Distinguished Seminar:  Using Malware Analysis Results to Identify Overlooked Security Requirements

Date: April 25, 2016
Talk Title: Using Malware Analysis Results to Identify Overlooked Security Requirements
Speaker: Nancy Mead
Time & Location: 12:00pm - 1:00pm
DEC, CIC Building, Pittsburgh


Despite the reported attacks on critical systems, operational techniques such as malware analysis are not used to inform early lifecycle activities such as security requirements engineering. In our CERT research, we speculated that malware analysis reports (found in databases such as Rapid 7) could be used to identify misuse cases that point towards overlooked security requirements. If we could identify such requirements, we thought they could be incorporated into future systems similar to those that were successfully attacked. We defined a process, and then sponsored a CMU MSE Studio Project to develop a tool. We had hoped that the malware report databases were amenable to automated processing, and that they would point to flaws such as those documented in the CWE and CAPEC databases. It turned out not to be so simple. This talk will describe our initial proposal, the MSE Studio project and tool, student projects at other universities, and the research remaining to be done in both the requirements and architecture areas.

Speaker Bio

Nancy R. Mead is a Fellow and Principal Researcher at the Software Engineering Institute (SEI). Mead is an Adjunct Professor of Software Engineering at Carnegie Mellon University. She is currently involved in the study of security requirements engineering and the development of software assurance curricula. She also served as director of software engineering education for the SEI from 1991 to 1994. Her research interests are in the areas of software security, software requirements engineering, and software architectures.

Prior to joining the SEI, Mead was a senior technical staff member at IBM Federal Systems, where she spent most of her career in the development and management of large real-time systems. She also worked in IBM's software engineering technology area and managed IBM Federal Systems' software engineering education department. She has developed and taught numerous courses on software engineering topics, both at universities and in professional education courses.

Mead has authored more than 150 publications and invited presentations. She is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE) and the IEEE Computer Society, and is a Distinguished Educator of the Association for Computing Machinery (ACM). She received the 2015 Distinguished Education Award from the IEEE Computer Society Technical Council on Software Engineering. The Nancy Mead Award for Excellence in Software Engineering Education is named for her and has been awarded since 2010, with Mary Shaw as the first recipient.


Mead holds a PhD in mathematics from the Polytechnic Institute of New York, and a BA and an MS in mathematics from New York University.