iOS 8 to stymie trackers and marketers with MAC address randomization ‘NSA-proof’ Protonet server crowdfunds $1m in under 90 minutes SSL/TLS MITM vulnerability CVE-2014-0224 TweetDeck wasn’t actually hacked, and everyone was silly Can You Track Me Now? Blog Comment of the Week This week’s best comment goes to Marco Tietz, in response to the Open Source Development and Application Security Analysis. That is pretty cool, looking forward to your coverage. As I’m working with Sonatype right now on a couple of things, I can confirm that they know what they are doing and that they are in fact in a pretty unique position to provide insights into open source usage and possible security implications. Share:

Thanks to the cloud, mobility, and emerging practices like DevOps, I don’t think anyone would argue we aren’t in one of the most rapidly evolving IT eras since the emergence of the World Wide Web. Like it, hate it, or anywhere in between, everyone I speak with knows the winds have changed. Personally I believe these disruptions are more impactful than our first tenuous connections to the Internet but that’s fodder for another post. It is clear we don’t yet know fully how these advances will change existing IT practices across different kinds of organizations. That’s why we are partnering with JumpCloud to get a better sense of these evolving technologies; along with the impact of, and approaches to, internal practices and DevOps. This isn’t a vendor-licensed or -sponsored study. JumpCloud is on the operations side, Securosis on the security side, and we are both looking for a better idea of what’s going on out there, so we decided to partner up. You can take the survey here. As usual, we will release all the raw data (anonymized, of course) back to the community. We are also giving away cool stuff to random winners who complete the entire survey (and leave contact info). An Amazon Fire TV, Samsung Gear 2 Neo Smartwatch, or a Fitbit Flex. (We decided to change things up from the usual Apple giveaway). So please spread the word and take the survey. Share:

This week I will take a page from Adrian’s Friday Summary approach, and just offer a stream of consciousness about the recent trip the family and I took to DisneyWorld. We went down there to watch the girls dance in Downtown Disney. Their dance company does this every other year, which means we are down in Orlando doing the Disney thing every two years. Trying to be more present and aware in my daily life was interesting in a place like Disney. So let me start with a few observations. First of all, it’s expensive to hang out with the Mouse. We get a great deal on tickets to the parks and it still costs a metric crap ton of coin to be there for a couple days. Then you throw in food, bottled water, and the bargain $8 ponchos (which are a bargain during the 20 minute daily downpours) – and it’s not a cheap vacation. Next you have people of all shapes, sizes, nationalities, languages, cultures, etc. If you think America in general is a great melting pot, spend a little time at Disney. You see young and old. Extended families. Those from the US and those not. Newlyweds. Bachelorette parties and all sorts of other groups. Most of these families have group t-shirts on. I just don’t get that. Do you think they wear that T-shirt any other time? Okay, don’t answer that. Actually the best shirts we saw all week were on a family that said, “We don’t believe in family trip t-shirts.” On all 20 of them. Hilarious. The diversity you see is really cool. The downside for me is varying levels of hygiene. I have a pretty sensitive nose and it can get a little steamy in June in Orlando. So standing on line for 40 minutes to ride Peter Pan (I’m still peeved at XX1 about that) next to a group that don’t get deodorant is unpleasant to say the least. You can also see the impact of mobile technology. We let XX1 roam around EPCOT with her dance friends one of the days. We always knew how to get in touch with her. The expectation was that she would check in every hour or so. And worst case we could always use Find My Friends to see where she was. I noticed loads of people with heads down on mobile devices as they walked the park. They were missing the experience, but that’s the culture today. Same goes for folks who watch rides or their kids dancing through the viewfinder of a camera. That doesn’t work for me but it’s common. One dude got it right and had a GoPro camera affixed to his kid’s stroller. I guess to record the reactions to seeing Mickey and the like. That was pretty cool – like a second set of eyes. I didn’t see anyone with Google Glasses on, so there’s that. Last summer I rued missing XX1’s first experience riding a big roller coaster. I did make amends by doing the Rock and Roller Coaster with both the girls and then the Tower of Terror. The girls couldn’t be more different. XX1 was cursing up a storm on both rides (though she did ask before spewing profanity – manners first). I wonder where she got that from? The Daredevil (XX2) was laughing throughout both rides. And best of all, I was right next to the Boy as we rode the Everest coaster in Animal Kingdom. He was scared, like I was the first time I rode a coaster. Which was a little curious given he has no issue doing a 5-story drop at the