In-brief: A White House-backed effort to develop a system for rating software security is set to launch at this week’s Black Hat briefings with famed hacker Peiter Zatko (aka “Mudge”) at the helm.
A year ago, we wrote about a White House effort to launch a kind of “Underwriters Lab” for the software industry. The Obama Administration tapped famed hacker Peiter Zatko (aka “Mudge”) to leave Google and head up a new project aimed at developing an “underwriters’ lab” for cyber security.
One year later, that effort – which Zatko dubbed a kind of CyberUL – is ready to launch. As Kim Zetter points out in this article for The Intercept, Zatko and his wife Sarah, a former NSA mathematician, are pulling the covers off their creation, which Zetter describes as a “first-of-its-kind method for testing and scoring the security of software.”
The new method for assessing software security is inspired partly by Underwriters Laboratories, and will be called the Cyber Independent Testing Lab. According to the article, the new tool will assess
From The Intercept:
The Zatkos’ operation won’t tell you if your software is literally incendiary, but it will give you a way to comparison-shop browsers, applications, and antivirus products according to how hardened they are against attack. It may also push software makers to improve their code to avoid a low score and remain competitive.
A number of firms including Veracode, Codenomicon and WhiteHat Security offer services that will audit the underlying application code and can identify security holes. The Zatkos’ approach is somewhat different. Rather than search for vulnerabilities in the code, algorithms developed by Sarah Zatko will look for evidence that the application was built securely.
The technique involves, in part, analyzing binary software files using algorithms created by Sarah to measure the security hygiene of code. During this sort of examination, known as “static analysis” because it involves looking at code without executing it, the lab is not looking for specific vulnerabilities, but rather for signs that developers employed defensive coding methods to build armor into their code.
“To use the car analogy, does it have seat belts, does it have air bags, does it have anti-lock brakes? All the things that are going to make [a hacker’s] life more difficult,” Mudge says.
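As an added illustration (not CITL's code and not part of the original article), the sketch below shows the general kind of check the passage describes: reading a binary's headers, without executing it, for signs of build-time hardening. The four indicators it reports (position-independent executable, non-executable stack, RELRO, stack-protector symbol) are widely known hardening markers chosen here as assumptions, since the article does not list CITL's metrics; the two sample images are constructed, headers-only ELF files.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header
ET_DYN, PF_X = 3, 0x1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552

def hardening_report(data: bytes) -> dict:
    """Report hardening visible in an ELF64 LE image, without running it."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    f = EHDR.unpack_from(data)
    e_type, e_phoff, e_phentsize, e_phnum = f[1], f[5], f[9], f[10]
    if e_phnum and (e_phentsize < PHDR.size
                    or e_phoff + e_phnum * e_phentsize > len(data)):
        raise ValueError("program header table is truncated or malformed")
    segs = {}  # segment type -> permission flags
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        segs[p_type] = p_flags
    return {
        "pie": e_type == ET_DYN,  # note: shared libraries are ET_DYN too
        "nx_stack": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in segs,  # segment present = at least partial RELRO
        "stack_protector": b"__stack_chk_fail" in data,  # heuristic string match
    }

def make_elf(e_type, segments, extra=b""):
    """Build a constructed, headers-only ELF64 image for the demo."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    hdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phs = b"".join(PHDR.pack(t, fl, 0, 0, 0, 0, 0, 0) for t, fl in segments)
    return hdr + phs + extra

# Constructed samples: one built with the protections, one without.
HARDENED = make_elf(3, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)], b"__stack_chk_fail\0")
LEGACY = make_elf(2, [(PT_GNU_STACK, 7)])  # ET_EXEC, executable stack

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, hardening_report(image))
```

To check a real file, pass `open(path, "rb").read()` to `hardening_report`; a production tool would resolve the dynamic symbol table rather than string-match for the stack-protector symbol.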
Unlike the Underwriters’ Lab, however, the new program, dubbed CITL (Cyber Independent Testing Labs), will not offer certifications or seals of approval. Rather, the goal is to offer quantitative ratings of software security that make it easy to evaluate the relative security of different software, even for non-technical users.
Their evaluation system uses what they describe as “a wide range of heuristics that attackers use” to identify “soft targets” for hackers. as been codified, refined, and enhanced. “Some of these techniques are quite straightforward and even broadly known, while others are esoteric tradecraft,” according to a description of the program posted on the web site of the Black Hat Briefings.
To date, no one has applied all of these metrics uniformly across an entire software ecosystem before and shared the results. For the first time, a peek at the Cyber Independent Testing Lab’s metrics, methodologies, and preliminary results from assessing the software quality and inherent vulnerability in over 100,000 binary applications on Windows, Linux, and OS X will be revealed. All accomplished with binaries only.
Mr. and Mrs. Zatko will present their new system on Wednesday at The Black Hat Briefings, a leading cyber security gathering that takes place in Las Vegas.