Dr. Stephen Torri, associate professor in The Department of Computer Science and Engineering at Mississippi State University and Mary Lyn and Niles Moseley Endowed Chair of Cybersecurity.
Dr. Torri, holds a doctorate in Computer Science from Auburn University and an MS in Computer Science from Washington University in Saint Louis.
He has experience as a staff software engineer with emphasis in object-oriented architecture, design and implementation. Faculty profile.
Listen to the episode
Here are the key takeaways
- Interest in cybersecurity: Dr. Torri’s interest in cybersecurity was sparked during his time in the Navy’s nuclear power program and further developed through his master’s and doctoral studies, particularly in reverse engineering and software engineering.
- Reverse engineering in cybersecurity: Dr. Torri discusses the significance of reverse engineering in cybersecurity, particularly for vulnerability researchers. This process involves analyzing assembly language and identifying weaknesses in systems to develop exploits.
- Penetration testing and cybersecurity education: The conversation touches on the role of penetration testers and the importance of integrating cybersecurity into the software development lifecycle. Dr. Torri emphasizes the need for cybersecurity education to include practical, hands-on experience.
- Current research and teaching focus: Dr. Torri is revitalizing his interest in reverse engineering and exploring how malware hides itself. His teaching approach in secure software engineering includes emphasizing non-functional requirements and the integration of cybersecurity into software engineering.
- Cybersecurity education at Mississippi State University (MSU): MSU offers various cybersecurity educational opportunities, including a bachelor’s in cybersecurity, a master’s degree, and a PhD in computer science. The university emphasizes hands-on learning and has adapted to offer more online courses.
The following is a full transcript of the interview:
Steve Bowcut:
Welcome to the Cybersecurity Guide Podcast. My name is Steve Bowcut and I’m a writer and an editor for Cybersecurity Guide and I’m the podcast’s host. Thank you for joining us today. We appreciate your listening. On today’s show, our guest is Dr. Stephen Torri, Associate Professor in the Department of Computer Science and Engineering at Mississippi State University and Mary Lynn and Niles Mosley, Endowed Chair of Cybersecurity.
Our topic today is going to be cybersecurity educational opportunities at MSU. A little bit about our guest before we bring him in. Dr. Torri holds a Doctorate in Computer Science from Auburn University and an MS in Computer Science from Washington University in St. Louis. He has experience as a staff software engineer with emphasis in object-oriented architecture design and implementation. He’s a visionary and highly technical professional with a distinguished record executing complex and high profile technology programs. With that, welcome Stephen. Thank you for joining me today.
Stephen Torri:
Thank you. Yeah.
All right. This is going to be an interesting conversation and I appreciate you giving up part of your day to help us put this resource together for students that are trying to pick their way through all of their educational opportunities. So let’s help the audience understand who you are a little bit and maybe a little bit of how you got to where you’re at. So how did you first become interested in cybersecurity and what did that path look like for you?
Stephen Torri:
Well, for growing up I was using computers way back in the day when you actually plugged them into TVs instead of actual monitors.
Steve Bowcut:
I remember those days. Yeah.
Stephen Torri:
Yes, the gray hair is screaming right now, but basically it just made me interested about computers and when I went to the Navy, I was in the nuclear power program there and that was a very interesting program for me about just how do you make a nuclear reactor work?
But in that whole thing, it’s like that attention to detail, that understanding what’s going on in the system, you have to make it resilient was set in there and then later getting experience with setting up land networks and messing around with Linux installations and stuff like that.
They just kind of compounded and really the time in my master’s program is where I got more into some of the security classes and then took some more during my doctorate, and it was in my master’s that I found about what became my dissertation topic in reverse engineering, kind of a mixture of that and software engineering.
And so I’ve just been taking two-step approach I guess to this is that I wanted to be a better software engineer, but I was also concerned about the resiliency of my software that I was writing. So.
Interesting, and I find it interesting that your dissertation was on reverse engineering. So have you found, through your studies and research, that reverse engineering is a significant aspect of what threat actors do? Do they have that capability? Is that common for threat actors? I guess that’s what I’m asking. Is that common for threat actors to have the capability to actually reverse engineer software and thereby apply their malware or learn how to develop malware?
