ISBN (print): 9781665476799
We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizations. The widespread adoption of open source (99% of today's software utilizes open source), the ease of today's package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, or denying a service. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year, and there is not a good way to vet or monitor an open-source project prior to incorporating the project. In this paper, we analyzed two case studies of compromised open source components. We propose six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches, such as analyzing community metrics and project hygiene using scorecards and monitoring the boundary of the software in production. In one case study, the controls identified high levels of risk immediately even though the package is widely used and has over 7 million downloads a week. In both case studies we found that the controls could have prevented malicious actions despite the project breaches.
Linear programming models implemented in spreadsheets are understood to be difficult to reuse, whether with modified data that increases or decreases model scale (such as routine model maintenance), as well as with new data (such as deploying a model to a new business setting). The difficulty arises because spreadsheets commingle cell formulas with data, which requires editing cell formulas when the data changes. We provide a novel technique to implement a linear programming model in a spreadsheet that allows for full re-use of the spreadsheet code. It robustly accommodates modified or new data, and enables a spreadsheet LP easily to be reused or even deployed to a new setting with an entirely new dataset. This technique applies to any linear programming model up to approximately 1 million non-zero constraint coefficients, and operates in native Excel without use of macros or VBA. Spreadsheet LP models can now be re-used, re-deployed, and re-optimized as easily as with algebraic software. (C) 2018 Elsevier Ltd. All rights reserved.
ISBN (print): 9781728104041
Nature likely implements modularization in multicellular developmental biology using the chemical context of the cell, cell division generational distance, and genetic triggers. Inspired by this, Evomorph is a proposed heuristic method of Artificial Intelligence that pairs these concepts with Evolutionary Computation. It is described here as a flexible template matching for object detection in Machine Vision.
In this paper we deal with building parallel programs based on sequential application code and generic components providing specific functionality for parallelization, like load balancing or fault tolerance. We describe an architectural approach employing aspect-oriented programming to assemble arbitrary object-oriented components. Several non-trivial crosscutting concerns arising from parallelization are addressed in the light of different applications, which are representative of the most common types of parallelism. In particular, we demonstrate how aspect-oriented techniques allow us to leave all existing code untouched. We evaluate and compare our approach with its counterparts in conventional object-oriented programming. Copyright (C) 2008 John Wiley & Sons, Ltd.
ISBN (print): 0819441910
In the Virtual Observatory (VO), software tools will perform the functions that have traditionally been performed by physical observatories and their instruments. These tools will not be adjuncts to VO functionality but will make up the very core of the VO. Consequently, the tradition of observatory- and system-independent tools serving a small user base is not valid for the VO. For the VO to succeed, we must improve software collaboration and code sharing between projects and groups. A significant goal of the Scientist's Expert Assistant (SEA) project has been promoting effective collaboration and code sharing among groups. During the past three years, the SEA project has been developing prototypes for new observation planning software tools and strategies. Initially funded by the Next Generation Space Telescope, parts of the SEA code have since been adopted by the Space Telescope Science Institute. SEA has also supplied code for the SIRTF planning tools and the JSky Open Source Java library. The potential benefits of sharing code are clear. The recipient gains functionality for considerably less cost. The provider gains additional developers working with their code. If enough user groups adopt a set of common code and tools, de facto standards can emerge (as demonstrated by the success of the FITS standard). Code sharing also raises a number of challenges related to the management of the code. In this talk, we will review our experiences with SEA, both successes and failures, and offer some lessons learned that might promote further successes in collaboration and re-use.