UWE Bristol research to help uncover and mitigate against hundreds of online public software supply chain vulnerabilities

Posted on

Many software and cloud platforms rely on the use of containerisation, a modern technique of deploying multiple software services quickly, securely and efficiently on large-scale cloud computing resources such as Microsoft Azure and Amazon Web Services (AWS). Platforms such as DockerHub provide an online repository of over 100,000 ready-to-deploy containers that are used widely in many of today’s modern software platforms. Whilst this offers great convenience for development teams, many of these containers may exhibit vulnerabilities, which if not managed, can introduce vulnerabilities into a company software stack. Recent security issues such as the log4j vulnerability and the Solarwinds Orion attack highlight the growing concern around software supply chain security, the dependencies that are made by development teams on third party software, and the implications of identifying and remediating such vulnerabilities later down the line.

As part of our CSC3 research, Alan Mills, Jonathan White and Phil Legg, have developed a suite of docker security visualisation and remediation tools: OGMA and BORVO. The suite of tools enable developer and security teams to quickly identify vulnerabilities against a variety of container security scanning platforms. Results from existing scanning tools can often differ or conflict, and so our aggregated approach helps provide a unified analysis to address conflicts and provide a visual means for thorough examination the results. Our approach also provides a more intuitive risk assessment that considers the true impact of vulnerabilities, such as how easily the vulnerability could actually be exploited by external or internal actors. Furthermore, the suite also provides developers with informed assessment of how to remediate the security issues whilst preserving the intended software functionality that is dependent on the container.

Our research paper “OGMA: Visualisation for Software Container Security Analysis and Automated Remediation” has been peer-reviewed and accepted for the IEEE Conference on Cyber Security and Resilience where the work will be presented and published at the end of July. We will also be sharing our insights in our related presentation on “Securing the Supply Chain – Practicality v Paranoia” at the upcoming BSides Cheltenham conference this weekend, which is a community-organised event for the regional cyber security industry and enthusiasts, and follows our lightning talk on software supply chain security delivered at CYBERUK 2022 earlier this year. OGMA and BORVO are both released as open-source applications that we have made available to the wider research community, to facilitate the examination and remediation of software vulnerabilities in containerised applications. For more details, including how to download and use the tools, please visit our GitHub page.

UWE Bristol hosts one of region’s largest cyber security events to attract future talent

Posted on

Last month UWE Bristol hosted the Unlock Cyber Taster Day at Frenchay campus, which was attended by over 300 young people.

Students aged 12 to 14 participated in hands-on activities including manipulating a Scalextric track to improve the performance of model racing cars.

The event was run by Unlock Cyber, an employer-led initiative established by UWE Bristol to build a community of young cyber security enthusiasts with the right skills to follow a career into the sector.

Industry and cyber representatives from across the West of England region attended the event yesterday in the School of Engineering building to deliver the cyber activities for schoolchildren.

UWE Bristol Cyber Schools Outreach Manager Elaine Brown, who manages the Unlock Cyber project, said: “Young people often think that employers need you to have a lot of technical expertise when in fact this is not the case. They are looking for applicants with good communication skills and enquiring minds, who enjoy problem solving and can work under pressure. We’re trying to engage with and excite more young people, especially girls, who probably think cyber is not for them, to ensure that cyber is more diverse and inclusive. Our biggest challenge moving forwards is how we can cope with the level of demand from schools.”

Kevin Milwood, Cyber Risk Manager from Hargreaves Lansdown, said: “Unlock Cyber stands for what I believe in – giving young people the opportunity to learn about careers in cyber. It’s such an important area for business and I’m passionate about doing what I can in the local area to develop the UK’s skills supply chain to meet the ever-increasing demand for cyber experts. The national curriculum is currently quite limited, so it’s great that Hargreaves Lansdown can get involved with a programme like this that lets us share our expertise.”

Ben Waring, HR and Resourcing Advisor at Leonardo Cyber Security Division in Bristol, said: “Cyber threats are a reality for all of us, so we want to respond to these long-term threats in a positive manner by generating future career opportunities for young people. For the Unlock Cyber taster day, our apprentices have designed a Cyber Crime scene, testing the students’ knowledge of how cyber criminals might target them and use any available information against them. This activity also helps students think about how they can better protect themselves and their family from cyber crime.”

UWE Bristol has worked with the National Cyber Security Centre (NCSC) and regional partners to develop the Unlock Cyber programme. The university has been recognised by NCSC for its excellence in cyber security education, across its outreach activities through Unlock Cyber, its taught programme at UWE Bristol, and its work across the region and the wider UK to improve cyber security education.

Back to top