Professor in CSSE earns two NSF grants to research software security weaknesses

Published: Jan 31, 2023 7:33 AM

By Joe McAdory

Akond Rahman, assistant professor in computer science and software engineering, was awarded two National Science Foundation (NSF) awards as lead principal investigator totaling $332,000 in grant funding.

His projects, “Authentic Learning Modules for DevOps Security Education” and “Enhanced Security Static Analysis for Detecting Insecure Configuration Scripts,” not only focus on the development of techniques and tools what will automatically detect security weaknesses in configuration scripts but will educate students – future professionals – on the consequences of security weaknesses commonplace in development and operations (DevOps) software and how to mitigate them.

“DevOps is the state-of-the-art process to develop software,” Rahman said. “The market value of DevOps is expected to reach $12.8 billion USD by 2025. If there are unmitigated security weaknesses in DevOps artifacts, that will create large-scale consequences now and in the future. As a firm believer of equipping students with practical knowledge, I have focused my academic efforts to learn about security weaknesses in DevOps artifacts.”

Where do potential security weaknesses exist? Simple. “Hard-coded usernames and passwords in source code,” Rahman said.

“Almost every other month, we hear about a large-scale security breach because of security weaknesses related to software. Remember the Solar Winds hack? That occurred due to a security weakness in the software supply chain. Fortunately, U.S. federal agencies are considering secure software development very seriously. The White House Executive Order on Software Bill of Materials is one example of such an initiative, which advocates for pro-active detection and mitigation of security weaknesses. We, as software engineering researchers, are thrilled about this opportunity to directly contribute to these efforts and make an impact in securing the nation’s cyber infrastructure.”

His research is a three-pronged thrust for one of the NSF-funded projects. First, qualitative analysis will be applied to determine a comprehensive list of security weaknesses for multiple configuration script languages and devise static analysis techniques for automatically identifying each category of security weakness. Next, grammar-based parsing and formal method techniques will be applied, evaluated and integrated into the derived static analysis so that false positives are reduced.

“Finally, the development context of practitioners from the open source and proprietary domain will be systematically mined to generate actionable alerts and suggestions, which will enable practitioners to fix security weaknesses,” Rahman said. 

Rahman will use authentic learning techniques in the classroom.

“This method helps students to learn about a practical problem, which has industry relevance,” he said. “Students get hands-on exposure to state-of-the-art concepts, such as event-driven static analysis, fuzzing, and automated secret management.

“In the case of configuration scripts, practitioners will apply static analysis to find security weaknesses early. As part of one of my NSF projects, my students and I have developed tools that practitioners can download and use right away. We are also working directly with a company on how to better mitigate security weaknesses. We are very excited about DevOps as this area has lots of potential to do impactful research.”

Media Contact: Joe McAdory, jem0040@auburn.edu, 334.844.3447

Recent Headlines