Some of you may not realize that Research In Motion has a rather large security response and research team. RIM historically has been almost silent on the way that it handles product security and vulnerabilities. But that’s beginning to change, in large part perhaps because the security response team at RIM is full of veterans of Microsoft’s Security Response Center, who learned the value of communication the hard way.
Microsoft’s much-discussed metamorphosis from security punching bag to example of how to handle security internally and externally has been built in many ways on the company’s security response process. While RIM never had the security image problem that Microsoft did, the officials now running the show there are applying those lessons and trying to build better relationships with security researchers, other vendors and members of the security community. In an interview at the Black Hat conference here, Adrian Stone, director of security response at RIM, and a former MSRC official, discussed the lessons learned at Microsoft, how RIM can protect its huge user base and what the key security challenges are for the company.
Dennis Fisher from Threat Post had the opportunity to do a Q&A with Adrian Stone:
Dennis Fisher: The thing that changed the security culture at Microsoft was that the message came from the top. Is that the case at RIM?
Stone: Security has always been core to the product with BlackBerry. We’re starting from a good base, whereas at Microsoft there was ten years of scar tissue there. From top down, it’s understood that security is core to all of this. We’ve had tremendous support from the entire organization.
Fisher: What kind of things have you implemented to try to make RIM more of a part of the conversation in the security community?
Stone: Well, we just had our first internal security summit in June. It was like the Blue Hat summits that Microsoft does, just a way to get researchers engaged with us and thinking about us. BlackBerry has been really evolving in terms of communication, engagement and engineering. If you get an engineer talking to another engineer, code wins. They understand each other. Opening the dialog is our main interest, and there are a number of ways to do that. Aside from the summit, we also are sponsoring Mobile Pwn2Own at EUSecWest. It’s the first one and we want to be involved. We’ve been doing some of this stuff for a while, but we’re doing it with a greater degree of transparency and more resources to help support the researchers.
Fisher: So is it just a case of being more public about what you’ve been doing?
Stone: Yes, there’s always been a lot of stuff there but we didn’t talk about it. The rise of mobile computing has caused a shift. Recognizing that the environment is changing is what we’ve looked at. The platform is evolving and users expect to have all of their features on mobile that they have on their desktops. So that’s the challenge for us.
Fisher: BlackBerry still has an enormous user base, and a lot of it is in the enterprise with a lot of data to protect.
Stone: When you look at our customer base, it’s not only enormous, but it’s also high-value. You start at the White House and work your way down. We start with the code and work our way up from there. The end-to-end security premise of BlackBerry is real. We always have to be vigilant. We look at things from everywhere. We’re going through a platform change and as you move away from one, you take the best of it with you. There’s a demand for a rich user experience and we’re building the platform to account for that.
Fisher: How has the rise of the app store model changed the way you handle security?
Stone: Apps are an interesting area. We’re working with ecosystem partners and our own engineers to help secure that environment. It’s about giving customers control of the app environment. We build in enterprise-level controls that build in access controls. There are app-level controls. It’s a multi-tiered approach. The apps present a tremendous opportunity for customers and researchers. The integration of the platform comes into play. We are building from the ground up and giving control of it to the customers so they can define permissions. They can whitelist apps, control apps on a specific basis, and there’s the honoring of the personal and work spaces, as well.