This hacker is rating software security Consumer Reports-style
CSO, from IDG – J.M. Porup
The Cyber Independent Testing Lab (CITL) is fuzzing binaries at scale and building a checklist of compile-time security best practices. Founded by L0pht hacker and former head of cybersecurity research at DARPA Peiter “Mudge” Zatko, and bankrolled with seed funding from the US Air Force, the CITL presented its methodology and some preliminary results at the 34c3 hacker conference in Leipzig, Germany a few weeks ago.

To encourage vendors to prioritize security, the CITL is mass testing thousands of publicly available binaries against its checklist, and plans to publish Consumer Reports-style ratings. Enterprise security administrators will be able to use the CITL’s ratings to identify weaknesses in their infrastructure and to demand more secure software from their suppliers.

Using a custom fuzzer that is still under development, the CITL tests binaries and rates them based on their complexity, application armoring, and developer hygiene. The more complex the code, the more likely it is to contain security flaws. Developers who use the C strcpy and strcat functions, the CITL reasons, likely haven’t given security much thought. Application armoring includes compile-time defenses like stack guards, ASLR, and code signing.

Critics of the CITL argue that there is a category difference between defending against manufacturing defects and defending against sabotage. Underwriters Laboratories (now UL) does not include malicious adversaries when it evaluates electrical appliances, nor does Consumer Reports rate the roadworthiness of cars based on the vehicle’s defenses against the mafia disabling your brakes. The threat models are different.
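An added example, not the CITL’s fuzzer or any code from the article: a pure-Python ELF64 auditor that checks the compile-time items the summary names (PIE for ASLR, non-executable stack, RELRO, stack canary) and flags imports of strcpy/strcat as a hygiene marker, plus a constructed, non-loadable sample image so it runs offline. Field offsets and constants follow the ELF64 format; the RISKY list and the sample builder are my own choices.

```python
"""Audit an ELF64 binary for the compile-time hardening and libc-import checks the article lists."""
import struct

PT_GNU_STACK, PT_GNU_RELRO, SHT_DYNSYM = 0x6474E551, 0x6474E552, 11
RISKY = {"strcpy", "strcat", "gets", "sprintf"}  # "developer hygiene" markers (my selection)

def audit_elf(data: bytes) -> dict:
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", data, 54)
    result = {"pie": e_type == 3, "nx_stack": False, "relro": False,  # ET_DYN => PIE (or a .so)
              "stack_canary": False, "risky_imports": set()}
    for i in range(e_phnum):  # PT_GNU_STACK flags tell the loader whether the stack is executable
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & 1)  # PF_X bit clear
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    for sh in (s for s in shdrs if s[1] == SHT_DYNSYM):  # scan imported symbol names
        strtab = shdrs[sh[6]]  # sh_link points at the matching string table
        names = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(0, sh[5], 24):  # sizeof(Elf64_Sym) == 24
            st_name, = struct.unpack_from("<I", data, sh[4] + off)
            name = names[st_name:names.index(b"\0", st_name)].decode()
            if name == "__stack_chk_fail":  # only imported when -fstack-protector emitted canaries
                result["stack_canary"] = True
            elif name in RISKY:
                result["risky_imports"].add(name)
    return result

def build_sample_elf(imports, pie=True, nx=True, relro=True) -> bytes:
    """Constructed minimal (non-loadable) ELF64 image used to exercise the auditor."""
    names = b"\0" + b"".join(n.encode() + b"\0" for n in imports)
    offs = [1 + sum(len(n) + 1 for n in imports[:i]) for i in range(len(imports))]
    dynsym = b"".join(struct.pack("<IBBHQQ", o, 0, 0, 0, 0, 0) for o in offs)
    phdrs = [(PT_GNU_STACK, 6 if nx else 7)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    sh_off = 64 + 56 * len(phdrs)
    dynsym_off, dynstr_off = sh_off + 3 * 64, sh_off + 3 * 64 + len(dynsym)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3 if pie else 2, 0x3E, 1, 0, 64, sh_off, 0, 64, 56, len(phdrs), 64, 3, 0)
    phs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    shs = (bytes(64) + struct.pack("<IIQQQQIIQQ", 0, SHT_DYNSYM, 0, 0, dynsym_off, len(dynsym), 2, 0, 8, 24)
           + struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, dynstr_off, len(names), 0, 0, 1, 0))
    return hdr + phs + shs + dynsym + names
```

On a real system, pass `open(path, "rb").read()` to `audit_elf`; a binary missing PT_GNU_STACK is reported as lacking an NX stack, which is the conservative reading.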
Link: https://www.csoonline.com/article/3247677/application-security/this-hacker-is-rating-software-security-consumer-reports-style.html