The IEEE Cybersecurity Ambassadors are experts in various aspects of cybersecurity who are committed and available to speak at IEEE and other events. Ambassadors represent the global community of researchers, developers, and users who are advancing the security of cyber systems ranging from small edge nodes to cloud-based servers.
Ambassadors are prepared to speak to audiences with various technical backgrounds, including student groups, non-security technical groups, and members of the public.
Inquiries about the program and to invite an Ambassador to your event, please send email to cybsi-ambassadors@ieee.org.
Current Ambassadors:
Carl Landwehr
A Building Code for Building Code: Why we need it and how it’s getting started
Abstract: Software is an engineered artifact. The continuing presence of security vulnerabilities, largely the product of implementation errors, in software systems reflects the immature state of this engineering field. Techniques are available that can prevent many of these errors, but those techniques are relatively unused. This talk argues that the building codes developed for physical structures offer a useful framework for developing a consensus that could help industry develop less vulnerable systems and help customers express their requirements for such systems. A draft code for medical device software security has already been produced, and another one, to address power system software,is in the works.
Bio: Carl Landwehr is Fellow of the IEEE and a member of the Cybersecurity Hall of Fame. His current appointments include Lead Research Scientist at the Cyber Security policy and Research Institute at George Washington University and Visiting McDevitt Professor of Computer Science at LeMoyne College. His thirty five year career in cybersecurity R&D includes service with the Naval Research Laboratory, National Science Foundation, IARPA, and several other institutions.
Jim DelGrosso
An Ounce of Design is Worth a Pound of Bug Cure
Abstract: If you study today’s common software defects, you’ll find that they haven’t changed much over the past decade. We seem to be making the same mistakes, even though we should know better. This talk will describe common design flaws and highlight how an investment in secure design can pay a big dividend in the form of reduced bugs later in the software development phase. This work is part of the IEEE Cybersecurity Initiatives’ Center for Secure Design (CSD), which seeks to identify common design flaws and design patterns, and creating tools so architects and developers can build security into tomorrow’s systems.
Bio: Jim DelGrosso, Senior Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital’s current Architecture Analysis practice. Jim is also the Executive Director for the IEEE Computer Society Center for Secure Design (CSD).
Baijian “Justin” Yang
IEEE Try-CybSI: A Collaborative and Interactive Platform for Cybersecurity Learning
Abstract: IEEE Try-CybSI (http://try.cybersecurity.ieee.org/) is a platform for collecting, sharing, archiving, and curating cyber security and privacy technical artifacts, such as code, data, results, and exploits. The platform enables security professionals and students to “experience” examples or demos from virtualized computing containers accessible online. Current modules demonstrate SSL-Striping, Heartbleed, and Padding Oracle attacks. Try-CybSI is an ongoing process. Cybersecurity experts are encouraged to contribute content—share teaching materials and experiences; translate the hands-on instructions of each example to multiple languages. This presentation describes the platform, how to use it and how to help grow it.
Bio: Dr. Baijian “Justin” Yang is currently an Associate Professor at the Department of Computer and Information Technology, Purdue University. He received his Ph.D. in Computer Science from Michigan State University in 2002, and his MS and BS in Automation (EECS) from Tsinghua University in 1998, and 1995, respectively. He holds several industry certifications, such as CISSP, MCSE, and Six Sigma Black Belt. He is currently the lead of IEEE Try-CybSI project and a board member ATMAE.
Lotfi ben Othmane
What Will It Take to Develop Secure Software?
Abstract: Software is an essential component to the operation of business information systems, cyber physical systems, and various personal devices. Most reported cyber-attacks exploit vulnerabilities in software. Despite increased awareness and concern about threats, current state of the art of software engineering practices are inadequate. Challenges that hinder development of secure software start with difficulty of identifying threats and estimating risks. Practices such as incremental software development also pose challenges to software security. Ultimately, the software community must apply secure software engineering good practices and embrace a “security culture” in order to reduce the impact of weak protection mechanisms and of the continuous discovery of new vulnerabilities.
Bio: Lotfi ben Othmane is the Head of the Department Secure Software Engineering at Fraunhofer Institute for Secure Information Technology, centered in Darmstadt, Germany and an Adjunct Professor at Sherbrooke University, in Quebec, Canada. He has extensive experience in industry and academia in Tunisia, Canada, USA, The Netherlands, and Germany. Dr. ben Othmane’s research interests include the use of data science in secure software development, development of secure systems using an agile approach, and security and safety in connected vehicles. He has more than 30 peer-reviewed publications. Dr. ben Othmane received his Ph.D. degree from Western Michigan University, USA, in 2010; M.S. degree from University of Sherbrooke, Canada, in 2000; and B.S degree from University of Sfax, Tunisia, in 1995.
