Abstract - Automated software checking for security is a challenging problem with a remarkable impact. Most solutions are hindered by the practical difficulty of reducing false positives without compromising analysis quality. In this talk, I will share my experiences with building high-precision tools and methodologies for software security checking (i.e., detecting software non-compliance and vulnerabilities). In the first part, I will present my work on building robust methodologies to evaluate the payment card industry (PCI) data security standard (DSS) certification process for e-commerce websites. Our study confirms that 86% of the websites have at least one PCI DSS violation that should have disqualified them as non-compliant. In the second part, I will talk about our solution for high-precision (98.61%) detection of cryptographic API misuse vulnerabilities in massive-sized (e.g., millions of LoC) programs. Oracle has implemented this in its internal code analysis platform, Parfait, and found new issues that were previously unknown. I will also share my insights on secure coding in light of our findings in several high-profile open-source projects.
About the candidate - Sazzadur Rahaman is a Ph.D. candidate in the department of computer science at Virginia Tech. His research focus is to minimize the gap between the theory and the practice of software security. Sazzadur's work has been published in top-tier security conferences (e.g., ACM CCS, PETS) and journals (e.g., TDSC). In recognition of his work, he received several fellowships (Bitshare fellowship and Pratt fellowship) at Virginia Tech. Prior to joining Virginia Tech, he worked as a software engineer. He has 3.5+ years of industry experience in building health care, payment, and financial technology solutions. He received his B.Sc. in computer science at Bangladesh University of Engineering and Technology (BUET). Sazzadur is also among the top 7% of users on StackOverflow, with 6000 reputation from 200+ posts.