September 20-21, 2023 | Bilbao, Spain + Virtual
View More Details & Registration

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Linux Security Summit Europe 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central European Summer Time (UTC +2). To see the schedule in your preferred timezone, please select from the drop-down menu to the right above "Filter by Date."

IMPORTANT NOTE: The timing of sessions is subject to change.

Back To Schedule
Wednesday, September 20 • 11:00 - 11:45
Estimating Security Risk Through Repository Mining - Tamas K. Lengyel, Intel

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Can we calculate the security risk of a software repository based on its software development practices? A well-maintained project with a CI system, code-reviews & lots of users would be reasonably expected to be less risky than a project without those qualities. Software repositories contain a myriad of information that can be used to quantify these properties, and this forms the bases of the Open Source Security Foundation’s Scorecard project: distill it all into an easy-to-comprehend “Security Score” to quickly judge the potential risk of any open-source project. But do we really get software that’s less risky if it gets a high score on the Scorecard? How would we know? We argue that the metrics the Scorecard factors into its scoring system are equally applicable to predicting bugs in software. Since we have solid tools for finding bugs in C and C++ we can check to a certain degree if there is a connection between the two! We conducted automated scans on thousands of the most popular repositories on GitHub with a variety of state-of-the-art bug finding tools to see if we can find a relationship. In this talk we'll go through the details of our analysis and discuss the results.

avatar for Tamas K Lengyel

Tamas K Lengyel

Sr Security Researcher, Intel
Tamas works at Intel as a Senior Security Researcher. He presented before at leading security conferences like BlackHat, DEFCON and Linux Security Summit. He is maintainer of several open-source projects, including the Xen hypervisor, DRAKVUF and KF/x.

Wednesday September 20, 2023 11:00 - 11:45 CEST
Room 5A