Our new S&P paper Hardening Java’s Access Control by Abolishing Implicit Privilege Elevation is now available online. It is a follow-up work to our previous CCS’16 paper An In-Depth Study of More Than Ten Years of Java Exploitation. In this former paper we classified a large number of history Java exploits. In doing so, we found that the largest class of exploits was made possible by shortcuts in Java’s implementation of access control. In the S&P paper we now show that it is possible to go without those shortcuts, without any loss of performance. We also discuss the usability implications that this removal of shortcuts would have.
Steven, Siegfried and I have just completed our invited paper for MOBILESoft’17. The paper The Soot-based Toolchain For Analyzing Android Apps summarizes for the first time the Soot-based tool chain for analyzing Android apps that we have built up over the past years. We hope you will enjoy the read!
And if you attend ICSE, maybe consider attending MOBILESoft as well, and you will be able to attend my keynote talk.
The local television interviewed me today on Smart Home Security. You can watch the video here. Skip to about 9 minutes.
This year I am co-organizing Heise devSeC(), a new developer conference on secure software engineering. We welcome your submission by May 8th!
Over the past years, Soot has seen a larger and larger user base. It makes us happy that so many people find Soot useful, and we particularly enjoy also the help we have received in terms of feedback, bug reports, bug fixes or even newly contributed features. Thanks for giving back!
Early 2017 we plan to apply for government funding to aid the future development and maintenance of Soot.
Sounds great? Then please support us by filling out this little web form.
That way you can help us in two ways:
- By letting us know how we can improve Soot you can directly help us prioritize newly planned features.
- By stating your name and affiliation you help us showcasing Soot’s large user base.
We have now released the IT-security agenda which Thorsten Holz, Norbert Pohlmann, Matthew Smith and Jörg Hoffmann have proposed for our state of North-Rhine Westphalia. As one of the probably first major research endeavours worldwide it will put the humans into the focus of the IT-security research. The agenda is available for download here.
Harvester has scored 1st place at this year’s German IT-Sicherheitspreis! Every two years, the Horst Görtz Foundation awards EUR 200,000 to the three winners, with the first place being awarded EUR 100,000. More at Heise (in German)
Many thanks to the judges and the foundation! Harvester will is planned to be available soon as a plugin into our CodeInspect framework. We are further thinking of providing a command-line version to interested customers.
The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Hasan Yasar from the Software Engineering Institute (SEI), CMU opened the sessions with a keynote talk on the experience of SEI in integrating security to DevOps for its clients. He talked about on how DevOps principles were applied to develop secure applications, from idea to delivery of a completed application to production environment, also including operational support and incident response. He explained how to address application security concerns at early development lifecycle and how to address threats at different decisions point using integrated DevOps platforms. He emphasized the value of reference architecture, team collaboration, organization’s culture, considering security through development lifecycle, and continuous feedback.
The keynote was followed by a talk given by Vaishnavi Mohan, who discussed the aspects that SecDevOps authors have been discussing in the literature. Tosin Daniel Oyetoyan reported, in the second session, about his study on the relationships between software security skills, usage and training needs in Agile settings in two Norwegian companies. They observed that there is a positive linear relationship between the practice of security activities in software development projects and the skills and knowledge of the participating developers about software security. This suggests, if confirmed with more studies, that training developers on developing secure software leads to the production of secure software. Next Kalle Rindell gave an overview about the experience he has with his colleagues in building secure identity management system in an agile environment for the Finnish government. Lotfi ben Othmane discussed in the third talk the study they had on incremental security assurance for the e-commerce software, Zen Cart.
In the afternoon session Chad Heitzenrater discussed the application of economic utility functions within the negative use case development process to help development managers decide on the alternatives to mitigate the abuse cases. The presentation was followed by the talk of Daniela S. Cruzes, who reported about a study they performed to identify the factors that influence testing of nonfunctional requirements in agile teams, which are priority, culture, awareness, time pressure, cost, and technical issues.
The full ARES program, including the workshop program is available here
The second paper resulting from our collaboration with SAP on developing models for estimating the time to fix security issues is published by the Data Science and Engineering journal, Springer. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. The work shows that the time it takes to fix an issue seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. The models could be used to implement a continuous improvement of the secure software development processes and to measure the impact of individual improvements. The paper is published as open source and is available here.