Application of Software Engineering Principles to Synthetic Biology and Emerging Regulatory Concerns

As the science of synthetic biology matures, engineers have begun to deliver real-world applications which are the beginning of what could radically transform our lives. Recent progress indicates synthetic biology will produce transformative breakthroughs. Examples include: 1) synthesizing chemicals for medicines which are expensive and difficult to produce; 2) producing protein alternatives; 3) altering genomes to combat deadly diseases; 4) killing antibiotic-resistant pathogens; and 5) speeding up vaccine production. Although synthetic biology promises great benefits, many stakeholders have expressed concerns over safety and security risks from creating biological behavior never seen before in nature. As with any emerging technology, there is the risk of malicious use known as the dual-use problem. The technology is becoming democratized and de-skilled, and people in do-it-yourself communities can tinker with genetic code, similar to how programming has become prevalent through the ease of using macros in spreadsheets. While easy to program, it may be non-trivial to validate novel biological behavior. Nevertheless, we must be able to certify synthetically engineered organisms behave as expected, and be confident they will not harm natural life or the environment. Synthetic biology is an interdisciplinary engineering domain, and interdisciplinary problems require interdisciplinary solutions. Using an interdisciplinary approach, this dissertation lays foundations for verifying, validating, and certifying safety and security of synthetic biology applications through traditional software engineering concepts about safety, security, and reliability of systems. These techniques can help stakeholders navigate what is currently a confusing regulatory process. The contributions of this dissertation are: 1) creation of domain-specific patterns to help synthetic biologists develop assurance cases using evidence and arguments to validate safety and security of designs; 2) application of software product lines and feature models to the modular DNA parts of synthetic biology commonly known as BioBricks, making it easier to find safety features during design; 3) a technique for analyzing DNA sequence motifs to help characterize proteins as toxins or non-toxins; 4) a legal investigation regarding what makes regulating synthetic biology challenging; and 5) a repeatable workflow for leveraging safety and security artifacts to develop assurance cases for synthetic biology systems. Advisers: Myra B. Cohen and Brittany A. Dunca

INTEGRATION OF INTELLIGENCE TECHNIQUES ON THE EXECUTION OF PENETRATION TESTS (iPENTEST)

Penetration Tests (Pentests) identify potential vulnerabilities in the security of computer systems via security assessment. However, it should also benefit from widely recognized methodologies and recommendations within this field, as the Penetration Testing Execution Standard (PTES). The objective of this research is to explore PTES, particularly the three initial phases: 1. Pre-Engagement Interactions; 2. Intelligence Gathering; 3. Threat Modeling; and ultimately to apply Intelligence techniques to the Threat Modeling phase. To achieve this, we will use open-source and/or commercial tools to structure a process to clarify how the results were reached using the research inductive methodology. The following steps were implemented: i) critical review of the “Penetration Testing Execution Standard (PTES)”; ii) critical review of Intelligence Production Process; iii) specification and classification of contexts in which Intelligence could be applied; iv) definition of a methodology to apply Intelligence Techniques to the specified contexts; v) application and evaluation of the proposed methodology to real case study as proof of concept. This research has the ambition to develop a model grounded on Intelligence techniques to be applied on PTES Threat Modeling phase

Investigating Advances in the Acquisition of Secure Systems Based on Open Architecture, Open Source Software, and Software Product Lines

Naval Postgraduate School Acquisition Research Progra

Report of the Stanford Linked Data Workshop

The Stanford University Libraries and Academic Information Resources (SULAIR) with the Council on Library and Information Resources (CLIR) conducted at week-long workshop on the prospects for a large scale, multi-national, multi-institutional prototype of a Linked Data environment for discovery of and navigation among the rapidly, chaotically expanding array of academic information resources. As preparation for the workshop, CLIR sponsored a survey by Jerry Persons, Chief Information Architect emeritus of SULAIR that was published originally for workshop participants as background to the workshop and is now publicly available. The original intention of the workshop was to devise a plan for such a prototype. However, such was the diversity of knowledge, experience, and views of the potential of Linked Data approaches that the workshop participants turned to two more fundamental goals: building common understanding and enthusiasm on the one hand and identifying opportunities and challenges to be confronted in the preparation of the intended prototype and its operation on the other. In pursuit of those objectives, the workshop participants produced:1. a value statement addressing the question of why a Linked Data approach is worth prototyping;2. a manifesto for Linked Libraries (and Museums and Archives and …);3. an outline of the phases in a life cycle of Linked Data approaches;4. a prioritized list of known issues in generating, harvesting & using Linked Data;5. a workflow with notes for converting library bibliographic records and other academic metadata to URIs;6. examples of potential “killer apps” using Linked Data: and7. a list of next steps and potential projects.This report includes a summary of the workshop agenda, a chart showing the use of Linked Data in cultural heritage venues, and short biographies and statements from each of the participants

Measuring Drive-by Download Defense in Depth

Defense in depth is vital as no single security product detects all of today’s attacks. To design defense in depth organizations rely on best practices and isolated product reviews with no way to determine the marginal benefit of additional security products. We propose empirically testing security products’ detection rates by linking multiple pieces of data such as network traffic, executable files, and an email to the attack that generated all the data. This allows us to directly compare diverse security products and to compute the increase in total detection rate gained by adding a security product to a defense in depth strategy not just its stand alone detection rate. This approach provides an automated means of evaluating risks and the security posture of alternative security architectures. We perform an experiment implementing this approach for real drive-by download attacks found in a real time email spam feed and compare over 40 security products and human click-through rates by linking email, URL, network content, and executable file attack data

