28 Apr 2016 - Alastair Beresford
Abstract
Writing vulnerability-free code is currently impossible. The best we can hope for is whack-a-mole security: in other words, fixing bugs and updating Internet-enabled devices before remote exploitation occurs. Unfortunately, security updates are not always delivered in a timely fashion, or at all. Drawing on data gathered about the Android ecosystem, we find that, over a four-year period, 87.7% of Android devices are, on average, exposed to at least one of 11 known critical operating system vulnerabilities. The story at the app level is also worrying: we predict that the fix for the Java-to-JavaScript bridge flaw will take over 5 years to reach 95% of devices. The talk finishes with a discussion on how to improve incentives to encourage better performance in the production and delivery of security updates for Internet-enabled devices.
Informatics Forum room 4.31/33