The numbers are depressing. An estimated 700 million data records were stolen in 2015. But despite the billions spent on computer security, flaws that allow such attacks are fixed slowly. A June report found that financial companies, for example, take on average over five months to fix known online security vulnerabilities.
“The security industry gets $75 billion every year to try to secure things, and what you get for that is everybody is hacked all the time,” said Jeremiah Grossman, chief of security strategy at SentinelOne, speaking at the Black Hat security conference in Las Vegas on Wednesday.
Yet Grossman and some other veterans of the security industry have lately become more optimistic. They see a chance that companies will soon have much stronger financial incentives to invest in securing and maintaining software.
A new nonprofit called the Cyber Independent Testing Laboratory (CITL) has developed ways to score and compare the security of software products such as Web browsers and operating systems. The aim is to help consumers and companies choose the most secure products, and to shame those putting our data at risk into doing better.
That effort comes at a time when insurance companies have begun to take an interest in understanding the risks of security breaches, something that could create new financial incentives for companies to pay attention to security. Insurers could pressure companies much as the insurance industry once helped advance auto and electrical safety. PwC reported last year that companies are being forced to rely more heavily on cyber insurance because the costs of corporate data breaches are growing fast.
CITL was established by high-profile hacker Peiter Zatko, also known as Mudge, and his wife, Sarah, who is also a security researcher. The pair presented their first results at the Black Hat conference Wednesday, showing how analysis methods they had developed can assign a range of security scores to different software programs.
CITL is modeled on Consumer Reports, and will publish scores aimed at non-experts as well as more detailed assessments for industry insiders.