Printoo – from here to the Internet of Things

This thesis is a pedagogical case study on Strategy applied to Innovation, using Printoo – a product by Ynvisible – as a setting. Hence, the focus of this case is to describe and analyze the challenge of this company and its managers to define a fit strategy for its new, innovative product. Printoo’s concept is highly innovative and it is inserted in an area of technological development with great potential – Printed Electronics. Several tools and trends influence this area, such as the Makers culture, Crowdfunding, Open-Source and the increasing use of Technology in Education. Furthermore, there is a debate on implementing the concept of the Internet of Things – in which Printed Electronics may have a role. From the interviews and analysis performed, this paper has two key conclusions. The first one is that Ynvisible should focus on both Printoo – a series of kits of Printed Electronics technologies components – and on the company’s own proprietary Electrochromic displays – that are included in Printoo – in order to maximize the power it has over the potential profits that will derive from this innovation, because Printoo is highly imitable and the displays are not. Nevertheless, Printoo is an important marketing tool to promote Ynvisible’s displays and other components from suppliers. The second conclusion is that Education is an important market that Printoo should address, and that the approach should combine continuous improvement – of the technologies that the kits contain and of the experiences they allow to perform – and service improvement – as courses and workshops – which actually Ynvisible is starting to do. Other markets are also important, such as the Makers, Open Source market and the Prototyping market

A decision support system for corporations cyber security risk management

This thesis presents a decision aiding system named C3-SEC (Contex-aware Corporative Cyber Security), developed in the context of a master program at Polytechnic Institute of Leiria, Portugal. The research dimension and the corresponding software development process that followed are presented and validated with an application scenario and case study performed at Universidad de las Fuerzas Armadas ESPE – Ecuador. C3-SEC is a decision aiding software intended to support cyber risks and cyber threats analysis of a corporative information and communications technological infrastructure. The resulting software product will help corporations Chief Information Security Officers (CISO) on cyber security risk analysis, decision-making and prevention measures for the infrastructure and information assets protection. The work is initially focused on the evaluation of the most popular and relevant tools available for risk assessment and decision making in the cyber security domain. Their properties, metrics and strategies are studied and their support for cyber security risk analysis, decision-making and prevention is assessed for the protection of organization's information assets. A contribution for cyber security experts decision support is then proposed by the means of reuse and integration of existing tools and C3-SEC software. C3-SEC extends existing tools features from the data collection and data analysis (perception) level to a full context-ware reference model. The software developed makes use of semantic level, ontology-based knowledge representation and inference supported by widely adopted standards, as well as cyber security standards (CVE, CPE, CVSS, etc.) and cyber security information data sources made available by international authorities, to share and exchange information in this domain. C3-SEC development follows a context-aware systems reference model addressing the perception, comprehension, projection and decision/action layers to create corporative scale cyber security situation awareness

Generalizing production testing operations for IoT devices

Abstract. A rapidly increasing number of new IoT products entering the market puts strain on the testing effort required to manufacture them. Every device needs to be tested at the manufacturing site before it can be shipped to the customer. This testing process during manufacturing is called Production Testing. If test automation systems running these tests are developed with a single system engineering approach, the number of test automation systems becomes unmaintainable. In addition to this, the development cost of such test automation system has to be covered by each product. Reusability of test automation and test assets is low when resources cannot be efficiently shared between products. Existing solutions for generalizing testing effort from a single system approach to support multiple products were reviewed from the literature. Software Product Line Engineering is recognized as a possible solution, but its adoption requires organizational, economical, and technical changes. This thesis studied technical solutions for how test automation system could be developed to support the testing of multiple products. Test automation system was designed based on existing literature, and two example products were used to mimic realistic IoT products. Work followed to define test requirements for two example products, implement tests, and execute them for the first example product. After tests passed for the first example product, they were executed for the second product. Test failures and evident problems were marked as variation points, and they were analysed. Test attributes that needed to be varied were recognized, and four different sources for that information were identified. Test logic was identified as one of the sources for attributes, and there was no need to variate it. Matching configuration was created for other sources: component, test, and hardware configuration. Tests were successfully executed for the second example product after introducing the variation via configuration files. Prototype implementation succeeded in its goal to create production test automation system capable of testing two different example products using common test assets. Needed variation was introduced successfully through configuration files. This thesis shows that general test assets can be created for production testing, despite the fact that production testing is tightly coupled to the target hardware. Future work continues by testing additional hardware platforms to reveal more variation points. This helps to develop production testing test automation to support a wider range of hardware platforms and components. Storing the hardware-specific configuration data to the device looks promising topic for further study

Designing for Reuse in an Industrial Internet of Things Monitoring Application

Abstract The Internet of Things (IoT) continues to experience rapid growth, and its influence is extending into previously unreached domains. However, some of these new domains impose specific limitations that complicate the design and implementation of IoT systems. Examples of such limitations are the exclusion of specific protocols, restrictions on the types of data that can be collected, requirements about what information can be transmitted to the public and controls around how that communication occurs. Capturing, representing and designing for these limitations as well as reuse is essential for the quick and successful deployment of such projects. In this paper, we present a case study of an IoT human in the loop monitoring system built for use within an industrial setting. We report our experiences with both designing the first deployment of the system as well as designing variation points into the software architecture to account for future iterations and deployment into other environments