The State of Security

Presented at Summercon 2017, June 23, 2017, 11 a.m. (50 minutes).

The security field suffers from a lack of hard data. Too often, security professionals have to give recommendations based on what feels true or what seems to be true, rather than real ground truth. At the Cyber ITL, a nonprofit research organization, we're working to replace such truthiness with hard data. We're also focusing on binary analysis, as the field's focus on source code analysis has left some major blind spots in security reviews of software products.

Parts of CITL's methodology have now been adopted by Consumer Reports and rolled into its Digital Standard for evaluating the safety, security, and privacy of a range of consumer devices. The standard defines consumer values that must be addressed during product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy.


Presenters:

  • Sarah Zatko
    Sarah Zatko is the Chief Scientist at the Cyber Independent Testing Lab (CITL), where she develops testing protocols to assess the security and risk profile of commercial software. She also works on automated reporting mechanisms that make such information understandable and accessible to a variety of software consumers. The CITL is a non-profit organization dedicated to empowering consumers to understand risk in software products. Sarah has degrees in Math and Computer Science from MIT and Boston University. Prior to her position at CITL, she worked as a computer security professional in the public and private sectors. @Cyber ITL
