We work for a fair, just, and safe software marketplace for all consumers, empowering consumers to protect themselves.

Our Goals

1. Remain independent of vendor influence
2. Automated, comparable, quantitative analysis
3. Act as a consumer watchdog
4. Always bring data to the conversation

Not our goals

• Non-goal: find and disclose vulnerabilities
• Non-goal: tell software vendors what to do
• Non-goal: perform free security testing for vendors

Comparing Results:
The State of IoT

When we compare use of common safety features and software hygiene practices in major brands of smart TVs (Samsung UN55KS9000 and LG 55UH8500) to a reasonably secure Linux install, we can see the sorry state that IoT is currently in.

“Security” can be hard to define.

When asked if an application is secure, a security expert might ask:

1. Are passwords and keys correctly handled?
2. Are there any backdoors or hidden functionality?
3. Are there any bugs that can be exploited to allow code execution?

These sorts of questions can’t be answered in an automated fashion, due to theoretical obstructions ("undecidability") first identified by Alan Turing.

Thus, to measure security in a practical fashion, we employ heuristics.

Predicting Security
Using Heuristics

We don’t need to find any specific vulnerabilities in order to assess how secure software is. Instead, we can observe the software’s safety features, build quality, complexity, and other heuristics.

Some heuristics directly impact software security, while others might just be properties of software that are generally only found in cases where development teams know what they’re doing. As long as they correlate, it doesn’t matter.

Our scientists and engineers are building the machinery to both study the efficacy of these heuristics and also to apply them at-scale.