Thursday, September 21, 2023
HomeSoftware EngineeringRust, DevSecOps, AI, and Penetration Testing

Rust, DevSecOps, AI, and Penetration Testing


As a part of an ongoing effort to maintain you knowledgeable about our newest work, this weblog put up summarizes some latest publications from the SEI within the areas of provide chain assaults, penetration testing, model-based design for cyber-physical programs, Rust, the unified extensible firmware interface (UEFI), DevSecOps, community movement information, and synthetic intelligence. These publications spotlight the newest work of SEI technologists in these areas. This put up features a itemizing of every publication, creator(s), and hyperlinks the place they are often accessed on the SEI web site.

Figuring out and Stopping the Subsequent Photo voltaic Winds
by Greg Touhill

On this SEI podcast, Gregory J. Touhill, director of the SEI CERT Division, talks with principal researcher Suzanne Miller concerning the 2020 assault on Photo voltaic Winds software program and the best way to forestall a recurrence of one other main assault on key programs which might be in widespread use. Photo voltaic Winds is the title of an organization that offered software program to the U.S. federal authorities. In late 2020, information surfaced a few cyberattack that had already been underway for a number of months and that had reportedly compromised 250 authorities businesses, together with the Treasury Division, the State Division, and nuclear analysis labs. Along with compromising information, the assault resulted in monetary losses of greater than $90 million and was in all probability one of the vital harmful fashionable assaults on software program and software-based companies and authorities businesses within the latest previous. The SolarWinds incident demonstrated the challenges of securing programs when they’re the product of complicated provide chains. On this podcast, Touhill discusses matters together with the necessity for programs to be safe by design and safe by default, the significance of transparency within the reporting of vulnerabilities and anomalous system conduct, the CERT Acquisition Safety Framework, the necessity to safe information throughout a variety of disparate gadgets and programs, and ways and techniques for people and organizations to safeguard their information and the programs they depend on each day.
View the podcast.

A Penetration Testing Findings Repository
by Marisa Milder and Samantha Chaves

On this podcast, the SEI CERT Division’s Marisa Midler and Samantha Chaves, a cybersecurity engineer and penetration tester, respectively, speak with principal researcher Suzanne Miller about an open-source penetration testing findings repository that they created. The repository is a supply of knowledge for lively listing, phishing, cellular expertise, programs and providers, internet functions, and mobile-technology and wireless-technology weaknesses that might be found throughout a penetration check. The repository is meant to assist assessors present experiences to organizations utilizing standardized language and standardized names for findings, and to save lots of assessors time on report era by having descriptions, commonplace remediations, and different sources accessible within the repository for his or her use.

The repository is presently an open-source doc hosted on the Cybersecurity and Infrastructure Safety Company (CISA) GitHub web site at https://github.com/cisagov/pen-testing-findings.
View the podcast.

You Can’t Watch for ROI to Justify Mannequin-Primarily based Design and Evaluation for Cyber Bodily Techniques’ Embedded Computing Assets
by Alfred Schenker and Jerome Hugues

The sensible, pragmatic advantages of constructing early architectural fashions of the embedded computing sources for cyber-physical programs (CPS) have been documented and demonstrated. Nonetheless, the speed of adoption of this observe by the contractor group has been gradual. Empirically, now we have noticed skepticism with respect to the elevated price of constructing these fashions, as being of ample worth to justify their expense. This paper elaborates the the explanation why utilizing conventional strategies, corresponding to return on funding (ROI), to justify the elevated expense (of constructing and sustaining these digital fashions) is insufficient. Alternate methods to quantify and rationalize the advantages are mentioned, however in the end the choice to undertake could require a leap of religion.

We start by describing the issue area and developments within the design and implementation of the embedded computing sources for CPS. We talk about the proposed course of change we search: utilizing model-based strategies to cut back integration and check threat. We talk about the potential results of that change on CPS, in addition to our ideas on ROI and the problems that may come up when utilizing ROI. Lastly, we advocate how organizations can transfer ahead with a model-based strategy within the absence of stable ROI information.
Learn the convention paper.

