
Secure Software by Design

This file contains presentations from the Secure Software by Design Conference (August 6-7, 2024, in Arlington, VA). 

Presentations Include:


Is Our World Secure Yet? Are We Even Close? An Update on CISA's Secure by Design Initiative, Kirk Lawerence (Keynote Presentation)

CISA has released the Secure By Design Pledge, published six Secure by Design Alerts and 11 Secure by Design blogs, and continues to advance Software Bill-of-Materials (SBOM) adoption across the USG and internationally, focusing on scaling and operationalizing SBOM tools to improve visibility into software products. We have also published an Open Source Software Security Roadmap that lays out our priorities for securing the open source software ecosystem, and worked to increase broad understanding of SbD principles in OS SW use and development. Are we secure? Where do these initiatives stand today and tomorrow?

Accelerating Application Refactoring: AI in DevSecOps, Joel Krooswyk

Application refactoring consumes enormous amounts of time. Will AI be the key that unlocks Secure by Design benefits for legacy code? Refactoring drives buzzword benefits such as modernization, optimization, cloud migration, and application scalability, but the time requirement and cost have often resulted in de-prioritization of refactoring work. In this session, we'll discuss how AI is helping teams refactor applications to become secure by design in substantially less time, while drastically reducing code base size, eliminating classes of vulnerabilities, increasing code scalability, and removing technical debt.

Sustainable IT Is Secure IT: Building a Resilient and Responsible Digital Future, Matt "Kelly" Williams

In the midst of rapid technological innovation and growing environmental issues, including sustainability in security processes is becoming increasingly important. This session examines the main reasons why sustainability is important to security, emphasizing the benefits of this integrated approach. We'll examine how sustainable practices improve security by enhancing resource efficiency, lowering operational costs, and strengthening IT infrastructures. Energy-efficient technology, optimized software, green data centers, and responsible electronic waste management not only help to protect the environment but also strengthen our defenses against cyber threats and operational disruptions.
Additionally, we will look at the role of sustainability in risk management and regulatory compliance. With a growing worldwide emphasis on environmental responsibility, adopting sustainable practices assists firms in mitigating legal risks and ensuring supply chain stability, which is crucial for sustaining robust security systems.  Real-world examples and case studies will demonstrate how organizations successfully incorporate sustainability into their security plans, resulting in increased public trust, innovation, and overall resilience. Attendees will gain practical insights into balancing these two imperatives in order to promote a secure and sustainable future.  Join us to learn why sustainability is more than simply a supplementary facet of security; it is a fundamental component that improves the dependability, efficiency, and integrity of our digital and physical environments.

Modern API Security (Alejandro Gomez) 

This will be a technical overview of the latest industry best practices and cutting edge research in the area of API security. We'll take a look at modern methods of authentication, encryption, access control and data integrity. Additional guidance is given on how APIs can be incorporated in a Zero-Trust environment and AI applications.

Managing Open Source Software Security in Your Organization, José Carlos Chávez

Widespread in contemporary enterprises, open source software (OSS) facilitates swift solution development by incorporating pre-built components crafted and managed by external developers. Although the utilization of OSS undeniably yields advantages, the detection of security vulnerabilities within these components can result in severe consequences. The expanding scale and intricacy of the OSS ecosystem pose specific challenges: How can one ensure the reliability of the OSS employed for business operations? How can security risks be mitigated in a DevOps environment that prioritizes speed? In this talk, we will describe lessons learned using OSS software in the core of an organization and explore best practices to make sure we can reliably use open-source software without compromising our security.

Building Secure Infrastructure: What Developers Need to Know, Mike McCabe

This talk will focus on teaching developers how to build secure infrastructure with Terraform by utilizing free and open-source tools. We'll cover the common uses of Terraform and how a malicious actor could abuse Terraform and even bypass security controls to execute unapproved code. We'll discuss ways development teams can harden their Terraform or other IaC pipelines to ensure that infrastructure is secure.
The talk will focus on research done on Terraform implementations and ways to harden deployments. The talk will cover how Terraform works, how common Terraform security controls are applied, and multiple ways to bypass them and gain further access to environments.


