How to Deal with Legacy Software Vulnerabilities, Draper & CMU

    Software isn’t perfect. Just ask Apple. The company, which found a security flaw in its software, alerted its customers and provided an update on its website. (Courtesy of Draper and ShutterStock)

    Government agencies, financial institutions, airlines, and even the military: nearly every major sector in the United States is dealing with legacy IT that makes resolving issues difficult and fixing vulnerabilities expensive.

    These legacy systems are prone to bugs that may cause outages and waste engineering time to reconcile. Increasingly, the culprit is outdated software, which is software that is no longer supported by the vendor, or software whose original source code is not available.

    To address these challenges, Draper is partnering with Carnegie Mellon University (CMU) to develop a capability for rapidly patching legacy software in its original binary form.

    By creating this new capability, IT teams will be able to analyze, modify, and fix legacy binaries, as well as produce assured targeted micro-patches for known security flaws.

    The new capability is designed to address several challenges. Fixing security vulnerabilities in legacy software, for instance, requires patching at the binary level. Manual binary editing, however, is slow and error-prone. Additional challenges arise when patched and recompiled binary code changes an IT system’s performance, making recertification difficult and slow.

    Michael Crystal, Draper Program Manager
    If only it were that easy to fix legacy software, the kind that’s no longer supported by a vendor, or software whose original source code is not available. While legacy systems remain operable – they can be found in many power plants, factories, financial systems, and elsewhere – patching the problem at the source code level has never been easy.
    Now a Draper-led team has developed a new micro patching toolkit designed to reduce the time to test, fix, re-certify and deploy patches to legacy software code from months to days, explains Michael Crystal, a Program Manager at Draper.

    These challenges and limitations can result in mission-critical software going unpatched for months to years, increasing the opportunity for attackers and the risk of the software becoming non-compliant.

    Therefore, it’s crucial to have a patch management solution that can make sure critical aspects of an IT system stay up to date, explains Michael Crystal, program manager at Draper.

    “Today, software patching is complicated, and the recertification process is largely manual and relies on human evaluators combing through piles of documentation, or assurance evidence, to determine whether the software meets certain certification criteria,” says Crystal.

    “We want to take the guesswork out of the process and enable the certification to go forward with confidence.”

    Funded under DARPA’s Assured Micropatching Program, the toolset, named VIBES (which stands for Verified, Incremental Binary Editing with Synthesis), uses program synthesis and constraint programming techniques to compile a source-level patch and insert it into a preexisting binary program.

    VIBES uses formal verification to prove that only the intended change is made and provides evidence of correct behavior for subsequent recertification or accreditation processes.

    VIBES underwent development during a series of challenges arranged by the DARPA AMP program in 2021 and 2022.

    Micropatches change the fewest possible bytes to achieve their objective, which minimizes potential side effects and should enable proof that the patches will preserve the original baseline functionality of the system.

    With these proofs, the time to test, recertify and deploy the patched system should be reduced from months to days.

    “The technologies developed by Draper and Carnegie Mellon University aim to enable professionals to quickly and accurately patch legacy binaries in the deployed software systems upon which their enterprises depend,” explains Philip Zucker, Ph.D., senior computer scientist and programmer at Draper.

    “You can test, package, stage and deploy patches automatically, saving your time and money over limited, manual processes.”

    Professor David Brumley, in ECE and CS at CMU

    “We’re thrilled that Draper is building on top of the CMU Binary Analysis Platform, a framework we developed and open sourced to enable analysis of programs in the machine code representation,” added David Brumley, a professor in CMU’s department of Electrical and Computer Engineering and a core member of CMU’s CyLab.

    Patching is difficult in that manual updates can take an extremely long time.

    A study by the Ponemon Institute found that more than half of all companies (55%) say that when it comes to patching, they spend more time manually navigating the various processes involved than actually patching vulnerabilities.

    Most companies (61%) feel that they are at a disadvantage for relying on manual processes for applying software patches.

    In February, VIBES was released as open-source software. CMU’s open-source software, called ‘Binary Analysis Platform,’ was originally released in 2015.

    Draper believes exciting things happen when new capabilities are imagined and created, whether formulating a concept and developing each component to achieve a field-ready prototype or combining existing technologies in new ways. Draper engineers apply multidisciplinary approaches that deliver new capabilities to customers.

    As a nonprofit engineering innovation company, Draper focuses on the design, development, and deployment of advanced technological solutions for the world’s most challenging and important problems.

