Ben Calloni - Lockheed Martin
Students: Spring 2023, unless noted otherwise, sessions will be virtual on Zoom.
Vulnerability Path and Assessment
Feb 22, 2012Download: MP4 Video Size: 537.9MB
Watch on YouTube
AbstractUS Government, Department of Defense, and Enterprise computer systems must be trusted to protect data with varying levels of sensitivity / security. Affordability requirements are driving the need to incorporate many diverse commercial software products of unknown quality and pedigree into said systems. While there exist many Static Code Analysis products, the depth, rigor, and coverage of these tools is incomplete and inconsistent. In addition, finding and eliminating computer flaws or weaknesses is not the same as determining true vulnerabilities. Further there is significant cost reduction that can occur if automated support for establishing the case for trust and assurance can be achieved.
The collection of evolving standards known as the OMG Software Assurance (SwA) Ecosystem is supported and endorsed by AFRL, NIST, SEI, OSD/NII, and DHS Cyber Security Division among others. The SwA Ecosystem defines several standard protocols to enable interoperability for tools, services and security researchers in developing, exchanging and utilizing machine-readable content (e.g. vulnerability patterns, enumerations, rules) for security assurance of existing software based systems. This standard-based plug-and-play framework integrates software analysis and data mining tools and facilitates highly automated fact-oriented approach to assurance by providing traceability link between assurance claims and high-fidelity system facts as evidence to justify assurance claims. This presentation will focus on the work funded by AFRL and OSD/NII to addressing the Vulnerability Path Assessment piece of the Ecosystem.
About the Speaker
Dr. Ben Calloni is a Lockheed Martin Fellow for Software Security and a Certified Information Systems Security Professional (CISSP). He is a senior research program manager of Aeronautics Company in Fort Worth assigned to the Advanced Development Programs, formerly known as "The Skunk Works". His research interests are in the area of Software Security and Safety Assurance. He is partnered with Air Force Research Labs, the National Security Agency, and Department of Defense Networks and Information Integration office, and several commercial off the shelf suppliers, to provide international standards based, COTS product based, Multi Level Security infrastructures applicable for Department of Defense weapon systems and for the Department of Homeland Security (DHS) as well.