Software Security for Digital Ecosystems
TRANSCRIPT
Stephen Strohmeier, Connor Leonhardt
Overview
1) Purpose
2) Current research
3) What is a digital ecosystem
4) A before and after look at penetration testing
5) Why does this need to be changed
6) How is it better
7) Conclusion
Purpose
Penetration testing in its current state is not ideal
We want to revise it to be more robust and useful
Make testing less generic
More secure software
Bugs and flaws can actually be fixed
Using ideas from ecosystems to revise penetration testing
Research
Natural vs. Digital Ecosystem
◦ How can we apply what happens in nature to the digital world
Health and resilience of an ecosystem
Changes within the ecosystem
Current penetration testing
What is a Digital Ecosystem?
An ecosystem is a biological system consisting of all the living organisms in an area and the nonliving components with which they interact
Digital ecosystem is an emerging field of study, so it is still being defined
◦ It can be thought of in terms of a natural ecosystem.
Current Penetration Testing
It is performed at the end of the SDLC
Often given back to the software development teams
Outside → In approach
“Pretend Security”
Why should this be changed?
Motivate individuals to find flaws
Testing is limited by time constraints
Fixes are expensive, resulting in “Band-Aid” fixes instead of cures
◦ i.e. adjusting the firewall ruleset
So the software is more secure
Revised Penetration Testing
“War game” style testing
◦ Predator/prey
◦ Competition between developer and security teams
Performed throughout the SDLC
Test more than once
How is it better?
Security and development teams work together to properly test products
Actual fixes can be performed
Fixes are cheaper
Not limited by time
Conclusion
Penetration testing needs to be more robust and useful
The current state of testing is full of problems
Our revision is a step in the right direction to where testing needs to be
Questions?