Vulnerability Path and Assessment
Ben Calloni - Lockheed Martin
Feb 22, 2012
Abstract

US Government, Department of Defense, and Enterprise computer systems must be trusted to protect data with varying levels of sensitivity / security. Affordability requirements are driving the need to incorporate many diverse commercial software products of unknown quality and pedigree into said systems. While there exist many Static Code Analysis products, the depth, rigor, and coverage of these tools is incomplete and inconsistent. In addition, finding and eliminating computer flaws or weaknesses is not the same as determining true vulnerabilities. Further, significant cost reduction can occur if automated support for establishing the case for trust and assurance can be achieved.

The collection of evolving standards known as the OMG Software Assurance (SwA) Ecosystem is supported and endorsed by AFRL, NIST, SEI, OSD/NII, and the DHS Cyber Security Division, among others. The SwA Ecosystem defines several standard protocols to enable interoperability for tools, services, and security researchers in developing, exchanging, and utilizing machine-readable content (e.g. vulnerability patterns, enumerations, rules) for security assurance of existing software-based systems. This standards-based plug-and-play framework integrates software analysis and data mining tools and facilitates a highly automated, fact-oriented approach to assurance by providing a traceability link between assurance claims and high-fidelity system facts that serve as evidence to justify those claims. This presentation will focus on the work funded by AFRL and OSD/NII to address the Vulnerability Path Assessment piece of the Ecosystem.
About the Speaker

Dr. Ben Calloni is a Lockheed Martin Fellow for Software Security and a Certified Information Systems Security Professional (CISSP). He is a senior research program manager of the Aeronautics Company in Fort Worth, assigned to the Advanced Development Programs, formerly known as “The Skunk Works”. His research interests are in the area of Software Security and Safety Assurance. He is partnered with Air Force Research Labs, the National Security Agency, the Department of Defense Networks and Information Integration office, and several commercial off-the-shelf suppliers to provide international-standards-based, COTS-product-based, Multi-Level Security infrastructures applicable to Department of Defense weapon systems and to the Department of Homeland Security (DHS) as well.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.