Quantifying Risk in Consumer Software at Scale - Consumer Reports' Digital Standard

Black Hat USA 2017

Presented by: Eason Goodale, Sarah Zatko
Date: Thursday July 27, 2017
Time: 12:10 - 13:00
Location: Mandalay Bay AB

Last year Mudge and Sarah pulled back the curtains on the non-profit Cyber Independent Testing Laboratory: An organization designed to quantify the efficacy of security development practices and predict future software risks and vulnerabilities. One of the surprise discoveries was that their methodologies mapped to the pricing structure of the underground 0day market.

The first half of this talk will disclose the progress and findings since then. This includes universal fuzzers, results of new target analysis across 4 major operating systems, early results from porting their analysis to IoT architectures, and the future roadmap for this non-profit organization.

The second half of the talk focuses on the recently announced open 'Digital Standard', an effort put together by Consumer Reports, Disconnect, Ranking Digital Rights, and Cyber-ITL. The challenges in capturing and conveying meaningful information covering privacy, safety, exploitability, and consumer rights in all forms of software will be addressed by representatives from each organization.

Sarah Zatko

Sarah Zatko has a bachelor's in Math with Computer Science from MIT and a Master's in Computer Science from Boston University. She has worked in the computer security field for over a decade for government contractors such as BBN Technologies and The Institute for Defense Analysis (a Federally Funded Research and Development Center), and for commercial companies like IBM and L0phtcrack, LLC. Sarah also has a strong interest in security education and has presented talks on computer science curriculum design at the University of Michigan, West Point, and Shmoocon, a computer security conference held annually in Washington, DC. Sarah will be using her math and computer security experience to develop models for predicting the expected security of software systems based on their initial test results and metrics.

Eason Goodale

Eason Goodale is a lead software engineer at Disconnect, where he works on improving the state of online privacy with best-of-breed software. A long-time privacy enthusiast and advocate, he focuses on delivering practical, easy-to-use applications that address the real and frequently underestimated threats consumers face online.
