Conference Program

Review of the OOP München 2024 Program

The times given in the OOP 2024 conference program are in Central European Time (CET).

Generative AI for Cybersecurity

Security engineering, from TARA and security requirements to security testing, demands mechanisms to generate, verify, and connect the resulting work products. Traditional methods need a lot of manual work and yet show inconsistencies and imbalanced tests. Generative AI allows novel methods with semi-automatic cybersecurity requirements engineering, traceability, and testing. In this industry presentation, we show two promising approaches with NLP and transformers and how to embed them into an industry-scale security pipeline from TARA to test.

Target Audience: Test Engineers, QA Experts, Security Experts, Requirements and Systems Engineers
Prerequisites: Some background in security and testing. We will introduce the AI methods hands-on.
Level: Advanced

Extended Abstract:
Security engineering, from TARA and security requirements to security testing, demands mechanisms to generate, verify, and connect the resulting work products. Traditional methods need a lot of manual work, for example for traceability, and yet show little impact given the many inconsistencies and imbalanced tests. NLP, especially transformers, allows novel methods with semi-automatic cybersecurity requirements engineering, traceability, and testing.
We focus here on using generative AI with NLP because it can support the methods described in the standard without any need to change the form of representation from what is required by cybersecurity standards and the respective stakeholders. In particular, the use of Large Language Models (LLMs) for text generation, aggregation, and classification has recently proven promising for improving the efficiency and effectiveness of security analysis and tests.
Grey Box Penetration Testing is an approach where only publicly available information is used to perform an attack on the SUT. This often requires massive research effort. Threat catalogs, in which known and frequently used threats are recorded, can increase performance while testing. To provide additional aid, we are currently working towards building an AI-supported threat catalogue. For this, we use a special transformer model which is specialized in searching and summarizing information. When fed with known information about the SUT, this model searches all available databases such as CVE or CAPEC, previously recorded attack patterns, and other available contextual information, and gives the penetration test engineer an initial idea of how to approach an attack on the SUT.
Using the AI to generate both grey and white box attack paths is an approach to check how much information is available about the system or about components, such as libraries and dependencies, which are used in the SUT. Having introduced these methods to the security life-cycle, we will in the next step better integrate the tools. This will facilitate a swift turn-around upon changes in an agile delivery pipeline and thus achieve consistency from TARA to security requirements and (regression) test cases.
Vector, together with the University of Stuttgart, has developed transformer and generative AI-based methodologies for the specification and validation of cybersecurity requirements, with the goal of increasing productivity and quality.
In this industry presentation, we show in practice how generative AI can scale into an industry-scale security pipeline.

Christof Ebert is the managing director of Vector Consulting Services in Stuttgart, Germany. He holds a PhD from the University of Stuttgart, is a Senior Member of the IEEE, and teaches at the University of Stuttgart and Sorbonne University in Paris. Cybersecurity has been his focus since studying in the USA and directly contributing to the fight against the Morris worm.

More content from this speaker is available at sigs.de: https://www.sigs.de/experten/christof-ebert/

Christof Ebert, Maximilian Beck
17:45 - 18:45
Talk: Tue 9.4