"Our mandate is basically to break as many things as we can," says Chris Rohlf, who heads Yahoo's six-person penetration testing group and red team. Its mission is "to be the offense and find as many security vulnerabilities inside of Yahoo before attackers can find and exploit them to gain access to our systems," he says. "And the primary reason for this role existing is because 'you can't grade your own homework.'"
That's a quote from the book "Red Team: How to Succeed By Thinking Like the Enemy" by Micah Zenko, a senior fellow at the Council on Foreign Relations. Rohlf says the underlying ethos pervades Yahoo's approach to information security, as well as its use of penetration testing to find bugs and red teaming to improve the organization's overall security posture for its multiple brands, including Flickr and Tumblr.
Rohlf notes that the company resolves every bug report as quickly as possible. "When we find them, we treat them the same way as if someone externally had reported them. If we gain arbitrary code execution on an internal system that's sensitive, we treat it as if someone on the outside found that vulnerability, and we patch it within 24 hours."
In this interview with Information Security Media Group (see link below photo), Rohlf also discusses:
- Developing the skills required to identify bugs and other security problems.
- Applying threat modeling to identify the most likely risks to an organization.
- Using tools, techniques and procedures to test the likely effectiveness of real-life attackers.
- Blending penetration testing and red-teaming practices.
- Working with organizations when reporting code flaws, and the growth of bug bounty programs.
Rohlf, senior manager of penetration testing for Yahoo, has 10 years of experience as a security researcher, consultant, developer and engineer, and serves on the Black Hat conference content review board. He previously founded and ran information security consultancy Leaf Security Research, was a security consultant for Matasano Security as was a security researcher for the U.S. Army's Communications-Electronics Research, Development and Engineering Center.