Research

New Paper in IEEE: Continuous Verification of Open Source Components in a World of Weak Links

I published a research paper[1] titled “Continuous Verification of Open Source Components in a World of Weak Links” available through IEEE.

The paper addresses security risks in open source software, noting that 99% of today’s software utilizes open source and that next-generation supply chain attacks have increased 430% in the last year. The work presents six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches. In the case studies, the controls identified high levels of risk immediately, even though the package in question is widely used and has over 7 million downloads a week.

Abstract:

We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizations. The widespread adoption of open source (99% of today’s software utilizes open source), the ease of today’s package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, or denying a service. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year, and there is not a good way to vet or monitor an open-source project prior to incorporating it. In this paper, we analyzed two case studies of compromised open source components. We propose six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches, such as analyzing community metrics and project hygiene using scorecards and monitoring the boundary of the software in production. In one case study, the controls identified high levels of risk immediately even though the package is widely used and has over 7 million downloads a week. In both case studies we found that the controls could have prevented malicious actions despite the project breaches.

Published on 16 Jan 2023 at 12:00AM

Dissertation Proposal Defended

Today I defended my dissertation proposal at the University of Colorado at Colorado Springs[1], where I am a Ph.D. candidate in the Computer Science Department[2]. Below is a snippet from my abstract.

We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizational security postures. The widespread adoption of open source (99% of today’s software utilizes open source)[3], the ease of today’s package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, denying a service, or destroying hardware, as we witnessed with Stuxnet[4]. These types of attacks show no sign of slowing down. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year[5].

Published on 10 Nov 2020 at 12:00AM

My Top 5 Research Tools for Computer Science

I’ve spent the last four years in graduate school and I’ve learned about some interesting tools for research and wanted to share. Many of these would have come in handy for my undergrad program as well.

  1. Zotero[1]
    Zotero provides an easy way to manage bibliographies and includes easy export to BibTeX. It really is a great research assistant.
  2. Overleaf[2]
    Overleaf is a great tool for working with LaTeX. It provides a web-based editor for individuals or teams to work on documents. Overleaf also provides export capabilities to GitHub for team collaboration.
  3. GitHub[3]
    GitHub provides Git repositories for team collaboration. Microsoft just announced that GitHub will allow unlimited private repos for free.
  4. Student Developer Pack[4]
    The student developer pack from GitHub provides tons of goodies from companies like Amazon Web Services, Datadog, DigitalOcean and others.
  5. Google Scholar[5]
    Last but definitely not least… Google Scholar provides great resources for researchers. Everything from research papers to H-index and conference rankings. Google Scholar has it all.

Published on 13 Jan 2019 at 12:00AM

Cost of Securing IEEE 802.11s Mesh Networks Using CJDNS

Abstract - The Internet is weak, it is broken, and we are not doing anything to fix it. The Internet can be affected by natural disasters, wars, governments, and surveillance. It is running out of address space, and the internet service providers are not incentivized to fix it. Mesh networks, using the IEEE standard 802.11s, may one day provide a more robust and resilient infrastructure. Although mesh networking is not a new idea or a new concept, wireless mesh networking is stripping away previous barriers to entry. IEEE 802.11s makes mesh networks a reality for users who otherwise would never have been able to set up such a distributed network. Applications like cjdns are making it easier than ever to create secure wireless mesh networks among communities. This paper looks at the system costs associated with using cjdns. How much performance are we willing to sacrifice for ease of use and security?

Full Paper: Cost of Securing IEEE 802.11s Mesh Networks Using CJDNS[1]

Published on 10 May 2017 at 12:00AM