CITL — Quantitative, Comparable Software Risk Reporting

Software vendors like to claim that their software is secure, but the effort and techniques applied to this end vary significantly across the industry. From an end-user’s perspective, how do you identify those vendors who are effective at securing their software? From a vendor’s perspective, how do you identify those techniques which are effective at improving security? Where are the longitudinal studies showing a large body of binaries with and without stack guards, or source fortification, or some other proposed best practice, and the resulting difference in exploitability? Where are the studies and reports on software content and safety, so that consumers can minimize their risk and make informed choices about what software is worth the risk it adds to an environment? We at CITL are working to fill in these blind spots, so that security professionals can back up their recommendations with solid scientific findings, and consumers can be empowered to better protect themselves. We’ll be talking about the automated static analysis and fuzzing frameworks we’re developing and presenting early results from our large scale software testing efforts.

Tim Carstens, CITL Acting Director (@intoverflow) Sarah Zatko, CITL Chief Scientist Parker Thompson, CITL Lead Engineer (@m0thran) Patrick Stach, CITL Special Advisor Peiter “Mudge” Zatko, CITL Board Chairman (@dotMudge)

CITL (Cyber Independent Testing Laboratory) is a non-profit scientific research organization with the mission of advising software consumers through expert scientific inquiry into software safety and risk. We engage in scientific research to test software and computing products, and then we will publish the results of that research in a way that will best empower and educate software consumers. Our mission is to work for a fair, just, and safe software marketplace for all consumers and to empower consumers to protect themselves.

Presented by