Epidemiology of Software Vulnerabilities: A Study of Attack Surface Spread

Presented at Black Hat USA 2014, Aug. 7, 2014, 9 a.m. (25 minutes).

Many developers today are turning to well-established third-party libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single application may embed as many as 100 different third-party libraries. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products, exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly. How big of a problem is this? Which libraries are the biggest offenders for spreading pestilence? And what can be done to minimize this problem? This presentation will dive deep into vulnerability data and explore the source and spread of these vulnerabilities through products, as well as actions the security research community and enterprise customers can take to address this problem.


Presenters:

  • Jake Kouns - Risk Based Security
    Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, which oversees the operations of the Open Sourced Vulnerability Database (OSVDB.org). Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE and SyScan. He has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed by the media. Mr. Kouns is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.
  • Kymberlee Price - Synack
    Kymberlee Price is the Director of Ecosystem Strategy at Synack, where she leads the team responsible for Synack Red Team community management, security response, and vulnerability metrics analysis programs. Prior to Synack, Kymberlee worked in the BlackBerry Security Incident Response Team, where she handled all WebKit and certificate-related vulnerability cases in BlackBerry products. She has also worked in the Trustworthy Computing group at Microsoft, where she founded the Security Researcher Outreach team, defining 1:1 and 1:few programs to engage the research community and drive down the operational cost of response for Microsoft.