In July 2020 the non-profit Cyber-ITL identified: 32,888 vuln/defects across 5,692 apps and libraries. No source code was used against the targets. Want the datasets? CITL is looking for paid strategic partnerships: contact@cyber-itl.org
CITL’s mission: evidence-based software security.
Partnerships provide: access to increasingly refined CITL datasets; targeting suggestions / input.
Funding helps mature the codebase and modeling to enable CITL to transition technology and capabilities (perhaps to you?). 2/
Even the best security teams lack data-driven consensus on what works in SDLCs. So CITL is measuring the real world impact of engineering safety and security. Any practices without measurable impact are indistinguishable from superstition. We need this field to improve! 3/
This is the dynamic analysis capability running at CITL. It is designed to be able to identify memory bugs, command injection, link traversal, library interposition, etc. Works terrifyingly well… (see first tweet) Ignore the details... just showing it’s not vaporware. 4/
CITL is refining and growing the data for their purposes, but it’s already super rich and mineable (i.e. for data science), containing:
Execution traces (good and bad)
System interactions (syscalls, func() hooking args)
Environment interactions
Breadth-centric targets
Etc. 5/
Here’s a scripted visualization from the dataset. It shows the defective program execution path for one of the 32K vulns/defects across the 5.6K target apps/libs in this first CITL data set. 6/

9:30 PM · Aug 14, 2020

Add this to CITL’s existing rich static analysis data sets (>100 features measured, 4M apps/libs & growing). Goal: scientifically quantify robustness of software from static and dynamic analysis, and from predictive models of dynamic. Data reports from static analysis: cyber-itl.org/news/blog/ 7/
From CITL dynamic analysis data, you’ll be able to rank how robust the libraries you use actually are. 2.5k libraries already evaluated. Is your production code linked against a highly fragile library? These revelations become apparent at these types of scale :) 8/
CITL wants to be behind the scenes creating the science, data, and capabilities to support evidence-based security engineering. Use CITL’s work yourself and help the field at large. There are lots of worthy charities. If you can, please fund CITL. contact@cyber-itl.org End/
Replying to @dotMudge
which archs are supported? can you say more about the implementation?
Static Analysis OSes: Windows, MacOS, and Linux
Static Architectures: x86, Arm, Arm Thumb, MIPS, PPC, ... (32/64-bit modes)
Dynamic Analysis: Linux ELF
Dynamic Predictive Modeling (not finished): hopefully all static architectures. This is one of the funding targets.
Replying to @dotMudge
Sidenote: there's no actual information here, the screenshot doesn't really show much 🤷‍♂️