Making Open Work
May 8–9, 2017: Training & Tutorials
May 10–11, 2017: Conference
Austin, TX

Secure coding practices and automated assessment tools

Bart Miller (University of Wisconsin-Madison), Elisa Heymann (University of Wisconsin-Madison)
9:00am12:30pm Monday, May 8, 2017
Security
Location: Meeting Room 9
Level: Beginner
Average rating: ****.
(4.38, 8 ratings)

Who is this presentation for?

  • Developers and managers of critical software

Prerequisite knowledge

  • Familiarity with the process of developing software
  • A working knowledge of at least one of the following: C, C++, Java, or a scripting programming language

Materials or downloads needed in advance

  • A WiFi-enabled laptop

What you'll learn

  • Understand security issues
  • Learn specific techniques for writing secure code
  • Explore tools that can help improve the security of your code

Description

Securing your network is not enough. Every service that you deploy is a window into your data center from the outside world—a window that could be exploited by an attacker. Bart Miller and Elisa Heymann explain how to minimize the security flaws in the software you develop or manage.

Bart and Elisa focus on the programming practices that can lead to security vulnerabilities and automated tools for finding security weaknesses. Using interactive secure coding quizzes—synthesized versions of vulnerabilities found in real grid/cloud software—you’ll be challenged to find as many vulnerabilities as you can in short code fragments. Bart and Elisa then dive into what you find (or don’t).

Topics include:

  • Basic vocabulary (attack surface, impact surface, vulnerability, exploit, and mitigation)
  • The most common vulnerabilities found in middleware and services
  • Descriptions of each type of vulnerability (presented in C, C++, Java, Python, and Perl)
  • Programming and design techniques to mitigate or eliminate vulnerabilities
  • Different types of analysis tools: How these tools work, their outputs, and their limitations
  • Control flow analysis and data flow analysis
  • Using commercial and open source tools for C/C++ and Java (simple test applications extracted from the NIST/NSA Juliet test suite)
Photo of Bart Miller

Bart Miller

University of Wisconsin-Madison

Barton Miller is the Vilas Distinguished Achievement Professor and the Amar and Belinder Sohi Professor in Computer Sciences at the University of Wisconsin-Madison, the chief scientist for the DHS Software Assurance Marketplace research facility, and software assurance lead on the NSF Cybersecurity Center of Excellence. Milleralso codirects the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona and leads the Paradyn Parallel Performance Tool project, which is investigating performance and binary code instrumentation and analysis technologies. In 1988, Miller founded the field of fuzz random software testing—the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student Jeffrey Hollingsworth), founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation,” which forms the basis for his current efforts in malware analysis and instrumentation. His research interests include systems security, binary and malicious code analysis and instrumentation of extreme-scale systems, parallel and distributed program measurement and debugging, and mobile computing. Barton’s research is supported by the US Department of Homeland Security, the Department of Energy, the National Science Foundation, NATO, and various corporations. Miller is a Fellow of the ACM

Photo of Elisa Heymann

Elisa Heymann

University of Wisconsin-Madison

Elisa Heymann is a senior scientist within the NSF Cybersecurity Center of Excellence at the University of Wisconsin and an associate professor at the Autonomous University of Barcelona, where she codirects the MIST software vulnerability assessment. Elisa was also in charge of the Grid/Cloud security group at the UAB and participated in two major European grid projects: EGI-InSPIRE and the European Middleware Initiative (EMI). Elisa’s research interests include security and resource management for grid and cloud environments. Her research is supported by the NSF, the Spanish government, the European Commission, and NATO.