Stephen Torri:
Short answer is yes. Actually. There’s a profession you can get into in cybersecurity called a vulnerability researcher and they are trying to find the weaknesses in something, whether it’s a website, embedded application, software application, cell phones, whatever, they are using their understanding of what the assembly language looks like because that’s what we do when we’re reading it, is we take it from the ones and zeros.
We use a disassembler, we try to read this stuff, and so people would go through and look at it from that perspective or say the vulnerability research perspective and try to find the weaknesses. And once you find the weakness, then you’re like, okay, how can I make it exploit that weakness to make the system do something it wasn’t designed to do?
Right. Interesting. Well, today we talk a lot about pen testers and pen testers are usually attacking applications or networks that are not really looking at the code. They’re not reverse engineering, but it would be the same concept, but at a deeper level at a code or programming level. Is that a fair assessment?
Stephen Torri:
I can’t say specifically what pen testers do professionally. I’ve tried, we’re training students here in our cybersecurity club to compete in some of these competitions, some of them that were competing in our blue team, meaning you’re defending a network, and we had students that just did it cold turkey here, not even about a month ago, and did very good considering that they were unfamiliar with that thing.
We’ve been restarting that program here, but we’ve also had a team that went to a competition, got third place in more or less, you might say the red team side of things, the attacker side, that would be the penetration tester.
In that competition you really don’t have time, per se, at least on these more quicker contests to go there and reverse engineering. But somebody’s going in there trying to find vulnerabilities that they can exploit later. People that are doing it, if they have the time, the money and…
The time, money, and people essentially, they can take as much time as they need to find the weaknesses in a system and try to develop what is going to be their approach to exploit that system for their uses.
Exactly. Okay. So tell us about research that you’re currently working on. Is there anything that’s captured your interest that you’re working on now?
Stephen Torri:
Well, prior to coming here to MSU, I was working for 12 years as a software engineer, so I got to see quite a bit about what focus people were putting stuff on. So while I’ve been here, I’ve been trying to revitalize my reverse engineering interests in a sense, as a part of a class that I’m teaching. But I’m also interested later on of looking at stuff of like, “Okay, how does malware hide itself? Can we prevent that? How can we be a bit more explicit about what are functions and variables inside of these applications that we’re running?”
I mean, the information’s there, but identifying it is there’s things that people can do to prevent it, to make it harder for somebody to analyze their application. Usually the people they’re doing that the most are the malware writers. The other, let’s see, so in this secure software engineering class that I’m doing, we’re trying to teach them more about what are the things that you have to do as a culture, the team, the organization, in a sense, to do security.
It’s not necessarily just buying the right applications or getting necessarily a single course training. I’m teaching about non-functional requirements, how those impact the performance and the security of the application. How fast should it run? Okay, well, what protection mechanism am I using? Well, that that’s not free. So, okay, how do I understand their impact as much as the functional? This is where I say, essentially, cybersecurity and software engineering are becoming one and the same, and that is, it isn’t good enough to make an application simply work.
It’s like it has to be resilient, it has to keep information confidential, integrity of it, authenticating the right people, and we need to be considering that earlier into the lifetime, you might say, of a piece of software that could be even before it’s released, per se. And so it’s a whole layered defense. You would see a castle, right? There’s the outer wall, the inner wall, the keep. We put all these things together to make our application do what it’s supposed to do, resist doing something wrong and trying to defeat somebody who’s trying to do something malicious with it.
Right. Yeah. I know in industry right now, one of the kind of buzz phrases, if you will, is shift left. And so the idea behind shifting left is to take security and move it. If you think about the development lifecycle of software, move it to the left so that now it’s earlier people are thinking about security and developing software with security in mind rather than in the old days when you just built it, you tested it, “Oh yeah, it works. Okay, now let’s check and see if it’s secure.”
So it was kind of an afterthought. And so I assume that’s something that you’re stressing in the classes that you teach to this kind of a integrate security throughout the whole development life cycle?
Stephen Torri:
Yes. With each requirement, you’re trying to think about in a sense, what are the trust boundaries in a system? Meaning, at what point do I inside sort of that we look at the keep analogy, if you’re inside the keep, you usually don’t have to check everybody to make sure that they are who they say they are or whatever you trust once they’re in there. But anyone in crossing the threshold to get in might have to say the secret passphrase or badge in or whatever.
