Towards Evidence-Based Security
Adam Shostack
ShmooCon '05
Slides at http://www.homeport.org/~adam/shmoocon/
Speakers
  Crispin Cowan
  Al Potter
  Ed Reed
  Adam Shostack
Outline
  Adam's 10 minutes
    What is Evidence Based Security
    Why we need it
    What EB Security is Not
    What We Need to Make EB a reality
  Crispin, Ed, Al
  You All
Are We Successful?
  Morris Worm used buffer overflows, bad passwords, and sendmail to spread in 1989
  16 years later, sendmail is fixed
  Worms, phishing, spyware
  Social engineering
  Litany of problems gets no shorter
Origin of EB
  A desire to do better
  Question why we're not
  Apply scientific method:
    Testable hypotheses
    Occam's Razor
Origin of the EBies
  From medical community
  Doctors got tired of folk remedies
  Get outcome oriented
  Apply scientific method
What Is EB?
  Hypothesize, test, repeat
  Look to real world
  Normalize for deployment?
  Smaller and larger tests
    Deployed systems survivability time?
    Does this system survive this attack?
What EB Is Not
  Process Oriented
    Stacks of paper don't defend systems
    Al & Crispin to cover?
  Proof Oriented
    Computers are not mathematical systems
    Proofs rarely relate to real world security
What EB Needs
  Welcome the idea we're doing badly
  Gather data: lots of it
  If you buy, start asking for evidence
  If you research, start looking for evidence