    Draper provides engineering solutions directly to the government, industry, and academia, and offers unbiased assessments of technology or systems designed or recommended by other organizations, custom designed, as well as commercial-off-the-shelf.

    To Learn More, visit Draper at www.draper.com.

    Allied Universal & OnSolve Tie for Best AI & Machine Learning in 2022 ‘ASTORS’ Awards 

    OnSolve CEO Mark Herrington, and CMO Sue Holub accept the First of Three 2021 ‘ASTORS’ Awards for OnSolve Risk Intelligence, and the OnSolve Control Center.

    American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, recognizes industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

    Sr. Business Development Manager, Vertical Markets at Allied Universal Kevin Francis, and Northeast Regional Director of HELIAUS® Technology Matthew Garrison, accept one of Three 2021 ‘ASTORS’ Awards at the 2021 ‘ASTORS’ Awards Luncheon at ISC East

    Allied Universal (First of Three)

    Best Machine Learning & Artificial Intelligence (Tie**)

    • HELIAUS

    • HELIAUS® is a sophisticated Artificial Intelligence (AI)-driven solution that goes beyond the outmoded “detect and respond” model of risk management.

    Allied Universal has now begun using HELIAUS® capabilities to identify and mitigate additional security challenges such as insider threat, recurrent access violations, and incident frequency and response.
    • More than just a tour or incident management system, HELIAUS® is a comprehensive workforce management solution that uses powerful algorithms to generate risk-adverse recommendations to keep your security professionals connected and engaged, situationally informed, and armed with the right recommendations to effectively create safer, more secure environments.

    • The bottom line is HELIAUS® can help reduce security and safety incidents by up to 20%, all while improving profitability and your bottom line.

    (Learn about HELIAUS®, a revolutionary integrated solution beyond the archaic “detect and respond” model of risk management. It’s not just a tour or incident management system. HELIAUS® is a comprehensive workforce management solution with AI technology at its core. Courtesy of Allied Universal and YouTube.)

    • Allied Universal Programs have been recognized with Multiple Awards in the 2020, 2019, and 2018 ‘ASTORS’ Homeland Security Awards Programs.

    OnSolve (First of Three)

    • OnSolve offers a suite of AI-powered risk intelligence, critical communications, and incident management capabilities, so organizations can control the entire critical event management process, keep ahead of change, monitor disasters, and be empowered to make quicker, more accurate decisions during the times that matter most.

    Accelerate Crisis Response with OnSolve Risk Intelligence – Identify and respond quickly when lives and business assets are threatened.
    • Organizations are able to gain risk intelligence information that allows them to prepare in advance for disasters and ensure business resiliency, send out mass alerts to notify the right people at the right time during a crisis, leverage a mobile incident management platform to retain full control during emergencies, and more.

    • Before, during, and after a critical event strikes, organizations now have the power of AI to inform timely and accurate situational awareness, the relevance and speed of leading mass notification services to manage critical communications, and the ability to holistically and seamlessly manage critical events through incident management – all from OnSolve.

    • OnSolve risk intelligence technology continues to keep people safe and informed, allowing them to better protect themselves, their employees, and communities.

    (Learn how AI-powered OnSolve Risk Intelligence delivers intelligence that is truly actionable so you can make accurate and informed decisions. Courtesy of OnSolve and YouTube.)

    • *OnSolve was also recognized with Multiple Wins in the 2020, 2019, and 2018 ‘ASTORS’ Awards Programs.

    Final Days to Submit Nominations in the 2022 ‘ASTORS’ Homeland Security Awards

    Final Entries are being accepted for the 2022 ‘ASTORS’ Homeland Security Awards at https://americansecuritytoday.com/ast-awards/.

    Comprehensive List of Categories Include:

    Access Control/Identification | Personal/Protective Equipment | Law Enforcement Counter Terrorism
    Perimeter Barrier/Deterrent System | Interagency Interdiction Operation | Cloud Computing/Storage Solution
    Facial/IRIS Recognition | Body Worn Video Product | Cyber Security
    Video Surveillance/VMS | Mobile Technology | Anti-Malware
    Audio Analytics | Disaster Preparedness | ID Management
    Thermal/Infrared Camera | Mass Notification System | Fire & Safety
    Metal/Weapon Detection | Rescue Operations | Critical Infrastructure
    License Plate Recognition | Detection Products | COVID Innovations
    Workforce Management | Government Security Programs | And Many Others to Choose From!

    Don’t see a Direct Hit for your Product, Agency or Organization?

