Software security rating system debuts at Black Hat Las Vegas
A consumer-style rating system assessing the level of cyber-security protection included in various software products will be unveiled at this year’s Black Hat conference in Las Vegas.
The system, a project of Peiter Zatko, a well-known hacker and network security expert, aims to put pressure on software manufacturers to do more to hack-proof their products. So far, Zatko said, there has been no unbiased, consistent method for rating the security of programs – a major gap that needs addressing.
Zatko, who told the US Congress 20 years ago that he could take down the internet in 30 minutes, has developed the system together with his wife, former National Security Agency mathematician Sarah Zatko.
"We need a nutritional label," Zatko told Reuters ahead of the conference. "You might care more about sugar, or carbohydrates, or protein, but if we tell you about all of it, a nutritionist can help you come up with the appropriate diet."
The preliminary analysis reportedly revealed that Apple's Mac computers are relatively difficult to hack. On the other hand, Apple’s Safari web browser is more vulnerable than Google's Chrome, but more secure than Firefox. Many Microsoft products have scored quite well so far, but its Office suite for Mac performed poorly, Reuters reported.
The system has been licensed indefinitely to a new non-profit organisation.
Enforcing liability for software vulnerabilities has been complicated. Courts have held that software is licensed, not sold, so no product liability lawsuits can be brought for defective goods.
For corporate and other large customers, the only existing option is to order third-party code audits. The process, however, is cumbersome and needs to be repeated with every purchase.
Government and private certification programmes often give an incentive to develop software that meets only the minimum requirements, and penalise those who spend more to make it safer.
The Zatkos' approach begins by analysing the digital outputs, or binaries, of the code, which instruct computers what to do.
"Source code is the theory, while binary is the practice," said Sarah Zatko. "It makes a huge difference in how secure the actual product is."
The main focus is on the compilers, which turn source code into binary.
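As an added illustration (not the Zatkos' method, whose actual checks the article does not describe), the Python below reads three protections that the compiler and linker decide at build time straight out of an ELF64 binary: position independence (PIE), a non-executable stack (NX) and a read-only relocation segment (RELRO). The ELF constants are the standard ones; the two sample images are constructed inline so the script runs without a real binary.

```python
import struct

# Standard ELF64 constants (little-endian x86-64 layout assumed)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)


def hardening_report(blob: bytes) -> dict:
    """Report build-time protections visible in the binary itself.

    pie   - linked as ET_DYN, so the loader can randomise its base address
    nx    - PT_GNU_STACK present and not executable (absent => executable stack)
    relro - PT_GNU_RELRO present, so relocation data is made read-only after load
    """
    if len(blob) < EHDR.size or blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(blob, 0)
    report = {"pie": e_type == ET_DYN, "nx": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags, *_ = PHDR.unpack_from(blob, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
    return report


def make_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed test input: a header plus (p_type, p_flags) program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, little-endian, version 1
    header = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return header + body


# Same hypothetical program built two ways: hardened flags vs. none of them
HARDENED = make_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])  # RW stack, RELRO
WEAK = make_elf(ET_EXEC, [(PT_GNU_STACK, 0x7)])                          # RWX stack, fixed base

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, hardening_report(image))
```

The two images differ only in what the toolchain emitted, which is the point of rating the binary rather than the source.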
The Zatkos hope the system will give consumers a tool to put pressure on software makers to do a better job.
Among the people most interested in the fine-grained results of the software ratings are insurance companies, which have been hard-pressed to estimate reasonable premiums for insurance against hackers.
Peiter Zatko, also known as Mudge, was a member of pioneering Boston hacking group the L0pht. More recently, he headed a grant programme for the computer security projects of the US Defense Department.