CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University - Discovery Park

Vulnerability Path and Assessment

Ben Calloni - Lockheed Martin

Feb 22, 2012

Size: 537.9MB

Download: MP4 Video | Watch in your browser | Watch on YouTube

Abstract

US Government, Department of Defense, and enterprise computer systems must be trusted to protect data with varying levels of sensitivity and security. Affordability requirements are driving the need to incorporate many diverse commercial software products of unknown quality and pedigree into these systems. While many static code analysis products exist, the depth, rigor, and coverage of these tools are incomplete and inconsistent. In addition, finding and eliminating software flaws or weaknesses is not the same as determining true vulnerabilities. Further, significant cost reduction is possible if automated support for establishing the case for trust and assurance can be achieved.

The collection of evolving standards known as the OMG Software Assurance (SwA) Ecosystem is supported and endorsed by AFRL, NIST, SEI, OSD/NII, and the DHS Cyber Security Division, among others. The SwA Ecosystem defines several standard protocols that enable interoperability among tools, services, and security researchers in developing, exchanging, and using machine-readable content (e.g. vulnerability patterns, enumerations, rules) for the security assurance of existing software-based systems. This standards-based, plug-and-play framework integrates software analysis and data mining tools and facilitates a highly automated, fact-oriented approach to assurance by providing a traceability link between assurance claims and high-fidelity system facts that serve as evidence to justify those claims. This presentation will focus on the work funded by AFRL and OSD/NII to address the Vulnerability Path Assessment piece of the Ecosystem.

About the Speaker

Dr. Ben Calloni is a Lockheed Martin Fellow for Software Security and a Certified Information Systems Security Professional (CISSP). He is a senior research program manager at the Aeronautics Company in Fort Worth, assigned to the Advanced Development Programs, formerly known as “The Skunk Works”. His research interests are in the area of software security and safety assurance. He is partnered with the Air Force Research Labs, the National Security Agency, the Department of Defense Networks and Information Integration office, and several commercial off-the-shelf suppliers to provide international-standards-based, COTS-product-based, Multi-Level Security infrastructures applicable to Department of Defense weapon systems and to the Department of Homeland Security (DHS) as well.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.