Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulns

Black Hat USA 2011

Presented by: Sandy Clark (Mouse)
Date: Wednesday August 03, 2011
Time: 16:45 - 17:10
Location: Florentine
Track: Turbo Talks

"Good programmers write code, great programmers reuse" is one of the best-known truisms of software development. But what does that mean for security? For over 30 years software engineering has focused on writing the perfect code and reusing it as often as possible, believing that if the bugs can just be removed, the system will be secure. In our talk we will demonstrate how this most prominent doctrine of programming is deadly for security. Analysis of software vulnerability data, including a full decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as the actual software quality. We show that (at least in the first phase of a product's existence) software vulnerabilities have different properties from software defects.

Our analysis of popular exploits shows that the attacker's learning curve can help determine when, and which, particular products are likely to be attacked. Improvements in the exploit tools affect the frequency of attack, and the ultimate result is point-and-click usability. I will demonstrate that the more familiar an attacker is with your product, the more likely you are to be attacked and the more likely the attacker will succeed.

Sandy Clark

Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. An active member of the hacker community, her professional work includes an Air Force flight control computer, a simulator for NASA, singing at Carnegie Hall, and a minor in history. She is currently fulfilling a childhood dream, pursuing a Ph.D. in computer science at the University of Pennsylvania. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles. Her research explores human-scale security and the unexpected ways that systems interact.
