CAMARILLO, Calif. —
Socrates Frangis knows quite a bit about bug hunting—the cyber kind, that is.
Frangis, cybersecurity technical lead at Naval Surface Warfare Center, Port Hueneme Division (NSWC PHD), emphasized the critical importance of bug hunting in his keynote presentation at a free Cybersecurity Conference hosted by California State University, Channel Islands (CSUCI) on Oct. 11.
The university hosted the daylong conference, sponsored by Haas Automation Inc. of Oxnard, Calif., as part of National Cybersecurity Month. It was open to all businesses and individuals in the region.
“We feel we are meant to serve our greater region and offer a place to exchange ideas, collaborate and learn from each other,” Vandana Kohli, dean for CSUCI’s School of Arts & Sciences, told audience members in her welcoming comments.
Frangis, as NSWC PHD’s cybersecurity lead, handles naval combat systems engineering and security research. He is also a Ph.D. student in systems engineering at Naval Postgraduate School focusing on cybersecurity. He told the audience that sharing information learned is key to staying ahead of the latest malware, viruses and other cyberattacks.
“I spend a lot of time paying attention to when bugs come out and when things fail,” Frangis said. “I come to conferences like this to share what I’ve learned. We may be from all different sectors and organizations, but we can benefit from learning from one another.”
He defines “bug hunting” as looking for previously unknown software defects.
“We are trying to find issues; sometimes they are security vulnerabilities,” Frangis explained. “You can find plenty of bugs, but not all bugs are vulnerabilities and not all vulnerabilities are exploitable. For example, a spelling error versus a buffer overflow, which is something that can be used to crash the software and gain root access to the system. That’s a big deal.”
There are different methods and different tools for bug hunting, each with their own advantages and disadvantages, he said. The two main ones are static and dynamic analysis, which should be used together to find potential software problems.
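To make the distinction concrete, here is an added example (not code from the conference or from NSWC PHD) showing a harmless defect, a memory-safety defect, and its hardened replacement, in the spirit of the buffer overflow Frangis cites. The names `status_message`, `store_name_unchecked`, `store_name_checked` and `line_uses_unbounded_copy` are assumptions made for this illustration: the first is a spelling bug that cannot affect memory, the second copies input into a fixed buffer without a length check, the third refuses input that does not fit. The string-matching function stands in for the kind of pattern rule a static analyzer applies, while feeding an oversized input to the checked version is the kind of test dynamic analysis performs; the two approaches catch different things, which is why the text says to use them together.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed buffer size for this constructed example */

/* Bug, not a vulnerability: the status text contains a spelling error.
 * It is a defect, but it cannot alter memory or control flow. */
const char *status_message(void) {
    return "Sytem ready";   /* typo in "System" is deliberate */
}

/* Vulnerability: copies a caller-supplied string into a fixed-size buffer
 * with no length check. Input longer than NAME_LEN - 1 bytes overwrites
 * whatever follows the buffer on the stack. Kept here only as the "before"
 * of the fix; the hardened version below is what should be used. */
void store_name_unchecked(char dest[NAME_LEN], const char *src) {
    strcpy(dest, src);
}

/* Hardened version: rejects input that does not fit and always leaves
 * dest NUL-terminated. Returns false when the input was refused. */
bool store_name_checked(char dest[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        dest[0] = '\0';   /* leave a valid empty string rather than garbage */
        return false;
    }
    memcpy(dest, src, n + 1);   /* n + 1 copies the terminator too */
    return true;
}

/* Convenience wrapper so a caller can test the checked path without
 * managing a buffer; reports whether the input was accepted. */
bool store_name_from_input(const char *src) {
    char name[NAME_LEN];
    return store_name_checked(name, src);
}

/* Stand-in for a static-analysis rule: flags a source line that calls an
 * unbounded copy routine. A real analyzer is far more thorough, but the
 * principle is the same: inspect code without running it. */
bool line_uses_unbounded_copy(const char *source_line) {
    return strstr(source_line, "strcpy(") != NULL ||
           strstr(source_line, "gets(") != NULL;
}

int main(void) {
    char name[NAME_LEN];

    printf("status: %s\n", status_message());

    /* The unchecked copy is only ever given input that fits here. */
    store_name_unchecked(name, "short");
    printf("unchecked copy stored: %s\n", name);

    /* Dynamic-style check: oversized input must be refused, not overflow. */
    const char *oversized = "this constructed input is longer than sixteen bytes";
    printf("checked copy accepted oversized input? %s\n",
           store_name_from_input(oversized) ? "yes" : "no");

    /* Static-style check over constructed source lines. */
    const char *lines[] = { "    strcpy(dest, src);", "    memcpy(dest, src, n + 1);" };
    for (size_t i = 0; i < 2; i++)
        printf("%s  -> %s\n", lines[i],
               line_uses_unbounded_copy(lines[i]) ? "FLAGGED" : "ok");
    return 0;
}
```

Note that the pattern rule flags the unchecked function's call site without ever running it, while the length test only catches the overflow path if the right input is supplied; neither alone gives full coverage.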
Testing software developed outside the organization before it is put into operation is especially critical, Frangis said.
“The Navy does use a lot of Commercial Off-The-Shelf (COTS) hardware and software, but we also have a lot of strange, unique things,” he explained. “Developers often start with COTS software and customize it for our needs.”
Developers will run standard security scans for the operating system and commercial applications, but those scans look only for known issues and cannot assess the customized portion of the software written specifically for the client—in NSWC PHD’s case, the Navy.
“So, we put it through Test and Evaluation (T&E),” Frangis said. “We are that independent oversight that tries to verify that not only is the software doing the thing we contracted for, but also supporting the NAVSEA Red Team which determines that it is secure and meets all the statutory requirements to actually get to the point of use.”
“And once that happens, we are also the in-service engineers to take care of it for 20 or 30 years,” he added. “Imagine supporting a fleet full of ships, full of computers and weird types of hardware—every component is constantly going obsolete, and our engineers have to figure out how to refresh it.”
Ron Rieger, director of artificial intelligence at Camarillo-based Semtech Corp., also spoke at the conference, and told the audience part of the cybersecurity threat is “you can’t cover all the possibilities (for intrusion and exploitation).” So, he asked, “How many combinations are possible before you find a problem?”
Frangis said intelligently assisted tools can be a big help in finding those software vulnerabilities.
Bug hunting, via tightly controlled contests with enticing bug bounties, is something even the Department of Defense (DOD) has encouraged, he explained. Some of the innovations developed via the contests were matured for DOD and private sector use. One example is the Defense Innovation Unit (DIU) Project Voltron Pilot Program.
“We are using this right now at NSWC PHD, and we are pushing to get it into operation as we speak,” Frangis said.
In wrapping up, Frangis stressed that any organization working in application development should send the developer’s code to its internal security team before it’s released to the public.
Jean Pan, an aircraft reporting custodian at Naval Facilities Engineering Command Engineering and Expeditionary Warfare Center at Port Hueneme and part of the command’s small Unmanned Aircraft System program, attended the daylong conference.
“I’m learning,” Pan said. “I’m glad we have programs like this locally where we can see what the greater community is doing” when it comes to dealing with cybersecurity issues.