Vendors who wish to provide software or services to large corporations and governments must often obtain numerous certificates of compliance. Each certificate asserts that the software satisfies a compliance regime, like SOC or the PCI DSS, to protect the privacy and security of sensitive data. Manual compliance audits of source code (the industry standard) are expensive, error-prone, partial, and prone to regressions.
We propose \emph{continuous compliance} to guarantee that the codebase stays compliant on each code change using lightweight verification tools. Continuous compliance increases assurance and reduces cost in the domain of source-code compliance.
We evaluated continuous compliance by building and deploying verification tools for five common audit controls related to data security: cryptographically unsafe algorithms must not be used, keys must be at least 256 bits long, credentials must not be hard-coded into program text, HTTPS must always be used instead of HTTP, and cloud data stores must not be world-readable. We report on our experience deploying these verification tools at a large company, where they are integrated into the compliance process (including auditors accepting their output as evidence) and have been run on over 68 million lines of code. We open-sourced our tools and applied them to over 5 million lines of open-source software. Compared to other publicly-available tools for detecting misuses of encryption, only ours are suitable for continuous compliance.
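As an added illustration of what "lightweight verification on each code change" can look like for the five controls named above (this is example code, not the paper's tools, which are not described on this page): a line-level pattern scanner that runs offline on a constructed Java-like sample and returns structured findings a CI job can gate on. Pattern matching of this kind is far cruder than a real verifier (it misses anything assembled across lines, through variables, or by reflection), and the algorithm list, regular expressions, ACL strings and sample source are all assumptions chosen for the demonstration.

```python
"""Minimal continuous-compliance gate (added example, not the paper's tools).

Scans source text for the five controls from the abstract and returns findings;
a CI step fails the change when any finding is present.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Callable, Optional

MIN_KEY_BITS = 256  # control 2: keys must be at least 256 bits long


@dataclass(frozen=True)
class Finding:
    control: str   # which audit control the line violates
    line: int      # 1-based line number in the scanned text
    snippet: str   # the offending source line, stripped


# Control 1: unsafe algorithms requested from a JCA-style getInstance().
# The list is illustrative, not a complete policy.
UNSAFE_ALGORITHM = re.compile(
    r'getInstance\(\s*"(DES|3DES|RC4|ARCFOUR|MD5|SHA-?1|Blowfish)(?:/[^"]*)?"', re.IGNORECASE
)
# Control 2: literal bit length passed to a key generator's init() on the same
# line (assumption: only literal ints on one line are handled).
KEY_GEN_INIT = re.compile(r"keygen\w*\.init\(\s*(\d+)\s*\)", re.IGNORECASE)
# Control 3: credential-looking names assigned a string literal.
HARDCODED_CREDENTIAL = re.compile(
    r'(?:password|passwd|secret|api[_-]?key|token)\s*=\s*"[^"]+"', re.IGNORECASE
)
# Control 4: plain-HTTP URL literal (https:// does not match).
PLAIN_HTTP = re.compile(r'"http://[^"]*"')
# Control 5: world-readable ACL strings (illustrative values).
WORLD_READABLE = re.compile(r"public-read|AllUsers|allUsers")


def _too_short(m: re.Match) -> bool:
    return int(m.group(1)) < MIN_KEY_BITS


# (control name, pattern, optional predicate on the match that must also hold)
CONTROLS: list[tuple[str, re.Pattern, Optional[Callable[[re.Match], bool]]]] = [
    ("unsafe-algorithm", UNSAFE_ALGORITHM, None),
    ("short-key", KEY_GEN_INIT, _too_short),
    ("hardcoded-credential", HARDCODED_CREDENTIAL, None),
    ("plain-http", PLAIN_HTTP, None),
    ("world-readable", WORLD_READABLE, None),
]


def scan(source: str) -> list[Finding]:
    """Return every control violation found, ordered by line then control."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for control, pattern, predicate in CONTROLS:
            m = pattern.search(text)
            if m and (predicate is None or predicate(m)):
                findings.append(Finding(control, lineno, text.strip()))
    return findings


def check(source: str) -> bool:
    """CI gate: True when the text is compliant (no findings)."""
    return not scan(source)


# Constructed sample input: lines 2, 3, 4, 6 and 8 each violate one control;
# lines 5 and 7 show the compliant form of the same operation.
SAMPLE_SOURCE = """\
import javax.crypto.Cipher;
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(128);
String password = "hunter2";
String dbPassword = System.getenv("DB_PASSWORD");
URL u = new URL("http://internal.example/api");
URL s = new URL("https://internal.example/api");
bucket.setAcl("public-read");
"""

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_SOURCE]
    all_findings = [f for src in sources for f in scan(src)]
    for f in all_findings:
        print(f"{f.control:22} line {f.line}: {f.snippet}")
    sys.exit(1 if all_findings else 0)
```

Run as a required CI step, the non-zero exit on any finding is what turns a one-off audit into a per-change guarantee; the findings list (control, line, snippet) is the kind of machine-produced evidence an auditor can review instead of re-reading the code.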
Wed 23 Sep (times in UTC)
01:10 - 02:10: Software Security and Trust (1), Research Papers / NIER track / Tool Demonstrations, at Platypus. Chair: Christoph Csallner (University of Texas at Arlington)
01:10 - 01:30 Talk: Continuous Compliance (Research Papers, Experience). Martin Kellogg (University of Washington, Seattle), Martin Schäf (Amazon Web Services), Serdar Tasiran (Amazon Web Services), Michael D. Ernst (University of Washington, USA)
01:30 - 01:50 Talk: SADT: Syntax-Aware Differential Testing of Certificate Validation in SSL/TLS Implementations (Research Papers). Lili Quan (College of Intelligence and Computing, Tianjin University), Qianyu Guo (College of Intelligence and Computing, Tianjin University), Hongxu Chen (Research Associate), xiexiaofei, Li Xiaohong (Tianjin University), Yang Liu (Nanyang Technological University, Singapore), Jing Hu (Tianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing, Tianjin University)
01:50 - 02:00 Talk: A Hybrid Analysis to Detect Java Serialisation Vulnerabilities (NIER track)
02:00 - 02:10 Talk: EXPRESS: An Energy-Efficient and Secure Framework for Mobile Edge Computing and Blockchain based Smart Systems (Tool Demonstrations)