Can We Make Real World Software More Secure?

Date and time: Monday, February 6, 2017 - 16:00
220 Deschutes
Elisa Heymann
University of Wisconsin and Autonomous University of Barcelona
  • Joseph Sventek


Security is crucial to the software that we all develop and use. With the incredible growth of web, cloud, and mobile services, security is becoming even more critical. Typical security practices, such as securing your network and using software assurance tools -- tools that scan the source or binary code of a program to find weaknesses -- are your first line of defense, but they are not enough.

Every service that you deploy is a window into your data center from the outside world, and a window that could be exploited by an attacker. These issues become even more pressing for critical infrastructure, such as systems that support energy or transportation services.

To assess in depth the security of a software project, I will present our First Principle Vulnerability Assessment (FPVA) methodology, which is aimed at finding vulnerabilities affecting the most critical parts of a system, the high value assets. Security is, among other things, an economic process, so we must be able to focus our time and attention on the parts of the system that would produce the greatest impact if they were exploited.

I will share our experiences gained from performing vulnerability assessments of critical middleware. Although effective, FPVA is expensive, as it is mostly a manual, analyst-driven process. Part of our current research involves automating some of the steps of FPVA, and I will describe some of these efforts. Finally, I will talk about a pioneering project bringing in-depth software assessment to a new area of critical infrastructure, that of maritime container shipping.


Elisa Heymann is a Senior Scientist on the NSF Cybersecurity Center of Excellence at the University of Wisconsin, and an Associate Professor at the Autonomous University of Barcelona, where she has graduated six Ph.D. students. She co-directs the MIST software vulnerability assessment at the Autonomous University of Barcelona, Spain.

She was also in charge of the Grid/Cloud security group at the UAB, and participated in two major Grid European Projects: EGI-InSPIRE and European Middleware Initiative (EMI). Heymann's research interests include security and resource management for Grid and Cloud environments. Her research is supported by the NSF, Spanish government, the European Commission, and NATO.

Heymann has chaired security meetings at Shonan Meeting (Japan) and acted as a reviewer for the European Commission (FP6, FP7, and H2020) and various Spanish government funding agencies. She is a member of the Safe and Secure C Study Group of ISO WG14 (C Standards). Heymann, with her colleague, Prof. Miller, has taught tutorials around the world on software vulnerability assessment, secure coding, and software assurance tools.

Heymann was a Fulbright Scholar, and received her M.S. and Ph.D. degrees in Computer Science from the Autonomous University of Barcelona (Spain).