Papers / Feb, 2021
Bug Bounty Program of Last Resort
We advocate for a centralized Bug Bounty Program of Last Resort to support critical open-source projects and smaller vendors unable to fund their own.
Read more about this entry
Papers / Nov, 2020
Cyber Resilience in the Electricity Ecosystem
Protecting the electricity industry’s supply and value chains now requires measures beyond securing individual products, necessitating adapted roles and responsibilities from procurement to retirement.
Read more about this entry
Papers / Sep, 2019
Analysis and measures to secure the digital supply chain
We outline digital supply chain risks and essential security measures for routine and critical functions in industry, government, police, and military.
Read more about this entry
Papers / Apr, 2017
Data Breaches & Bug Bounties
Analysis of leaked account numbers and impacts from major data breaches in Swiss industry and government, highlighting cyber threats from software vulnerabilities and insights into Swisscom’s Bug Bounty program.
Read more about this entry
Papers / Sep, 2015
Current Threat Status and its Development
We examine new cyber attack scenarios through emerging interactions between people, applications, and devices.
Read more about this entry
Papers / Aug, 2014
Cyber Crime Threat Intelligence - Turkey
We examine how cyber criminals use botnets for large-scale attacks and provide advises on cyber threat intelligence.
Read more about this entry
Papers / Mar, 2014
Why Your Data Breach is My Problem
Every data breach enables cyber criminals to refine and correlate data, creating profiles that can identify millions, with severe consequences for victims. Lost data cannot be recovered.
Read more about this entry
Papers / Dec, 2013
International Vulnerability Purchase Program (IVPP)
Cybersecurity relies on coordinated vulnerability disclosure, but the black market offers large rewards for the same data. We explore the economics of denying cyber criminals access to new vulnerabilities.
Read more about this entry
Papers / Dec, 2013
The Known Unknowns in Cyber Security
Vulnerabilities known only to closed groups, like cyber criminals, brokers, and governments, pose a significant risk to all users of the affected software.
Read more about this entry
Papers / May, 2013
Cyber Kill Chain vs. Defense Effectiveness
Data from rigorous testing shows that 100% attack prevention is an illusion. Organizations should assume compromise and prioritize breach detection alongside prevention.
Read more about this entry
Papers / May, 2013
Correlation Of Detection Failures
Comparing multiple protection technologies shows a significant correlation in failures to detect exploits, with more bypasses than risk models predict when ignoring correlation.
Read more about this entry
Papers / Feb, 2013
Vulnerability Threat Trends 2012
Despite massive security investments of the software industry, vulnerability disclosures have risen considerably in 2012.
Read more about this entry
Papers / Dec, 2012
Modeling Exploit Evasions in Layered Security
We correlate OSINT data on exploits and crimeware with security test results of security tools to model the kill chain and how evade enterprise security detection.
Read more about this entry
Papers / Feb, 2012
Secunia Yearly Report 2011
The Secunia Yearly Report 2011 highlights the evolution of software vulnerabilities, exploits, and the challenges in protecting private users and corporate IT infrastructures.
Read more about this entry
Papers / Jun, 2011
How to Secure a Moving Target with Limited Resources
This white paper details how cybercriminals have refined malware to systematically bypass traditional defenses, sparking an arms race with defenders.
Read more about this entry
Papers / Apr, 2011
Cybercriminals do not need administrative users
This paper highlights the limitations of restricting administrative access and shows how cybercriminals can still achieve their goals without it.
Read more about this entry
Papers / Dec, 2010
Familiarity Breeds Contempt
Our analysis of a decade of software vulnerabilities reveals that extrinsic factors significantly impact vulnerability discovery rates more than intrinsic properties like software quality.
Read more about this entry
Papers / Mar, 2010
The Security Exposure Of Software Portfolios
We analyze the average user’s software portfolio using data from over two million Secunia PSI scans.
Read more about this entry
Papers / Mar, 2010
Quantification of deviations from rationality with heavy-tails in human dynamics
We study the persistence of the use of outdated Web browsers (Firefox, Opera, Chrome and Safari) after users have been prompted to perform an update.
Read more about this entry
Papers / Jun, 2009
Modelling the Security Ecosystem
We developed a cyber security ecosystem model to capture key players and processes, analyzing their roles and incentives using data from over 27,000 vulnerabilities.
Read more about this entry
Papers / May, 2009
Why Silent Updates Boost Security
Security updates are ineffective if the update mechanism isn’t efficient. This paper analyzes the effectiveness of different web browsers’ update mechanisms using extensive Google web log data.
Read more about this entry
Papers / Jan, 2009
Firefox (In)Security Update Dynamics Exposed
How secure is your browser? One indicator is how frequently it’s updated. Using Google’s search logs, we analyze update patterns to compare browser security.
Read more about this entry
Papers / Jan, 2009
Security Econometrics - The Dynamics of (In)Security
This dissertation argues that understanding the vulnerability lifecycle helps distinguish key security processes and quantify risk exposure and its evolution on a large scale.
Read more about this entry
Papers / Aug, 2008
Understanding The Web Browser Threat
With access to Google’s global web server logs, we offer the first in-depth global perspective on web browser insecurity, crucial for understanding threats to browser and plug-in technologies.
Read more about this entry
Papers / Jul, 2008
Putting Private And Government CERT's To The Test
We monitored security sites every 30 minutes for over 18 months, creating a unique dataset to compare CERT and private offerings.
Read more about this entry
Papers / Mar, 2008
Exposing Vendors (In)security Performance (0-Day Patch)
We analyzed the patch development process of Microsoft and Apple from 2002 to 2007, using public vulnerability data to assess potential bias in vendor information.
Read more about this entry
Papers / Sep, 2006
Large-Scale Vulnerability Analysis
Analyzing over 80,000 security advisories, we identified trends in zero-day exploits and measured the gap between exploit and patch availability.
Read more about this entry
Papers / Jun, 2006
Technology Speed of Civil Jet Engines
We investigated the speed of civil jet engine technology, finding it hasn’t yet reached the thermodynamic limit. A measure of airplane efficiency was derived and applied to jets of varying sizes and eras, dating back to the 1960s.
Read more about this entry
Papers / Apr, 2004
DDoS Attacks through Non Delivery Messages
Analysis of email non-delivery receipt handling by live servers revealed a common flaw that could enable new DoS attacks.
Read more about this entry