Wednesday 30 September 16:30 - 17:00, Red room
Clint Gibler (NCC Group Domain Services)
In order to augment and scale limited in-house security expertise, many organizations rely on automated security scanning tools to find misconfigurations, services that need to be patched, and web application vulnerabilities. While much research has been done into detecting new types of vulnerabilities and finding known ones more precisely, there has been disappointingly little examination of how successful these techniques are in practice and, more importantly, how effective these tools are in making companies more secure.
We will discuss insights gained from analysing the results of running a commercial security scanner on 100 international companies across 10 industry verticals from February 2014 until May 2015, collectively representing over 900,000 findings. We examine questions such as: what are the common types of vulnerabilities in real companies today? Does it vary by industry? For a given type of vulnerability, how long does it take companies to remediate issues? Does the time to fix depend on one or more of: the type of the vulnerability, its severity, or merely on its solution? Do companies or industries tend to fix the same types of vulnerabilities in a similar time frame, or is there significant variation?
We aim to provide industry professionals with objective data against which they can compare their company's performance, and security researchers with insights into impactful areas they can focus on in their future work.
Clint Gibler is a software security engineer at NCC Group Domain Services where his responsibilities include performing secure code reviews, building security critical software components, and pursuing security research projects. Prior to joining NCC Group, Clint received a Ph.D. in computer science from the University of California, Davis, where he specialized in mobile security. Clint has been involved in a number of research projects presented at conferences including: using static analysis to detect leaks of private information in Android apps, automatically detecting Android app piracy, analysing the impact of app piracy on Android markets and developers, and Android emulator detection. In general, Clint enjoys building tools to analyse or break software. Outside of security, Clint enjoys improv and sketch comedy.