A 'Consumer Reports' for software vulnerabilities

The Cyber Independent Testing Lab will evaluate the security of commercial software so that users and purchasers can make quantitative comparisons among different products.

For years, organizations have struggled with understanding the potential weaknesses of the software they’re using, in part because there is no unbiased measure of comparison to help guide their choices.

At the recent Black Hat conference, longtime computer scientists Peiter 'Mudge' Zatko and Sarah Zatko discussed the Cyber Independent Testing Lab, an independent organization that will benchmark security flaws in commercial software. (Photo by Richard C. Hoffman)

But with the help of one emerging government-supported nonprofit, companies and government agencies alike may soon have a better handle on how software they own or are considering purchasing measures up in terms of security. During a presentation at last week’s Black Hat conference in Las Vegas, computer scientists Peiter Zatko (better known as Mudge) and Sarah Zatko discussed the independent organization they are building to impartially benchmark commercial software security flaws.

“All the certifications and evaluations that come out, they’re not about security,” said Sarah Zatko, who is chief scientist for the Cyber Independent Testing Lab and a member of the Army's Order of Thor, which recognizes contributions of cybersecurity professionals.

Meanwhile, more arcane and technical source code reviews do not help the average corporate or independent software user understand or evaluate the potential security flaws in their software. “Legislation is well-meaning,” she added, “but it typically focuses on making it illegal to look at this problem, and that is a terrible way to solve anything.”

Mudge, a longtime hacker and vulnerability specialist, left Google last year to launch and become the director of CITL after he received a call from the White House urging him to do so. A former program manager at the Defense Advanced Research Projects Agency and author of the password-cracking L0phtCrack software, Mudge is no stranger to the public- and private-sector struggles involved with evaluating the security of the software that organizations are using.

Although they are not planning to certify or offer any seals of approval on the software they test, the Zatkos said CITL aims to use a Consumer Reports-like methodology to evaluate the security of commercial software based on metrics and measurements that will allow laypeople to quantitatively compare different products.

In the year since they began their efforts, the pair and their team at CITL have been applying a range of heuristics that attackers typically use to decide whether a software target is hard or soft, that is, difficult or easy to compromise with their exploits. Their metrics and tests combine popular, widely known techniques with “esoteric tradecraft,” and they test software on the three most popular operating systems. So far, the lab has assessed software quality and inherent vulnerabilities in more than 100,000 binary applications across Windows, Linux and OS X.
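The article does not spell out which heuristics CITL applies. As an added illustration for this page (not CITL's code, and not a description of its methodology), the Python below checks three of the cheapest attacker-side signals of whether an ELF binary is a hard or soft target: whether the image is position-independent (PIE, so ASLR can relocate it), whether its stack is marked non-executable (NX), and whether it carries a RELRO segment protecting relocation data. The sample binaries are constructed in `build_elf()` as header-only images, so the script runs offline with no real software installed.

```python
"""
Static check of a few binary-hardening properties in an ELF64 image.

Added illustration for this article: it is NOT CITL's code and does not
describe CITL's methodology, which the article does not detail. It shows the
kind of cheap, attacker-style heuristic one can run over a binary to decide
whether it is a "hard" or "soft" target. Sample inputs are constructed in
build_elf(); they are header-only images with no code in them.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte ELF64 program header


def hardening_report(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro'} booleans for a little-endian ELF64 image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum,
     _shstrndx) = EHDR.unpack_from(data, 0)
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header size")

    gnu_stack_flags = None
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * PHDR.size
        if off + PHDR.size > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = PHDR.unpack_from(data, off)[:2]
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    # Without a PT_GNU_STACK header the loader falls back to an executable
    # stack on x86, so "absent" counts as no NX rather than as unknown.
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def hardening_score(report: dict) -> int:
    """Crude 0..3 count of mitigations present; higher means a harder target."""
    return sum(1 for v in report.values() if v)


def build_elf(pie: bool, exec_stack: bool, relro: bool,
              gnu_stack: bool = True) -> bytes:
    """Construct a minimal header-only ELF64 image for testing (hypothetical sample)."""
    phdrs = []
    if gnu_stack:
        flags = (PF_X if exec_stack else 0) | 0x6  # RW, plus X if requested
        phdrs.append(PHDR.pack(PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    samples = {
        "soft (ET_EXEC, exec stack, no RELRO)": build_elf(False, True, False),
        "hard (PIE, NX, RELRO)": build_elf(True, False, True),
        "no PT_GNU_STACK header at all": build_elf(True, False, True, gnu_stack=False),
    }
    for name, image in samples.items():
        rep = hardening_report(image)
        print(f"{name}: {rep} score={hardening_score(rep)}/3")
```

A real evaluation of the kind the article describes would go much further: stack canaries (presence of `__stack_chk_fail` in the symbol table), FORTIFY_SOURCE, full RELRO (`DT_BIND_NOW` in the dynamic section), and the equivalent PE and Mach-O checks for the Windows and OS X builds the article compares. The point of the snippet is only that these properties are readable directly from the shipped binary, without source code, which is what makes a Consumer Reports-style comparison across vendors possible.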

That work has confirmed some basic beliefs about the security of certain products, particularly when run on particular operating systems, but it has also challenged conventional wisdom in some areas. Sometimes, CITL found, “the more secure product is actually ... cheaper, and quite often the [expensive] security product is the most vulnerable.”

It’s not surprising, as Mudge pointed out, that the “price tags for exploits mapped up nicely” with how hardened a product is – meaning exploits for hardened software are more expensive. “If we do this measurement for the office suites that are available,” he said, “you start to realize the level of effort an adversary has to go through.”

Mudge also noted the Microsoft Office Suite running on OS X is much softer (and open to compromise) than the same suite running on Windows, because the security Microsoft offers for its own platform is better than what is available when its software runs on competing operating systems.

CITL will start releasing its results in early 2017, the co-founders said.