And so when we’re designing the software, we’re like, “Okay, within this component, let’s say we don’t have to test internally, but anything crossing the boundaries into that component, whether it’s through a distributed networking or standard networking or whatever, at that point, I’ll check things.”
So it’s thinking about where those critical points are, what are the threats to the system, some, it’s like they do have to do much better on input validation, let’s say, whereas other ones don’t because there isn’t really much input validation or something. It’s like a medical device. It usually is not expecting user inputs per se.
Yeah, exactly. Okay, excellent. Thank you. So let’s kind of change our focus here a little bit and talk about what educational opportunities are available at Mississippi State University. I assume there’s various degrees and are they specifically cybersecurity degrees or are students getting degrees in computer science with an emphasis in or how does that all work at MSU?
Stephen Torri:
Well, the department’s been putting a lot of effort in here to get a lot deeper in a sense to what is cybersecurity. The department is on one of the few places to be awarded by the National Security Agency as a Center of Academic Excellence. That is in operations, teaching, and sort of research. And so, one of the things that we’ve been doing is developing a bachelor’s in cybersecurity. So it is a computer science degree, but it’s going to be under the label of cybersecurity.
So you’re going to have software classes, operating systems, some basic things. You’ll have technical electives that you can take. It’s a pretty challenging sort of four year. Some do five-year degrees if they’re going to do an accelerated masters. So we do have, for the other bachelor’s, we do have computer science and software engineering, just different emphasis on the topics they’re covering.
So the cybersecurity engineer would be probably a good option for somebody who knows from the outset that cybersecurity is where they want their career to be, right?
Stephen Torri:
Yeah. This one’s going to be a little bit more on the software engineering side of things. There’s one that’s in the works for more in applied sciences. You might consider that more of the, it seems to be leaning towards the CIS admin approach to things.
Steve Bowcut:
Oh, okay.
Stephen Torri:
So there’s different ways in which people can have jobs in this particular industry. So the one thing I want to say is that we do also have a master’s degree in cybersecurity, and some students will take what is called an accelerated path to that. Meaning if they have a 3.5 or greater GPA in their junior year or whatever, they can apply to do that. And they can essentially, within one additional year focusing on coursework, they can get a master’s in cybersecurity and go to industry after that.
These, yeah, this one, and let’s see, we also have naturally have a PhD in computer science for those that want to be either teaching, and this is a thing for people that are even mid or late career. Some people will go and work on these degrees and then go into academia after they retire from their first job.
And our degrees, now we might say thank you due to COVID, maybe, we now have a lot of onward online focus where we’re trying to offer all of these degrees in a sense, if somebody can’t be here on campus. So I have a number of master’s students that are working coursework, some doing a thesis projects on one and at least four PhD students that are working remotely on their degrees.
Steve Bowcut:
Oh, wow. Excellent. I know that’s very popular right now. People we’ve kind of adopted, we quickly adopted this whole online world with COVID. I think that did kind of spur that on a little bit. The adoption of just doing most everything online.
Stephen Torri:
This program that we have here, I mean, computer science in general, as we’re doing right now, we’re having this conversation over a vast distance, excuse me. And so it’s, there’s really no technical reason in a sense of you don’t have any physical labs that you’re working with chemicals or whatever. So it lends itself very well to being a distributed experience in a sense. You can attend synchronously or asynchronously depending on the class.
Excellent. So let’s paint a vision here if we can. So if a student who’s thinking about coming to Mississippi State University to pursue an education in cybersecurity, what kinds of clubs or projects can they expect to be involved in, either in the undergraduate or the master’s degree program? Is there specific types of projects that they might find themselves involved in?
Stephen Torri:
Well, I believe there’s a… To kind of answer that question, I look at it as you have various communities you can be active with online, that is, there are some people that work on some of these competitions. We have a cybersecurity at MSU Club, which has been revitalized since we’ve gotten back on campus from COVID.
And so we have a group of students that are taking on the challenge of, “Okay, what contests are out there that we could be involved with? What kind of skills are we going to need to have to be able to do this?”
And that’s what I’m challenging the leadership there to accept the ownership of is saying like, “Okay, we want to be competing in these contests. Okay, fine. What do we have to do that?” So they’ve been trying to look at, “Okay, what are we doing? Just how can we improve our club year after year kind of thing. That’s what we’re shooting for.” So there’s that.
