Published on: October 10, 2024
In today’s interview by Safety Detectives, I sat down with Dr. Melanie Rieback, CEO and co-founder of Radically Open Security (ROS), the world’s first computer security consultancy that donates 90% of its profits to the development of open-source projects. She is also the creator of Post Growth Entrepreneurship and is recognized as one of the 9 most innovative women in the European Union.
Before founding ROS, she served as Assistant Professor of Computer Science at the Free University of Amsterdam (VU), where she conducted influential research on RFID security, notably developing the RFID Virus and RFID Guardian. Her research garnered international attention and won multiple awards, including the IEEE PerCom Best Paper and the USENIX LISA Best Paper awards. She has also held managing positions in top tech firms like Citrix and ING Bank, where she led their Cyber Crime Expertise and Response Team (CCERT) and oversaw the ING Core Threat Intelligence Project.
We discussed her reasons for choosing the non-profit model, ethical concerns in the cybersecurity industry, ROS’s unique approach to penetration testing, and the challenges and opportunities she sees in the future of cybersecurity.
Radically Open Security is a non-profit organization. What made you decide to go down that route?
I wasn’t particularly happy with how some cybersecurity companies operate in the industry. Many of them engage in unethical practices, such as hacking activists or selling surveillance systems to developing countries, and when the hacker community asks these companies to stop, they don’t. I wanted to create a social enterprise in the cybersecurity space to tackle this.
We adopted a church-based business model in the Netherlands, known as a fiscal fundraising institution. This model requires us to donate 90% of our profits to charity. By doing this, we’ve created what I believe is a pure impact business. The remaining 10% of profits serve as a cash flow buffer to ensure payroll, but we donate all non-reinvested profits.
Over the past ten years, we’ve donated just over a million euros to the NLnet Foundation. NLnet is a Dutch charitable foundation that funds open source, digital civil rights initiatives, and the open Internet. For over 20 years they have supported projects that make the internet a better place, including GNU, Tor, Jitsi, WireGuard, DNSSEC, and many more.
In her TED Talk, Melanie explains what is wrong with the traditional entrepreneurship model taught in many schools and turned into a mantra by Silicon Valley.
So it’s not just about transparency but also ethics in cybersecurity.
Exactly! It’s primarily about ethics. Many companies in the cybersecurity industry are extremely commercial, to the detriment of both businesses and society. We wanted to create a company that not only advocates a non-commercial style of business but leads by example. And it worked!
Our core principles of “no sketchy stuff”, “teach to fish” and “open-source” are popular selling points that most of our competitors cannot match, because they run counter to their chosen business model.
Your company is focused on penetration testing (pentesting). Can you explain what’s unique in your approach?
We use a workflow called “peek over our shoulder”. We invite the customer into the chat room where our penetration testers work, allowing them to watch the process in real time. This way, we’re open and transparent, teaching our clients how we work and involving them in the process.
This openness helps our clients think along when breaking into their systems, which helps them to adopt a hacker mindset. It’s an educational process, and that’s a big part of why we’ve become so popular. We’re cracking open the traditional black box of proprietary pentesting.
💡 Key Takeaway:
The “Peek Over Our Shoulder” workflow not only enhances the effectiveness of penetration testing through shorter communication lines but also contributes to client satisfaction and trust through transparency and education. Its collaborative nature helps build a partnership rather than a simple vendor-client relationship, which is crucial for fostering long-term trust.
What are the most common misconceptions about penetration testing that should be dispelled ASAP?
First, people should know that white-box or crystal-box pentesting is much more effective and cost-efficient than black-box pentesting. While black-box testing might mimic a real-world attack more accurately, white-box testing is more efficient, allowing us to access source code, infrastructure, and configurations. This enables us to find more problems within a given timebox. You don’t need to pay real-world attackers by the hour, and they have all the time in the world; but when using paid consultants, efficient use of time and budget is critical.
Second, there’s a big difference between bug bounty programs, vulnerability disclosures, and pentesting. For instance, automated scans like Nessus are not the same thing as a pentest. Unfortunately, many small businesses don’t realize this and may assume that a “basic scan” or bug bounty program is sufficient. Bug bounty hunters are mostly junior-level people, frequently based in developing countries. Simply put, experienced hackers are hard to find, and they don’t work for small payouts or a t-shirt. Bug bounty hunters also tend to (repeatedly) report the same low-impact findings, putting a communications demand on the company.
Bug bounty programs, vulnerability disclosures, and penetration testing (pentesting) have unique characteristics, methodologies, and objectives:
- Bug bounty programs are crowdsourced initiatives where organizations invite ethical hackers to discover and report vulnerabilities in their systems. Participants are rewarded based on the severity and validity of the vulnerabilities they identify.
- Vulnerability disclosure refers to the process through which individuals report security flaws to an organization. This can occur through formal channels or informal communication.
- Pentesting involves hiring security professionals like ROS to simulate cyberattacks on an organization’s systems to identify vulnerabilities. This is typically a structured and time-bound engagement.
Speaking of smaller businesses, do you think they face specific challenges when it comes to cybersecurity?
Small businesses frequently don’t consider penetration testing until they face a crisis, like a ransomware attack. It may be too expensive for them, plus they often don’t realize they need it until it’s too late. Larger companies, on the other hand, are more proactive because of compliance requirements and larger budgets.
I recommend that SMEs find an external security partner who can work by the hour. Small companies might not have the resources to hire full-time security staff, but having a professional they can call when needed can make a big difference. Even a single security audit can help them to prioritize risks and address at least some key vulnerabilities.
What vulnerabilities do you find most often during your penetration tests?
We often find issues like a lack of software updates, incorrect configurations, poor password management, and lack of input sanitization, leading to script injection, buffer overflows, and other OWASP Top 10 attacks. These are the usual suspects that remain consistent across most of the pentests we conduct.
New attack categories are emerging, like prompt injection and dataset poisoning in Large Language Models (LLMs). However, the main classes of security vulnerabilities have remained largely the same since the 1980s. It’s primarily the technology and application domains that have evolved since then.
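The “lack of input sanitization, leading to script injection” finding named above is the one that turns up in almost every web pentest, so here is what it looks like in code. This is an added illustration, not code from the interview or from ROS: a comment renderer that concatenates untrusted input into HTML beside a hardened version that output-encodes it, plus a small audit helper that reports which tags the user input managed to introduce. All function names and sample comments are constructed for the example.

```python
"""Added example (not from the interview): "lack of input sanitization ->
script injection", shown as a vulnerable HTML renderer beside a hardened one.
Every name and sample value here is constructed for illustration."""
import html
import re

# Constructed sample input: what a comment form might submit. The second entry
# is the generic marker payload a tester uses to confirm that input reaches the
# page as markup; the third shows ordinary text that must survive encoding.
SAMPLE_COMMENTS = [
    ("alice", "Great write-up, thanks!"),
    ("mallory", '<script>alert("xss")</script>'),
    ("bob", 'Tom & Jerry say "hi" <3'),
]


def render_comment_vulnerable(author: str, body: str) -> str:
    """Untrusted input is concatenated straight into markup: any '<' or '"'
    supplied by the user becomes part of the page structure."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_hardened(author: str, body: str) -> str:
    """Same template, but every user-controlled value is output-encoded for the
    context it lands in. html.escape(quote=True) turns & < > " ' into entities,
    so the browser treats the text as data rather than as tags or attribute
    delimiters. Encoding at output time is the fix; 'sanitizing' on input is
    not, because the same string may later be emitted in a different context."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'


_TAG_RE = re.compile(r"</?\s*([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(markup: str, template_tags=frozenset({"div", "p"})) -> set:
    """Return the tag names present in `markup` that the template itself did
    not emit. A non-empty result means user input became markup, i.e. an
    injection. This regex tag-spotting is a test aid only, not a sanitizer."""
    found = {m.group(1).lower() for m in _TAG_RE.finditer(markup)}
    return found - set(template_tags)


def audit(renderer) -> dict:
    """Run every sample comment through `renderer` and map author -> injected tags."""
    return {author: injected_tags(renderer(author, body)) for author, body in SAMPLE_COMMENTS}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_comment_vulnerable),
                     ("hardened", render_comment_hardened)):
        print(f"{name}: {audit(fn)}")
```

Running the block prints an injected `script` tag for the vulnerable renderer and an empty set for every author under the hardened one; the audit helper is the kind of regression check the interview mentions wiring into a DevOps pipeline after a retest.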
Could you walk us through what the process looks like when a customer starts working with Radically Open Security?
When a customer requests a pentest or another ethical hacking service, the first step is an intake call where we discuss their needs. After that, we onboard them into our online chat environment (Rocketchat) and pair them with one or two pentesters whose skills match the project. The pentesters work with the customer to scope the assignment, define and prioritize the work, and create a timebox and budget that align with the customer’s needs.
Once the scope is agreed upon, the customer can decide whether or not to proceed. If they sign the quotation, we start the pentesting process, keeping them involved through our “peek over our shoulder” method. This way, the client is directly involved with the process from start to finish.
In the report provided, we include management summaries, technical descriptions, and detailed recommendations for fixing each vulnerability. We don’t perform the actual fixes — that’s up to the customer. They know their systems best and can address the issues most quickly and effectively. We do sometimes retest to verify that the issues have been resolved and, in some cases, can help customers to set up unit tests for their DevOps pipelines, to prevent future regressions.
“We tasked the Netherlands-based security firm Radically Open Security (ROS) with performing the third audit towards our VPN infrastructure… We asked them to focus solely on VPN servers that run from RAM, one OpenVPN, and one WireGuard server… ROS discovered a number of new findings, and we would like to thank them for their thorough and detailed report.”
Mullvad VPN, August 9, 2023
You mentioned large language models (LLMs). How do you think emerging technologies like LLMs will impact the future of cybersecurity?
LLMs are good at doing things quickly, but not always well. For example, they can generate great phishing pretexts or spam emails effortlessly. However, when it comes to code audits or more nuanced cybersecurity tasks, they’re not quite there yet. We’ve experimented with using LLMs internally for parts of the report writing process, but we’re careful not to compromise on quality. That said, the IT landscape is changing and we’re moving along with it.
We’ll continue to test and use AI tools to see where they make sense, but I don’t see them fully replacing human pentesters any time soon. These tools are helpful, but they need human oversight to be truly effective.
Lastly, what advice would you give companies looking to improve their security without breaking the bank?
Pay attention to your basic security hygiene. Promptly install all security updates, provide security training for staff, and manage your passwords wisely. Use tools like “Have I Been Pwned” to check if your data has been involved in breaches. Be honest when you don’t have the internal capacity to manage your IT properly, and ask for help when you need it.
Password managers are helpful, but have their strengths and weaknesses. The primary weakness is that they are single points of failure – if your master password gets phished (or forgotten) the situation is total loss. But the real question is: “what’s the alternative?”. Writing passwords in unencrypted text files, putting sticky notes on your monitor, or reusing the same password everywhere isn’t a great idea. I won’t recommend any specific commercial password manager; I prefer to promote free and open-source solutions. Lastly, magic links and passkeys can also provide a good alternative way forward.
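The “Have I Been Pwned” check recommended above is worth seeing in code, because its design answers the obvious objection to checking passwords against a breach corpus: the password itself never leaves your machine. The added example below (not from the interview, and not ROS or HIBP code) follows the Pwned Passwords range-query convention: hash the password with SHA-1, send only the first five hex characters, and compare the remaining 35 locally against the returned list of `SUFFIX:COUNT` lines. The endpoint URL is the real one, but the sample server response embedded here is constructed so the block runs offline; its count for the word “password” is a made-up number, not the real statistic.

```python
"""Added example (not from the interview): a k-anonymity password check in the
style of the Pwned Passwords range API. The SAMPLE response below is
constructed so the demo runs offline; only fetch_range() touches the network."""
import hashlib
import urllib.request

# Real endpoint of the range API; used only by fetch_range(), never by the demo.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for what the server returns for prefix 5BAA6. The first
# suffix is the real tail of SHA-1("password"); the counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "0000000000000000000000000000000AAAA:7\r\n"
        "\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """(prefix sent to the server, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}; tolerates blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup) -> int:
    """How many times the password appears in the corpus, or 0 if absent.
    `range_lookup(prefix)` returns the server body for that 5-char prefix, so
    the same function works with the offline sample or with fetch_range()."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def offline_lookup(prefix: str) -> str:
    """Lookup against the constructed sample; unknown prefixes yield an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range(prefix: str) -> str:
    """Live lookup (needs Internet). Note that only the 5-char prefix is sent."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "some-unique-passphrase-not-in-sample"):
        prefix, _ = split_hash(candidate)
        n = breach_count(candidate, offline_lookup)
        print(f"prefix sent: {prefix}  seen in corpus: {n}")
```

To check a real password, pass `fetch_range` instead of `offline_lookup`; the server learns only that one of the roughly 400 to 600 hashes in that range was of interest. A non-zero count is a reason to rotate the password, and the same routine can be wired into an onboarding or password-change flow so that known-breached passwords are refused up front.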
Follow Dr. Melanie Rieback
Linkedin: https://nl.linkedin.com/in/mrieback