Title: Application Security Scoreboard in the Sky
Abstract: This presentation will discuss vulnerability metrics gathered from real-world applications. The statistics are derived from continuously updated data collected by Veracode’s cloud-based code analysis service. The anonymized data represents a total of nearly 1,600 applications submitted for analysis by large and small companies, commercial software providers, open source projects, and software outsourcers between February 2007 and January 2010. This is the first vulnerability analytics study of this magnitude that incorporates data from both static analysis and dynamic analysis.
We will compare the relative security of applications by industry and origin, and we will examine detailed vulnerability distribution data in the context of taxonomies such as the OWASP Top Ten and the CWE/SANS Top 25 Programming Errors.
Speaker Bio: Tyler Shields is a Senior Researcher for the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings. In the past, Tyler has worked as a consultant for both @Stake and Symantec, delivering security assessments to Fortune 500 companies, major financial institutions, institutions of higher education, and the highest levels of the U.S. government. Tyler has presented at major industry conferences including H.O.P.E., Shmoocon, and SOURCE Boston, and has released numerous security advisories. He also frequently contributes to major media outlets as a security subject matter expert.