Understanding and Minimizing The Gap Between Secure Coding Theory and Practice
Sazzadur Rahaman, Virginia Tech
All entities touching credit card information must comply with the payment card industry (PCI) data security standard (DSS). Our recent study measuring the baseline security of the payment card industry revealed a worrisome reality: there is a big gap between the specifications and their real-world enforcement. Our measurement of 1,203 e-commerce websites shows that 86% of the websites have at least one type of vulnerability that should render them non-compliant. Assisting developers to write secure code is an important direction that can help improve this baseline security. Various software libraries and frameworks provide a variety of APIs to support secure coding; however, misuse of these APIs and libraries has been a major source of vulnerabilities over the years. Building tools that automatically detect API misuse vulnerabilities has therefore become a popular and important line of research. In this talk, I will first describe our experience and understanding of the baseline security of the payment card industry. Then I will present our state-of-the-art solutions for detecting API misuse vulnerabilities and our experiences scanning several high-profile open-source projects.
Sazzadur Rahaman is a Ph.D. candidate in the Department of Computer Science at Virginia Tech. His research focus is to understand and minimize the gap between the theory and the practice of secure coding. Specifically, his primary interests are performing Internet measurements to understand the state of security, building program analysis tools to find vulnerabilities, and inventing practical cryptographic primitives. Sazzadur's work has been published in top-tier security conferences (e.g., ACM CCS, PETS) and journals (e.g., TDSC).
Prior to joining Virginia Tech, he worked as a software engineer. He has 3.5+ years of industry experience in OOP, AOP, Spring, and other JavaEE technologies, as well as smart-card and payment-based solutions. He received his B.Sc. degree in computer science from Bangladesh University of Engineering and Technology (BUET). Sazzadur is an active member of the security research community, serving as a shadow and external reviewer for top-tier security conferences and journals. He received the Bitshare Fellowship and the Pratt Fellowship at Virginia Tech. Sazzadur is also among the top 7% of users on StackOverflow, with 5300+ reputation from 200+ posts.