Software Engineering

Rust, DevSecOps, AI, and Penetration Testing


As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recent publications from the SEI in the areas of supply chain attacks, penetration testing, model-based design for cyber-physical systems, Rust, the unified extensible firmware interface (UEFI), DevSecOps, network flow data, and artificial intelligence. These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

Identifying and Preventing the Next Solar Winds
by Greg Touhill

In this SEI podcast, Gregory J. Touhill, director of the SEI CERT Division, talks with principal researcher Suzanne Miller about the 2020 attack on Solar Winds software and how to prevent a recurrence of another major attack on key systems that are in widespread use. Solar Winds is the name of a company that provided software to the U.S. federal government. In late 2020, news surfaced about a cyberattack that had already been underway for several months and that had reportedly compromised 250 government agencies, including the Treasury Department, the State Department, and nuclear research labs. In addition to compromising data, the attack resulted in financial losses of more than $90 million and was probably one of the most dangerous modern attacks on software and software-based businesses and government agencies in the recent past. The SolarWinds incident demonstrated the challenges of securing systems when they are the product of complex supply chains. In this podcast, Touhill discusses topics including the need for systems to be secure by design and secure by default, the importance of transparency in the reporting of vulnerabilities and anomalous system behavior, the CERT Acquisition Security Framework, the need to secure data across a wide range of disparate devices and systems, and tactics and strategies for individuals and organizations to safeguard their data and the systems they rely on daily.
View the podcast.

A Penetration Testing Findings Repository
by Marisa Milder and Samantha Chaves

In this podcast, the SEI CERT Division’s Marisa Midler and Samantha Chaves, a cybersecurity engineer and penetration tester, respectively, talk with principal researcher Suzanne Miller about an open-source penetration testing findings repository that they created. The repository is a source of information for active directory, phishing, mobile technology, systems and services, web applications, and mobile-technology and wireless-technology weaknesses that could be discovered during a penetration test. The repository is intended to help assessors provide reports to organizations using standardized language and standardized names for findings, and to save assessors time on report generation by having descriptions, standard remediations, and other resources available in the repository for their use.

The repository is currently an open-source document hosted on the Cybersecurity and Infrastructure Security Agency (CISA) GitHub website at https://github.com/cisagov/pen-testing-findings.
View the podcast.

You Can’t Wait for ROI to Justify Model-Based Design and Analysis for Cyber Physical Systems’ Embedded Computing Resources
by Alfred Schenker and Jerome Hugues

The practical, pragmatic benefits of building early architectural models of the embedded computing resources for cyber-physical systems (CPS) have been documented and demonstrated. However, the rate of adoption of this practice by the contractor community has been slow. Empirically, we have observed skepticism with respect to the increased cost of building these models, as being of sufficient value to justify their expense. This paper elaborates the reasons why using traditional methods, such as return on investment (ROI), to justify the increased expense (of building and maintaining these virtual models) is inadequate. Alternate ways to quantify and rationalize the benefits are discussed, but ultimately the decision to adopt may require a leap of faith.

We begin by describing the problem space and advancements in the design and implementation of the embedded computing resources for CPS. We discuss the proposed process change we seek: using model-based methods to reduce integration and test risk. We discuss the potential effects of that change on CPS, as well as our thoughts on ROI and the issues that can arise when using ROI. Finally, we recommend how organizations can move forward with a model-based approach in the absence of solid ROI data.
Read the conference paper.

Securing UEFI: An Underpinning Technology for Computing
by Vijay S. Sarvepalli

Most modern computers have firmware based on a standard known as the Unified Extensible Firmware Interface (UEFI). A typical UEFI-based firmware is composed of software components from several suppliers, code from open-source projects, and components from an original equipment manufacturer, such as a laptop manufacturer. The software components are primarily written in low-level programming languages like C that facilitate direct access to the hardware and physical memory. These software components require high-privilege access to the central processing unit. The Chain of Trust model in the UEFI standard is designed to enable secure cryptographic verification of these components, establishing assurances that only trusted software is executed during the early boot cycle. But after the boot cycle is complete, UEFI still provides an interface to the operating system to enable configuration changes or software updates to the firmware. Unlike the operating system, UEFI software remains invisible to most of us, despite its critical role in the functioning of a modern system. Because of its criticality and invisibility, vulnerabilities in UEFI-related software attract attackers and pose high risks to system security. This paper highlights the technical efforts to secure the UEFI-based firmware that serves as a foundational piece of modern computing environments.
Read the white paper.
Read the SEI Blog post: UEFI: 5 Recommendations for Securing and Restoring Trust.

Understanding Vulnerability Analysis in the Rust Programming Language
by David Svoboda and Garret Wassermann

While the memory safety and security features of the Rust programming language can be effective in many situations, Rust’s compiler is very particular on what constitutes good software design practices. Whenever design assumptions disagree with real-world data and assumptions, there is the possibility of security vulnerabilities–and malicious software that can take advantage of those vulnerabilities. In this podcast, David Svoboda and Garret Wassermann, researchers with the SEI’s CERT Division, explore tools for understanding vulnerabilities in Rust whether the original source code is available or not. These tools are important for understanding malicious software where source code is often unavailable, as well as commenting on possible directions in which tools and automated code analysis can improve.
View the podcast.

Top 5 Challenges to Overcome on Your DevSecOps Journey
by Hasan Yasar and Joseph D. Yankel

Historically, a lot of discussion in software security focused on the project level, emphasizing code scanning, penetration testing, reactive approaches for incident response, and so on. Today, the discussion has shifted to the program level to align with business objectives. In the ideal outcome of such a shift, software teams would act in alignment with business goals, organizational risk, and solution architecture and would understand that security practices are integral to business success. However, the shift from project- to program-level thinking brings lots of challenges. In this webcast, Hasan Yasar and Joe Yankel discuss the top 5 challenges and barriers to implementing DevSecOps practices and describe some solutions for overcoming them.
View the webcast.
Read the SEI Blog post 5 Challenges to Implementing DevSecOps and How to Overcome Them.

Improving Analytics Using Enriched Network Flow Data
by Timothy J. Shimeall and Katherine Prevost

Classic tool suites that are used to process network flow records deal with very limited detail on the network connections they summarize. These tools limit detail for several reasons: (1) to maintain long-baseline data, (2) to focus on security-indicative data fields, and (3) to support data collection across large or complex infrastructures. However, a consequence of this limited detail is that analysis results based on this data provide information about indications of behavior rather than information that accurately identifies behavior with high confidence. In this webcast, Tim Shimeall and Katherine Prevost discuss how to use IPFIX-formatted data with detail derived from deep packet inspection (DPI) to provide increased confidence in identifying behavior.

What attendees will learn:

  • trade-offs involved in collecting various levels of detailed network data
  • an example of analysis showing the application of DPI in identifying network behaviors
  • the value of working in data analysis environments, leveraging the power of such processing environments, and the availability of language features and libraries that facilitate analysis

View the webcast.

During this webcast, Mike Mattarock, technical director for mission and engagement in the SEI’s AI Division, discusses some of the primary quality attributes guiding design, and how a next generation architecture can facilitate an integrated future state.

As artificial intelligence permeates mission-critical capabilities, it is paramount to design modular solutions to ensure rapid evolution and interoperability. During this webcast, we discuss some of the primary quality attributes guiding such design, and how a next generation architecture can facilitate an integrated future state.

What attendees will learn:

  • current challenges facing AI engineering
  • approaches to promoting interoperability across AI solutions
  • considerations for facilitating modularity and reuse in design

View the webcast.