We advocate for a centralized Bug Bounty Program of Last Resort to support critical open-source projects and smaller vendors unable to fund their own.

• Bug Bounty
• Supply Chain Security

Download

Protecting the electricity industry’s supply and value chains now requires measures beyond securing individual products, necessitating adapted roles and responsibilities from procurement to retirement.

• Supply Chain Security

Download

We outline digital supply chain risks and essential security measures for routine and critical functions in industry, government, police, and military.

• Supply Chain Security

Download

Analysis of leaked account numbers and impacts from major data breaches in Swiss industry and government, highlighting cyber threats from software vulnerabilities and insights into Swisscom’s Bug Bounty program.

• Bug Bounty
• Data Breach
• Swisscom

Download

We examine new cyber attack scenarios through emerging interactions between people, applications, and devices.

• Swisscom

Download

We examine how cyber criminals use botnets for large-scale attacks and provide advises on cyber threat intelligence.

Download

Every data breach enables cyber criminals to refine and correlate data, creating profiles that can identify millions, with severe consequences for victims. Lost data cannot be recovered.

• Data Breach

Download

Cybersecurity relies on coordinated vulnerability disclosure, but the black market offers large rewards for the same data. We explore the economics of denying cyber criminals access to new vulnerabilities.

• Bug Bounty

Download

Vulnerabilities known only to closed groups, like cyber criminals, brokers, and governments, pose a significant risk to all users of the affected software.

• Vulnerability Lifecycle

Download

Data from rigorous testing shows that 100% attack prevention is an illusion. Organizations should assume compromise and prioritize breach detection alongside prevention.

• Cyber Kill Chain
• Vulnerability Lifecycle

Download

Comparing multiple protection technologies shows a significant correlation in failures to detect exploits, with more bypasses than risk models predict when ignoring correlation.

• Cyber Kill Chain

Download

Despite massive security investments of the software industry, vulnerability disclosures have risen considerably in 2012.

Download

We correlate OSINT data on exploits and crimeware with security test results of security tools to model the kill chain and how evade enterprise security detection.

• Cyber Kill Chain
• Blackhat

Download

The Secunia Yearly Report 2011 highlights the evolution of software vulnerabilities, exploits, and the challenges in protecting private users and corporate IT infrastructures.

Download

This white paper details how cybercriminals have refined malware to systematically bypass traditional defenses, sparking an arms race with defenders.

• Vulnerability Lifecycle

Download

This paper highlights the limitations of restricting administrative access and shows how cybercriminals can still achieve their goals without it.

Download

Our analysis of a decade of software vulnerabilities reveals that extrinsic factors significantly impact vulnerability discovery rates more than intrinsic properties like software quality.

• Vulnerability Lifecycle

Download

We analyze the average user’s software portfolio using data from over two million Secunia PSI scans.

Download

We study the persistence of the use of outdated Web browsers (Firefox, Opera, Chrome and Safari) after users have been prompted to perform an update.

Download

We developed a cyber security ecosystem model to capture key players and processes, analyzing their roles and incentives using data from over 27,000 vulnerabilities.

Download

Security updates are ineffective if the update mechanism isn’t efficient. This paper analyzes the effectiveness of different web browsers’ update mechanisms using extensive Google web log data.

• Insecurity Iceberg

Download

How secure is your browser? One indicator is how frequently it’s updated. Using Google’s search logs, we analyze update patterns to compare browser security.

• Insecurity Iceberg

Download

This dissertation argues that understanding the vulnerability lifecycle helps distinguish key security processes and quantify risk exposure and its evolution on a large scale.

Download

With access to Google’s global web server logs, we offer the first in-depth global perspective on web browser insecurity, crucial for understanding threats to browser and plug-in technologies.

• Defcon
• Insecurity Iceberg

Download

We monitored security sites every 30 minutes for over 18 months, creating a unique dataset to compare CERT and private offerings.

• Vulnerability Lifecycle

Download

We analyzed the patch development process of Microsoft and Apple from 2002 to 2007, using public vulnerability data to assess potential bias in vendor information.

• Blackhat
• Vulnerability Lifecycle

Download

Analyzing over 80,000 security advisories, we identified trends in zero-day exploits and measured the gap between exploit and patch availability.

• Blackhat
• Vulnerability Lifecycle

Download

We investigated the speed of civil jet engine technology, finding it hasn’t yet reached the thermodynamic limit. A measure of airplane efficiency was derived and applied to jets of varying sizes and eras, dating back to the 1960s.

Download

Analysis of email non-delivery receipt handling by live servers revealed a common flaw that could enable new DoS attacks.

Download