Towards
Evidence-Based Security
Adam Shostack
ShmooCon '05
Slides at
http://www.homeport.org/~adam/shmoocon/

Speakers
Crispin Cowan
Al Potter
Ed Reed
Adam Shostack

Outline
Adam's 10 minutes
What is Evidence Based Security
Why we need it
What EB Security is Not
What We Need to Make EB a reality
Crispin, Ed, Al
You All

Are We Successful?
Morris Worm used buffer overflows, bad passwords, and sendmail to spread in 1989
16 years later, sendmail is fixed
Worms, phishing, spyware
Social engineering
Litany of problems gets no shorter

Origin of EB
A desire to do better
Question why we're not
Apply scientific method:
Testable hypotheses
Occam's Razor

Origin of the EBies
From medical community
Doctors got tired of folk remedies
Get outcome oriented
Apply scientific method

What Is EB?
Hypothesize, test, repeat
Look to real world
Normalize for deployment?
Smaller and larger tests
Deployed systems survivability time?
Does this system survive this attack?

What EB Is Not
Process Oriented
Stacks of paper don't defend systems
Al & Crispin to cover?
Proof Oriented
Computers are not mathematical systems
Proofs rarely relate to real world security

What EB Needs
Welcome the idea we're doing badly
Gather data: lots of it
If you buy, start asking for evidence
If you research, start looking for evidence