    Submit your category recommendation for consideration to Michael Madsen, AST Publisher, at: mmadsen@americansecuritytoday.com.

    Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border, and crime rates that are dramatically higher than before the Pandemic across the United States.

    These challenges have become a national priority with an influx of investments in innovative new technologies and systems.

    The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Presentation Luncheon, an exclusive, affordable, gourmet, full-course plated meal event in the heart of New York City, held at the International Security Conference & Exposition (ISC East) since its inception in 2017.

    In a typical year, CBP OFO DEAC Sabatino oversees the facilitation of legitimate travel for more than 410 million travelers in the air, land, and maritime environments.

    And who better to address the aforementioned challenges, and initiatives to meet today’s threat landscape than Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino of the Office of Field Operations, U.S. Customs and Border Protection (CBP), the opening keynote speaker at the much-anticipated 2022 ‘ASTORS’ Awards Presentation Luncheon, on Wednesday, November 16th, 2022.

    As the DEAC of the Office of Field Operations, U.S. Customs and Border Protection (CBP), Mrs. Sabatino leads more than 31,000 employees and oversees an annual operating budget of $6.5 billion.

    (Hear a recent interview with Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino held at Identity Week Europe on leveraging biometric comparison technology in U.S. air, maritime, and land border environments for the security of passengers, enhancing the customer experience and limiting the transmission of biological pathogens while respecting personal privacies and educating the public as the CBP further expands the implementation of biometrics to keep up with threats to the aviation and other border sectors. These new technological tools are there to automate administrative functions so that the most valuable component of the process, the officers, are able to focus on critical issues as they arise. Courtesy of evie kim sing and YouTube. Posted on Jul 13, 2022.)

    Enter, American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields with a circulation of over 75,000 readers and many tens of thousands more visiting our AST Website at www.americansecuritytoday.com each month.

    The continually evolving ‘ASTORS’ Awards Program will emphasize the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders. #MentorshipMatters

    So be on the lookout for Special Guests, Presenters, Book Opportunities, and Attendees at the 2022 ‘ASTORS’ Awards Presentation Luncheon in November of 2022 in NYC!

    AST Honors Thomas Richardson, FDNY Chief of Department; Dr. Kathleen Kiernan, President of NEC National Security Systems; and Richard Blatus, FDNY Assistant Chief of Operations, at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

    The United States forever changed on September 11th, 2001, and we were fortunate to have many of those who responded to those horrific tragedies join us at our 2021 ‘ASTORS’ Awards Presentation Luncheon.

    In the days that followed 9/11, the critical need to protect our country catapulted us into new and innovative ways to secure our homeland – which is how many of the agencies and enterprise organizations that are today ‘ASTORS’ Awards Champions, came into being.

    TSA Administrator David Pekoske addressing attendees at the 2021 ‘ASTORS’ Awards Luncheon in New York City on November 17, 2021. (Be sure to see AST Exclusive Interview, facilitated by Dr. Kathleen Kiernan HERE.)

    Our 2021 keynote featured a moving and informative address from TSA Administrator and Vice-Admiral of the United States Coast Guard (Ret), David Pekoske, to our attendees who traveled from across the United States and abroad, on the strategic priorities of the 64,000-member TSA workforce in securing the transportation system, enabling safe, and in many cases, contactless travel.

    Commissioner Bill Bratton signing copies of his latest work, ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ at the 2021 ‘ASTORS’ Awards Presentation Luncheon. (Be sure to see AST Exclusive Interview with Comm Bratton, facilitated by Dr. Kathleen Kiernan HERE.)

    Legendary Police Commissioner William Bratton of the New York Police Department, the Boston Police Department, and former Chief of the Los Angeles Police Department was also live at the event, meeting with attendees and signing copies of his latest work ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ courtesy of the generosity of our 2021 ‘ASTORS’ Awards Premier Sponsors.

    The 2022 ‘ASTORS’ Awards Program is Proudly Sponsored by New PLATINUM SPONSOR: NEC National Security Systems (NSS), New Premier Sponsors Rajant Corporation, and guardDog AI, and returning Sponsors ATI Systems, Automatic Systems, RX Global, and SIMS Software!