water park. He cried a little as we boarded the car, much to the chagrin of the family behind us – who thought I was a monster forcing my son onto the ride. I was in his ear the whole time assuring him it was going to be great. As we made the first climb, he ducked a little to not see much of anything. Then we were off, and as he squeezed my hand through the backwards drop and as we pulled a G or 2 through the curves and drops. You know what? He survived. And he loved it! I loved being there right next to him as he experienced it. That’s what being a Dad is all about. The reason we went to Orlando also worked out marvelously. Despite raining pretty much all day, the sun came out and shined during their performance. And the girls shined as well. I have mentioned there are few things more gratifying than seeing your kids excel at something they are passionate about. So as long as they want to dance in Disney, I’ll be down there every two years, contributing to the Mouse economy and riding roller coasters with all my kids. And loving every minute of it. –Mike Photo credit: “Mickey Mouse Magician” originally uploaded by Alain The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 2 – Sputnik or Sputnot May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed

Earlier this year I participated in the 2014 Open Source Development and Application Security Survey, something I have participated in the last couple years. As a developer and former development manager – and let’s face it, an overtly opinionated one – I am always interested in adding my viewpoint to these inquiries, even if I’m just one developer voice among thousands. But I have also benefitted from these surveys – looking at the stuff my peers are using, and even selecting open source distributions based on these shared data points. Crazy, I know, but it’s another way to leverage the community. But I am equally interested in the survey questions asked, as they hint at what the sponsors are most interested in learning about their community. The organization that conducts this survey is Sonatype, and the 2014 survey was their 4th annual review of open source usage. This year’s survey was co-sponsored by Contrast Security, Rugged Software, NEA, and the Trusted Software Alliance. What piqued my interest is that this year is that I noticed more questions regarding security and vulnerabilities than in previous years. Even the name of the survey changed. But another interesting facet is that the survey was conducted right when OpenSSL’s Heartbleed vulnerability was discovered. It takes a lot for a security vulnerability to make mainstream news, but Heartbleed managed it. For any of you reading this who were not aware of it, OpenSSL is an open source implementation of the SSL protocol. The disclosure simultaneously illustrated that open source components are in use just about everywhere – across industries and organizations of all sizes – and disrupted IT practitioners’ blind faith in this ubiquitous cryptographic module. But Heartbleed is not the story here – the more interesting thing is how it affected people’s understanding of open source software and security. My question was “Did the vulnerability change the survey results?” In past years Sonatype provided us with a pre-briefing before they announced the survey results, and this year was no different. And after going through the survey myself I was extremely interested in the results. As we went through the data and discussed what it all meant, Sonatype said they were interested in getting someone to perform an independent analysis of the data. You don’t have to ask me twice – I jumped at the chance! As a security practitioner who has built software and managed development teams for a couple decades, I could offer some perspective. And we are beginning to see changes in developer attitudes and participation with security, not to mention a disruption of development approaches with DevOps, so I am eager to go through the data to better understand what developers are doing and what issues they face – in both security and product development. So over the next couple days I will discuss the results, with a focus on two key areas: Security Trends Analysis: The survey poses several questions about security and open source policies as they relate to security, vulnerability tracking, and responsibilities. We will examine tools usage, with trending data from prior years where applicable. Because the survey was conducted during the Heartbleed and Struts vulnerability disclosures, we can examine the data for important differences between responses, before and after disclosure. Development Trends and Operations Management: The survey data contains several important questions on development policies around open source management and use. These trends may not have specific security implications, but they impact how teams manage open source and the general quality of their releases. I will discuss trends in open source policy management, licensing, and security testing approaches; as well as where security testing occurs within the development process. I will highlight key takeaways and make recommendations. Finally, for those of you in security who are not familiar with Sonatype, think Apache Maven and Nexus. Their founder built Maven, which