Annual Computer Security Applications Conference (ACSAC) 2016

Don’t Bug Me to Death… “Focusing on Improving Software Assurance Capabilities in A Buggy Bug World…”

Thursday, 8 December 2016
13:30 - 15:00

Sierra D

Chair: Kevin Greene

Abstract:

We are living in a buggy bug world where software bugs are exposing vulnerabilities in our software-connected world. The danger is that software not only powers our critical infrastructure, but also our daily lives. We all become vulnerable and susceptible to poorly designed and developed software. With the constant uphill battle to combat malware, and to defend against the emergence of ransomware and other malicious threats, we need to focus our attention on improving software assurance capabilities to remove the attack vectors that are used to exploit vulnerabilities in software that can potentially harm us. Finding bugs in software is no easy task given that modern software is more complex, and current state-of-the-art software assurance tools are shallow, which often leads to an overwhelming rate of false positives and a considerable number of potential vulnerabilities that go undetected.

With the growing emergence of agile software development methodologies and practices in organizations, developers are integrating and delivering software at a rapid pace, and there is a dire need to perform “security at-speed” to ensure security is built into the early stages of the development process. Unfortunately, many of today’s software assurance tools and capabilities are clogging up the CI/CD pipelines, forcing developers to remove these tools to meet deadlines. As a result, software bugs are moving through the software development process undetected.

This talk will discuss the innovative approaches DHS S&T is taking to create a safer, less buggy bug world through innovation, tech transition, and research collaboration. DHS S&T has taken a leadership role in the R&D community to reinforce the need for improved software assurance tools, technologies and capabilities to keep pace with the evolution of modern software. DHS S&T addresses the growing challenges for improvement with two new research projects: the Static Tool Analysis Modernization Project (STAMP) and Application Security Threat and Attack Modeling (ASTAM), while leveraging its investments in the Software Assurance Marketplace (SWAMP). The SWAMP provides a continuous assurance platform that enables significant improvements in software assurance tools, while encouraging broader adoption of software assurance methodologies and capabilities.

About the Speakers:

Kevin Greene is a program manager in the Cyber Security Division (CSD) of DHS S&T. Greene is responsible for the Software Quality Assurance and Software Assurance Marketplace projects, which include creating improvements to the testing, analysis and evaluation techniques used in software quality assurance tools.

Prior to his position in the CSD, Greene held various IT security roles at the National Academies, the government of the District of Columbia, and industry positions where he gained in-depth knowledge and experience in designing, managing and implementing vulnerability management programs, data protection strategies, intrusion detection systems and firewall solutions. He earned his bachelor’s and master’s degrees from the New Jersey Institute of Technology.

Dr. Robert McGraw

Dr. McGraw is co-founder and Chief Technology Officer of RAM Laboratories. His research interests lie in the areas of cyber security, analytics, and modeling and simulation. He is a past member of the Board of Directors of the International Society of Modeling and Simulation and is currently a Board Member of the International Test and Evaluation Association's San Diego Chapter. He received his Ph.D. in Electrical Engineering from the University of Virginia with an emphasis on Computer Engineering. He has an M.S. in Electrical Engineering from UVa as well as a B.S. in Electronics Engineering and Physics from the University of Scranton.

Joshua Garcia, Associate Project Scientist, Institute for Software Research, UC Irvine

Joshua Garcia is an Associate Project Scientist at the Institute for Software Research at the University of California, Irvine (UCI) and the Software Engineering and Analysis Lab (SEAL) at UCI’s Department of Informatics. His current research interests include mobile security, testing, and analysis, as well as addressing the problems of software architectural drift and erosion. Before joining UCI, he was a Postdoctoral Research Fellow at George Mason University’s Department of Computer Science. He received three degrees from the University of Southern California: a B.S. in computer engineering and computer science, an M.S. in computer science, and a Ph.D. in computer science. His industrial experience includes software-engineering or research positions at the NASA Jet Propulsion Laboratory, the Southern California Earthquake Center, and Xerox Special Information Systems.