Software systems are replete with bugs and exploitable vulnerabilities. Eliminating such bugs or reducing the harm that could result is a complex, multi-faceted problem for a large variety of software systems (cloud, IoT, etc.). One recent development in the security research community offers some ways to help balance the risk inherent in building complex software systems. To quote from http://langsec.org/bof-handout.pdf: ...more »
Open Ideation Forum
A Trusted Cyber Future:
Protecting Privacy, Commerce, and Community
What are your ideas for how we can work together to establish an underlying digital infrastructure that will be self-detecting, self-protecting, and self-healing? How should we work toward a future where users will trust that information is protected, illegal use is deterred, and privacy is not compromised?
HOW TO SUBMIT YOUR IDEAS!
Consider your thoughts on the following questions to help frame your ideas. To post your ideas, just click the “Submit New Idea” button at the top of the screen (on the right!).
- Is a shift needed in the way the government approaches cyber research?
- What will be the most pertinent cyber concerns of the next five years?
- As the Internet of Things (IoT) ecosystem grows, how do we protect and secure the supporting cyber infrastructure?
- How can the government and the research community maximize the impact of cyber research?
- What areas should cybersecurity research focus on over the next five years?
- What needs to be done to accelerate the transition of cybersecurity solutions into the marketplace?
- What will be the biggest key to improving cybersecurity over the next five years?
If you have any questions, send us an email.
One of the driving factors in cyber risk is that software/systems vendors rush new capabilities to market without considering or sufficiently addressing the cyber risk posed by such capabilities. This is most often done in the name of convenience or consumer demand. One only need look at all the mobile apps, wearable compute devices, and embedded medical devices (not to mention, automobiles) to see examples of this practice. ...more »
DHS is funding SWAMP to provide a set of free-to-use software assurance tools to aid in vulnerability discovery. This is a great start, but isn't sufficient to secure our nation's cyber future. It is completely possible to take secure components and assemble them in a way that creates new vulnerabilities -- this is known as the composition problem. What ideas might folks have for creating system design assurance tools ...more »
The Internet of Things (IoT) presents huge opportunities in every aspect of our daily lives. Therefore, establishing a trusted cyber future is contingent upon how the IoT ecosystem is secured. What are your ideas on how technology innovators, industry, and the public can work together to secure IoT in the areas of design, production, installation, operations and maintenance, and/or disposal?
Security is all about controlling and managing access. System and product evaluations need to include a complete list of accesses, controls, and partially or completely unaddressed risks. Tools and processes could be developed for each phase of a development process that helps to enumerate all access points, identifies protections, questions assumptions and abstractions, and results in a better understanding of risks. ...more »
Software execution in current production environments has limited auditability and accountability, which leads to difficulties in cyber attack detection, forensics, and recovery. Production applications for mission-critical enterprises typically generate coarse-grained, high-level logs, such as web proxy log, mail server log, and file access log. Such log data, while useful in access auditing and anomaly detection, do ...more »
An increasing number of organizations are migrating their critical information technology services, from healthcare to business intelligence, into public cloud computing environments. However, even if cloud technologies are continuously evolving, they still have not reached a maturity level that allows them to provide users with high assurance about the security of their data beyond existent service level agreements (SLAs). ...more »
We will never stem the tide of vulnerabilities when we produce upwards of 40,000 new programmers every year and none of them have been instructed in the basics of writing secure applications.
The history of software architecture and design engineering has seen a variety of tools ranging from Computer-Aided Software Engineering (CASE) to heavy reliance on Commercial Off-The-Shelf (COTS) product configuration. In addition, Threat Modeling has been met with varying degrees of success in various phases of the Software Development Life Cycle (SDLC). Modeling tools in one phase of development may or may not be capable ...more »
In many ways cyber defenders are a lot like scientists but without the formal scientific methods and procedures. Consider the following definition of "science" from our favorite personal assistant Google. Science - the intellectual and practical activity encompassing the systematic study of the structure and behavior of the physical and natural world through observation and experiment. "The world of science and technology" ...more »
One of the largest challenges for real-time predictive systems is that private data is often a necessity, but modern analytics engines and tools have focused on performability, often at the expense of privacy. Work needs to be expanded for the private processing of large data sets, with a focus on allowing the use of untrusted components to support modern industrial practices of cloud computing and outsourcing. Building ...more »
The Cybersecurity community has traditionally coupled cyber security & privacy together under the 3 pillars of cyber security: confidentiality, integrity, and availability. This has been a convenient way of looking at data handling in a world of stove piped systems and where data was housed in a centralized location. However, the world has changed, and system boundaries are blurring. While there is certainly overlap, ...more »
We live in a world in which almost every computer and communication system has already experienced compromises or is potentially compromisible. We clearly need systems that are much more trustworthy, especially where security, privacy, and survivability are essential. At the same time, government agencies are seeking exceptional access to cryptographic keys or even access to plain text. Is it possible to satisfy the ...more »
A topic that has been increasingly critical involves the ability to build systems (and indeed systems of systems) by composing components and subsystems that have been carefully analyzed. Predictably trustworthy composition relates to requirements (which may interfere with one another), specifications, algorithms, implementations, and evaluations (formal or otherwise). This deserves some discussion in this forum. I ...more »