Posted on 29-Dec-2015

Page 1: Software Security for Digital Ecosystems Stephen Strohmeier Connor Leonhardt

Software Security for Digital Ecosystems

Stephen Strohmeier, Connor Leonhardt

Page 2: Overview

1) Purpose
2) Current research
3) What is a digital ecosystem
4) A before and after look at penetration testing
5) Why does this need to be changed
6) How is it better
7) Conclusion

Page 3: Purpose

• Penetration testing in its current state is not ideal
• We want to revise it to be more robust and useful
• Make testing less generic
• More secure software
• Bugs and flaws can actually be fixed
• Using ideas from ecosystems to revise penetration testing

Page 4: Research

• Natural vs. Digital Ecosystem
  ◦ How can we apply what happens in nature to the digital world
• Health and resilience of an ecosystem
• Changes within the ecosystem
• Current penetration testing

Page 5: What is a Digital Ecosystem?

• An ecosystem is a biological system consisting of all the living organisms in an area and the nonliving components with which they interact
• Digital ecosystem is an emerging field of study, so it is still being defined
  ◦ It can be thought of in terms of a natural ecosystem.

Page 6: Current Penetration Testing

• It is performed at the end of the SDLC
• Often given back to the software development teams
• Outside → In approach
• “Pretend Security”

Page 7: Why should this be changed?

• Motivate individuals to find flaws
• Testing is limited by time constraints
• Fixes are expensive, resulting in “Band-Aid” fixes instead of cures
  ◦ i.e. adjusting the firewall ruleset
• So the software is more secure

Page 8: Revised Penetration Testing

• “War game” style testing
  ◦ Predator/prey
  ◦ Competition between developer and security teams
• Performed throughout the SDLC
• Test more than once

Page 9: How is it better?

• Security and development teams work together to properly test products
• Actual fixes can be performed
• Fixes are cheaper
• Not limited by time

Page 10: Conclusion

• Penetration testing needs to be more robust and useful
• The current state of testing is full of problems
• Our revision is a step in the right direction to where testing needs to be

Page 11: Questions?