User:Jwalden

From TeachingOpenSource

James Walden

James Walden is an associate professor of computer science in the College of Informatics at Northern Kentucky University. The College of Informatics has over 2,000 students and offers 14 degree programs at the undergraduate and graduate levels.

Dr. Walden's research interests focus on software security, including security-oriented mining of open source software repositories, mobile and web application security, security metrics, and security education. He teaches courses in secure software engineering, computer security, cloud computing, and a variety of other topics. His students analyze the security of open source projects in the secure software engineering class.

Dr. Walden worked at Intel prior to joining Northern Kentucky University, and he spent the 2011-2012 academic year as a visiting research professor with the DistriNet research group at Katholieke Universiteit Leuven in Belgium.

He is a member of OWASP and has submitted bug fixes to open source projects.

OpenMRS

The project seems to use a variety of communication channels, including not only IRC but also Google Groups and Google Hangouts. They have had security audits in the past, with Aspect Security and Jim Manico from OWASP. They were unhappy with the huge number of false positives in the 768MB static analysis report they received.

Class Activities

I would like to create activities for my secure software engineering and computer security classes.

Code Review: Perform a code review of a component of OpenMRS with the assistance of a static analysis tool to find vulnerabilities. Use the Code Review documentation to guide the process. Possibly use an open source code review tool like Review Board or Rietveld.

Penetration Test: Set up OpenMRS on a VM. Students work in groups using open source web application security tools like w3af to identify potential vulnerabilities in OpenMRS.

Security Plugin: Create a security plugin to set and verify security configuration settings of the application and server, similar to the WPsecurity plugin.

References

Austin, A. and Williams, L., "One Technique is Not Enough: An Empirical Comparison of Vulnerability Discovery Techniques," International Symposium on Empirical Software Engineering and Measurement (ESEM), 2011.

Smith, B., Austin, A., Brown, M., King, J., Lankford, J., Meneely, A., and Williams, L., "Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected," Security and Privacy in Medical and Home-care Systems (SPIMACS 2010) Workshop of ACM Computer and Communications Security 2010, Chicago, IL, pp. 1-12, 2010.

Engineering in Health Care workshop @ ICSE