Yuecel Karabulut - SAP Research
"Measuring the Attack Surfaces of Enterprise Software Systems"
Oct 08, 2008
Download: MP4 Video (size: 600.7MB)
Watch on YouTube
Abstract
Software vendors have traditionally focused on improving code quality as the way to improve software security. The code quality improvement effort aims at reducing the number of design and coding errors in software. In principle, we can use formal correctness proof techniques to identify and remove all errors in software with respect to a given specification, and hence remove all its vulnerabilities. In practice, however, building large and complex software devoid of errors, and hence of security vulnerabilities, remains a very difficult task. Software vendors can instead minimize the risk associated with the exploitation of future vulnerabilities. One way to minimize this risk is by reducing the attack surfaces of their software. A smaller attack surface makes the exploitation of vulnerabilities harder and lowers the damage of exploitation, and hence mitigates the security risk. We believe that a complete risk mitigation strategy requires a combination of code quality efforts and attack surface measurement. SAP and CMU collaborated to develop a new attack surface measurement method for measuring the attack surfaces of SAP software systems implemented in Java. We implemented a tool and demonstrated the feasibility of our approach by measuring the attack surface of an SAP software system. In this talk, we will present the attack surface measurement method and report on its application.
About the Speaker
Dr. Yuecel Karabulut is a Senior Research Scientist at SAP Research in Palo Alto. He is currently a member of the Platforms Research Group. Before joining this group, Yuecel worked in the Security & Trust Research Program of SAP Research, Germany, where he led several SAP internal technology transfer projects and external European-funded large research projects, including TrustCoM and ITAIDE. His main areas of expertise include Secure Service-Oriented Architectures, Secure Business Process Composition, Application-level Virtual Machine Sandboxing, Secure Web Mashups, Language Security, Application Platform Security, Software-as-a-Service (SaaS) and Multitenancy, Policy & Authorization Management, Distributed Trust Management and PKI. He has a number of conference and journal publications, and holds several patents focusing on distributed information systems and on security and trust issues in open, interoperable systems. Prior to joining SAP, he worked as a Research Associate at the University of Dortmund in Germany. Yuecel received his doctoral degree and his Diploma in Informatics from the University of Dortmund, and his BSc degree in Computer Engineering from Ege University, Turkey. He serves as a program committee member and chair, as well as a reviewer, at many international conferences, workshops and journals. He holds the DAAD (German Academic Exchange Service) Outstanding Student of the Year 2002 award.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52 (Suite 050B), West Lafayette Campus.