CASA: Context-Aware Scalable Authentication, at SOUPS 2013 - Jason Hong
We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user’s current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility and users’ receptiveness of our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not use any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.
Nair, R., Voida, S. and Mynatt, E.D. "Frequency-based detection of task switches". In Proceedings of the 19th British HCI Group Annual Conference (HCI 2005; Edinburgh, Scotland). Springer-Verlag (2005), Vol. 2, 94-99.
Understanding the impact of a search system’s response latency on its users’ searching behaviour has recently been an active research topic in the information retrieval and human-computer interaction areas. Along the same line, this paper focuses on the user impact of search latency and makes the following two contributions. First, through a controlled experiment, we reveal the physiological effects of response latency on users and show that these effects are present even at small increases in response latency. We compare these effects with the information gathered from self-reports and show that they capture the nuanced attentional and emotional reactions to latency much better. Second, we carry out a large-scale analysis using a web search query log obtained from Yahoo to understand the change in the way users engage with a web search engine under varying levels of increasing response latency. In particular, we analyse the change in the click behaviour of users when they are subject to increasing response latency and reveal significant behavioural differences.
Interactive fault localization leveraging simple user feedback - by Liang Gong
Many fault localization methods have been proposed in the literature. These methods take in a set of program execution profiles and output a list of suspicious program elements. The list of program elements ranked by their suspiciousness is then presented to developers for manual inspection. Currently, the suspicious elements are ranked in a batch process where developers' inspection efforts are rarely utilized for ranking. The inaccuracy and static nature of existing fault localization methods prompt us to incorporate user feedback to improve the accuracy of the existing methods. In this paper, we propose an interactive fault localization framework that leverages simple user feedback. Our framework only needs users to label the statements they examine as faulty or clean, which requires no more effort than conventional non-interactive methods. After users label suspicious program elements as faulty or clean, our framework incorporates that information and re-orders the rest of the suspicious program elements, aiming to expose truly faulty elements earlier. We have integrated our solution with three well-known fault localization methods: Ochiai, Tarantula, and Jaccard. The evaluation on five Unix programs and the Siemens test suite shows that our solution achieves significant improvements in fault localization accuracy.
The focal point of our project is to compare the differences between dirty fingerprints and cropped fingerprints using the data we have collected. During the procedure we captured three clean and three dirty fingerprints from each person in the group. We then analyzed the score, minutiae points, core/delta, good and poor quality of each of the fingerprints. The importance of this project is to analyze the impact of dirty fingerprints on quality.
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit... - Chamila Wijayarathna
This was presented by me at the 28th annual gathering of Psychology of Programmers Interest Group (PPIG).
Usability issues in security APIs cause programmers to integrate those APIs incorrectly into the applications they develop, which introduces security vulnerabilities into those applications. One of the main reasons security APIs are not usable is that there is currently no proper method by which their usability issues can be identified. We conducted a study to assess the effectiveness of the cognitive dimensions questionnaire based usability evaluation methodology in evaluating the usability of security APIs. We used a cognitive dimensions based generic questionnaire to collect feedback from programmers who participated in the study. The results revealed interesting facts about the prevailing usability issues in four commonly used security APIs and about the capability of the methodology to identify those issues.
Security is a primary criterion in software development. Here we describe the roles of the developer and of information security staff. The Secure Software Development model (S-SDLC) is also described.
In 2019, the 30th edition of the International Symposium on Software Reliability Engineering (ISSRE 2019) took place in Berlin, Germany, October 28-31. The first edition took place in Washington, DC, USA, in 1990.
To celebrate this very important anniversary, we promoted an initiative to identify ISSRE's most influential papers, called "Highlights from 30 years of ISSRE". We looked for ISSRE papers that had a great influence and impact in the community. The goal of the initiative is to remember those papers and their authors, which, in practice, tell a good part of the story of our conference.
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT - ijseajournal
Agile software development has gained a lot of popularity in the software industry due to its iterative and incremental approach as well as user involvement. Agile has also been criticized for its lack of ability to deliver secure software. In this paper, an extensive literature review has been performed in order to highlight the existing security issues in agile software development. The majority of challenges reported in the literature occurred due to a lack of involvement of a security expert. Improving the security of a software system without damaging the real essence of Agile can be achieved with the continuous involvement of a security engineer throughout the development lifecycle, with defined roles and responsibilities.
Penetration testing services, also described as pen testing or ethical hacking, test a network, website, or mobile application to find security weaknesses that could be exploited by an attacker. Penetration testing can be automated with software tools or executed manually. The principal goal of penetration testing is to discover security vulnerabilities.
https://www.smore.com/8hv31-penetration-testing-services
You Got Your Engineering in my Data Science - Addressing the Reproducibility ... - jonbodner
Presented at PyData DC 2016.
Data science is the backbone of modern scientific discovery and industry. It makes sense of everything from cancer trials to package delivery logistics. But all is not well with data science. Over the past decade, multiple studies have been found to be unreliable and non-reproducible when other scientists tried to recreate their results. This is due to a variety of factors, including fraud, pressure to publish, improper data handling practices, and bugs in analytic tools.
The problems faced by data science mirror problems that software engineering has been trying to solve. While there are no silver bullets to guarantee quality software, techniques have been developed over time that have improved quality and reliability. Some of these techniques, including open source, version control, automation, and fuzzing, could be adapted to the data science domain to improve reliability and help address the reproducibility crisis.
ChaoSlingr: Introducing Security-based Chaos Testing - Aaron Rinehart
ChaoSlingr is a Security Chaos Engineering tool focused primarily on experimentation on AWS infrastructure to bring system security weaknesses to the forefront.
The industry has traditionally put emphasis on the importance of preventative security control measures and defense-in-depth, whereas our mission is to drive new knowledge and perspective into the attack surface by proactively delivering detective experimentation. With so much focus on preventative mechanisms, we rarely go beyond one-time or annual pen testing requirements to actually validate whether those controls are performing as designed.
Our mission is to address security weaknesses proactively, going beyond the reactive processes that currently dominate traditional security models.
Testing Is How You Avoid Looking Stupid - Steve Branam
Presented at the With The Best IoT online conference, Oct 14 2017: As IoT products become more pervasive, they have an increasing ability to adversely affect the lives of their users and those around them. Testing is the due diligence that closes the engineering loop to verify proper behavior. This talk presents an introductory overview of testing for IoT products, covering the IoT triad: embedded IoT devices, backend servers, and frontend apps. I talk about the consequences of inadequate testing for companies and individual contributors, and levels and types of testing.
Ask me anything: A Conversational Interface to Augment Information Security w... - Matthew Park
Security products often create more problems than they solve, drowning users in alerts without providing the context required to remediate threats. This challenge is compounded by a lack of experienced personnel and by security tools with complex interfaces. These interfaces require users to become domain experts or rely on repetitive, time-consuming tasks to turn this data deluge into actionable intelligence.
In this paper we present Artemis, a conversational interface to endpoint detection and response (EDR) event data. Artemis leverages dialog to drive the automation of complex tasks and reduce the need to learn a structured query language. Designed to empower inexperienced and junior security workers to better understand their security environment, Artemis provides an intuitive platform to ask questions of alert data as users are guided through triage and hunt workflows. In this paper, we will discuss our user-centric design methodology, feedback from user interviews, and the design requirements generated upon completion of our study. We will also present core functionality, findings from scenario-based testing, and future research for the Artemis platform.
Nexus User Conference DevOps "Table Stakes": The minimum required to play the... - Aaron Rinehart
In this session we will cover the ‘table stakes’, the minimum foundational components of what it means to deliver high-quality, secure software in today’s software-driven world. From gaining visibility into the software supply chain to building empathy with engineering teams through DevSecOps practices, we will walk through what it takes to play the bare minimum hand and how that contributes to improving value-velocity and to faster adoption of more advanced techniques such as Chaos Engineering.
Eric Proegler Early Performance Testing from CAST2014 - Eric Proegler
Development and deployment contexts have changed considerably over the last decade. The discipline of performance testing has had difficulty keeping up with modern testing principles and software development and deployment processes.
Most people still see performance testing as a single experiment, run against a completely assembled, code-frozen, production-resourced system, with the "accuracy" of simulation and environment considered critical to the value of the data the test provides.
But what can we do to provide actionable and timely information about performance and reliability when the software is not complete, when the system is not yet assembled, or when the software will be deployed in more than one environment?
Eric deconstructs “realism” in performance simulation, talks about performance testing more cheaply in order to test more often, and suggests strategies and techniques to get there. He will share findings from WOPR22, where performance testers from around the world came together in May 2014 to discuss this theme in a peer workshop.
From the demise of conventional signature-based endpoint technologies have risen next-generation solutions. These technologies have cluttered the marketplace, introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do I actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping: what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best-of-breed solutions
Software testing tools are evolving. More testing frameworks are emerging through the open source community and commercial vendors. In addition, we’re starting to see the rise of machine-learning (ML) and artificial intelligence (AI) in testing solutions.
Given this evolution, it is important to map the tools that match both the practitioners’ skills and their testing types. When referring to the testing practitioners, we mainly look at three different personas:
- The business tester
- The software developer in test (SDET)
- The software developer
These practitioners are tasked with creating, maintaining, and executing unit tests, build acceptance tests, integration, regression, and other nonfunctional tests.
In this webinar led by Perfecto’s Chief Evangelist, Eran Kinsbruner, you will learn the following:
- How should testing types be dispersed among the three personas and throughout the DevOps pipeline?
- What tools should each of these three personas use for the creation and execution of tests?
- What are the key benefits to continuous testing when mapped correctly?
Remote usability testing and remote user research for usability - User Vision
From User Vision's presentation on remote usability testing, describing some of the main methods, challenges, tools and tips for successful remote usability testing for user experience.
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme... - Jason Hong
We introduce UniAuth, a set of mechanisms for streamlining authentication to devices and web services. With UniAuth, a user first authenticates himself to his UniAuth client, typically his smartphone or wearable device. His client can then authenticate to other services on his behalf. In this paper, we focus on exploring the user experiences with an early iPhone prototype called Knock x Knock. To manage a variety of accounts securely in a usable way, Knock x Knock incorporates features not supported in existing password managers, such as tiered and location-aware lock control, authentication to laptops via knocking, and storing credentials locally while working with laptops seamlessly. In two field studies, 19 participants used Knock x Knock for one to three weeks with their own devices and accounts. Our participants were highly positive about Knock x Knock, demonstrating the desirability of our approach. We also discuss interesting edge cases and design implications.
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Aaron Rinehart
Large scale distributed systems have unpredictable and complex outcomes that are costly when security incidents occur. Security incident response today is mostly a reactive and chaotic exercise. Chaos engineering allows security incident response teams to proactively experiment on recurring incident patterns to derive new information about underlying factors that were previously unknown.
What if you could flip that scenario on its head? Chaos engineering advances the security incident response framework by reversing the postmortem and preparation phase. This is done by developing live fire exercises that can be measured and managed. Contrary to red team game days, chaos engineering doesn’t use threat actor tactics, techniques, and procedures. Instead it develops teams through unique configuration, cyberthreat, and user error scenarios that challenge responders to react to events outside their playbooks and comfort zones.
Join Aaron Rinehart to explore the hidden costs of security incidents, learn a new technique for uncovering system weaknesses in systems security, and more. You’ll also get a glimpse of ChaoSlingr, an open source security chaos engineering tool built and deployed within a Fortune 5 company. Aaron explains how the tool helped his team discover that many of their security controls didn’t function as intended and how, as a result, they were able to proactively improve them before they caused any real problems.
Learn to implement security controls throughout all areas of your software development life cycle, and examine the types of security tools and services that are best used at each phase of development. This vendor agnostic talk will discuss the strengths and weaknesses of each type of offering whether you are developing one application or managing thousands.
Video Link: https://www.youtube.com/watch?v=Nk1ZOV1OqP0
Geoffrey Vaughan, Security Engineer at Security Innovation, discusses the pro's and con's of using a hacker vs. a scanning tool for testing applications.
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
3. If Cost Too Much
Stop using the authentication system
4. A Few Could Fit All
How can we choose a security lock system for different situations?
Do they provide better security and usability from users’ perspectives?
33. Quotes
P3 said, “I don't normally use a security lock, but I would be much more inclined to use one if it didn't require constant unlocking.”
34. Quotes
P5 said, “I like the system. It’s a great pain to type a PIN at home, because of the nature of the phone, it goes to sleep quickly, then I have to type the PIN again, which is super annoying.”
51. Result: User Feedback
Feature          Easy to understand   Useful   Secure   Prefer to use
Location-based   5                    4.5      4        4
Comp-based       4.5                  4        3.5      3.5
Notification     -                    4        -        4
52. Quote
• P17 said, “It is annoying to use security locks all the time, but whereas if I had such a system which requires a PIN only at unsecure places, its usefulness adds more value when compared to the annoyance caused by it. So, I will definitely use it.”
53. Conclusion
• Proposed a Naive Bayes framework to combine multiple factors to adjust active authentication schemes
• The framework allowed us to choose the active factor in a quantitative way
• Field studies indicated that users preferred the proposed system
56. Location as a Signal
• People have their own mobility patterns
• Random people don’t have access to certain places
57. Field Study #1
• Where do people log in to their phones?
• 32 participants
• 7 to 140 days
Place           Mean Time [%]   Mean Activation [%]
1 (Home)        38.9            31.9
2 (Workplace)   18.7            28.9
Others          42.4            39.2
Today, devices require the same authentication regardless of context. For instance, whether a phone is at the user’s home or in a foreign country the user has never visited, it always requires a PIN to unlock. Because of this, an authentication system has to be designed to be secure even in the riskiest case.
However, if a security system costs too much, users simply stop using it. In the case of mobile phones, people stop using the security lock; many existing studies report that about half of users do not use a security lock at all.
This clearly shows that the concept of one-fits-all does not work well. The question then is: do a few fit all? If we have a few security lock systems, do they cover all situations? More specifically, how can we choose a security lock system for different situations, and do they provide better security and usability for users? These are the questions we investigated in this work.
So, we propose context-aware scalable authentication (CASA).
We tested the framework through field studies with two rather simple implementations of it.
I will come back to this term later in this presentation. Now we can compare the confidence levels given by different sets of signals. The next question is which signals we should combine.
In the second field study, we developed an authentication system that changes the authentication scheme based on the user’s location. We then tested the system on users’ own phones for two weeks.
Now, the question is which authentication scheme to use at each location. For simplicity, we used three locations in our system: home, workplace, and others. We also used three different authentication schemes: none, PIN, and password. Finally, we used the authentication at the workplace as the standard.
Now, we come back to this equation.
We can compare confidence levels from different sets of signals. As an example, let’s compare a scenario where a person types the correct PIN at the workplace with a scenario where a person types the correct PIN at other places.
The first term in each equation denotes the confidence given by typing a correct PIN; these values can be calculated from the entropy of the PIN. The second term denotes the confidence given by being at a certain location; these values were obtained in the first field study.
When we compare the two, the confidence in the second scenario is smaller than in the first. Intuitively, being at other places provides less confidence than being at the workplace.
So, if we want the confidence level in the second scenario to be as high as in the first, we have to change the authentication scheme: if a person types the correct password at other places, it provides higher confidence than in the first scenario, because a password carries more entropy than a PIN.
By repeating this process for every location, we came up with the two sets of configurations.
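As an added illustration (not the CASA authors’ code, and not the paper’s exact equations), the following Python scores a (scheme, location) pair with a Naive Bayes likelihood ratio and then repeats the comparison above over all three locations to derive a configuration. The per-location likelihoods for the legitimate user are the mean activation percentages from Field Study #1; the attacker location likelihoods, the prior, and the password entropy are assumptions, so the configurations it produces follow from those numbers rather than from the study.

```python
import math

# Added example, not the CASA authors' code: an illustrative Naive Bayes
# scorer that combines one active factor (the authentication scheme the user
# passed) with one passive factor (where the phone is) and picks, per
# location, the lightest scheme that still meets a confidence requirement.

# From Field Study #1 on the slides: share of unlock events the legitimate
# user performed at each place. Used here as P(location | legitimate user).
P_LOC_GIVEN_USER = {"home": 0.319, "workplace": 0.289, "other": 0.392}

# ASSUMPTION (not on the slides): how likely someone else holding the phone
# is to be at each place. Random people rarely get into the user's home or
# workplace, so those get little mass. Tune this from your own threat model.
P_LOC_GIVEN_ATTACKER = {"home": 0.001, "workplace": 0.010, "other": 0.989}

# Active factor strength in bits of entropy. Passing a scheme with H bits
# has likelihood 1 for the legitimate user and 2^-H for a guessing attacker,
# so its log2 likelihood ratio is simply H. The 4-digit PIN value is exact;
# the password value is an assumption.
SCHEME_BITS = {
    "none": 0.0,                 # no challenge: contributes no evidence
    "pin": math.log2(10 ** 4),   # 4-digit PIN, about 13.3 bits
    "password": 28.0,            # assumed entropy of a typical password
}

# Cheapest-to-strongest order used when selecting a scheme for a location.
SCHEME_ORDER = ("none", "pin", "password")


def log2_likelihood_ratio(scheme: str, location: str) -> float:
    """Naive Bayes: log2 of P(evidence | user) / P(evidence | attacker),
    summed over the two factors, which are treated as conditionally
    independent given who is holding the phone."""
    active = SCHEME_BITS[scheme]
    passive = math.log2(P_LOC_GIVEN_USER[location] / P_LOC_GIVEN_ATTACKER[location])
    return active + passive


def confidence(scheme: str, location: str, prior_legit: float = 0.5) -> float:
    """Posterior probability that the person is the legitimate user, given
    that they passed `scheme` while the phone is at `location`.
    The 0.5 prior is an assumption; it cancels out of the comparisons."""
    prior_odds = prior_legit / (1.0 - prior_legit)
    posterior_odds = prior_odds * 2.0 ** log2_likelihood_ratio(scheme, location)
    return posterior_odds / (1.0 + posterior_odds)


def select_for_requirement(required_bits: float) -> dict:
    """For each location, pick the lightest scheme whose combined evidence
    reaches `required_bits`. None means no listed scheme is enough there:
    the caller should deny or demand an extra factor rather than silently
    fall back to the strongest scheme."""
    config = {}
    for location in P_LOC_GIVEN_USER:
        config[location] = None
        for scheme in SCHEME_ORDER:
            if log2_likelihood_ratio(scheme, location) >= required_bits - 1e-9:
                config[location] = scheme
                break
    return config


def select_schemes(reference_scheme: str, reference_location: str) -> dict:
    """Express the security requirement the way the talk does: 'at least as
    confident as `reference_scheme` at `reference_location`'."""
    required = log2_likelihood_ratio(reference_scheme, reference_location)
    return select_for_requirement(required)


if __name__ == "__main__":
    for scheme, loc in (("pin", "workplace"), ("pin", "other"), ("password", "other")):
        print(f"{scheme:>8} @ {loc:<9} -> confidence {confidence(scheme, loc):.6f}")
    print("standard = PIN at workplace :", select_schemes("pin", "workplace"))
    print("standard = none at workplace:", select_schemes("none", "workplace"))
```

With these assumed numbers, a correct PIN at other places scores below a correct PIN at the workplace and a correct password at other places scores above it, which is the comparison walked through above. Taking the workplace PIN as the standard yields PIN at home and at the workplace and a password elsewhere; relaxing the standard to no authentication at the workplace yields no challenge at home or at the workplace and a PIN elsewhere. A location where no listed scheme reaches the bar comes back as None, which should be treated as deny or step-up, not as a reason to pick the strongest scheme and hope.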
We decided to start from a very simple and effective signal: location. People have their own mobility patterns, and random people don’t have access to a user’s home or workplace, so we thought that location could provide strong confidence about a person’s identity.
We conducted two field studies to investigate our idea. In the first study, we investigated how much we could improve the usability of user authentication with our system. The results were very positive: 60% of the time, people log into their phones at home or at the workplace.