This document discusses techniques for summarizing various aspects of software development. It begins by describing a software release cycle involving coding, testing, deployment, user feedback, and continuous integration/delivery (CI/CD). Next, it discusses approaches to summarizing source code, test cases, user reviews, and API documentation. Specifically, it describes generating informative summaries of source code classes, test cases, and user reviews to facilitate understanding, and detecting defects in API documentation by analyzing inconsistencies between code and documents. The document emphasizes the importance of summarization in managing software maintenance and evolution in response to changing requirements.
Cross Site Scripting Attacks and Preventive Measures - IRJET Journal
This document summarizes cross-site scripting (XSS) attacks and preventive measures. It discusses how XSS attacks allow attackers to inject malicious scripts into web pages through inputs like search fields or comment boxes. There are three main types of XSS attacks: non-persistent reflected XSS through query parameters, persistent stored XSS by storing scripts on servers, and DOM-based XSS using document object model functions. Input validation and code filtering are effective preventive measures. The document also proposes a script filtering algorithm to sanitize inputs and prevent execution of malicious scripts.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut... - Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open So... - Black Duck by Synopsys
NIST redesigned the National Vulnerability Database with a much-needed, modernized look-and-feel — including a scrolling list of the latest scored vulnerabilities and a “visualization” section designed to provide different ways to look at the data.
First impression? While some kinks still need to be worked out (the site loads very slowly), it’s going to be much easier to find vulnerability and mitigation information in the NVD than in the past.
Software Analytics: Data Analytics for Software Engineering and Security - Tao Xie
Frodo Baggins presents on software analytics for software engineering and security tasks. The presentation discusses how software, and how it is built and used, is changing, with data now being ubiquitous and software having continuous development and release. Software analytics aims to enable software practitioners to perform data exploration and analysis to obtain useful insights. Examples of software analytics techniques discussed include XIAO for scalable code clone analysis, and SAS for incident management of online services. The presentation then shifts to discussing software analytics techniques for mobile app security, including WHYPER for natural language processing on app descriptions to link permissions to functionality, and AppContext for machine learning to classify malware.
Security in the age of open source - Myths and misperceptions - Tim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security-related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Secure software development has become a priority for all organizations whether they build their own software or outsource. And code analysis is becoming the de facto choice to introduce secure development as well as measure inherent software risk.
Software Analytics: Towards Software Mining that Matters (2014) - Tao Xie
This document discusses software analytics and summarizes several related papers and projects. It introduces Software Analytics, which aims to enable software practitioners to perform data exploration and analysis to obtain useful insights. It then summarizes papers on techniques for performance debugging by mining stack traces, scalable code clone analysis, incident management for online services, and using games to teach programming.
The document is a magazine issue focused on IT security topics. It includes the following sections: News, which reports on recent trends and developments in the security industry; Reports from security conferences; a Top Story on modern keylogging techniques; an Analytics section examining internet fraud and software vulnerabilities; a section on fighting crimeware; an exploration of whitelisting technology; a Forecast on threats in 2010; and an Interview challenging rootkits. The News section covers breakthroughs in DES encryption speeds, a novel data transfer security scheme, and the top 25 most dangerous programming errors. It also discusses the ongoing threat of large DDoS attacks.
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec... - Black Duck by Synopsys
Continuing a month of major announcements, Black Duck launched its new product, OpsSight — comprehensive, automated open source container security for production environments — at its FLIGHT 2017 user conference in Boston this week. Targeting the production phase of the software development life cycle, the initial release of OpsSight is optimized for Red Hat’s OpenShift Container Platform.
If you missed FLIGHT 2017, you can read all the news about OpsSight below, as well as stories on FLIGHT keynoters Charlie Miller and Chris Valasek’s presentation on why IoT insecurity is here to stay; the top 5 cybersecurity mistakes you need to avoid; the SEC preparing new cybersecurity guidelines; and security for the connected car.
The document discusses .NET malware threats and analysis. It provides an agenda for the talk including an introduction to .NET details and analysis. It discusses common techniques used in .NET malware like decrypting encrypted content and loading external assemblies. The document lists tools that can be used to analyze .NET malware like dnSpy, ILSpy, and WinDbg. It also discusses following the entry point and calling chains in managed code to understand the malware's behavior.
Web Application Testing for Today’s Biggest and Emerging Threats - Alan Kan
The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.
Open Source Insight: Global Response to COSRI 2017 Open Source Security and R... - Black Duck by Synopsys
Many Black Duck-related news stories in this week’s edition of Open Source Insight, thanks to the release of our 2017 Open Source Security and Risk Analysis detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges.
Black Duck conducts hundreds of open source code audits annually, primarily related to merger and acquisition transactions. For the 2017 analysis, our Center for Open Source Research & Innovation (COSRI) analyzed over 1,000 applications and found both high levels of open source usage — 96% of the apps examined contained open source — and significant risk to open source security vulnerabilities — more than 60% of the apps contained open source security vulnerabilities. All security professionals concerned about vulnerabilities and license compliance will want to review the report, which can be downloaded from the Black Duck website.
Emphasizing the need to stay on top of software security vulnerabilities is the NVD CVE listing for the month of April 2017, which now exceeds 900 entries, including CVE-2016-4899, a high to critical flaw where the datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.
On to this week’s top open source and open source security news…
This document provides a summary of the key points from the document "Consumer-Centric API Design".
1. The document discusses best practices for designing APIs that are consumer-centric and easy for developers to use. It emphasizes data abstraction, using common HTTP methods and patterns, and focusing on the needs of API consumers.
2. The author advocates designing APIs around core CRUD concepts to abstract complex business logic and data structures. Real-world examples show both good and bad approaches to data abstraction.
3. Additional chapters will cover topics like HTTP requests and responses, API versioning, authentication, permissions, documentation and testing. The goal is for readers to understand how to build APIs that third-party developers will enjoy.
.NET MALWARE THREAT: INTERNALS AND REVERSING, DEF CON USA 2019 - Alexandre Borges
.NET malware is well known to security analysts, but even though many tools such as dnSpy, .NET Reflector, de4dot and so on exist to make analysis easier, most professionals have used them as black-box tools, without concerning themselves with .NET internals, structures, MSIL coding and details. In critical cases, it is necessary to have enough knowledge of the internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenging because it is so complicated to deobfuscate their associated resources, as well as to unpack and dump them from memory. Furthermore, most GUI debugging tools do not give an inside view of mechanisms such as the CLR Loader, the Managed Heap, synchronization issues and Garbage Collection.
On the other side, .NET malware threats are incredibly interesting when analyzed at the MSIL instruction level, which makes it possible to see code injection performed in MSIL, and attempts to compromise the .NET Runtime continue to be a real concern.
The purpose of this presentation is to help professionals understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and a few reversing techniques.
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G... - Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
The document is a slide deck for a presentation on analyzing .NET malware. It discusses how malware authors manipulate .NET internals and metadata to attack systems and the runtime. It also covers common techniques used in .NET malware like reflection, loading encrypted payloads, and injecting managed code into other processes. The presentation aims to help analysts better understand .NET internals when reversing malicious .NET samples.
ENISA is the EU's cybersecurity agency that works with EU members, private sector, and citizens to develop cybersecurity best practices. It assists EU members in implementing legislation and improving critical infrastructure resilience. ENISA seeks to enhance member state expertise by supporting cross-border cybersecurity communities throughout Europe.
The attack surface is expanding rapidly due to growth in mobile devices, public cloud usage, and cloud infrastructure. This expansion provides more opportunities for adversaries to operate. Annual global IP traffic is projected to pass 1 zettabyte by the end of 2016 and reach 2.3 zettabytes by 2020, representing a threefold increase. Much of this growth is driven by wireless devices and mobile usage. As the Internet of Everything takes shape and digitization increases, defenders will have more to protect while adversaries have more space to conduct operations.
The document is Cisco's 2017 Annual Cybersecurity Report which summarizes key findings about attacker and defender behaviors. Some major findings include: three leading exploit kits abruptly disappeared in 2016, leaving opportunities for smaller players; most companies use over five security vendors and products; and the top constraints to adopting advanced security according to a Cisco study are budget, compatibility, certification, and talent. The report examines the expanding attack surface, how attackers operate at different phases, trends in vulnerabilities and patching, and provides guidance on reducing adversaries' ability to compromise assets.
The document provides an overview of a product demonstration of Fidelis Cybersecurity's product line that will take place over 2 hours. It introduces two members of Fidelis' threat research team, John Laycock and Chris Rogers, and their backgrounds. The demonstration will include graphs on current APT threats, deployment best practices diagrams, optimization of infrastructure for the cyber kill chain, and pricing/availability information. The document then covers deductive reasoning techniques for file analysis, including analyzing NTFS metadata like MAC times, common file system locations for malware, registry keys used for persistence, Prefetch files, and the Task Scheduler. It discusses tools like hex editors, entropy analyzers, hash calculators, and PE analyzers that
Lab-4 Reconnaissance and Information Gathering A hacker.docx - LaticiaGrissomzz
Lab-4: Reconnaissance and Information Gathering
A hacker uses many tools and methods to gather information about the target. There are two broad categories of information gathering methods: passive and active. These methods are detailed in the table below. In this lab, you will perform passive information gathering (gray-shaded column). In Lab 5, you will be performing active information gathering. Please review the table before starting this lab.
Information Gathering: passive versus active methods
Passive (Reconnaissance and Information Gathering) – This Week
Active (Scanning and Enumeration) – Next Week
Is the hacker in direct contact with the target? Passive: no direct contact with the target. Active: direct contact with the target.
Are the activities logged? Passive: no audit records on the target. Active: an audit record might be created.
What kinds of tools are used? Passive: web archives, Whois service, DNS servers, search engines. Active: port scanners, network scanners, vulnerability scanners (Nessus, Nmap).
What information can a hacker collect? Passive: IP addresses, network range, telephone numbers, e-mail addresses, active machines, operating system version, network topology. Active: live hosts on a network, network topology, OS version, open ports on hosts, services running on hosts, running applications and their versions, patching level, vulnerabilities.
In passive information gathering, the hacker does not directly contact the target; therefore, no audit logs are created. Both non-technical information (such as employee names, birth dates, e-mail addresses) and technical information (IP addresses, domain names) can be gathered. This information can be used in many ways in the subsequent steps of the attack. For example, the phone numbers or e-mail addresses you discovered can be used in social engineering attacks. DNS records or subdomain names can be used to leverage specific attacks against hosts or URLs.
More notes on Reconnaissance and Information Gathering:
1) In this phase, an attacker may collect a lot of information without being noticed.
2) In some cases, an attacker may even discover vulnerabilities.
3) The information collected in this phase can be quite valuable when evaluated together with the information collected in the scanning and enumeration phase. For example, you might find the phone number and name of an employee in this phase, and you may find the computer's IP address in the active scanning phase. You can use these two pieces of information together to leverage a social engineering attack. An attacker increases the chance of gaining trust when s/he addresses the victim by name and talks about something specific regarding the victim's computer.
4) Companies should also perform reconnaissance and information gathering against themselves so that they can discover, before hackers do, what kind of information the company and company employees disclose.
In this lab, you will practice 6 passive methods of Reconnaissance and Information Gathering. You have to use the Kali VM in Sections 3, 5, and 6 of the lab. You may use Kali.
Built-in Security Mindfulness for Software Developers - Phú Phùng
1) Software vulnerabilities, not network issues, are the main cause of cyber attacks according to surveys. Common software vulnerabilities like buffer overflows and injection attacks allow hackers to exploit programs.
2) Conventional network security mechanisms cannot prevent attacks from software vulnerabilities within programs. Developers often focus on functionality over security and make mistakes like lacking input validation that have led to vulnerabilities for 40+ years.
3) The University of Dayton is working to build security mindfulness for software developers through hands-on courses. Students learn about vulnerabilities and defensive programming techniques to avoid security problems at the design stage.
Application Security Guide for Beginners - Checkmarx
The document provides an overview of application security concepts and terms for beginners. It defines key terms like the software development lifecycle (SDLC) and secure SDLC, which incorporates security best practices into each stage of development. It also describes common application security testing methods like static application security testing (SAST) and dynamic application security testing (DAST). Finally, it outlines some common application security threats like SQL injection, cross-site scripting, and cross-site request forgery and their potential impacts.
Here are the key points about an organization's strategic business units (SBUs):
- An SBU is a division within a company that is managed separately because it has different products, services, markets, or customers than other business units.
- SBUs allow large, diversified companies to focus their strategies and operations on specific business areas or market segments. Each SBU acts as its own profit center.
- Common ways companies segment into SBUs include by product type, customer type, industry, geography, or technology. For example, a tech company may have consumer and enterprise SBUs.
- Each SBU develops its own mission, objectives, strategies, budgets, and metrics for success. This
Operating System Upgrade Implementation Report And... - Julie Kwhl
- Advancements in browsers and JavaScript libraries have made Flash unnecessary for most websites, allowing richer experiences without plugins.
- As devices like phones, tablets, and smart TVs became more common, accessibility of content across different platforms became important.
- Web standards like HTML5, CSS, and JavaScript now provide many of the interactive capabilities Flash once did, in an open and consistent way across all browsers and devices.
- While Flash had its place early on, today's web favors open standards that don't require plugins and can reach all internet-connected devices. The benefits of accessibility now outweigh Flash's capabilities for most sites.
Why are code reviews and penetration tests not enough to secure your organization’s software? This presentation explores the importance of threat modeling in the security journey.
The document describes how Cisco collaborated with other security companies to identify and shut down a major Angler exploit kit operation that was targeting 90,000 victims per day and generating tens of millions of dollars annually through ransomware attacks. By working with the hosting provider Limestone Networks, Cisco was able to determine that most of the Angler traffic was coming from a small number of Limestone and Hetzner servers, and helped get those servers taken offline to cripple the ransomware campaign. The success highlights the importance of industry collaboration to combat sophisticated cybercriminal operations.
The document provides an overview of a product demonstration of Fidelis Cybersecurity's product line that will take place over 2 hours. It introduces two members of Fidelis' threat research team, John Laycock and Chris Rogers, and their backgrounds. The demonstration will include graphs on current APT threats, deployment best practices diagrams, optimization of infrastructure for the cyber kill chain, and pricing/availability information. The document then covers deductive reasoning techniques for file analysis, including analyzing NTFS metadata like MAC times, common file system locations for malware, registry keys used for persistence, Prefetch files, and the Task Scheduler. It discusses tools like hex editors, entropy analyzers, hash calculators, and PE analyzers that
Lab-4 Reconnaissance and Information Gathering A hacker.docx (LaticiaGrissomzz)
Lab-4: Reconnaissance and Information Gathering
A hacker uses many tools and methods to gather information about the target. There are two broad categories of information gathering methods: passive and active. These methods are detailed in the table below. In this lab, you will perform passive information gathering (gray-shaded column). In Lab 5, you will be performing active information gathering. Please review the table before starting this lab.
| Information Gathering | Passive (Reconnaissance and Information Gathering) – This Week | Active (Scanning and Enumeration) – Next Week |
|---|---|---|
| Is the hacker in direct contact with the target? | No direct contact with the target | Direct contact with the target |
| Are the activities logged? | No audit records on the target | Audit record might be created |
| What kind of tools are used? | Web archives, Whois service, DNS servers, search engines | Port scanners, network scanners, vulnerability scanners (Nessus, Nmap) |
| What information can a hacker collect? | IP addresses, network range, telephone numbers, e-mail addresses, active machines, operating system version, network topology | Live hosts on a network, network topology, OS version, open ports on hosts, services running on hosts, running applications and their versions, patching level, vulnerabilities |
In passive information gathering, the hacker does not directly contact the target; therefore, no audit logs have been created. Both non-technical (such as employee names, birth dates, e-mail addresses) and technical information (IP addresses, domain names) can be gathered. This information can be used in many ways in the subsequent steps of the attack. For example, the phone numbers or e-mail addresses you discovered can be used in social engineering attacks. DNS records or subdomain names can be used to leverage specific attacks against hosts or URLs.
More notes on Reconnaissance and Information Gathering:
1) In this phase, an attacker may collect a lot of information without being noticed.
2) In some cases, an attacker may even discover vulnerabilities.
3) The information collected in this phase can be quite valuable when evaluated together with the information collected in the scanning and enumeration phase. For example, you might find the phone number and name of an employee in this phase, and you may find the computer's IP address in the active scanning phase. You can use these two pieces of information together to leverage a social engineering attack. An attacker increases the chance of gaining trust when s/he calls the victim by name and talks about some specifics of the victim's computer.
4) Companies should also perform reconnaissance and information gathering against themselves so that they can discover, before hackers do, what kind of information the company and company employees disclose.
In this lab, you will practice 6 passive methods of Reconnaissance and Information Gathering. You have to use Kali VM in Sections 3, 5, and 6 of the lab. You may use Kali.
Built-in Security Mindfulness for Software Developers (Phú Phùng)
1) Software vulnerabilities, not network issues, are the main cause of cyber attacks according to surveys. Common software vulnerabilities like buffer overflows and injection attacks allow hackers to exploit programs.
2) Conventional network security mechanisms cannot prevent attacks from software vulnerabilities within programs. Developers often focus on functionality over security and make mistakes like lacking input validation that have led to vulnerabilities for 40+ years.
3) The University of Dayton is working to build security mindfulness for software developers through hands-on courses. Students learn about vulnerabilities and defensive programming techniques to avoid security problems at the design stage.
Application Security Guide for Beginners Checkmarx
The document provides an overview of application security concepts and terms for beginners. It defines key terms like the software development lifecycle (SDLC) and secure SDLC, which incorporates security best practices into each stage of development. It also describes common application security testing methods like static application security testing (SAST) and dynamic application security testing (DAST). Finally, it outlines some common application security threats like SQL injection, cross-site scripting, and cross-site request forgery and their potential impacts.
Here are the key points about an organization's strategic business units (SBUs):
- An SBU is a division within a company that is managed separately because it has different products, services, markets, or customers than other business units.
- SBUs allow large, diversified companies to focus their strategies and operations on specific business areas or market segments. Each SBU acts as its own profit center.
- Common ways companies segment into SBUs include by product type, customer type, industry, geography, or technology. For example, a tech company may have consumer and enterprise SBUs.
- Each SBU develops its own mission, objectives, strategies, budgets, and metrics for success. This
Operating System Upgrade Implementation Report And... (Julie Kwhl)
- Advancements in browsers and JavaScript libraries have made Flash unnecessary for most websites, allowing richer experiences without plugins.
- As devices like phones, tablets, and smart TVs became more common, accessibility of content across different platforms became important.
- Web standards like HTML5, CSS, and JavaScript now provide many of the interactive capabilities Flash once did, in an open and consistent way across all browsers and devices.
- While Flash had its place early on, today's web favors open standards that don't require plugins and can reach all internet-connected devices. The benefits of accessibility now outweigh Flash's capabilities for most sites.
Why are code reviews and penetration tests not enough to secure your organization’s software? This presentation explores the importance of threat modeling in the security journey.
The document describes how Cisco collaborated with other security companies to identify and shut down a major Angler exploit kit operation that was targeting 90,000 victims per day and generating tens of millions of dollars annually through ransomware attacks. By working with the hosting provider Limestone Networks, Cisco was able to determine that most of the Angler traffic was coming from a small number of Limestone and Hetzner servers, and helped get those servers taken offline to cripple the ransomware campaign. The success highlights the importance of industry collaboration to combat sophisticated cybercriminal operations.
Maliheh (Mali) Izadi, PhD, Andrea Di Sorbo, and Sebastiano Panichella co-chaired the 3rd Intl. Workshop on NL-based Software Engineering
April 20 2024, Lisbon, Portugal.
Diversity-guided Search Exploration for Self-driving Cars Test Generation thr... (Sebastiano Panichella)
Timo Blattner, Christian Birchler, Timo Kehrer, Sebastiano Panichella: Diversity-guided Search Exploration for Self-driving Cars Test Generation through Frenet Space Encoding. Intl. Workshop on Search-Based and Fuzz Testing (SBFT). 2024
SBFT Tool Competition 2024 -- Python Test Case Generation Track (Sebastiano Panichella)
Nicolas Erni, Al-Ameen, Mohammed, Christian Birchler, Pouria Derakhshanfar, Stephan Lukasczyk, Sebastiano Panichella: SBFT Tool Competition 2024 -- Python Test Case Generation Track. 17th International Workshop on Search-Based and Fuzz Testing
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track (Sebastiano Panichella)
Sajad Khatiri, Prasun Saurabh, Timothy Zimmermann, Charith Munasinghe, Christian Birchler, Sebastiano Panichella: SBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track. 17th International Workshop on Search-Based and Fuzz Testing
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist (Sebastiano Panichella)
Sajad Khatiri, Sebastiano Panichella, Paolo Tonella: Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist. International Conference on Software Engineering. 2024
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ... (Sebastiano Panichella)
Lecture entitled "Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective Test Generation and Selection" at the International Summer School
on Search- and Machine Learning-based Software Engineering
June 22-24, 2022 - Córdoba, Spain
Sebastiano Panichella and Christian Birchler
COSMOS:
DevOps for Complex Cyber-physical Systems
Sebastiano Panichella
Zurich University of Applied Sciences (ZHAW)
Workshop on Adaptive CPSoS (WASOS) 2023
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh... (Sebastiano Panichella)
Keynote presentation at ICST (AIST workshop) entitled "Testing and Development Challenges for Complex Cyber-Physical Systems: Insights from the COSMOS H2020 Project"
An Empirical Characterization of Software Bugs in Open-Source Cyber-Physical ... (Sebastiano Panichella)
Presentation at the 16th IEEE International Conference on Software Testing, Verification and Validation (ICST): An Empirical Characterization of Software Bugs in Open-Source Cyber-Physical Systems. Journal of Systems & Software (JSS).
Automated Identification and Qualitative Characterization of Safety Concerns ... (Sebastiano Panichella)
Presentation at the IEEE/ACM International Conference on Automated Software Engineering (ASE 2023): "Automated Identification and Qualitative Characterization of Safety Concerns Reported in UAV Software Platforms" - Transactions on Software Engineering and Methodology
This document provides information about the NL-based Software Engineering (NLBSE) '23 workshop to be held on May 20th, 2023. The workshop will have two keynote speakers, two paper presentation sessions, a tool competition, and will be held in a hybrid format with both in-person and remote participation. It outlines the schedule, participating speakers and chairs, instructions for remote participants, and plans for recording and publishing the workshop proceedings.
Simulation-based Test Case Generation for Unmanned Aerial Vehicles in the Nei... (Sebastiano Panichella)
This document proposes a method called SURREALIST to generate realistic simulated test cases for unmanned aerial vehicles (UAVs) using real flight logs. It aims to address limitations of field testing such as lack of reproducibility and limited test scenarios. SURREALIST works in two steps: 1) It systematically replicates real flights in simulation by finding optimal drone and environment configurations that minimize differences between real and simulated flight trajectories. 2) It generates new challenging test cases by manipulating drone and environment configurations according to a difficulty measure, such as violating safety distances to obstacles. The approach is evaluated on examples of replicating and modifying an existing flight to evaluate its ability to find bugs. SURREALIST aims to generate tests that can discover non
Exposed! A case study on the vulnerability-proneness of Google Play Apps (Sebastiano Panichella)
This study analyzed the vulnerability levels of 1000 mobile apps from Google Play across 23 categories. The key findings were:
1) Medical apps had significantly fewer vulnerabilities than other categories like Finance and Shopping.
2) An app's vulnerability level did not affect its rating, but apps with more downloads tended to have higher vulnerability levels.
3) Contextual information like app description, metadata, and static code features could predict an app's vulnerability level with over 75% accuracy, with market data providing complementary insights to code analysis. Addressing app security is important as users may not be aware of risks when installing apps.
Search-based Software Testing (SBST) '22
Workshop Co-Chairs:
Giovani Guizzo
UNIVERSITY COLLEGE LONDON, UNITED KINGDOM
Sebastiano Panichella
ZURICH UNIVERSITY OF APPLIED SCIENCE, SWITZERLAND
Competition Co-Chairs:
Alessio Gambi
UNIVERSITY OF PASSAU, GERMANY
Gunel Jahangirova
UNIVERSITÀ DELLA SVIZZERA ITALIANA, SWITZERLAND
Vincenzo Riccio
UNIVERSITÀ DELLA SVIZZERA ITALIANA, SWITZERLAND
Fiorella Zampetti
UNIVERSITY OF SANNIO, ITALY
Website Chair:
Rebecca Moussa
UNIVERSITY COLLEGE LONDON, UNITED KINGDOM
Program Committee:
Nazareno Aguirre, Universidad Nacional de Río Cuarto - CONICET, Argentina
Aldeida Aleti, Monash University, Australia
Giuliano Antoniol, Ecole Polytechnique de Montréal, Canada
Kate Bowers, Oakland University, USA
Jose Campos, University of Washington, USA
Thelma E. Colanzi, State University of Maringá, Brazil
Byron DeVries, Grand Valley State University, USA
Gordon Fraser, University of Passau, Germany
Erik Fredericks, Oakland University, USA
Gregory Gay, Chalmers and the University of Gothenburg, Sweden
Alessandra Gorla, IMDEA Software Institute, Spain
Gregory Kapfhammer, Allegheny College, USA
Yiling Lou, Peking University, China
Mitchell Olsthoorn, Delft University of Technology, Netherlands
Justyna Petke, University College London, UK
Silvia R. Vergilio, Universidade Federal do Paraná, Brazil
Simone do Rocio Senger de Souza, University of São Paulo, Brazil
Thomas Vogel, Humboldt-Universität zu Berlin, Germany
Jie Zhang, University College London, UK
Tool Competition
Introduction
NLP-based approaches and tools have been proposed to improve the efficiency of software engineers, processes, and products, by automatically processing natural language artifacts (issues, emails, commits, etc.).
We believe that the availability of accurate tools is becoming increasingly necessary to improve Software Engineering (SE) processes. One important process is issue management and prioritization where developers have to understand, classify, prioritize, assign, etc. incoming issues reported by end-users and developers.
This year, we are pleased to announce the first edition of the NLBSE’22 tool competition on issue report classification, an important task in issue management and prioritization.
For the competition, we provide a dataset encompassing more than 800k labeled issue reports (as bugs, enhancements, and questions) extracted from real open-source projects. You are invited to leverage this dataset for evaluating your classification approaches and compare the achieved results against a proposed baseline approach (based on FastText).
Competition overview
We created a Colab notebook with detailed information about the competition (provided data, baseline approach, paper submission, paper format, etc.).
If you want to participate, you must:
Train and tune a multi-label multi-class classifier using the provided training set. The classifier should assign one label to an issue.
Evaluate your classifier on the provided test set
Write a paper (4 pages max.) describing:
The architecture and details of the classifier
The procedure used to pre-process the data
The procedure used to tune the classifier on the training set
The results of your classifier on the test set
Additional info.: provide a link to your code/tool with proper documentation on how to run it
Submit the paper by emailing the tool competition organizers (see below)
Submissions will be evaluated and accepted based on correctness and reproducibility, defined by the following criteria:
Clarity and detail of the paper content
Availability of the code/tool, released as open-source
Correct training/tuning/evaluation of your code/tool on the provided data
Clarity of the code documentation
The accepted submissions will be published at the workshop proceedings.
The submissions will be ranked based on the F1 score achieved by the proposed classifiers on the test set, as indicated in the papers.
The submission with the highest F1 score will be the winner of the competition.
How to participate?
Email your paper to Oscar Chaparro (oscarch@wm.edu) and Rafael Kallis (rk@rafaelkallis.com) by the submission deadline.
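The competition text above fixes the cycle a participant follows: train a classifier on labeled issue reports, run it on the held-out test set, and rank by F1. The following Python is an added example written for this page, not the competition's FastText baseline or any submitted tool. It trains a multinomial naive Bayes classifier over title and body words, predicts one of the three labels per issue, and scores the predictions with macro-averaged F1; the nine training issues, the four test issues and the choice of macro averaging are all assumptions of the example (the real dataset is 800k reports and the ranking text does not say how F1 is averaged).

```python
import math
import re
from collections import Counter

LABELS = ("bug", "enhancement", "question")

# Constructed training and test issues (title, body, label). They stand in for the
# competition's labeled dataset, which is not reproduced here.
TRAIN = [
    ("App crashes on startup", "Exception thrown, stack trace attached, error in log", "bug"),
    ("Null pointer when saving file", "crash with exception after clicking save", "bug"),
    ("Login fails with error 500", "server returns error, broken since last release", "bug"),
    ("Add dark mode", "feature request: please add support for a dark theme", "enhancement"),
    ("Support export to CSV", "it would be nice to add an export feature", "enhancement"),
    ("Improve startup performance", "request to make loading faster, enhancement", "enhancement"),
    ("How do I configure the proxy?", "question about setting up the proxy, docs unclear", "question"),
    ("Is Python 3.12 supported?", "asking whether the library works on newer versions", "question"),
    ("Where is the config file?", "how to find the settings, documentation question", "question"),
]
TEST = [
    ("Crash when opening settings", "exception and stack trace in log", "bug"),
    ("Please add CSV import", "feature request to support importing", "enhancement"),
    ("How to set up proxy?", "question about configuring", "question"),
]


def tokens(title, body):
    """Lower-case word tokens of title and body together; digits and punctuation are dropped."""
    return re.findall(r"[a-z]+", f"{title} {body}".lower())


def train_nb(rows):
    """Multinomial naive Bayes: class priors plus per-class word counts."""
    prior = Counter()
    counts = {c: Counter() for c in LABELS}
    for title, body, label in rows:
        prior[label] += 1
        counts[label].update(tokens(title, body))
    vocab = set().union(*(c.keys() for c in counts.values()))
    return {"prior": prior, "counts": counts, "vocab": vocab, "n": len(rows)}


def predict(model, title, body):
    """Assign the single most likely label (Laplace smoothing keeps unseen words finite)."""
    best, best_score = None, -math.inf
    v = len(model["vocab"])
    for c in LABELS:
        total = sum(model["counts"][c].values())
        score = math.log(model["prior"][c] / model["n"])
        for w in tokens(title, body):
            score += math.log((model["counts"][c][w] + 1) / (total + v))
        if score > best_score:
            best, best_score = c, score
    return best


def macro_f1(y_true, y_pred):
    """Per-class F1 averaged over the three labels (assumed averaging for the ranking)."""
    f1s = []
    for c in LABELS:
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == c and p == c)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != c and p == c)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == c and p != c)
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        f1s.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(f1s) / len(f1s)


def evaluate(train_rows=TRAIN, test_rows=TEST):
    """Train on the training rows, predict the test rows, report predictions and macro F1."""
    model = train_nb(train_rows)
    y_true = [label for _, _, label in test_rows]
    y_pred = [predict(model, t, b) for t, b, _ in test_rows]
    return {"predictions": y_pred, "macro_f1": macro_f1(y_true, y_pred)}


if __name__ == "__main__":
    print(evaluate())
```

With this toy data every test issue carries words seen only under its own label, so the classifier gets all three right; on the competition's real data the tuning step (choice of tokenization, smoothing, class weighting) is where the F1 differences between submissions come from.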
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
This presentation by Yong Lim, Professor of Economic Law at Seoul National University School of Law, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by Professor Giuseppe Colangelo, Jean Monnet Professor of European Innovation Policy, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
Career goals.pptx and their importance in real life (artemacademy2)
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf (Ben Linders)
Psychological safety in teams is important; team members must feel safe and able to communicate and collaborate effectively to deliver value. It’s also necessary to build long-lasting teams since things will happen and relationships will be strained.
But, how safe is a team? How can we determine if there are any factors that make the team unsafe or have an impact on the team’s culture?
In this mini-workshop, we’ll play games for psychological safety and team culture utilizing a deck of coaching cards, The Psychological Safety Cards. We will learn how to use gamification to gain a better understanding of what’s going on in teams. Individuals share what they have learned from working in teams, what has impacted the team’s safety and culture, and what has led to positive change.
Different game formats will be played in groups in parallel. Examples are an ice-breaker to get people talking about psychological safety, a constellation where people take positions about aspects of psychological safety in their team or organization, and collaborative card games where people work together to create an environment that fosters psychological safety.
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
XP 2024 presentation: A New Look to Leadership (samililja)
Presentation slides from the XP2024 conference, Bolzano, IT. The slides describe a new view of leadership and combine it with anthro-complexity (aka Cynefin).
This presentation by Tim Capel, Director of the UK Information Commissioner’s Office Legal Service, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
The importance of sustainable and efficient computational practices in artificial intelligence (AI) and deep learning has become increasingly critical. This webinar focuses on the intersection of sustainability and AI, highlighting the significance of energy-efficient deep learning, innovative randomization techniques in neural networks, the potential of reservoir computing, and the cutting-edge realm of neuromorphic computing. This webinar aims to connect theoretical knowledge with practical applications and provide insights into how these innovative approaches can lead to more robust, efficient, and environmentally conscious AI systems.
Webinar Speaker: Prof. Claudio Gallicchio, Assistant Professor, University of Pisa
Claudio Gallicchio is an Assistant Professor at the Department of Computer Science of the University of Pisa, Italy. His research involves merging concepts from Deep Learning, Dynamical Systems, and Randomized Neural Systems, and he has co-authored over 100 scientific publications on the subject. He is the founder of the IEEE CIS Task Force on Reservoir Computing, and the co-founder and chair of the IEEE Task Force on Randomization-based Neural Networks and Learning Systems. He is an associate editor of IEEE Transactions on Neural Networks and Learning Systems (TNNLS).
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend... (Suzanne Lagerweij)
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
Summarization Techniques for Code, Change, Testing and User Feedback - VSS 2017
1. Sebastiano Panichella
Institut für Informatik
Universität Zürich
panichella@ifi.uzh.ch
Vienna Software Seminar (2017)
Summarization Techniques
for Code, Change, Testing
and User Feedback
4. “In modern software companies it is nowadays crucial to enact a software development process able to dynamically react to market requirements (i.e., users' requests), delivering at the same time high quality and reliable software”.
Release Cycle
6. Summarization Approaches
“…have the general capability of automatically extracting or abstracting key content from one or more sources of information, thus determining the relevant information in the source being summarized and reducing its content…”
1) Indicative summary: it provides a direct link to the relevant sources of the required content, so that users can read the provided information in more depth.
2) Informative summary: it has the goal of substituting the original source of information, mainly by assembling the relevant content and presenting it in a new, more concise and structured form.
3) Critical summary (or review): it reports or selects the main opinions or statements related to a specific discussed topic, thus bringing the most relevant feedback, both positive and negative, about a given subject discussed in the source document.
7. Example of informative summary
MILAN, Italy, April 18. A small airplane crashed into a government
building in heart of Milan, setting the top floors on fire, Italian
police reported. There were no immediate reports on casualties as
rescue workers attempted to clear the area in the city's financial
district. Few details of the crash were available, but news reports
about it immediately set off fears that it might be a terrorist act
akin to the Sept. 11 attacks in the United States. Those fears sent
U.S. stocks tumbling to session lows in late morning trading.
Witnesses reported hearing a loud explosion from the 30-story
office building, which houses the administrative offices of the local
Lombardy region and sits next to the city's central train station.
Italian state television said the crash put a hole in the 25th floor
of the Pirelli building. News reports said smoke poured from the
opening. Police and ambulances rushed to the building in downtown
Milan. No further details were immediately available.
8. Example of informative summary: the same article as slide 7, annotated with the questions a reader expects the summary to answer:
How many victims?
Was it a terrorist act?
What was the target?
What happened?
Says who?
When, where?
18. Questions when Generating Summaries of Java Classes
■ 1) What information to include in the summaries?
■ 2) How to generate and present the summaries?
19. Software Words Usage Model: deriving <actions>, <themes>, and <secondary arguments> from class, method, attribute and variable identifiers
E. Hill et al. Automatically capturing source code context of NL-queries for software maintenance and reuse. ICSE 2009
Summary Generator
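As an added example (not from the slides and not the code of Hill et al.), a simplified heuristic rendition of the SWUM idea: it splits Java identifiers into words and derives an action, a theme and secondary arguments. The preposition list, the class-name fallback and the sample identifiers are assumptions of this example, not the published rules.

```python
import re

# Prepositions that open a <secondary argument> (constructed list; the published
# SWUM rules are richer than this heuristic).
PREPOSITIONS = {"for", "from", "to", "with", "by", "in", "on", "of", "at"}

def split_identifier(identifier):
    """Split a camelCase / snake_case identifier into lower-case words,
    e.g. 'getMaskForButton' -> ['get', 'mask', 'for', 'button']."""
    text = identifier.replace("_", " ")
    text = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", text)       # mask|For
    text = re.sub(r"([A-Z]+)([A-Z][a-z])", r"\1 \2", text)    # XML|File
    return [w.lower() for w in text.split()]

def swum_phrase(method_name, class_name=None):
    """Derive <action>, <theme>, <secondary arguments> from a method name.
    Heuristic: first word = action (verb); words up to the first preposition =
    theme; each preposition opens a secondary argument. A method with no theme
    of its own (e.g. 'split') takes the enclosing class name as its theme."""
    words = split_identifier(method_name)
    action, theme, secondary, current = words[0], [], [], None
    for w in words[1:]:
        if w in PREPOSITIONS:
            current = [w, []]          # new secondary argument: (preposition, words)
            secondary.append(current)
        elif current is None:
            theme.append(w)
        else:
            current[1].append(w)
    if not theme and class_name:
        theme = split_identifier(class_name)
    return {"action": action, "theme": " ".join(theme),
            "secondary": [(p, " ".join(ws)) for p, ws in secondary]}

def describe(method_name, class_name=None):
    """Render the phrase as a short English description for a class summary."""
    p = swum_phrase(method_name, class_name)
    parts = [p["action"]] + ([p["theme"]] if p["theme"] else [])
    parts += [f"{prep} {arg}" for prep, arg in p["secondary"]]
    return " ".join(parts)
```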
20. When Navigating Java Classes… we look at
https://github.com/larsb/atunesplus/blob/master/aTunes/src/main/java/net/sourceforge/atunes/kernel/modules/repository/audio/AudioFile.java
- Name of the Class
- Attributes
- Methods
- Dependencies between Classes
Source Code Summaries: How?
21. When Navigating Java Classes… Source Code Summaries: How?
■ Generic responsibilities (domain independent)
■ Class stereotypes [Dragan et al., ICSM’10]
■ E.g., data class, entity, controller, boundary, etc.
23. How to present and generate the summaries?
Other code artefacts can be summarised as well:
- Packages
- Classes
- Methods
- etc.
http://www.cs.wayne.edu/~severe/jsummarizer/
24. Evaluation of the Summaries [Moreno et al. - ICPC 2013]
25. Potential Useful Code Descriptions can be Found in Developers’ Discussions…
Source code descriptions in external artifacts:
“When calling the method IndexSplitter.split(File destDir, String[] segs) from the Lucene contrib directory (contrib/misc/src/java/org/apache/lucene/index) it creates an index with segments descriptor file with wrong data. Namely wrong is the number representing the name of segment that would be created next in this index.”
CLASS: IndexSplitter  METHOD: split
■ Other researchers proposed to detect source code descriptions from sources external to the source code:
■ Mailing list and Issue tracker
■ StackOverflow Discussions
[Vassallo et al. - ICPC 2014] [Panichella et al. - ICPC 2012]
26. Software Changes over Time…
“…as a consequence the original documentation tends to be incomplete and inconsistent with the source code…”
Coming back to reality... (Figure: source code that is difficult to understand, and API documents that are inconsistent with it, incomplete, and provide insufficient information.)
27. API Document Defects are Frequent
(Figure: source code vs. API documents, inconsistent.)
Example from the JDK 1.8 API documentation: class InputEvent, method getMaskForButton(int button)
https://docs.oracle.com/javase/8/docs/api/java/awt/event/InputEvent.html
“…and tend to be discovered and fixed after a long time…”
http://stackoverflow.com/questions/2967303/inconsistency-in-java-util-concurrent-future
28. DRONE: DetectoR of dOcumentatioN dEfects
(Architecture diagram.) Inputs are the software artifacts: code and API document. Code side: AST parsing, control flow-based constraint analysis, code constraint FOL generating. Document side: pre-process and POS tagging, dependency parsing and pattern analysis, doc constraint FOL generating, supported by heuristics. The two FOL constraints are fed to an SMT solver, which produces the defect reports.
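As an added example (not DRONE's own code), a much-reduced version of the code-versus-document check: exception guards are extracted from a constructed Java method and from its @throws directive, both are reduced to comparison atoms over one integer parameter, and a bounded enumeration stands in for the SMT solver. The method body, the Javadoc text and the phrase table are constructed for this example and are not taken from the JDK.

```python
import re
# Constructed Java method plus Javadoc (not taken from the JDK): the code rejects
# both small and large button numbers, the @throws directive mentions one bound.
JAVA_SOURCE = """/**
 * @throws IllegalArgumentException if button is less than 1
 */
public static int getMaskForButton(int button) {
    if (button < 1 || button > 5) {
        throw new IllegalArgumentException("button out of range");
    }
    return 1 << (button - 1);
}
"""
CMP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
DOC_PHRASES = {"is less than": "<", "is greater than": ">"}  # 'or equal' forms omitted

def code_constraints(src):
    """Exception name -> boolean guard of each `if (...) throw new X` in the code."""
    pat = re.compile(r"if\s*\((.*?)\)\s*\{?\s*throw new (\w+)", re.S)
    return {exc: guard.strip() for guard, exc in pat.findall(src)}

def doc_constraints(src):
    """Exception name -> condition of each `@throws X if ...` directive, with the
    English comparison phrases in DOC_PHRASES rewritten to operators."""
    pat = re.compile(r"@throws\s+(\w+)\s+if\s+([^\n*]+)")
    return {exc: re.sub("|".join(DOC_PHRASES), lambda m: DOC_PHRASES[m.group()], cond)
            for exc, cond in pat.findall(src)}

def atoms(text, param):
    """Parse 'button < 1 || button > 5' into [(op, bound), ...]; a constraint holds
    when any atom holds (disjunctions only, which is enough for this example)."""
    return [(op, int(n)) for op, n in
            re.findall(rf"{param}\s*(<=|>=|<|>)\s*(-?\d+)", text)]

def holds(atom_list, value):
    return any(CMP[op](value, bound) for op, bound in atom_list)

def find_directive_defects(src, param, lo=-10, hi=20):
    """Bounded check over [lo, hi] (standing in for the SMT solver): values where the
    code throws but the doc is silent, or the doc promises an exception never thrown."""
    code, doc = code_constraints(src), doc_constraints(src)
    defects = {}
    for exc in set(code) | set(doc):
        c, d = atoms(code.get(exc, ""), param), atoms(doc.get(exc, ""), param)
        undocumented = [v for v in range(lo, hi + 1) if holds(c, v) and not holds(d, v)]
        overclaimed = [v for v in range(lo, hi + 1) if holds(d, v) and not holds(c, v)]
        if undocumented or overclaimed:
            defects[exc] = {"undocumented": undocumented, "overclaimed": overclaimed}
    return defects
```

For the constructed input the check reports that the code throws for every button value above 5 while the directive documents only the lower bound, which is the kind of directive defect the slides describe.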
32. DRONE: Evaluation
With DRONE we analyzed over 1 million LOC and more than 30,000 Javadoc documents belonging to 8 Java libraries, detecting around 2000 API documentation defects with high precision (between 0.58 and 0.83) and high recall (above 0.81).
“Analyzing APIs Documentation and Code to Detect Directive Defects”. ICSE 2017
37. Example of Test Case Generated by Evosuite
Test case automatically generated by Evosuite (for the class apache.commons.Option.Java).
(Figure: the generated test code is not recoverable from the slide.)
38. Example of Test Case Generated by Evosuite
Not meaningful names for test methods: it is difficult to tell, without reading the contents of the target class, what the behavior under test is.
40. Our Solution: Automatically Generate Summaries of Test Cases
Test case automatically generated by Evosuite (for the class apache.commons.Option.Java).
46. SURF (Summarizer of User Reviews Feedback): Summaries of User Reviews
What Would Users Change in My App? Summarizing App Reviews for Recommending Software Changes. 24th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE) - 2016.
SURF: Summarizer of User Reviews Feedback. Proceedings of the 39th IEEE International Conference on Software Engineering (ICSE) - 2017
49. Results
2) SURF saves more than half of the time required for analyzing user feedback and planning software changes.
3) 92% of manually extracted feedback also appears in the automatically generated summaries.
4) Summaries generated by SURF are reasonably correct, adequate, concise, and expressive.