Amit Seal Ami

25 Followers
69 Following
28 Posts

CyberSecurity | Researcher | Ph. D. Candidate

I question assumptions made in the #infosec world.

For example, do security analysis techniques work as they claim? How do we evaluate security analysis techniques and figure out design/implementation flaws in them? Are they all designed with similar threat models in mind, or do they make implicit unaligned assumptions? So on and so forth.

Then, I make systematic evaluation frameworks for security techniques.

🎯 https://amitsealami.com/works
Website: https://amitsealami.com
From: Bangladesh 🇧🇩
Now at: USA 🇺🇸

While we have been focusing on reducing false positives in vulnerability detection, my IEEE S&P'24 paper, in collaboration with Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni, shows the contrary: developers would rather have more false positives if the tool finds the vulnerabilities. FNs are of more concern to them. Key insights below:

1. While we found several insights that match existing literature, e.g., "Select situations can lead to the de-prioritization of software security," the rest challenge existing literature, identifying challenges that need attention from practitioners, SAST developers, and researchers.

2. For example, "Developer Happiness is Key" is the primary design goal of program analysis tools, thus focusing on reducing false positives in general. However, participants strongly favor reducing false negatives because "that one is going to kill you".

Further key insights and the full paper are available below:

tags: #IEEESSP'24 #sp #security #sast #study #stem #WM

3. Furthermore, while participants described their strong preference towards security, the processes for selecting SASTs did not reflect such a strong preference. We identified two critical reasons based on our findings:

a. Lack of Motivation: practitioners often seemed unreasonably optimistic about SASTs' abilities, assuming that SASTs "just work."

b. Lack of Means: those who wanted to evaluate described the existing means, such as benchmarks, as biased and/or not representative of real, complex vulnerabilities.

4. Further, we report a critical paradox in SAST-related assumptions in practice. Participants expressed that they rely on SASTs to overcome the limitations (gap) of manual analysis and, at the same time, expect that manual analysis will cover the limitations (flaws) of SASTs.

5. Aggravatingly, even if practitioners find flaws, they are hesitant to report those flaws because of the experienced lack of response, SAST developers' unwillingness to accept a flaw as an issue, NDA/confidentiality of product code, and lack of incentives.

6. Security, being a weak-linked software property, can only be holistically improved when SASTs focus on hard-to-find vulnerabilities, focusing more on reducing false negatives instead of inheriting the focus on reducing false positives from the program analysis domain.

7. That can only be done by raising awareness about flaws in SASTs, aligning the design goals of SASTs with the goals of practitioners, designing evaluation protocols, and streamlining the false-negative reporting process.

8. The full paper, in both PDF and web-readable format, is available here! https://amitsealami.com/false-negatives-kill/

'False negative - that one is going to kill you': Understanding Industry Perspectives of Static Analysis based Security Testing

We explore what practitioners know, think, expect, and believe about Security Testing Tools and their Limitations

Amit Seal Ami

The last time there was a major slowdown in the mighty network of ocean currents that shapes the climate around the North Atlantic, it seems to have plunged Europe into a deep cold for over a millennium.

That was roughly 12,800 years ago, when not many people were around to experience it. But in recent decades, human-driven warming could be causing the currents to slow once more, and scientists have been working to determine whether and when they might undergo another great weakening, which would have ripple effects for weather patterns across a swath of the globe.
A pair of researchers in Denmark this week put forth a bold answer: A sharp weakening of the currents, or even a shutdown, could be upon us by century’s end.

https://www.nature.com/articles/s41467-023-39810-w

Warning of a forthcoming collapse of the Atlantic meridional overturning circulation - Nature Communications

The Atlantic meridional overturning circulation (AMOC) is a major tipping element in the climate system. Here, data-driven estimators for the time of tipping predict a potential AMOC collapse mid-century under the current emission scenario.

Nature

Great scoop by @kimzetter: DoJ, Mandiant and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, but were unaware of the significance of what they had found.

Amazing this is only surfacing publicly now.

https://www.wired.com/story/solarwinds-hack-public-disclosure/

DOJ Detected SolarWinds Breach Months Before Public Disclosure

In May 2020, the US Department of Justice noticed Russian hackers in its network but did not realize the significance of what it had found for six months.

WIRED

Happy new year. 

Last year I did not do much. I hope I will do more this year.

Regardless, I pray that everyone around me will live happily, with sound health and with peace.

I pray the same for you. 🙏

#newyear #newyear2023

Read this question earlier: "Can you name a famous horse without googling?"

---

me instantly: TROJAN HORSE 🙋‍♂️
also me: But.. that's not an actual horse 🤦‍♂️
then me: Still a horse! 🤷‍♂️

I sure hope I am not the only one who went through this route of thinking.

Nothing against the individual in this filter, to be honest. But I was being bombarded with news and articles about him in my news feed, here, and elsewhere. I am glad if you want to discuss the things he has been doing, but I am not really interested in knowing about this person any more.

This is a lifesaver in Mastodon!

Instant sanitization of my mastodon feed. 🙏🏼

Sharing this in case someone else needs it.

This post is good. Read it, especially if you're just joining Mastodon from Twitter https://www.hughrundle.net/home-invasion/
Home invasion - Mastodon's Eternal September begins

The fediverse is dealing with a huge wave of Twitter people bringing toxic ideas with them.