How risky is the software you use?

CITL: Quantitative, Comparable Software Risk Reporting

Video duration
00:58:50
Language
English
Abstract
Software vendors like to claim that their software is secure, but the effort and techniques applied to this end vary significantly across the industry. From an end-user's perspective, how do you identify those vendors who are effective at securing their software? From a vendor's perspective, how do you identify those techniques which are effective at improving security? Presenting joint work with Sarah Zatko, mudge, Patrick Stach, and Parker Thompson.

Where are the longitudinal studies showing a large body of binaries with and without stack guards, or source fortification, or some other proposed best practice, and the resulting difference in exploitability? Where are the studies and reports on software content and safety, so that consumers can minimize their risk and make informed choices about what software is worth the risk it adds to an environment? We at CITL are working to fill in these blind spots, so that security professionals can back up their recommendations with solid scientific findings, and consumers can be empowered to better protect themselves. We'll be talking about the automated static analysis and fuzzing frameworks we're developing and presenting early results from our large scale software testing efforts.

Talk ID
9225
Event
34c3
Day
1
Room
Saal Adams
Start
3:15 p.m.
Duration
01:00:00
Track
Ethics, Society & Politics
Type of
lecture
Speaker
Tim Carstens & Parker Thompson
Talk Slug & media link
34c3-9225-how_risky_is_the_software_you_use

Talk & Speaker speed statistics

Very rough underestimation:

Whole talk:
175.7 wpm
969.3 spm

Tim Carstens & Parker Thompson:
177.1 wpm
977.6 spm