Intelligent and Predictive Failover: The Race Against Errors by Marching Towards Resiliency, Teja Swaroop Mylavarapu

Today, we all live in Interconnected Systems where one Service has multiple dependencies on other Services. Any downtime on these downstream Services/endpoints impacts the Upstream Services, causing severe Customer impact. Intelligent and Predictive Failover is a solution/mechanism that identifies errors and failures even before the actual Customer request. It intelligently Clusters the Services and applies Proactive Monitoring with failover predictability. I will be talking about Intelligent tracking of anomalies & health checks with Threshold triggering alarms, latency-based region detection with traffic failover & failback. The focus will be on how to predict failures and reduce customer impact and improvise on previous patterns. I will deep dive on Infrastructure, Resiliency with Predictive failover mechanism, Intelligent Monitoring, Anomaly detection, Auto failover & failback Mechanisms & explain scenarios with Chaos Engineering. This talk will leverage AWS to explain the idea & can be applied to any Cloud Technologies for implementation. This is a patent pending idea with USPTO.

How I Learned to Stop Worrying and Love the Quantumpocalypse, Adam Firestone

Like other modern, geographically distributed organizations, software development teams rely on the ability to move information seamlessly and reliably across the internet, including specifications, documentation, and code. Inherent to this is the expectation that online communications will be confidential between the parties, that the parties can trust that the information hasn't been tampered with, and that it is authentic relative to senders and receivers.

To date, this expectation has been guaranteed by protocols reliant on classical asymmetric cryptographic algorithms. However, it is anticipated that within five years quantum computers of sufficient power to break these algorithms will be available. As a result, the security fabric underpinning distributed and collaborative software development will be rendered obsolete, giving attackers the ability to intercept software while it is in development, and, potentially worse, change code to permit malicious exploitation, all without legitimate parties' awareness.
This session discusses the elements of quantum computing and classical computing that create the emerging threat to secure software development, the current state of cryptography, and achievable, readily implementable solution paths to secure the software development ecosystem.

Automated Repair of Static Analysis Alerts, David Svoboda

Static analysis (SA) tools analyze source code for security defects and alert users to issues requiring repair. Unfortunately, there are often too many SA alerts to audit or repair them all manually. In this project we automatically repair 80% or more of each type of SA alert in a way that both preserves soundness and makes the alert disappear when the code is reanalyzed. We are testing the efficacy of our tool by repairing 3 categories of alerts and evaluating the tool's performance repairing several OSS code bases.

Good vs. Evil: AI Attack Mitigation Strategies, Steve McGeown

Bad actors are more powerful now than ever before. Armed with AI-based technologies, unlimited compute power, encryption, password guessing tools, and substantial human and financial resources, they pursue their targets with a sophistication and persistence that organizations worldwide are struggling to combat. How do you fight an invisible enemy that hides behind untraceable IP addresses, is based in countries on the other side of the world, and is seemingly unreachable due to the lack of internationally adopted legal protections? This session dives into five proven risk mitigation strategies to fight back against the criminals that are infiltrating our companies, stealing personal information, holding systems hostage, siphoning money, and more, all for personal gain, while putting property and lives at risk.

The Emerging Technology of Software Behavior Computation for Security and Correctness (Rick Linger)
In today's world, large-scale software systems of astonishing complexity have permeated society on a global scale. At the same time, software engineering is experiencing disruptive forces, including AI-generated software, AI-based autonomous systems, assembly of systems from components, fast development cycles, and escalating consequences of functional and security failures.
These disruptions reinforce the need for fast and precise derivation of the complete behavior of software for intellectual control across the life cycle. Traditional testing and analysis cannot provide this capability. However, a new technology is emerging that can address this need: Automated computation of software behavior for verification of functional correctness and security properties. These mathematics-based computations can reveal the full domain-to-range behavior of programs, produce as-built specifications in a standard canonical form, subsume all test cases, and support verification of both human- and AI-generated software. It is well-understood that faulty software cannot be secure, and that testing can show the presence of faults but not their absence. Behavior computation can reveal faults, vulnerabilities, and malicious functionality that testing can miss. 
This presentation introduces behavior computation technology for software that is correct and secure by construction.  

