back

How risky is the software you use?

CITL: Quantitative, Comparable Software Risk Reporting

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration: 00:58:50
Language: English
Abstract: Software vendors like to claim that their software is secure, but the effort and techniques applied to this end vary significantly across the industry. From an end-user's perspective, how do you identify those vendors who are effective at securing their software? From a vendor's perspective, how do you identify those techniques which are effective at improving security? Presenting joint work with Sarah Zatko, mudge, Patrick Stach, and Parker Thompson.

Where are the longitudinal studies showing a large body of binaries with and without stack guards, or source fortification, or some other proposed best practice, and the resulting difference in exploitability? Where are the studies and reports on software content and safety, so that consumers can minimize their risk and make informed choices about what software is worth the risk it adds to an environment? We at CITL are working to fill in these blind spots, so that security professionals can back up their recommendations with solid scientific findings, and consumers can be empowered to better protect themselves. We'll be talking about the automated static analysis and fuzzing frameworks we're developing and presenting early results from our large scale software testing efforts.

Talk ID: 9225
Event:: 34c3
Day: 1
Room: Saal Adams
Start: 3:15 p.m.
Duration: 01:00:00
Track: Ethics, Society & Politics
Type of: lecture
Speaker: Tim Carstens & Parker Thompson
Talk Slug & media link: 34c3-9225-how_risky_is_the_software_you_use