lecture: How risky is the software you use?
CITL: Quantitative, Comparable Software Risk Reporting
Software vendors like to claim that their software is secure, but the effort and techniques applied to this end vary significantly across the industry. From an end-user's perspective, how do you identify those vendors who are effective at securing their software? From a vendor's perspective, how do you identify those techniques which are effective at improving security? Presenting joint work with Sarah Zatko, mudge, Patrick Stach, and Parker Thompson.
Where are the longitudinal studies showing a large body of binaries with and without stack guards, or source fortification, or some other proposed best practice, and the resulting difference in exploitability? Where are the studies and reports on software content and safety, so that consumers can minimize their risk and make informed choices about what software is worth the risk it adds to an environment? We at CITL are working to fill in these blind spots, so that security professionals can back up their recommendations with solid scientific findings, and consumers can be empowered to better protect themselves. We'll be talking about the automated static analysis and fuzzing frameworks we're developing and presenting early results from our large scale software testing efforts.