Facebook teamed up with computer-industry association USENIX to launch the Internet Defense Prize, aimed at highlighting research that could significantly improve the security of the Web. The inaugural winners, Johannes Dahse and Thorsten Holz, researchers from Ruhr-Universität Bochum in Germany, were awarded $50,000 for a paper titled “Static Detection of Second-Order Vulnerabilities in Web Applications.”
Facebook Security Engineering Manager John “Four” Flynn, who served on the award committee for the Internet Defense Prize, described the work by Dahse and Holz in a note on the Protect the Graph page:
The researchers used static analysis to detect “second-order vulnerabilities” in Web applications that are used to inflict harm after being stored on the Web server ahead of time. In addition to their impressive results, the committee responded well to their implementation approach. The technical merit of the paper was strong, and the committee could see a clear path for applying the award funds to push the research to the next level in order to produce broader impact and encourage people to implement the technology. We’re very excited to see what they do next.
Flynn also detailed the story behind the Internet Defense Prize:
Recently, we started asking ourselves how we could do more to make the Web secure and have a greater impact. One of the biggest hurdles we identified was that offensive security work (hacking into this or that) and theoretical academic research often get more recognition than defensive work that prevents vulnerabilities and reduces the effectiveness of attacks. We decided to focus on creating greater opportunities and incentives for researchers to produce work that actually protects people.
Our answer is the Internet Defense Prize, an award to recognize superior quality research that combines a working prototype with significant contributions to the security of the Internet — particularly in the areas of protection and defense. To kick things off, we approached USENIX, an organization respected for its depth in the academic community and commitment to meaningful security research. After receiving an enthusiastic response from USENIX, we assembled members of the award committee for the annual USENIX Security Symposium to join me in evaluating the submissions they received this year.
Looking forward, we want to invite researchers to submit their work for consideration to be a future recipient of the Internet Defense Prize. More details about the timing and specifics will be available at a later date, but in the meantime, you can send questions to email@example.com. We expect that the award amount may grow larger if an idea is particularly strong, or we may hold onto the funds if no project meets the bar.
USENIX Executive Director Casey Henderson said in an emailed statement to AllFacebook:
USENIX is thrilled to collaborate with Facebook on this significant award, which shines a light on the importance of securing the Internet by identifying critical vulnerabilities and preventing their exploitation. We thank Facebook for supporting the researchers who publish at the USENIX Security Symposium so that they can continue their crucial work.
USENIX Security 2014 Awards Committee Chair Ben Ransford of the University of Washington added:
Despite researchers’ best intentions, too many research projects are abandoned in the prototype phase before they have a chance to make an impact outside academic circles. This award is meant to help bring a promising research project much closer to a large number of people who can benefit from it, and it provides an extra incentive for researchers to think about the real-world applicability of their work. In partnering with USENIX, the most progressive and forward-looking organization of computer scientists, Facebook is making a clear statement on behalf of Internet users: Cutting-edge security and privacy research is critical to the Internet’s success.