There’s some professional societies, the Association of Computing Machinery, ACM does have a group here on campus. There’s a variety of other things that you can be involved with. As to the undergraduates, I don’t remember if there’s a capstone. I mainly teach senior and graduate student classes. So there’s a set path essentially through this. Let me look up the cyber…
Which may include, we may include a capstone. I know it often does. Okay, so let’s move on from that. This is, I’m interested in getting your perspective on what academia, specifically, MSU is doing to in response to industry… Industry is kind of clamoring for cybersecurity professionals. There’s not enough of them and are where there are enough of them, they don’t have the right skills oftentimes, and so I’m just wondering if MSU is responding to that need, and if so, how?
Stephen Torri:
Well, we have a board that works with our head of department essentially, and other faculty to provide a set outside input. As much as we also have industry contacts with people to hear about what they’re doing. I get stuff back from my students from when they do their internships plus my own professional experience.
So like I say, what we’ve been doing recently is considering this bachelor’s of applied sciences degree, which is, that’s kind of in the works right now where we’re trying to help those that are doing, let’s say, starting on a more CIS admin approach at a community college. How have they transferred us and finished out getting a degree in, I’m not sure exactly what the title of it’s going to be yet.
I don’t know what it’s actually going to be, so I won’t even try to project, but we’re also, the thing that’s been important to us was, like you said, the call from this case from the National Security Agency, the Department of Defense saying, “We need people that are able to hit the ground running to an extent,” I, if I got to teach them the foundation here, I can’t teach them everything.
So the focus that we’ve been doing is a lot more hands on stuff. That’s what the knowledge units of this certification say covers. So for example, in my operating systems class it’s not just simply understanding the parts of what’s going on in the operating system, what we’re doing is we have this big project that they work on throughout the semester that ties into certain pieces about what’s in an operating system, like the processes, memory, file systems, things like that.
So we’re trying to give them the foundation to understand that there’s all these various parts that make up an operating system and they’re trying to abstract away essentially from the application developer this need to understand the exact hardware they’re running on. They just simply program to the operating system. The operating system writers, they handle all the stuff of the drivers and those other kind of things.
And so that’s what we’re doing in this class as well as in my software reverse engineering class, I do a bunch of little hands on things where they’re translating from assembly to C++, for example, and then there’s some other newer technology that has, well it wasn’t exactly taught in the past, but stuff like anti-reverse engineering techniques that people try to use to prevent you from reverse engineering or dissembling what’s going on.
Am I in a debugger? Am I ina container or a virtual machine? How do I break out of that virtual machine? So there’s all that kind of stuff that we’re trying to at least introduce them to and give them this good rounded foundation in cybersecurity that their employer then can build upon with whatever custom training they have.
Got it. All right, perfect. Thank you. All right. We’re just about out of time. Couple of more questions, if you will. The next one is we try and provide a list of resources for people that come to our website.
So if you were to come up with your top picks of cybersecurity reading lists, and it could be books or papers or lectures or even conferences and trade shows, what resources would you recommend for students that want to learn more about cybersecurity?
Stephen Torri:
Well, I got a few that come to mind. Some of these books are fairly new, like the Secure, Resilient and Agile Software Development by Mark Merkow. That’s the book that I’m using in my secure software engineering class. That one is rather interesting because it’s covering a wide variety of topics. It’s like cybersecurity is technical and it is people in a sense.
So one of the things it’s doing instead of having to figure out all the things that the system must do right away, get all the requirements correct, rather, it’s sort of this iterative process where let’s try a few things here, get those right. Work at sort of a more methodical pattern. So it’s a good book that’s covering that as well as some of the technical applications and things that one needs to consider as a part of that. And so with that book, I couple articles that are out there, one of them is Secure by Design Secure GDPR Compliant and Trusted Software.
This one I found is a blog off of Omniscien. I think it is. Let’s see, one of the other ones is Defect Management Process, How to Manage a Defect Effectively from the Software Testing Help website. So it’s a mix.
Cybersecurity, in a sense, from a software engineer’s perspective is like, “Okay, I need to design my software so it meets the objectives. I can test it to make sure it works as I intended it. That way, also, if I make new changes and something breaks, I know what broke it last because everything else has been tested.” So I believe like we said earlier, before we started, you’re going to have a whole list of these there.