    In 2021 over 200 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields, which included:

    Team TSA
    Honoring the 20th anniversary of the Transportation Security Administration (Team TSA at the 2021 ‘ASTORS’ Awards Presentation Luncheon.)
    NCDMPH (Dr. Goolsby second from left), and American Red Cross Members accept ‘Excellence in Public Safety’ Awards at the 2021 ‘ASTORS’ Luncheon

    2021 ‘ASTORS’ Awards Luncheon (starting front row, left to right) SIMS Software President & CEO Michael Struttmann; TENEO Risk Advisory Executive Chairman Commissioner Bill Bratton; NEC National Security Systems President Dr. Kathleen Kiernan; TSA Administrator David Pekoske; Fortior Solutions General Counsel Katherine Cowan; NEC Corporation of America Senior Vice President & Chief Experience Officer Raffie Beroukhim; TENEO Risk Advisory Chief of Staff David Cagno; Infragard National Board Member Doug Farber, Lumina Analytics Co-Founder & Chairman Allan Martin, and AMAROK Senior Vice President Sales & Marketing Mike Dorrington.

    ISC East is the Northeast’s leading security & public safety event, hosted in collaboration with premier sponsor Security Industry Association (SIA) and in partnership with ASIS NYC.

    Each year, in order to keep our communities safe and secure, security dealers, installers, integrators, and consultants, along with corporate, government, and law enforcement/first responder practitioners, convene in New York City to network, learn and evaluate the latest technologies and solutions from premier exhibiting brands.

    Representing NEC Corporation at the 2021 ‘ASTORS’ Awards Luncheon at ISC in New York City – NEC Director of Marketing Stacey Brown, NEC Senior Vice President Raffie Beroukhim, NEC NSS President Dr. Kathleen Kiernan, the 2021 ‘ASTORS’ Extraordinary Industry Leadership & Innovation Person of the Year; NEC NSS Regional Sales Director Chris Gillyard, NEC NSS Executive Assistant Rachel Sisk, and NEC Regional Sales Director Frank Sangiorgi

    This combination of one-on-one conversations with top innovators, high-quality special events, and cutting-edge education and training, make ISC East the most comprehensive East Coast event to guide the industry in getting back to business.

    Taking place November 15-17 at the Javits Center in NYC (SIA Education@ISC: November 15-17 | Exhibit Hall: November 16-17), ISC East will be co-locating again with the Natural Disaster & Emergency Management Expo (NDEM EXPO), a comprehensive trade event and online resource dedicated to the preparation, response, and recovery of physical and human assets of public and private organizations. Qualified professionals who register for ISC East will be granted access to both events.

    Corporate firms, the majority of which return year to year to build upon their Legacy of Wins include:

    AlertMedia, Allied Universal, AMAROK, ATI Systems, Attivo Networks, Axis Communications, Automatic Systems of America, BriefCam, Canon U.S.A., Fortior Solutions, guardDog.ai, Hanwha Techwin of America, HID Global, Mark43, IPVideo Corporation, Konica Minolta Business Solutions, Lumina Analytics, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Senstar Corporation, ShotSpotter, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and Wiresecure, just to name a few!

    Team ATI Systems (featuring Dr. Ray Bassiouni, second from right) Accepts the 2021 Platinum ‘ASTORS’ Award for the ATI Systems Mobile Solutions for Giant Voice, in addition to a 2020 ‘ASTORS’ Extraordinary Leadership & Innovation Award at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

    Why American Security Today?

    The traditional security marketplace has long been covered by a host of publications putting forward the old-school basics to what is Today – a fast-changing security landscape.

    American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.

    American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.

    Harness the Power of the Web – with our 100% Mobile Friendly Publications

    AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.

    AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.

    ‘PROTECTING OUR NATION, ONE CITY AT A TIME’

    AST Reaches both Private & Public Experts, essential to meeting these new challenges.

    Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.

    American Security Today

    These experts are from Government at the federal, state, and local levels as well as from private firms allied to the government.

    AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.

    AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.

    Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.

    (See just a few highlights of American Security Today’s 2021 ‘ASTORS’ Awards Presentation Luncheon at ISC East. Courtesy of My Pristine Images and Vimeo.)

    To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, please see the 2021 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2021 ‘A Year in Review.’

    The Annual CHAMPIONS edition includes a review of Annual ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.

    It serves as your Go-To Source throughout the year for The Best of 2021 Products and Services endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.

    From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware, and Networking Security – Just to name a few), the 2021 ‘ASTORS’ CHAMPIONS EDITION has what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.

    It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2021 ‘ASTORS’ Awards Program.

    • For a complete list of 2021 ‘ASTORS’ Award Winners, begin HERE.

    For more information on All Things American Security Today, as well as the 2021 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.

    AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:

    • Provides named sources
    • Reported by more than one notable outlet
    • Includes supporting video, direct statements, or photos
