1 / 9

Towards Evidence-Based Security

Towards Evidence-Based Security. Adam Shostack ShmooCon ‘05 Slides at http://www.homeport.org/~adam/shmoocon/. Speakers. Crispin Cowan Al Potter Ed Reed Adam Shostack. Outline. Adam’s 10 minutes What is Evidence Based Security Why we need it What EB Security is Not

gloria-todd
Download Presentation

Towards Evidence-Based Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards Evidence-Based Security • Adam Shostack • ShmooCon ‘05 • Slides at • http://www.homeport.org/~adam/shmoocon/

  2. Speakers • Crispin Cowan • Al Potter • Ed Reed • Adam Shostack

  3. Outline • Adam’s 10 minutes • What is Evidence Based Security • Why we need it • What EB Security is Not • What We Need to Make EB a reality • Crispin, Ed, Al • You All

  4. Are We Successful? • Morris Worm used buffer overflows, bad passwords, and sendmail to spread in 1989 • 16 years later, sendmail is fixed • Worms, phishing, spyware • Social engineering • Litany of problems gets no shorter

  5. Origin of EB • A desire to do better • Question why we’re not • Apply scientific method: • Testable hypotheses • Occam’s Razor

  6. Origin of the EBies • From medical community • Doctors got tired of folk remedies • Get outcome oriented • Apply scientific method

  7. What Is EB? • Hypothesize, test, repeat • Look to real world • Normalize for deployment? • Smaller and larger tests • Deployed systems survivability time? • Does this system survive this attack?

  8. What EB Is Not • Process Oriented • Stacks of paper don’t defend systems • Al & Crispin to cover? • Proof Oriented • Computers are not mathematical systems • Proofs rarely relate to real world security

  9. What EB Needs • Welcome the idea we’re doing badly • Gather data — Lots of it • If you buy, start asking for evidence • If you research, start looking for evidence

More Related