Tom Caldwell
Advanced Efficacy through Machine Learning Analytics and Artificial Intelligence
Abstract: With the extreme volume of threats it takes more than threat researchers to keep up the pace. It also takes “machines” to maintain the efficacy of your security strategy. Machine learning (ML) and artificial intelligence (AI) are now common components of threat intelligence. ML and AI enable a contextual analysis that creates “connective association” across the domains of end point, network, IP, URL, cloud for IT and internet of things (IoT). Tom Caldwell will explore the various use cases and strategies around types of ML and AI used in threat intelligence and behavioral analytics. He will explain how models using unsupervised and supervised learning algorithms along with heuristics can automate the ability to learn new forms of morphed malware or new types of adversarial anomalistic activity. These types of analytics are found in both user and network behavioral detection technologies, and effectively bring together human security researchers and “machines” into a single targeted solution for cybersecurity.
Bio: Tom Caldwell is a veteran of the software and networking industry. He previously held positions at Cisco and Microsoft. Tom has deep expertise in delivering Cloud-based software products and large scale software systems to large enterprise and service providers. Most recently Tom was Co-Founder/EVP of CyberFlow Analytics, a Network Behavioral Analytics startup. Tom’s current interests and efforts focus on Cyber Security Threat Intelligence and End Point Protection. With a MS in Computer Science, he has more than 20 years in business and software engineering.
Martin Jaatun
Where to start with software security?
Abstract: Software security is about building software that will be secure even when it is attacked. Numerous guidelines and best practices exist, outlining processes and methodologies that can be adopted to achieve better software security. The problem is that there are too many activities to take on all at once without overwhelming the developers. In practice these are only used to a limited extent and the problem of insecure software is bigger than ever. It can be argued that organizations learn best by comparing themselves to other organizations that tackle similar challenges, rather than comparing themselves to abstract theoretical models of ideal practices for software security. The speaker highlights key software security activities that many organizations have found useful and that may be adapted to other sectors.
Bio: Dr. Martin Gilje Jaatun is a Senior Scientist at SINTEF ICT, Trondheim, Norway, where he has been employed since 2004. He received his Sivilingeniør degree in Telematics from the Norwegian Institute of Technology (NTH) in 1992, and the Dr.Philos. degree from the University of Stavanger in 2015. Previous positions include scientist at the Norwegian Defence Research Establishment (FFI), and Senior Lecturer in information Security at the Bodø Graduate School of Business. His research interests include software security, security in cloud computing, and security of critical information infrastructures. He is vice chairman of the Cloud Computing Association (cloudcom.org), President of Cloud Security Alliance Norway, and a Senior Member of the IEEE.
Mark Tehranipoor
When it Comes to Security, Don’t Forget about the Hardware
Abstract: Escalating concerns about hardware security are in part a result of the globalization of design, fabrication, and assembly of integrated circuits and systems. The complexity of today’s electronic components and systems supply chain has made it increasingly vulnerable to malicious activities, security attacks, and counterfeiting. In this talk I will analyze the vulnerabilities and threats, with a focus on challenges posed by emerging attacks and threats. Potential solutions to addressing these threats and vulnerabilities are described. Finally, opportunities for securing hardware within different application domains, at different levels of abstraction, and at levels from nanoscale devices to systems are presented.
Bio: Mark Tehranipoor is the Intel Charles E. Young Endowed Chair Professor in Cybersecurity at the Electrical and Computer Engineering Department, University of Florida. His current research interests include: hardware security and trust, supply chain risk management and security, counterfeit electronics detection and prevention, and reliable circuit design. Dr. Tehranipoor has published over 300 journal articles and refereed conference papers and has given more than 150 invited talks and keynote addresses since 2006. He has two patents, and has published six books and eleven book chapters. He is a recipient of 12 best paper awards and nominations, as well as the 2008 IEEE Computer Society (CS) Meritorious Service Award, the 2012 IEEE CS Outstanding Contribution, the 2009 NSF CAREER Award, and the 2014 MURI award. His projects are sponsored by both the industry (Semiconductor Research Corporation (SRC), Texas Instruments, Freescale, Comcast, Honeywell, LSI, Avago, Mentor Graphics, R3Logic, Cisco, Qualcomm, MediaTek, etc.) and Government (NSF, ARO, MDA, DOD, AFOSR, DOE, etc.).
Haya Shulman
Internet (In-)Security: A Continuing Challenge
Abstract: Internet security has received significant attention during the last few decades, producing many recommendations and best practices. But how are we doing? A number of large scale Internet studies have been performed, for example, to explore Domain Name System Security Extensions (DNSSEC) adoption on zones, vulnerabilities of DNS to cache poisoning, and router misconfigurations. These studies expose critical vulnerabilities in widely used systems and protocols that allow attacks on clients and services. The presentation evaluates the extent of the problems, analyzes the sources for vulnerabilities, and provides recommendations and mitigations.
Bio: Haya Shulman is the head of cybersecurity and analytics department at Fraunhofer SIT. Previously, she was a research group leader in the European Center for Security and Privacy by Design (EC-SPRIDE). Her research interests are in network and cyber security, focusing on attacks and on devising countermeasures. Dr. Shulman has received a number of awards, including the ‘Checkpoint Institute for Information Security (CPIIS)’ award, the Feder prize for research in communication technologies, and the IETF/IRTF Applied Networking Research Prize. She also is a recipient of an ICANN research fellowship. She received her Ph.D. from Bar-Ilan University where she was awarded the Rector Prize for her research achievements.