Securing UEFI: An Underpinning Expertise for Computing
by Vijay S. Sarvepalli

Most fashionable computer systems have firmware based mostly on a normal often called the Unified Extensible Firmware Interface (UEFI). A typical UEFI-based firmware consists of software program parts from a number of suppliers, code from open-source initiatives, and parts from an authentic gear producer, corresponding to a laptop computer producer. The software program parts are primarily written in low-level programming languages like C that facilitate direct entry to the {hardware} and bodily reminiscence. These software program parts require high-privilege entry to the central processing unit. The Chain of Belief mannequin within the UEFI commonplace is designed to allow safe cryptographic verification of those parts, establishing assurances that solely trusted software program is executed throughout the early boot cycle. However after the boot cycle is full, UEFI nonetheless gives an interface to the working system to allow configuration adjustments or software program updates to the firmware. In contrast to the working system, UEFI software program stays invisible to most of us, regardless of its crucial function within the functioning of a contemporary system. Due to its criticality and invisibility, vulnerabilities in UEFI-related software program appeal to attackers and pose excessive dangers to system safety. This paper highlights the technical efforts to safe the UEFI-based firmware that serves as a foundational piece of contemporary computing environments.
Learn the white paper.
Learn the SEI Weblog put up: UEFI: 5 Suggestions for Securing and Restoring Belief.

Understanding Vulnerability Evaluation within the Rust Programming Language
by David Svoboda and Garret Wassermann

Whereas the reminiscence security and safety features of the Rust programming language might be efficient in lots of conditions, Rust’s compiler may be very specific on what constitutes good software program design practices. At any time when design assumptions disagree with real-world information and assumptions, there may be the potential of safety vulnerabilities–and malicious software program that may benefit from these vulnerabilities. On this podcast, David Svoboda and Garret Wassermann, researchers with the SEI’s CERT Division, discover instruments for understanding vulnerabilities in Rust whether or not the unique supply code is offered or not. These instruments are essential for understanding malicious software program the place supply code is usually unavailable, in addition to commenting on potential instructions through which instruments and automatic code evaluation can enhance.
View the podcast.

High 5 Challenges to Overcome on Your DevSecOps Journey
by Hasan Yasar and Joseph D. Yankel

Traditionally, quite a lot of dialogue in software program safety centered on the mission stage, emphasizing code scanning, penetration testing, reactive approaches for incident response, and so forth. At present, the dialogue has shifted to this system stage to align with enterprise goals. Within the perfect final result of such a shift, software program groups would act in alignment with enterprise objectives, organizational threat, and answer structure and would perceive that safety practices are integral to enterprise success. Nonetheless, the shift from project- to program-level considering brings numerous challenges. On this webcast, Hasan Yasar and Joe Yankel talk about the highest 5 challenges and limitations to implementing DevSecOps practices and describe some options for overcoming them.
View the webcast.
Learn the SEI Weblog put up 5 Challenges to Implementing DevSecOps and Find out how to Overcome Them.

Enhancing Analytics Utilizing Enriched Community Movement Information
by Timothy J. Shimeall and Katherine Prevost

Traditional software suites which might be used to course of community movement information cope with very restricted element on the community connections they summarize. These instruments restrict element for a number of causes: (1) to keep up long-baseline information, (2) to give attention to security-indicative information fields, and (3) to assist information assortment throughout massive or complicated infrastructures. Nonetheless, a consequence of this restricted element is that evaluation outcomes based mostly on this information present details about indications of conduct reasonably than info that precisely identifies conduct with excessive confidence. On this webcast, Tim Shimeall and Katherine Prevost talk about the best way to use IPFIX-formatted information with element derived from deep packet inspection (DPI) to supply elevated confidence in figuring out conduct.

What attendees will be taught:

  • trade-offs concerned in accumulating varied ranges of detailed community information
  • an instance of research exhibiting the applying of DPI in figuring out community behaviors
  • the worth of working in information evaluation environments, leveraging the ability of such processing environments, and the supply of language options and libraries that facilitate evaluation

View the webcast.

Throughout this webcast, Mike Mattarock, technical director for mission and engagement within the SEI’s AI Division, discusses a few of the main high quality attributes guiding design, and the way a subsequent era structure can facilitate an built-in future state.

As synthetic intelligence permeates mission-critical capabilities, it’s paramount to design modular options to make sure speedy evolution and interoperability. Throughout this webcast, we talk about a few of the main high quality attributes guiding such design, and the way a subsequent era structure can facilitate an built-in future state.

What attendees will be taught:

  • present challenges going through AI engineering
  • approaches to selling interoperability throughout AI options
  • issues for facilitating modularity and reuse in design

View the webcast.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments