Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed.
Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture.
We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
My talk on working with the CloudStack Database for data recovery and unintended manipulation. From CloudStack Collaboration Conference North America 2014
Linux containers provide isolation between applications using namespaces and cgroups. While containers appear similar to VMs, they do not fully isolate applications and some security risks remain. To improve container security, Docker recommends: 1) not running containers as root, 2) dropping capabilities like CAP_SYS_ADMIN, 3) enabling user namespaces, and 4) using security modules like SELinux. However, containers cannot fully isolate applications that need full hardware or kernel access, so virtual machines may be needed in some cases.
Security patterns and model driven architecture bdemchak
This document provides an overview of security patterns and model driven architecture. It summarizes three papers on using security patterns to model security requirements. The document discusses how security patterns can be used to address the common problem of irregular and haphazard application of security measures leading to insecure systems. It describes Cheng's approach of revising the security pattern template to allow formal verification of requirements. Rosado's approach is also summarized, which presents a standardized security pattern template and evaluates several common security patterns. The document provides context on how security patterns can help capture expertise to facilitate secure systems design.
NWC 2015 - Critical - Path Simulation Jennifer Day
Critical-Path Simulation: Case studies in the identification and execution of finite-element analysis early in the design process to assure feasibility and increase ROI
Bradford Range - Acorn Product Development
Model-based Conformance Testing of Security Properties Achim D. Brucker
The document discusses model-based conformance testing of security properties. It presents an approach for the modular specification of security policies using a formal model. Based on this specification, a model-based test case generation approach is discussed that can be used to test the correctness of security infrastructure implementations and their conformance to high-level security policies. As an example, the document focuses on modeling firewalls and generating test cases to test firewall configurations and implementations. It describes modeling firewall policies directly as well as applying model transformations to optimize the test case generation process by removing redundancies from the policy model.
Formal Methods for Dependable Neural Networks Chih-Hong Cheng
This document discusses how formal methods can help certify dependable neural networks and ensure safety. It summarizes three in-house projects at fortiss GmbH aimed at using formal methods: 1) nn-verifier, a tool that uses constraint programming to formally verify properties of neural networks, 2) Formal synthesis of runtime monitors from specifications to constrain neural network outputs, and 3) Research towards understanding neural networks through formal verification and certification approaches analogous to standards like DO-178C. The goal is applying formal methods to analyze neural networks and guarantee properties like safety.
On the Transition from Design Time to Runtime Model-Based Assurance Cases Ran Wei
Presentation slides for the paper "On the Transition from Design Time to Runtime Model-Based Assurance Cases" at 13th International Workshop on Models@Runtime
PythonQuants conference - QuantUniversity presentation - Stress Testing in th... QuantUniversity
In this talk, we will discuss the key aspects of model verification and validation and introduce a novel approach to do stress and scenario tests leveraging parallel and distributed computing technologies and the cloud.
We have developed a platform that leverages cloud-based technologies to run stress tests on a massive scale without having to invest in fixed in-house architectures. Through a case study, we will illustrate best practices for stress and scenario testing for model verification and validation. These best practices are meant to provide practical tips for companies embarking on a formal model risk management program or enhancing their stress testing methodologies.
DBMask: Fine-Grained Access Control on Encrypted Relational Databases Mateus S. H. Cruz
Presentation given at the SWIM Seminar (University of Tsukuba) about MONOMI*.
This presentation is based on the uploader's understanding of the paper and may contain inaccurate interpretations.
A summary of the paper is available at: https://mshcruz.wordpress.com/2016/07/15/summary-dbmask/
*Nabeel et al.: "DBMask: Fine-Grained Access Control on Encrypted Relational Databases". CODASPY 2015.
This document provides information about an upcoming webinar on fleshing out architecture with design principles, activities, and closure. The webinar will focus on strategies for developing an agile structural architecture, including reviewing fundamental design principles, methods for bringing closure to basic design concepts, and drawing examples from agile systems and engineering processes. It includes the webinar abstract, bio of the presenter Rick Dove, and slides from previous webinars in the Agile Systems and Processes series.
80
Initiative
#تواصل_تطوير
The eightieth lecture of the initiative, with
Engineer Ahmed Saeed Refaei
Project manager and researcher in project management
titled
"The Cost Estimation Life Cycle in Construction Projects"
8:30 PM Makkah time
7:30 PM Cairo time
Monday, 09 November 2020
via the Zoom application
Meeting ID: 812 2771 3116
https://us02web.zoom.us/meeting/register/tZUvde6vrzgrG9Jy6qAJj1lOuxbHoNJOE0H-
Note that the lecture is also streamed live on the YouTube channel
https://www.youtube.com/user/EEAchannal
To contact the initiative's management via the Telegram channel
Link
https://t.me/EEAKSA
LinkedIn and e-library link
www.linkedin.com/company/eeaksa-egyptian-engineers-association/
General registration link for the lectures
https://forms.gle/vVmw7L187tiATRPw9
From Model-based to Model and Simulation-based Systems Architectures Obeo
Achieving quality engineering through descriptive and analytical models
Systems architecture design is a key activity that affects the overall systems engineering cost. It is hence fundamental to ensure that the system architecture reaches a proper quality. In this paper, we leverage MBSE approaches and complement them with simulation techniques, as a promising way to improve the quality of the system architecture definition, and to come up with innovative solutions while securing the systems engineering process.
Cybernetics in supply chain management Luis Cabrera
This document discusses the role of operations research and simulation modeling in developing a cybernetic dynamic simulation model of a manufacturing supply chain system. It notes that production planning is a key but complex component that benefits from mathematical algorithms and computer modeling. Simulation allows analyzing complex systems with many variables and obtaining solutions that aren't possible with closed-form equations. The document provides examples of why simulation is useful and discusses representing real-world processes and testing different configurations and policies.
Machine Learning is increasingly being used by companies as a disruptor or providing a USP. This means that Machine Learning models need to cope with being a critical part of solutions and if those solutions use PCI-DSS or PII then the models must be highly secure.
In addition, if a Machine Learning model is part of your USP then you will want to protect it. Also, the EU AI Regulation and UK AI Strategy mean that AI is becoming increasingly regulated. This means you need to be able to prove what model made a prediction and why it made it by providing auditability and explainability.
In this talk we go over these issues and how to address them including using AWS and how to implement development best practices.
The document contains slides related to software design concepts from the textbook "Software Engineering: A Practitioner's Approach". It discusses key design principles such as abstraction, architecture, patterns, separation of concerns, modularity, information hiding, stepwise refinement, functional independence, and cohesion. The slides provide examples and definitions for these important software design topics.
This document summarizes the results of Work Package 6 which developed methods and tools for GDPR compliance through privacy engineering. The key results include:
1) Demonstrating the feasibility of using assurance principles from safety engineering for privacy engineering and modelling privacy regulations as reference frameworks.
2) Developing a tool-supported method for handling multiple privacy reference frameworks using mapping models.
3) Providing reusable privacy assurance patterns contained in a knowledge base, along with reference framework models and mapping models between standards.
4) Releasing tool features and an open source knowledge base to support the privacy assurance method.
Vipul Kocher - Software Testing, A Framework Based Approach TEST Huddle
EuroSTAR Software Testing Conference 2008 presentation on Software Testing, A Framework Based Approach by Vipul Kocher. See more at conferences.eurostarsoftwaretesting.com/past-presentations/
The document discusses various aspects of prototyping, including prototype development methodologies, types of prototypes, evaluation techniques, and tools used in prototyping. Specifically, it covers methodology for prototype development, types of prototypes like throwaway, evolutionary, and incremental prototypes. It also discusses techniques for prototype evaluation like protocol analysis and cognitive walkthroughs, and the benefits of prototyping for software development.
The document discusses openEHR China localization efforts. It proposes establishing a sharable archetype repository in China to accelerate archetype publication through an implementation-driven process. This involves modelers developing archetypes, implementers testing them in projects, and experts reviewing. The goal is to localize openEHR for Chinese needs faster while collaborating with the international community and standards bodies in China. A working group and timeline are proposed to publish the first localized archetypes by early 2018.
JamesSticky NoteThis is an introduction to a volume of t.docx christiandean12115
James
Sticky Note
This is an introduction to a volume of the Journal of Education devoted to my papers. This piece is quite close to my paper "What is Literacy?".
Chapter 8
Design for Six Sigma
Design for Six Sigma (DFSS) represents a set of tools and methodologies used in product development for ensuring that goods and services will meet customer needs and achieve performance objectives and that the processes used to make and deliver them achieve six sigma capability.
DFSS Methodology: DMADV
Define – establish goals
Measure – identify voice of the customer and define CTQ measures
Analyze – propose and evaluate high-level design concepts
Design – design the details of the product and processes used to produce it
Verify – ensure that the product performs as expected and meets customer requirements
Features of DFSS
A high-level architectural view of the design
Use of CTQs with well-defined technical requirements
Application of statistical modeling and simulation approaches
Predicting defects, avoiding defects, and performance prediction using analysis methods
Examining the full range of product performance using variation analysis of subsystems and components
Concept Development
Concept development – the process of applying scientific, engineering, and business knowledge to produce a basic functional design that meets both customer needs and manufacturing or service delivery requirements.
Innovation
Innovation involves the adoption of an idea, process, technology, product, or business model that is either new or new to its proposed application.
The outcome of innovation is a discontinuous or breakthrough change that results in new and unique goods and services that delight customers and create competitive advantage.
Types of Innovation
1. An entirely new category of product (for example, Twitter)
2. First of its type on the market in a product category already in existence (for example, the DVD player)
3. A significant improvement in existing technology (for example, the Blu-ray disc technology)
4. A modest improvement to an existing product (for example, the latest iPad)
Creativity
Creativity is seeing things in new or novel ways.
Creativity tools, such as brainstorming and “brainwriting,” are designed to help change the context in which one views a problem or opportunity, thereby leading to fresh perspectives.
Understanding the Voice of the Customer
What is the product (good or service) intended to do?
Technical requirements, sometimes called design characteristics, translate the voice of the customer into technical language, specifically into measures of product performance.
Design Development
Design development – the process of applying scientific, engineering, and business knowledge to produce a basic functional design that meets all CTQ.
Peter Zimmerer - Evolve Design For Testability To The Next Level - EuroSTAR 2012 TEST Huddle
EuroSTAR Software Testing Conference 2012 presentation on Evolve Design For Testability To The Next Level by Peter Zimmerer. See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
This document discusses expert systems and their application in road transport. It begins with definitions of expert systems and how they emulate human decision making. It then outlines the typical design of rule-based expert systems, including the knowledge base and inference engine. Next, it describes the six phase development process for building an expert system and provides comments on each phase. It also discusses rule-based reasoning approaches, including goal-driven and data-driven reasoning. Finally, it lists some advantages of expert systems and examples of their applications.
This document discusses expert systems and their application in road transport. It begins with definitions of expert systems and how they emulate human decision making. It then outlines the typical design of rule-based expert systems, including the knowledge base and inference engine. Next, it describes the six phase development process for building an expert system and provides comments on each phase. It also discusses rule-based reasoning approaches, including goal-driven and data-driven reasoning. Finally, it lists some advantages of expert systems and potential applications in areas like diagnosis, planning, and monitoring.
How Romanian companies are developing secure applications on Azure.pptx Radu Vunvulea
Discover how you can ensure that application secrets are not published to the project repository and what are the tools that can detect and react when this happens. Find out how you can maintain control of governance and security across large deployments using multiple tenants and subscriptions where a central tool is required to scan and manage security and cost economics aspects.
A methodology I developed a while back, for more of a military application, that I'm not revamping to fit a consumer model. I thought I would share the presentation, in the hopes that it will spark some interest in conversations, and maybe educate the public, not only on cloud computing as a whole, but also that bursting as it is portrayed, is not only a public cloud resource.
How to Build an Early Warning System to Harness Predictability and Win in the... IntelCollab.com
The document is a summary of a webinar on building an early warning system to gain predictability in the market. It discusses how to practically implement early warning systems using examples from consumer packaged goods. Key elements include identifying innovation signatures through patterns of preceding events, mapping supply chains to find signals, and designing a system with multiple time horizons to forecast events. The goal is to tie insights to resource allocation and strategic planning processes.
An Approach for cloud-based Situational Analysis for factories providing real... Sebastian Scholze
This document proposes a cloud-based approach for situational analysis and real-time reconfiguration services for factories. It involves using predictive analytics on data from connected products and factories to optimize production processes and product configurations. The approach includes services for situation monitoring, predictive analytics, reconfiguration and optimization, and security. It aims to enable reactive and predictive optimization of factories and products through runtime reconfiguration decisions based on analytics of current performance and configurations.
The term “usable security” is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and unfriendliness of systems. And, second, that simple to use systems should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages.
But it also seems to be a general surprise (at least for security experts), why software developers always (still) make so many easy to avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors.
Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and “non-usable” security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require an understanding of security topics that most security experts do not have (and, thus, that we cannot expect from software developers).
Formalizing (Web) Standards: An Application of Test and Proof Achim D. Brucker
Most popular technologies are based on informal or semiformal standards that lack a rigid formal semantics. Typical examples include web technologies such as the DOM or HTML, which are defined by the Web Hypertext Application Technology Working Group (WHATWG) and the World Wide Web Consortium (W3C). While there might be API specifications and test cases meant to assert the compliance of a certain implementation, the actual standard is rarely accompanied by a formal model that would lend itself to, e.g., verifying the security or safety properties of real systems.
Even when such a formalization of a standard exists, two important questions arise: first, to what extent does the formal model comply with the standard and, second, to what extent does the implementation comply with the formal model and the assumptions made during the verification? In this paper, we present an approach that brings all three involved artifacts - the (semi-)formal standard, the formalization of the standard, and the implementations - closer together by combining verification, symbolic execution, and specification based testing.
More Related Content
Similar to Extending Access Control Models with Break-glass
DBMask: Fine-Grained Access Control on Encrypted Relational DatabasesMateus S. H. Cruz
Presentation given at the SWIM Seminar (University of Tsukuba) about MONOMI*.
This presentation is based on the uploader's understanding of the paper and may contain inaccurate interpretations.
A summary of the paper is available at: https://mshcruz.wordpress.com/2016/07/15/summary-dbmask/
*Nabeel et al.: "DBMask: Fine-Grained Access Control on Encrypted Relational Databases". CODASPY 2015.
This document provides information about an upcoming webinar on fleshing out architecture with design principles, activities, and closure. The webinar will focus on strategies for developing an agile structural architecture, including reviewing fundamental design principles, methods for bringing closure to basic design concepts, and drawing examples from agile systems and engineering processes. It includes the webinar abstract, bio of the presenter Rick Dove, and slides from previous webinars in the Agile Systems and Processes series.
80
مبادرة
#تواصل_تطوير
المحاضرة الثمانون من المبادرة مع
المهندس / أحمد سعيد رفاعي
مدير مشاريع وباحث في ادارة المشروعات
بعنوان
" دورة حياة تقدير التكلفة بمشروعات التشييد "
الثامنة والنصف مساء توقيت مكة المكرمة
السابعة والنصف توقيت القاهرة
الإثنين 09 نوفمبر 2020
وذلك عبر تطبيق زووم
Meeting ID: 812 2771 3116
https://us02web.zoom.us/meeting/register/tZUvde6vrzgrG9Jy6qAJj1lOuxbHoNJOE0H-
علما ان هناك بث مباشر للمحاضرة على وقناة يوتيوب
https://www.youtube.com/user/EEAchannal
للتواصل مع إدارة المبادرة عبر قناة تيليجرام
الرابط
https://t.me/EEAKSA
رابط اللينكدان والمكتبة الالكترونية
www.linkedin.com/company/eeaksa-egyptian-engineers-association/
رابط التسجيل العام للمحاضرات
https://forms.gle/vVmw7L187tiATRPw9
From Model-based to Model and Simulation-based Systems ArchitecturesObeo
Achieving quality engineering through descriptive and analytical models
Systems architecture design is a key activity that affect the
overall systems engineering cost. It is hence fundamental
to ensure that the system architecture reaches a proper quality.
In this paper, we leverage on MBSE approaches and complement them
with simulation techniques, as a prom-ising way to improve the quality of the system architecture definition, and to come up with inno-vative solutions while securing the systems engineering process.
Cybernetics in supply chain managementLuis Cabrera
This document discusses the role of operations research and simulation modeling in developing a cybernetic dynamic simulation model of a manufacturing supply chain system. It notes that production planning is a key but complex component that benefits from mathematical algorithms and computer modeling. Simulation allows analyzing complex systems with many variables and obtaining solutions that aren't possible with closed-form equations. The document provides examples of why simulation is useful and discusses representing real-world processes and testing different configurations and policies.
Machine Learning is increasingly being used by companies as a disruptor or providing a USP. This means that Machine Learning models need to cope with being a critical part of solutions and if those solutions use PCI-DSS or PII then the models must be highly secure.
In addition, if a Machine Learning model is part of your USP then you will want to protect it. Also, the EU AI Regulation and UK AI Strategy means that AI is becoming increasingly regulated. This means you need to be able to prove what model made a prediction and why it made it by providing auditability and explainabilty.
In this talk we go over these issues and how to address them including using AWS and how to implement development best practices.
The document contains slides related to software design concepts from the textbook "Software Engineering: A Practitioner's Approach". It discusses key design principles such as abstraction, architecture, patterns, separation of concerns, modularity, information hiding, stepwise refinement, functional independence, and cohesion. The slides provide examples and definitions for these important software design topics.
This document summarizes the results of Work Package 6 which developed methods and tools for GDPR compliance through privacy engineering. The key results include:
1) Demonstrating the feasibility of using assurance principles from safety engineering for privacy engineering and modelling privacy regulations as reference frameworks.
2) Developing a tool-supported method for handling multiple privacy reference frameworks using mapping models.
3) Providing reusable privacy assurance patterns contained in a knowledge base, along with reference framework models and mapping models between standards.
4) Releasing tool features and an open source knowledge base to support the privacy assurance method.
Vipul Kocher - Software Testing, A Framework Based ApproachTEST Huddle
EuroSTAR Software Testing Conference 2008 presentation on Software Testing, A Framework Based Approach by Vipul Kocher. See more at conferences.eurostarsoftwaretesting.com/past-presentations/
The document discusses various aspects of prototyping, including prototype development methodologies, types of prototypes, evaluation techniques, and tools used in prototyping. Specifically, it covers methodology for prototype development, types of prototypes like throwaway, evolutionary, and incremental prototypes. It also discusses techniques for prototype evaluation like protocol analysis and cognitive walkthroughs, and the benefits of prototyping for software development.
The document discusses openEHR China localization efforts. It proposes establishing a sharable archetype repository in China to accelerate archetype publication through an implementation-driven process. This involves modelers developing archetypes, implementers testing them in projects, and experts reviewing. The goal is to localize openEHR for Chinese needs faster while collaborating with the international community and standards bodies in China. A working group and timeline are proposed to publish the first localized archetypes by early 2018.
JamesSticky NoteThis is an introduction to a volume of t.docxchristiandean12115
James
Sticky Note
This is an introduction to a volume of the Journal of Education devoted to my papers. This piece is quite close to my paper "What is Literacy?".
1
Chapter 8
Design for Six Sigma
1
Design for Six Sigma
Design for Six Sigma (DFSS) represents a set of tools and methodologies used in product development for ensuring that goods and services will meet customer needs and achieve performance objectives and that the processes used to make and deliver them achieve six sigma capability.
2
2
DFSS Methodology: DMADV
Define – establish goals
Measure – identify voice of the customer and define CTQ measures
Analyze – propose and evaluate high-level design concepts
Design – design the details of the product and processes used to produce it
Verify – ensure that the product performs as expected and meets customer requirements
3
Features of DFSS
A high-level architectural view of the design
Use of CTQs with well-defined technical requirements
Application of statistical modeling and simulation approaches
Predicting defects, avoiding defects, and performance prediction using analysis methods
Examining the full range of product performance using variation analysis of subsystems and components
Concept Development
Concept development – the process of applying scientific, engineering, and business knowledge to produce a basic functional design that meets both customer needs and manufacturing or service delivery requirements.
Innovation
Innovation involves the adoption of an idea, process, technology, product, or business model that is either new or new to its proposed application.
The outcome of innovation is a discontinuous or breakthrough change that results in new and unique goods and services that delight customers and create competitive advantage.
Types of Innovation
1. An entirely new category of product (for example, Twitter)
2. First of its type on the market in a product category already in existence (for example, the DVD player)
3. A significant improvement in existing technology (for example, the Blu-ray disc technology)
4. A modest improvement to an existing product (for example, the latest iPad)
Creativity
Creativity is seeing things in new or novel ways.
Creativity tools, such as brainstorming and “brainwriting,” are designed to help change the context in which one views a problem or opportunity, thereby leading to fresh perspectives.
Understanding the Voice of the Customer
What is the product (good or service) intended to do?
Technical requirements, sometimes called design characteristics, translate the voice of the customer into technical language, specifically into measures of product performance.
Design Development
Design development - the process of applying scientific, engineering, and business knowledge to produce a basic functional design that meets all CTQ.
Peter Zimmerer - Evolve Design For Testability To The Next Level - EuroSTAR 2012TEST Huddle
EuroSTAR Software Testing Conference 2012 presentation on Evolve Design For Testability To The Next Level by Peter Zimmerer. See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
This document discusses expert systems and their application in road transport. It begins with definitions of expert systems and how they emulate human decision making. It then outlines the typical design of rule-based expert systems, including the knowledge base and inference engine. Next, it describes the six phase development process for building an expert system and provides comments on each phase. It also discusses rule-based reasoning approaches, including goal-driven and data-driven reasoning. Finally, it lists some advantages of expert systems and examples of their applications.
This document discusses expert systems and their application in road transport. It begins with definitions of expert systems and how they emulate human decision making. It then outlines the typical design of rule-based expert systems, including the knowledge base and inference engine. Next, it describes the six phase development process for building an expert system and provides comments on each phase. It also discusses rule-based reasoning approaches, including goal-driven and data-driven reasoning. Finally, it lists some advantages of expert systems and potential applications in areas like diagnosis, planning, and monitoring.
How Romanian companies are developing secure applications on Azure.pptxRadu Vunvulea
Discover how you can ensure that application secrets are not published to the project repository and what are the tools that can detect and react when this happens. Find out how you can maintain control of governance and security across large deployments using multiple tenants and subscriptions where a central tool is required to scan and manage security and cost economics aspects.
A methodology I developed a while back, for more of a military application, that I'm not revamping to fit a consumer model. I thought I would share the presentation, in the hopes that it will spark some interest in conversations, and maybe educate the public, not only on cloud computing as a whole, but also that bursting as it is portrayed, is not only a public cloud resource.
How to Build an Early Warning System to Harness Predictability and Win in the...IntelCollab.com
The document is a summary of a webinar on building an early warning system to gain predictability in the market. It discusses how to practically implement early warning systems using examples from consumer packaged goods. Key elements include identifying innovation signatures through patterns of preceding events, mapping supply chains to find signals, and designing a system with multiple time horizons to forecast events. The goal is to tie insights to resource allocation and strategic planning processes.
An Approach for cloud-based Situational Analysis for factories providing real...Sebastian Scholze
This document proposes a cloud-based approach for situational analysis and real-time reconfiguration services for factories. It involves using predictive analytics on data from connected products and factories to optimize production processes and product configurations. The approach includes services for situation monitoring, predictive analytics, reconfiguration and optimization, and security. It aims to enable reactive and predictive optimization of factories and products through runtime reconfiguration decisions based on analytics of current performance and configurations.
Similar to Extending Access Control Models with Break-glass (20)
The term “usable security” is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and unfriendliness of systems. And, second, that simple-to-use systems should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages.
But it also seems to be a general surprise (at least for security experts), why software developers always (still) make so many easy to avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors.
Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers.
In this talk, I will discuss examples of complex and “non-usable” security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require an understanding of security topics that most security experts do not have (and, thus, that we cannot expect from software developers).
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
Most popular technologies are based on informal or semiformal standards that lack a rigid formal semantics. Typical examples include web technologies such as the DOM or HTML, which are defined by the Web Hypertext Application Technology Working Group (WHATWG) and the World Wide Web Consortium (W3C). While there might be API specifications and test cases meant to assert the compliance of a certain implementation, the actual standard is rarely accompanied by a formal model that would lend itself to, e.g., verifying the security or safety properties of real systems.
Even when such a formalization of a standard exists, two important questions arise: first, to what extent does the formal model comply with the standard and, second, to what extent does the implementation comply with the formal model and the assumptions made during the verification? In this paper, we present an approach that brings all three involved artifacts - the (semi-)formal standard, the formalization of the standard, and the implementations - closer together by combining verification, symbolic execution, and specification based testing.
Your (not so) smart TV is currently busy with taking down the InternetAchim D. Brucker
More and more devices of our daily life are "smart": ranging from smart light bulbs to smart TVs to smart fridges -- everything can, and most likely will be, in the future connected to the Internet. More and more people are already used to remotely controlling their heating at home using their smart phone. In this talk, we will explain the technology behind the "smart things" and discuss how your smart thermostat and your neighbour's TV might be hijacked to take down the Internet.
Combining the Security Risks of Native and Web Development: Hybrid AppsAchim D. Brucker
Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system specific, code and system independent code, e.g., HTML5/JavaScript. Combining native with platform independent code opens Pandora's box: all the security risks for native development are multiplied with the security risk of web applications.
In the first half of our talk, we start with a short introduction into hybrid app development, present specific attacks followed by a report on how Android developers are using Apache Cordova. In the second half of the talk, we will focus on developing secure hybrid apps: both with hands-on guidelines for defensive programming as well as recommendations for hybrid app specific security testing strategies.
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extensions can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.
The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a "juicy target" for attackers targeting web users.
We present results of analysing over 2500 browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model from a user perspective.
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any secure software development life-cycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers".
Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities.
Based on the SDLC of a large software vendor, we will present the benefits of early security testing and discuss what is necessary to achieve a "security testing as development activity" approach.
Developing Secure Software: Experiences From an International Software VendorAchim D. Brucker
At large enterprises, a security development life-cycle (SDLC) needs to support a large range of development models as well as a large range of programming techniques.
I will present the SDLC of a large software vendor from the perspective of introducing security testing into the early steps of a software development life-cycle (i.e., enabling developers to use software testing tools).
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third party components in general and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their software supply chain.
As the security of a software offering, independently of the delivery model, depends on all components, a secure software supply chain is of utmost importance. While this is true for both proprietary as well as FLOSS components that are consumed, FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FLOSS licenses usually contain a very strong “no warranty” clause and no service-level agreement. On the other hand, FLOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor.
This talk is based on working on integrating securely third-party components in general, and FLOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on premise products, custom hosting, or software-as-a-service).
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.
Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes more powerful.
In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.
The Isabelle homepage describes Isabelle as "a generic proof assistant. It allows mathematical formulas to be expressed in a formal language and provides tools for proving those formulas in a logical calculus." While this is, without doubt, what most users of Isabelle are using Isabelle for, there is much more to discover: Isabelle is also a framework for building formal methods tools.
In this talk, I will report on our experience in using Isabelle for building formal tools for high-level specification languages (e.g., OCL, Z) as well as using Isabelle's core engine for new application domains such as generating test cases from high-level specifications.
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
Security testing is an important part of any (agile) secure software development lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle, which supports the specific needs of the various software development models at SAP.
In this presentation, we will briefly present SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
On the one hand, learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences on integrating security testing "end-to-end" into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the area of security testing.
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
This document discusses the challenges of secure software development at an industrial scale. It describes SAP's secure software development lifecycle process, which includes training, threat modeling, security testing, validation, and response. It then discusses some of the key challenges for industrial software development, including scalability issues due to large codebases, maintenance challenges due to modular code, and the difficulty of achieving complete security or automation. The document argues for more research in risk-based and economic approaches to security, as well as techniques for composable, automated security testing of integrated software systems.
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
Static application security testing (SAST) is a widely used technique that helps to find security vulnerabilities in program code at an early stage in the software development life-cycle. For a few years, JavaScript has been gaining more and more popularity as an implementation language for large applications. Consequently, there is a demand for SAST tools that support JavaScript.
We report briefly on our method for evaluating SAST tools for JavaScript as well as summarize the results of our analysis.
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...Achim D. Brucker
The document outlines security challenges in JavaScript applications, including examples from SAP UI5, Apache Cordova, and HANA XS Engine. It discusses common vulnerabilities like cross-site scripting, insecure functions, and secrets stored in source code. Specific issues addressed include prototype-based inheritance risks in SAP UI5, the JavaScript to Java bridge in Cordova exposing more than intended, and SQL injection risks in HANA XS Engine applications. The goal is to help detect security problems during development for these application types.
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA, if used for finding vulnerabilities also called SAST, is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and managers or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP's security standards need to be passed to suppliers and partners in the same manner as SAP's customers begin to pass their security standards to SAP.
In this paper, we briefly present how SAP's Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.
Service Compositions: Curse or Blessing for Security?Achim D. Brucker
Building large systems by composing reusable services is not a new idea, it is at least 25 years old. Still, only recently the scenario of dynamic interchangeable services that are consumed via public networks is becoming reality. Following the Software as a Service (SaaS) paradigm, an increasing number of complex applications is offered as a service that themselves can be composed for building even larger and more complex applications. This will lead to situations in which users are likely to unknowingly consume services in a dynamic and ad hoc manner.
Leaving the rather static (and mostly on-premise) service composition scenarios of the past 25 years behind us, dynamic service compositions not only have the potential to transform the software industry from a business perspective, they also require new approaches for addressing the security and trustworthiness needs of users.
The EU FP7 project Aniketos develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of dynamic service compositions, addressing service developers, service providers and service end users.
In this talk, we will motivate several security and trustworthiness requirements that occur in dynamic service compositions and discuss the solutions developed within the project Aniketos. Based on our experiences, we will discuss open research challenges and potential opportunities for applying type systems.
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
We briefly present the theorem proving environment HOL-OCL. The HOL-OCL system is an interactive proof environment for object-oriented (i.e., UML/OCL) specifications that is built on top of Isabelle/HOL. We introduce the overall system architecture and, in more detail, our extensible encoding of object-oriented data models into HOL.
While our extensible encoding is inspired by the extensible record package of Isabelle/HOL, its implementation is not directly based on it. In this talk, we will discuss how our approach differs from the existing one and discuss how it serves as a basis for implementing Isabelle-based tools for object-oriented models.
Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. As the requirements for security and trustworthiness, in nearly all sectors, are increasing dramatically, there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications.
In this paper, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the "security as an afterthought" paradigm.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
CAKE: Sharing Slices of Confidential Data on BlockchainClaudio Di Ciccio
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Extending Access Control Models with Break-glass
1. Extending Access Control Models with Break-glass
Achim D. Brucker Helmut Petritsch
{achim.brucker, helmut.petritsch}@sap.com
Vincenz-Priessnitz-Str. , Karlsruhe, Germany
ACM Symposium on Access Control Models and Technologies
(SACMAT )
Stresa, Italy, th June
2. Outline
Motivation
Break-glass: The Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
3. Motivation
Our Vision
Assume,
we are a nurse
trying to access the patient record of Peter Meier ...
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
6. Motivation
Break-glass or Overriding Access Control
While often motivated with
health care or
public security
scenarios, also enterprises demand break-glass solutions:
for preventing stagnation on the system administration level and
for preventing stagnation on the business process level.
In fact, state of the art enterprise systems support break-glass, e.g.,
Virsa Firefighter for SAP,
Oracle’s Role Manager.
7. Motivation
The Situation Today
Mostly implemented using pre-staged accounts that are
either stored in sealed covers or
electronically issued on request.
Break-glass solutions should cover
the creation of break-glass accounts,
the distribution of pre-staged accounts,
the monitoring of the use of break-glass accounts, and
the cleanup after a break-glass situation.
This solution is
quite coarse-grained and
not integrated into regular access control.
9. Break-glass: The Main Idea
Observations and Goals
During discussions with end users, we observed:
depending on the situation, different overrides can be justified
some restrictions can never be overridden
The two main design goals are:
access-control decisions should be overridable on a per-permission basis and
the restrictions that can be overridden should be configurable in a fine-grained manner.
10. Break-glass: The Main Idea
Emergency Levels
Definition
A policy $p$ refines a policy $p'$ (written $p \sqsubseteq p'$) if and only if the set of system traces that are allowed under $p$ is a subset of the system traces that are allowed under $p'$.
A policy $p$ refines a policy $p'$ iff $p$ is at least as restrictive as $p'$.
$p_\top$ is the policy that allows all actions and
$p_\bot$ is the policy that denies all actions.
$p_\bot$ refines all policies and every policy is a refinement of $p_\top$.
Let $P_A$ be the set of all policies of the access control model $A$.
$(P_A, \sqsubseteq, p_\bot, p_\top)$ is a lattice.
11. Break-glass: The Main Idea
Regular Policies and Emergency Policies
Definition
We refer to the regular policy, i.e., the policy that should be obeyed in normal operations, as $p_{\mathrm{reg}}$ and we refer to the set of policies that are refined by the regular policy, i.e.,
$L_A = \{ p \mid p \in P_A \land p_{\mathrm{reg}} \sqsubseteq p \land p \neq p_{\mathrm{reg}} \}$
as emergency levels or emergency policies of the policy $p_{\mathrm{reg}}$. We require that $(P_A \setminus p_\bot, \sqsubseteq, p_{\mathrm{reg}}, p_\top)$ is a lattice, i.e., $\inf(P_A \setminus p_\bot) = p_{\mathrm{reg}}$.
An emergency level can be active or inactive.
Only active emergency levels contribute to the access control
decision.
The regular policy is always active.
12. Break-glass: The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by an emergency policy $\ell \in L_A$ is called override access.
Override accesses are only granted if there is an active policy granting access.
Obligations can be attached to an (emergency) policy, e.g., requiring user confirmations or activating monitoring.
By evaluating the policies in
topological order, the refinement
relation holds by construction!
14. A Generic Architecture Supporting Break-glass
Break-glass Architecture: Main Idea
The break-glass policy combination strategy can be
implemented by a meta PDP.
The Break-glass PDP implements the break-glass policy
combination strategy on top of existing PDPs
User confirmations can be implemented using obligations:
the various PDPs need to support obligations
the various PEPs need to support obligations
the user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlying
access control model!
15. A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
[Figure: architecture diagram with the components User Interface, Confirmation Handler, PEP, Obligation Support, Protected Resource, Break-glass PDP, Existing PDP(s), Single Sign-on, Authentication and Policy Manager; the interactions are numbered 1, 2, 3, 3a, 3b and 4.]
17. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
[Figure: tool chain spanning the Design Phase, the Verification and Code-generation Phase, and the Testing and Deployment Phase. Labels in the figure: ArgoUML, UML/OCL (XMI) or SecureUML/OCL, Model Repository (su4sml), Model Transformation, Model-Analysis and Verification (HOL-OCL), Code Generator, HOL-TestGen, AC Config, C# +OCL, manual Code, Proof Obligations, Test Data, Test Harness, Program, Generation, Validation.]
Slides 18 to 23 repeat this figure and highlight, in turn:
Generic SecureUML ArgoUML-plugin
Transformations: SecureUML -> UML/OCL, UML/OCL -> UML/OCL
Code Generator: SecureUML, UML, OCL; Java, C#, Junit, XACL, USE, ...
HOL-OCL: formal analysis, formal verification
HOL-TestGen: model-based unit test, sequence testing
24. Extending Model-driven Security
SecureUML
[Figure: SecureUML metamodel with the classes Subject, Group, User, Role, Permission, AuthorizationConstraint, Action, AtomicAction, CompositeAction and Resource, connected by associations with multiplicities.]
SecureUML
is a UML-based notation,
provides abstract syntax given by a MOF-compliant metamodel,
is pluggable into arbitrary design modeling languages,
is supported by an ArgoUML plugin.
25. Extending Model-driven Security
SecureUML
[Figure: the same metamodel, extended with the classes Policy and Obligation.]
In addition, SecureUML
can easily be extended with support for break-glass.
26. Extending Model-driven Security
Modeling Access Control with SecureUML
[Figure: SecureUML model of a medical record scenario, with the following elements.]
Class MedicalRecord: disease:String, medication:String, read():OclVoid, update():OclVoid, create():OclVoid
Class Patient: name:String
Association between Patient and MedicalRecord with the multiplicities 0..* and owner 1
«secureuml.role» UserRole
«secureuml.role» AdministratorRole
«secureuml.permission» OwnerMedicalRecord: MedicalRecord:read, MedicalRecord:update, MedicalRecord:delete; constraint caller=self.owner.name
«secureuml.policy» LowEmergencyLevel
«secureuml.policy» HighEmergencyLevel
«secureuml.permission» EmergencyOwnerMedicalRecord: MedicalRecord:read
29. Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML, we can generate
the policies and
the PDP configuration.
In particular, we
sort the policies topologically,
use the “first-applicable” combining algorithm of XACML, and
exploit the obligations support of XACML.
With respect to the application, we generate
(stubs of) the business logic,
the calls to PDP, and
the PEP.
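The combination strategy described on the "Break-glass Architecture" and "Code Generation" slides (a meta PDP that evaluates topologically sorted policies first-applicable and hands obligations to the PEP), as an added Python example that is not the authors' code or their generated XACML. The class and field names, the role/action pairs, the obligation strings and the placement of LowEmergencyLevel below HighEmergencyLevel are assumptions; policies are stateless here, so refinement reduces to a subset check on permitted requests.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter  # Python 3.9+

REGULAR = "regular"

@dataclass(frozen=True)
class Policy:
    name: str
    grants: frozenset        # (role, action) pairs permitted by this policy
    above: tuple = ()        # names of the policies directly below (they refine this one)
    obligations: tuple = ()  # handed to the PEP together with a permit

class BreakGlassPDP:
    """Meta PDP combining the regular policy with the active emergency levels."""

    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        if REGULAR not in self.policies:
            raise ValueError("a regular policy is required")
        for p in policies:
            if p.name != REGULAR and not p.above:
                raise ValueError(f"{p.name} must be refined by another policy")
            if any(a not in self.policies for a in p.above):
                raise ValueError(f"{p.name} refers to an unknown policy")
        # Most restrictive first; the regular policy is the only node without
        # predecessors. A cyclic hierarchy raises graphlib.CycleError.
        graph = {p.name: set(p.above) for p in policies}
        self.order = list(TopologicalSorter(graph).static_order())
        self.active = {REGULAR}  # the regular policy is always active

    def set_active(self, level, on=True):
        if level == REGULAR or level not in self.policies:
            raise ValueError("only known emergency levels can be toggled")
        (self.active.add if on else self.active.discard)(level)

    def decide(self, role, action):
        """First-applicable over the active policies in topological order."""
        for name in self.order:
            policy = self.policies[name]
            if name in self.active and (role, action) in policy.grants:
                return {"decision": "Permit", "granted_by": name,
                        "override": name != REGULAR,
                        "obligations": policy.obligations}
        return {"decision": "Deny", "granted_by": None,
                "override": False, "obligations": ()}

    def permitted(self):
        """All requests allowed under the currently active policies."""
        return frozenset().union(*(self.policies[n].grants for n in self.active))

def build_demo_pdp():
    # Constructed sample policies, loosely following the MedicalRecord slide.
    return BreakGlassPDP([
        Policy(REGULAR, frozenset({("owner", "read"), ("owner", "update")})),
        Policy("LowEmergencyLevel", frozenset({("nurse", "read")}),
               above=(REGULAR,),
               obligations=("confirm-with-user", "log-access")),
        Policy("HighEmergencyLevel",
               frozenset({("nurse", "read"), ("nurse", "update")}),
               above=("LowEmergencyLevel",),
               obligations=("confirm-with-user", "notify-security-officer")),
    ])

if __name__ == "__main__":
    pdp = build_demo_pdp()
    print(pdp.decide("nurse", "read"))   # denied under the regular policy
    pdp.set_active("LowEmergencyLevel")
    print(pdp.decide("nurse", "read"))   # override access with obligations
```

Because the regular policy is always in the active set, the set returned by `permitted()` can only grow when a level is activated, which is the "refinement holds by construction" property from the hierarchical break-glass slide.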
31. Conclusion and Future Work
Conclusion and Future Work
We presented
a generic break-glass model that allows the fine-grained overriding of access control decisions,
a generic architecture for implementing break-glass,
an extension of SecureUML supporting break-glass, and
the mapping of break-glass to XACML.
Future work includes the integration and development of
analysis techniques for providing feedback to the user,
break-glass concepts for IT compliance, and
techniques for a posteriori analysis of incidents.
33. Bibliography
Bibliography
Achim D. Brucker and Helmut Petritsch.
Extending access control models with break-glass.
In ACM symposium on access control models and technologies (SACMAT), pages
–. ACM Press, .