SECONOMICS presentation at the "TUM Fachvortrag" event

My software has a vulnerability, should I worry? (An Empirical Study on Symantec Threats and Exploit Kits).

  • Date:
    Wednesday, 19th of December 2012, 09:30am
  • Place:
    FMI 00.12.019 (MI-Building, Campus Garching)
  • Title of the presentation:
    My software has a vulnerability, should I worry? (An Empirical Study on Symantec Threats and Exploit Kits).

Abstract:

Reported vulnerabilities are passing the 50K mark (in NVD). The industry has set up a scoring mechanism (CVSS) and the U.S. government has mandated its use for off-the-shelf security management tools. Yet, a largely open question is whether we should actually worry about a vulnerability if the CVSS says we should. In this talk I will report an empirical study on the difference between reported (i.e. in NVD), exploitable (i.e. some security expert reports an exploit in ExploitDB), exploited in the wild (i.e. seen by Symantec), and finally dark marketed (i.e. sold in some exploit kit).

In the majority of cases the existence of an exploit is not a cause of concern. Only for some rare combinations should you actually worry. To put things into a wider perspective, the Triple Blood Test (routinely used by doctors to check the risk of Down syndrome) beats CVSS specificity by a large factor. Vulnerability assessment has a long road to go.
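The abstract treats CVSS as a diagnostic test whose "specificity" can be measured, in the same way a medical screening test is scored. The following Python example, added here for illustration and not part of the talk or of the study, shows how such a measurement is set up: records from the four sources named in the abstract (NVD score, an ExploitDB entry, a Symantec sighting, an exploit-kit listing) are joined per vulnerability, a predictor such as "CVSS at or above 7.0" is applied, and sensitivity and specificity are computed against the ground truth "exploited in the wild". The records, the identifiers, the threshold and the numbers that come out are all constructed for this example and say nothing about the real data sets.

```python
"""Added illustration: scoring a vulnerability predictor as a diagnostic test.

All records below are CONSTRUCTED for this example (identifiers are not real
CVEs) and are not data from the talk, NVD, ExploitDB or Symantec.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    vid: str                 # vulnerability identifier (constructed)
    cvss: float              # CVSS base score as listed in NVD
    in_exploitdb: bool       # "exploitable": a public exploit was published
    seen_by_symantec: bool   # "exploited in the wild": attack seen by sensors
    in_exploit_kit: bool     # "dark marketed": sold in an exploit kit


# Constructed sample: a few high-score entries are never attacked, one
# medium-score entry with a public exploit is attacked in the wild.
RECORDS: List[Vuln] = [
    Vuln("VULN-01", 9.3, True,  True,  True),
    Vuln("VULN-02", 7.5, True,  False, False),
    Vuln("VULN-03", 10.0, False, False, False),
    Vuln("VULN-04", 4.3, True,  True,  False),
    Vuln("VULN-05", 7.2, False, False, False),
    Vuln("VULN-06", 5.0, False, False, False),
    Vuln("VULN-07", 9.0, True,  True,  True),
    Vuln("VULN-08", 6.8, False, False, False),
]


def exploited(v: Vuln) -> bool:
    """Ground truth used for scoring: attacked in the wild or traded in a kit."""
    return v.seen_by_symantec or v.in_exploit_kit


def evaluate(records: List[Vuln], predict: Callable[[Vuln], bool]) -> Dict[str, float]:
    """Confusion matrix plus sensitivity and specificity of a predictor.

    sensitivity = TP / (TP + FN): share of exploited vulns the predictor flags
    specificity = TN / (TN + FP): share of never-exploited vulns it leaves alone
    """
    tp = fp = tn = fn = 0
    for v in records:
        pred, actual = predict(v), exploited(v)
        if pred and actual:
            tp += 1
        elif pred and not actual:
            fp += 1
        elif not pred and actual:
            fn += 1
        else:
            tn += 1
    sensitivity = tp / (tp + fn) if (tp + fn) else 0.0
    specificity = tn / (tn + fp) if (tn + fp) else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "sensitivity": sensitivity, "specificity": specificity}


def cvss_at_least(threshold: float) -> Callable[[Vuln], bool]:
    """Predictor: worry about everything scored at or above the threshold."""
    return lambda v: v.cvss >= threshold


def has_public_exploit(v: Vuln) -> bool:
    """Predictor: worry about everything that has an ExploitDB entry."""
    return v.in_exploitdb


if __name__ == "__main__":
    for name, pred in (("CVSS >= 7.0", cvss_at_least(7.0)),
                       ("ExploitDB entry", has_public_exploit)):
        print(name, evaluate(RECORDS, pred))
```

On the constructed sample the score threshold flags three vulnerabilities that are never attacked, which is what a low specificity looks like in practice: every false positive is patching effort spent on something nobody exploits. The same harness accepts any predictor (a CVSS subscore, the presence of an exploit, a combination), so alternative triage rules can be compared on identical data.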

Speaker:

Prof. Fabio Massacci, University of Trento

Biography:

Fabio Massacci is professor at the University of Trento, Italy. He has a PhD from Rome "La Sapienza" (in automated reasoning for modal and security logics) and worked with L. Paulson in Cambridge on formal verification of the SET Visa and Mastercard security protocols. Later he worked with J. Mylopoulos and N. Zannone on security requirements engineering (their paper being the most cited of RE 2005). He has led a number of multi-million EU research projects with industry in the field of IT security, and his most recent project is on Security Economics. His current interest is the empirical validation of security research, both on models to understand vulnerabilities and attacks (this talk) and on deciding which methodology for security requirements to choose.