Software Security for Digital Ecosystems Stephen Strohmeier Connor Leonhardt.


Page 1

Software Security for Digital Ecosystems

Stephen Strohmeier, Connor Leonhardt

Page 2

Overview

1) Purpose
2) Current research
3) What is a digital ecosystem
4) A before and after look at penetration testing
5) Why does this need to be changed
6) How is it better
7) Conclusion

Page 3

Purpose

• Penetration testing in its current state is not ideal
• We want to revise it to be more robust and useful
• Make testing less generic
• More secure software
• Bugs and flaws can actually be fixed
• Using ideas from ecosystems to revise penetration testing

Page 4

Research

• Natural vs. Digital Ecosystem
  ◦ How can we apply what happens in nature to the digital world
• Health and resilience of an ecosystem
• Changes within the ecosystem
• Current penetration testing

Page 5

What is a Digital Ecosystem?

• An ecosystem is a biological system consisting of all the living organisms in an area and the nonliving components with which they interact
• Digital ecosystem is an emerging field of study, so it is still being defined
  ◦ It can be thought of in terms of a natural ecosystem.

Page 6

Current Penetration Testing

• It is performed at the end of the SDLC
• Often given back to the software development teams
• Outside → In approach
• “Pretend Security”

Page 7

Why should this be changed?

• Motivate individuals to find flaws
• Testing is limited by time constraints
• Fixes are expensive, resulting in “Band-Aid” fixes instead of cures
  ◦ i.e. adjusting the firewall ruleset
• So the software is more secure

Page 8

Revised Penetration Testing

• “War game” style testing
  ◦ Predator/prey
  ◦ Competition between developer and security teams
• Performed throughout the SDLC
• Test more than once

Page 9

How is it better?

• Security and development teams work together to properly test products
• Actual fixes can be performed
• Fixes are cheaper
• Not limited by time

Page 10

Conclusion

• Penetration testing needs to be more robust and useful
• The current state of testing is full of problems
• Our revision is a step in the right direction to where testing needs to be

Page 11

Questions?