Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Secure coding practices and automated assessment tools

Bart Miller (University of Wisconsin-Madison), Elisa Heymann (University of Wisconsin-Madison)
9:00am–12:30pm Monday, October 30, 2017
Teachable moments
Location: Sutton North
Level: Beginner

Who is this presentation for?

  • Anyone involved with the development, deployment, assessment, or management of critical software

Prerequisite knowledge

  • A basic understanding of the software development process
  • A working knowledge of at least one of the C, C++, Java, or scripting programming languages

What you'll learn

  • Understand the types of vulnerabilities that occur in real code and techniques to prevent them
  • Learn how to use automated analysis tools to detect flaws in your software

Description

Drawing on their experience performing vulnerability assessments of critical middleware, Bart Miller and Elisa Heymann walk you through the programming practices that lead to security vulnerabilities and demonstrate how to use automated tools to find security weaknesses in your code. You’ll learn skills that are critical for software developers and analysts concerned with security. If you want to minimize the security flaws in the software you develop, this tutorial is for you.

Outline:

  • Basic vocabulary and key concepts (attack surface, impact surface, vulnerability, exploit, mitigation, etc.)
  • Thinking like an attacker
  • The most common vulnerabilities found in middleware and services and how to mitigate or eliminate them
  • Automated assessment tools
  • Control flow analysis and data flow analysis
  • How to use different commercial and open source tools for C/C++ and Java and how to process the tools’ output
  • The Software Assurance Marketplace (SWAMP), an open facility that allows users to scan their software with different tools without the burden of dealing with tool acquisition, installation, and configuration

Bart Miller

University of Wisconsin-Madison

Barton Miller is a professor of computer sciences at the University of Wisconsin, the chief scientist for the DHS Software Assurance Marketplace research facility, and software assurance lead on the NSF Cybersecurity Center of Excellence. Barton also codirects the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona and leads the Paradyn Parallel Performance Tool project, which investigates performance and instrumentation technologies for parallel and distributed applications and systems. In 1988, Barton founded the field of fuzz (random) software testing, which underpins many security and software engineering disciplines. In 1992, Barton, working with his then-student Jeffrey Hollingsworth, founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation,” which forms the basis for his current efforts in malware analysis and instrumentation. His research interests include systems security, binary and malicious code analysis, instrumentation of extreme-scale systems, parallel and distributed program measurement and debugging, and mobile computing. Barton’s research is supported by the US Department of Homeland Security, the Department of Energy, the National Science Foundation, NATO, and various corporations.


Elisa Heymann

University of Wisconsin-Madison

Elisa Heymann is a senior scientist within the NSF Cybersecurity Center of Excellence at the University of Wisconsin and an associate professor at the Autonomous University of Barcelona, where she codirects the MIST software vulnerability assessment project. Elisa was also in charge of the Grid/Cloud security group at the UAB and participated in two major European grid projects: EGI-InSPIRE and the European Middleware Initiative (EMI). Elisa’s research interests include security and resource management for grid and cloud environments. Her research is supported by the NSF, the Spanish government, the European Commission, and NATO.