A Developer's Guide to Making a Deal with Security, Larry Maccherone

There is the way development really functions and there is the way security believes development functions. In most organizations, the two don't match. The speaker details an enlightening guide - tried and tested with scaling security in 600 dev teams - that security can use to make a deal with engineering so the two functions can align more closely. You will hear thoughts on what true Developer-First Security could look like; what practices and tools provide better risk reductions; how productivity doesn't need to be hampered by security; and how security can be scaled in engineering terms.

Microservices and API Risks and Mitigations, McKinley Sconiers-Hasan

APIs (Application Programming Interfaces) are a common attack vector. The connective nature of APIs means that they are meant to be exposed to users, third parties, or other entities for usage which often makes them a prime target for malicious activity. And with the usage of APIs rising along with microservice architectures in enterprise networks over the past decade, it is important to be aware of the common API risks and vulnerabilities. This session will explain why the rise of microservices architectures impacts API design and usage, define some common API risks and vulnerabilities, and provide recommendations on how to help mitigate them.

The Call Is Coming from Inside the House: API Abuse by Authenticated Users, Amir Sharif

Modern cloud-based applications face significant threats from Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).  These vulnerabilities emerge from inadequately tested and undocumented APIs, which are primarily designed for frontend frameworks to manage state synchronization between client devices and application servers.
Attackers exploit these vulnerabilities by reverse-engineering these APIs and manipulating data payloads. This process enables them to uncover authorization flaws, permitting them to use legitimate credentials to access privileged information from unrelated accounts.
Currently, the challenge is exacerbated by AI-driven 'agents.' These programs autonomously interact with applications on users' behalf, increasing the potential for BOLA/BFLA exploitation.


Using LLMs to Adjudicate Static-Analysis Alerts, Lori Flynn and Will Klieber

Software analysts use static analysis as a standard method to evaluate the source code for potential vulnerabilities, but the volume of findings is often too large to review in their entirety. Large Language Models (LLMs) are a new technology that show promising initial results for automation of alert adjudication and rationales. This has the potential to enable more secure code, support mission effectiveness, and reduce support costs. This paper discusses techniques for using LLMs to handle static analysis output, initial tooling we developed and our experimental results, related work by others, and additional work needed.



Contract Programming: Formalizing APIs, Alex Vesy 

This presentation covers the topic of API contracts and addresses the question of how APIs can be written more formally. The presentation provides an overview of what a contract is, the theoretical underpinnings, and implications for usability and security of APIs. Practical examples of API contracts and enabling technologies are introduced.

Protecting APIs with Zero Trust Overlay Mesh Networks, Clint Dovholuk

Protecting APIs from cyber threats and attacks is critical. A cutting-edge approach to a robust security solution is embedding the principles of zero trust networking directly into your application, making your app immediately secure by design. This approach embeds key principles of zero trust: end-to-end encryption, continual authorization, authorize before connect, and least-privilege access directly into your application. It also allows connectivity for any use case, without the need to open holes in your firewalls.
Adopting a zero trust overlay is the next evolution of security; moving beyond TLS and mTLS into a zero-trust-enabled architecture is the future. This presentation will feature code written in Go and CLI commands to demonstrate how to configure an overlay mesh using open source tools.
 
Meeting Challenges of Software Assurance and Supply Chain Risk Management, Carol Woody

Systems today are primarily assemblies of reused components, many of which are Open-Source software. The reuse of software has enabled faster fielding of systems since common components, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit them in products that have broad use, especially Open Source. How should an organization make appropriate trade-off choices among cost, schedule, and cybersecurity?

The Software Engineering Institute (SEI) has explored many aspects of software measurement. Over the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and how those measurement results affect the product's cybersecurity. It is insufficient to measure only operational code, its vulnerabilities, and the attendant risk of successful hacks. Relying on the assumption that many eyeballs looking at the software ensures better security is of little value without an understanding of what was analyzed and how knowledgeable were those performing the analysis.


