The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Yuecel Karabulut - SAP Research

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Measuring the Attack Surfaces of Enterprise Software Systems

Oct 08, 2008

Download: Video Icon MP4 Video Size: 600.7MB  
Watch on Youtube Watch on YouTube

Abstract

Software vendors have traditionally focused on improving code quality for
improving software security and quality. The code quality improvement effort aims toward reducing the number of design and coding errors in software. In principle, we can use formal correctness proof techniques to identify and remove all errors in software with respect to a given specification and hence remove all its vulnerabilities. In practice, however, building large and complex software devoid of errors, and hence security vulnerabilities, remains a very difficult task. Software vendors can minimize the risk associated with the exploitation of future vulnerabilities. One way to minimize the risk is by reducing the attack surfaces of their software. A smaller attack surface makes the exploitation of the vulnerabilities harder and lowers the damage of exploitation, and hence mitigates the security risk. We believe that a complete risk mitigation strategy requires a combination of code quality efforts and attack surface measurement. SAP and CMU collaborated to develop a new attack surface measurement method for measuring the attack surfaces of SAP software systems implemented in Java. We implemented a tool and demonstrated the feasibility of our approach by measuring the attack surface of an SAP software system. In this talk, we will present the attack surface measurement method and report on its application.

About the Speaker

Dr. Yuecel Karabulut is a Senior Research Scientist at SAP Research in Palo Alto. He is currently member of the Platforms Research Group. Before joining this group Yuecel has worked in the Security & Trust Research Program of SAP Research, Germany where he led several SAP internal technology transfer projects and external European funded large research projects including TrustCoM and ITAIDE. His main areas of expertise include Secure Service-Oriented Architectures, Secure Business Process Composition, Application-level Virtual Machine Sandboxing, Secure Web Mashups, Language Security, Application Platform Security, Software-as-a Service (SaaS) and Multitenancy, Policy & Authorization Management, Distribute Trust Management and PKI. He has a number of conference & journal publications, and holds several patents focusing on distributed information systems, security and trust issues in open, interoperable systems. Prior to joining SAP, he worked as a Research Associate at the University of Dortmund in Germany. Yuecel received his doctoral degree and his Diploma in Informatics from the University of Dortmund, and his BSc degree in Computer Engineering from Ege University, Turkey. He serves as program committee member and chair as well as reviewer at many international conferences, workshops and journals. He holds the award of DAAD's (German Academic Exchange Service) Outstanding Student of Year 2002.


Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!