Towards Evidence-Based Security
Adam Shostack
ShmooCon '05
Slides at http://www.homeport.org/~adam/shmoocon/

Speakers
- Crispin Cowan
- Al Potter
- Ed Reed
- Adam Shostack

Outline
- Adam's 10 minutes
  - What is Evidence-Based Security
  - Why we need it
  - What EB Security is not
  - What we need to make EB a reality
- Crispin, Ed, Al
- You all

Are We Successful?
- Morris Worm used buffer overflows, bad passwords, and sendmail to spread in 1989
- 16 years later, sendmail is fixed
- Worms, phishing, spyware
- Social engineering
- Litany of problems gets no shorter

Origin of EB
- A desire to do better
- Question why we're not
- Apply the scientific method:
  - Testable hypotheses
  - Occam's Razor

Origin of the EBies
- From the medical community
- Doctors got tired of folk remedies
- Get outcome oriented
- Apply the scientific method

What Is EB?
- Hypothesize, test, repeat
- Look to the real world
- Normalize for deployment?
- Smaller and larger tests
  - Deployed systems' survivability time?
  - Does this system survive this attack?

What EB Is Not
- Process oriented
  - Stacks of paper don't defend systems
  - Al & Crispin to cover?
- Proof oriented
  - Computers are not mathematical systems
  - Proofs rarely relate to real-world security

What EB Needs
- Welcome the idea we're doing badly
- Gather data: lots of it
- If you buy, start asking for evidence
- If you research, start looking for evidence