There’s a bunch of others that I have listed on here that you can do. One of the older ones that’s my favorite is Managing Software Debt Building for Inevitable Change, because that’s the thing about it is people don’t know what they want ’til they see it. So how do you guide them from the initial idea to okay, trying it. So which is where Agile kind of comes in, so.
Excellent. So that’ll be a helpful list. We will put that on the website so that students can go there and look at those resources. Thank you for that. Lastly, we’ll kind of end with kind of a fun question, but I think it can be useful and informative for students.
So if you were to dust off your crystal ball and look into the future, so five years or 10 years or whatever’s appropriate, what do you think students today need to do to prepare? What’s the future going to look like and what do students need to do today to prepare for that?
Stephen Torri:
One of the things I was thinking about in this on the five years thing is cybersecurity merging with software engineering. That is, it isn’t the job of the soft engineers just to code it and that’s it. They’re responsible for coding it, testing it, ensuring it’s as defect free as possible as a part of some secure development life cycle.
That’s because you’re going to always going to be pushing out new changes. And so every two weeks or so, you could be pushing out a release to your client. And so we need to have automated ways to do all our testing and validation stuff so that we can be producing the best code we can, should have a deliverable or usable piece of code every two weeks.
Yeah, that’s interesting because I know that in the industry, kind of the rule of thumb that people hold up is that there’s probably 100 developers for every one security professional in a large team.
And so I’ve wondered myself, does that mean that what we should be doing is taking these developers and educating them more on security, or should we be training more security people? And just so that relationship, that proportion changes a little bit and I don’t know what the answer is, but it’d be interesting… How do you feel about that?
Stephen Torri:
Well, I think in a way, one company did it. They, rather than having their own testing department do all the testing, they taught their developers how to do the unit testing, for example. So they could write the quick tests that the developers can use to make sure that, “Okay, the new thing I’m adding works as intended and I haven’t broken anything else.”
And so then what did that free up the testing team to do? Well, it freed them up to handle the more longer term you might call it integration and pre-release kind of testing. So they were focusing on more on those kinds of elements. So I think as a developer, you’re going to have to know about testing and take responsibility for your code that you’re creating. And one of that responsibilities is the security of it. And so there’s tools that you’re going to be using, static analysis tools that we can run on the source code itself or dynamic when we’re testing it.
Maybe in the integration level, it’s going to be a part of your job to think about how could this be broken when you call a function and it has five exceptions it can throw? You actually have to really deal with it right then and there when you’re making the call, what does it mean to your application when it gets an IO exception at that place? So it’s tempting to not try to deal with that, but then you’re kicking the can down the road and at some point someone’s going to have to deal with it.
Yeah, exactly. Yeah, that’s true. Anything else that students just starting out in their academic career need to think about?
Stephen Torri:
When I was in my last job, we worked as a part of an agile team. So yes, I’m an introvert. I generally like to just to be by myself…
Steve Bowcut:
Me and you both.
Stephen Torri:
At the same time, but it’s like I do appreciate the presence other humans. And so what we did as a part of that team is we’d have a daily meeting that would say, “Okay, I’m working on this. I got this done. I’m stuck on that.” And it allows everyone to kind of know what everyone else is working on for other team members to help you with whatever project you’re working on.
So expect to be a part of a team now, not 100 percent talk in front of others. You just have to talk about the basics because those meetings are really quick. 15 minutes. And then it’s like when… If you don’t know something, that’s fine, just say you don’t know it, but you’re willing to learn it.
That’s what companies want is, yeah, the job advert may say 15 different skills. If you have five of those, apply for the job. Because maybe you’ll learn those as part of what you’re doing. People just want someone that will…
Their yes is yes, their no is no, they show up in time, they do good work, they participate as a part of the team. That doesn’t mean you hang out with everybody after work. But they’re trying to meet an objective, so you understand that you’re going to be… You will be programming, you’re just going to be a part of a team working with others on it.
Steve Bowcut:
Right. Yeah. Got it. Okay. All right, Dr. Torri, I think we have used all of our allotted time, but thank you so much. I really appreciate your taking some time to meet with us today. This has been very informative, so thank you.
Stephen Torri:
You’re welcome.
Steve Bowcut:
Thank you to our listeners for being with us as well. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.