Measuring the Attack Surfaces of Enterprise Software Systems
Yuecel Karabulut - SAP Research
Oct 08, 2008Size: 600.7MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractSoftware vendors have traditionally focused on improving code quality for
improving software security and quality. The code quality improvement effort aims toward reducing the number of design and coding errors in software. In principle, we can use formal correctness proof techniques to identify and remove all errors in software with respect to a given specification and hence remove all its vulnerabilities. In practice, however, building large and complex software devoid of errors, and hence security vulnerabilities, remains a very difficult task. Software vendors can minimize the risk associated with the exploitation of future vulnerabilities. One way to minimize the risk is by reducing the attack surfaces of their software. A smaller attack surface makes the exploitation of the vulnerabilities harder and lowers the damage of exploitation, and hence mitigates the security risk. We believe that a complete risk mitigation strategy requires a combination of code quality efforts and attack surface measurement. SAP and CMU collaborated to develop a new attack surface measurement method for measuring the attack surfaces of SAP software systems implemented in Java. We implemented a tool and demonstrated the feasibility of our approach by measuring the attack surface of an SAP software system. In this talk, we will present the attack surface measurement method and report on its application.
About the SpeakerDr. Yuecel Karabulut is a Senior Research Scientist at SAP Research in Palo Alto. He is currently member of the Platforms Research Group. Before joining this group Yuecel has worked in the Security & Trust Research Program of SAP Research, Germany where he led several SAP internal technology transfer projects and external European funded large research projects including TrustCoM and ITAIDE. His main areas of expertise include Secure Service-Oriented Architectures, Secure Business Process Composition, Application-level Virtual Machine Sandboxing, Secure Web Mashups, Language Security, Application Platform Security, Software-as-a Service (SaaS) and Multitenancy, Policy & Authorization Management, Distribute Trust Management and PKI. He has a number of conference & journal publications, and holds several patents focusing on distributed information systems, security and trust issues in open, interoperable systems. Prior to joining SAP, he worked as a Research Associate at the University of Dortmund in Germany. Yuecel received his doctoral degree and his Diploma in Informatics from the University of Dortmund, and his BSc degree in Computer Engineering from Ege University, Turkey. He serves as program committee member and chair as well as reviewer at many international conferences, workshops and journals. He holds the award of DAAD's (German Academic Exchange Service) Outstanding Student of Year 2002.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.