is probably the most widely used build automation tool out there. The company also builds the Nexus repository manager, used by over 40,000 organizations for storing and organizing binary software components, including management of policies for their use and automated health checks for security vulnerabilities. As the steward of the Central Repository, which handled over 13 billion requests for open source components last year, they are in a unique position to monitor use of open source development components – including version management, license characteristics, update frequencies, and known security vulnerabilities. This perspective helped them formulate the survey and reach the 3,300+ development professionals who participated. Next week I will cover the report’s security trend analysis. And if you’re interested I will also do a webcast with Brian Fox of Sonatype to discuss the highlights, comparing and contrasting our views on the results. Check it out! Share:

Rich here, When I grew up in New Jersey, summer didn’t really start until June 25th, the day we got out of school. It was weird to me when I moved to Colorado and school ended in May and started in August, but people also used the word “pop” to describe soda, so I figured it was a wacky cultural thing. These days I live in Arizona. Today is June 5 and the temperature should hit 110F. Yesterday it was over 90F by the time I finished breakfast. This. Is. Wrong. I think summer for us started somewhere around the end of January. We have since moved on to a fifth season I fondly call “Ohforfu**’ssakeum”. It isn’t in the books but I am working up a Wikipedia entry. Summer for my children will be very different than I what I grew up with. There’s no simple wandering around the neighborhood looking for your friends, because within a block their shoes will melt and adhere them to the middle of the street, only to be run over by an Amazon delivery truck or one of the 950 landscapers patrolling the area. They’ll get plenty of time at the pool but we need to keep a close eye on them and make sure they jump out every now and then to cool off in the air-conditioned bathroom. Arizona isn’t all bad. For most of the year the weather is about as perfect as you could want. Plus you save a lot on winter clothes. On the downside I miss sweatshirts, and the nearly 20 years I spent cultivating a fleece-based fashion identity is totally wasted. We will be spending a lot of time outside the state this summer. A trip to the Irish festival in Lawler, Iowa (no, I’m not kidding). Then the month of July in Boulder. Then Black Hat and DEF CON for me, and kindergarten for my oldest a week after I get back. But I’m sad for my kids. Summers growing up in Jersey could get pretty hot and muggy, but you could still wander around the neighborhood looking for other kids without having to refill your Camelback 8 times. Then again, rumor is no one lets their kids wander around and experience life any more, so I suppose it won’t make much difference that mine will do the same overly-structured activities as everyone else, but with better air conditioning. But if you make it up to the Irish fest, let me know, and vote for my kids in the Little Lass and Laddie contest. On to the Summary: A quick note: Our posting volume is down to balance some pretty insane demand for our services against family summer time. Don’t worry, we have cool things in store for you coming up. Besides, we still write more than pretty much anyone else who doesn’t get paid by page views. Webcasts, Podcasts, Outside Writing, and Conferences I wrote an article for Macworld on what I learned about upcoming Apple security from WWDC. Favorite Securosis Posts Adrian Lane: Firestarter: Sputnik or Sputput. Sputnik? Nyet! Mike Rothman: Firestarter – Even though I wasn’t there, the show must go on. And it did – admirably. Rich: Cloudera acquires Gazzang. Because it’s good analysis. And the only other thing we posted. Favorite Outside Posts Adrian Lane: Peek Inside a Professional Carding Shop. It’s a good read and I can’t help laugh at the clever use of the McDonalds meme. Mike Rothman: A Hacker Looks at 40. Really good post by Shack. Great to see gratitude, not whining. And there is no question Shack knows exactly who he is. Rich: Rob Graham asks Can I drop a pacemaker 0day? Very well thought out as usual, and hard questions society probably isn’t ready to deal with. Dave Lewis: John Oliver’s net neutrality rant may have caused FCC site crash. You really need to watch it – pure genius. David Mortman: Lego to produce female scientist minifig set. Finally. Gunnar Peterson: Adam Carolla versus patent trolls going after podcasters. Bonus outside link: it takes a minute, but pure awesome once you figure it out. Behold, this is the greatest GitHub software repository of all time. Research Reports and Presentations Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Top News and Posts Another big OpenSSL bug. Violet Blue has good details. GameOver Zeus botnet disrupted by FBI. Network Security, Build To Fail. Mounties join crack down on Russian cyber crime. Pirate Bay Founder’s Computer Was “Hacked”, Investigation Reveals. US cybercrime laws being used to target security researchers. DARPA Cyber Grand Challenge Finale Set For DEF CON 2016. Share: