Nicole Forsgren,Bas Alberts,Kevin Backhouse,Grey Baker,Greg Cecarelli,Derek Jedamski,Scot Kelly,Clair Sullivan

DOI: https://doi.org/10.48550/arXiv.2110.10246

2021-10-19

Software Engineering

Abstract:Open source is the connective tissue for much of the information economy. You would be hard-pressed to find a scenario where your data does not pass through at least one open source component. Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical i infrastructure for much of the global economy, making the security of open source software mission-critical to the world.

Britta U. Westner,Daniel R. McCloy,Eric Larson,Alexandre Gramfort,Daniel S. Katz,Arfon M. Smith,invited co-signees

2024-03-28

Abstract:Most scientists need software to perform their research (Barker et al., 2020; Carver et al., 2022; Hettrick, 2014; Hettrick et al., 2014; Switters and Osimo, 2019), and neuroscientists are no exception. Whether we work with reaction times, electrophysiological signals, or magnetic resonance imaging data, we rely on software to acquire, analyze, and statistically evaluate the raw data we obtain - or to generate such data if we work with simulations. In recent years there has been a shift toward relying on free, open-source scientific software (FOSSS) for neuroscience data analysis (Poldrack et al., 2019), in line with the broader open science movement in academia (McKiernan et al., 2016) and wider industry trends (Eghbal, 2016). Importantly, FOSSS is typically developed by working scientists (not professional software developers) which sets up a precarious situation given the nature of the typical academic workplace (wherein academics, especially in their early careers, are on short and fixed term contracts). In this paper, we will argue that the existing ecosystem of neuroscientific open source software is brittle, and discuss why and how the neuroscience community needs to come together to ensure a healthy growth of our software landscape to the benefit of all.

Computers and Society,Other Quantitative Biology

Dinesh Reddy Chittibala

DOI: https://doi.org/10.47941/ijce.1737

2024-03-21

Abstract:Purpose: This article aims to shed light on the transformative role of Open Source Software (OSS) in digital infrastructure and the accompanying security challenges. It highlights the critical need for automated code scanning technologies to address vulnerabilities stemming from coding errors, lack of secure coding practices, and the rapid development pace. Methodology: Through a comprehensive analysis of static, dynamic, and interactive code scanning methods, along with the exploration of AI and ML integration, this study examines scalable and efficient approaches to enhance detection capabilities early in the development lifecycle. Findings: While automated code scanning technologies have made significant strides in detecting and mitigating vulnerabilities, there remain notable research and methodology gaps, especially in technology scalability and the effectiveness of these methods. Unique Contribution to Theory, Policy, and Practice: This article posits a forward-looking perspective on automated code scanning, advocating for intelligent, collaborative, and integrated security measures in OSS. It emphasizes the indispensable role of community collaboration and open-source contributions in advancing these technologies, crucial for the proactive identification and mitigation of security vulnerabilities, thereby safeguarding the digital ecosystem's integrity and reliability.

Nadya Bliss,Lawrence A. Gordon,Daniel Lopresti,Fred Schneider,Suresh Venkatasubramanian

DOI: https://doi.org/10.48550/arXiv.2101.01264

2021-01-04

Computers and Society

Abstract:Computing devices are vital to all areas of modern life and permeate every aspect of our society. The ubiquity of computing and our reliance on it has been accelerated and amplified by the COVID-19 pandemic. From education to work environments to healthcare to defense to entertainment - it is hard to imagine a segment of modern life that is not touched by computing. The security of computers, systems, and applications has been an active area of research in computer science for decades. However, with the confluence of both the scale of interconnected systems and increased adoption of artificial intelligence, there are many research challenges the community must face so that our society can continue to benefit and risks are minimized, not multiplied. Those challenges range from security and trust of the information ecosystem to adversarial artificial intelligence and machine learning. Along with basic research challenges, more often than not, securing a system happens after the design or even deployment, meaning the security community is routinely playing catch-up and attempting to patch vulnerabilities that could be exploited any minute. While security measures such as encryption and authentication have been widely adopted, questions of security tend to be secondary to application capability. There needs to be a sea-change in the way we approach this critically important aspect of the problem: new incentives and education are at the core of this change. Now is the time to refocus research community efforts on developing interconnected technologies with security "baked in by design" and creating an ecosystem that ensures adoption of promising research developments. To realize this vision, two additional elements of the ecosystem are necessary - proper incentive structures for adoption and an educated citizenry that is well versed in vulnerabilities and risks.

Marcus D. Hanwell,Amitha Perera,Wes Turner,Patrick O'Leary,Katie Osterdahl,Bill Hoffman,Will Schroeder

DOI: https://doi.org/10.6084/m9.figshare.790756

2013-09-12

Abstract:Sustainable software ecosystems are difficult to build, and require concerted effort, community norms and collaborations. In science it is especially important to establish communities in which faculty, staff, students and open-source professionals work together and treat software as a first-class product of scientific investigation-just as mathematics is treated in the physical sciences. Kitware has a rich history of establishing collaborative projects in the science, engineering and medical research fields, and continues to work on improving that model as new technologies and approaches become available. This approach closely follows and is enhanced by the movement towards practicing open, reproducible research in the sciences where data, source code, methodology and approach are all available so that complex experiments can be independently reproduced and verified.

Software Engineering,Computers and Society

Guofei Gu,David Ott,Kun Sun GMU,Ehab Al-Shaer,Alvaro Cardenas,Yan Chen,William Enck,Hongxin Hu,Dennis Moreau,Cristina Nita-Rotaru,Don Porter,Mike Reiter,Sandra Scott-Hayward,Srinivasan Seshan

2018-01-01

Abstract:Recent years have seen a dramatic and rapid paradigm shift in computing from static control systems (often implemented in hardware), to dynamic, easily-reconfigurable, software-defined systems. The researchers and practitioners have just begun to scratch the surface of how the ever-increasing software-defined everything (SD-X) changes the landscape of cybersecurity. On one hand, a software-defined world adds potentially new attack surfaces that deserve new research investigation. On the other hand, considering the fact that everything can be defined by the software, now we can have a new playground to redesign the security mechanisms and services. With programmable security, we can also better embrace the new advances in big data and AI to provide more intelligent and adaptive security for the software-defined world. We believe the opportunity is ripe for academics to make foundational contributions, collaboratively with industry, to shape the next 5 years of research in this new space, SPS (Software-defined Programmable Security). Emerging data centers, cloud networks, IoT and edge computing also provide a fertile playground to consider disruptive software-defined programmable security designs. While many research directions are interesting, this report outlines a few high-priority areas:

Marcel Böhme,Eric Bodden,Tevfik Bultan,Cristian Cadar,Yang Liu,Giuseppe Scanniello

2024-09-26

Abstract:As our lives, our businesses, and indeed our world economy become increasingly reliant on the secure operation of many interconnected software systems, the software engineering research community is faced with unprecedented research challenges, but also with exciting new opportunities. In this roadmap paper, we outline our vision of Software Security Analysis for the software systems of the future. Given the recent advances in generative AI, we need new methods to evaluate and maximize the security of code co-written by machines. As our software systems become increasingly heterogeneous, we need practical approaches that work even if some functions are automatically generated, e.g., by deep neural networks. As software systems depend evermore on the software supply chain, we need tools that scale to an entire ecosystem. What kind of vulnerabilities exist in future systems and how do we detect them? When all the shallow bugs are found, how do we discover vulnerabilities hidden deeply in the system? Assuming we cannot find all security flaws, how can we nevertheless protect our system? To answer these questions, we start our research roadmap with a survey of recent advances in software security, then discuss open challenges and opportunities, and conclude with a long-term perspective for the field.

Software Engineering,Cryptography and Security

Wilhelm Hasselbring,Leslie Carr,Simon Hettrick,Heather Packer,Thanassis Tiropanis

DOI: https://doi.org/10.48550/arXiv.1908.05986

2019-08-16

Software Engineering

Abstract:In computational science and in computer science, research software is a central asset for research. Computational science is the application of computer science and software engineering principles to solving scientific problems, whereas computer science is the study of computer hardware and software design. The Open Science agenda holds that science advances faster when we can build on existing results. Therefore, research software has to be reusable for advancing science. Thus, we need proper research software engineering for obtaining reusable and sustainable research software. This way, software engineering methods may improve research in other disciplines. However, research in software engineering and computer science itself will also benefit from reuse when research software is involved. For good scientific practice, the resulting research software should be open and adhere to the FAIR principles (findable, accessible, interoperable and repeatable) to allow repeatability, reproducibility, and reuse. Compared to research data, research software should be both archived for reproducibility and actively maintained for reusability. The FAIR data principles do not require openness, but research software should be open source software. Established open source software licenses provide sufficient licensing options, such that it should be the rare exception to keep research software closed. We review and analyze the current state in this area in order to give recommendations for making computer science research software FAIR and open. We observe that research software publishing practices in computer science and in computational science show significant differences.

Daniel Méndez Fernández,Daniel Graziotin,Stefan Wagner,Heidi Seibold

DOI: https://doi.org/10.1007/978-3-030-32489-6_17

2019-08-13

Abstract:Open science describes the movement of making any research artefact available to the public and includes, but is not limited to, open access, open data, and open source. While open science is becoming generally accepted as a norm in other scientific disciplines, in software engineering, we are still struggling in adapting open science to the particularities of our discipline, rendering progress in our scientific community cumbersome. In this chapter, we reflect upon the essentials in open science for software engineering including what open science is, why we should engage in it, and how we should do it. We particularly draw from our experiences made as conference chairs implementing open science initiatives and as researchers actively engaging in open science to critically discuss challenges and pitfalls, and to address more advanced topics such as how and under which conditions to share preprints, what infrastructure and licence model to cover, or how do it within the limitations of different reviewing models, such as double-blind reviewing. Our hope is to help establishing a common ground and to contribute to make open science a norm also in software engineering.

Software Engineering

Steven Arzt,Linda Schreiber,Dominik Appelt

2024-06-06

Abstract:Software security has been an important research topic over the years. The community has proposed processes and tools for secure software development and security analysis. However, a significant number of vulnerabilities remains in real-world software-driven systems and products. To alleviate this problem, legislation is being established to oblige manufacturers, for example, to comply with essential security requirements and to establish appropriate development practices. We argue that software engineering research needs to provide better tools and support that helps industry comply with the new standards while retaining effcient processes. We argue for a stronger cooperation between legal scholars and computer scientists, and for bridging the gap between higher-level regulation and code-level engineering.

Software Engineering

Florian Angermeir,Markus Voggenreiter,Fabiola Moyón,Daniel Mendez,Fabiola Moyon

DOI: https://doi.org/10.1109/icse-seip52600.2021.00037

2021-05-01

Abstract:Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

Jukka Ruohonen,Gaurav Choudhary,Adam Alami

2024-12-08

Abstract:Many open source software (OSS) projects need more human resources for maintenance, improvements, and sometimes even their survival. This need allegedly applies even to vital OSS projects that can be seen as being a part of the world's critical infrastructures. To address this resourcing problem, new funding instruments for OSS projects have been established in recent years. The paper examines two such funding bodies for OSS and the projects they have funded. The focus of both funding bodies is on software security and cyber security in general. Based on a qualitative analysis, particularly OSS supply chains, network and cryptography libraries, programming languages, and operating systems and their low-level components have been funded and thus seen as critical in terms of cyber security by the two funding bodies. In addition to this and other results, the paper makes a contribution by connecting the research branches of critical infrastructure and sustainability of OSS projects. A further contribution is made by connecting the topic examined to recent cyber security regulations. Furthermore, an important argument is raised that neither cyber security nor sustainability alone can entirely explain the rationales behind the funding decisions made by the two bodies.

Cryptography and Security,Computers and Society,Software Engineering

Randy Heiland,Betsy Thomas,Von Welch,Craig Jackson

DOI: https://doi.org/10.48550/arXiv.1309.1677

2013-09-06

Cryptography and Security

Abstract:In its Vision and Strategy for Software for Science, Engineering, and Education the NSF states that it will invest in activities that: "Recognize that software strategies must include the secure and reliable deployment and operation of services, for example by campuses or national facilities or industry, where identity, authentication, authorization and assurance are crucial operational capabilities." and "Result in high-quality, usable, secure, vulnerability-free, sustainable, robust, well-tested, and maintainable/evolvable software; and which promotes the sustainability of solid and useful on-going investments." Such statements evidence that security should indeed be a first-class consideration of the software ecosystem. In this position paper, we share some thoughts related to research software security. Our thoughts are based on the observation that security is not a binary, all-or-nothing attribute, but a range of practices and requirements depending on how the software is expected to be deployed and used. We propose that the community leverage the concept of a maturity model, and work to agree on a research software security maturity model. This model would categorize different sets of security needs of the deployment community, and provide software developers a roadmap for advancing the security maturity of their software. The intent of this paper is not to express such a comprehensive maturity model, but instead to start a conversation and set some initial requirements.

Stan Zajdel,Diego Elias Costa,Hafedh Mili

DOI: https://doi.org/10.48550/arXiv.2206.10358

2022-06-21

Software Engineering

Abstract:The Open Source Software movement has been growing exponentially for a number of years with no signs of slowing. Driving this growth is the widespread availability of libraries and frameworks that provide many functionalities. Developers are saving time and money incorporating this functionality into their applications resulting in faster more feature-rich releases. Despite the growing success and the advantages that open source software provides, there is a dark side. Due to its community construction and largely unregulated distribution, the majority of open source software contains bugs, vulnerabilities and other issues making it highly susceptible to exploits. The lack of oversight, in general, hinders the quality of this software resulting in a trickle-down effect in the applications that use it. Additionally, developers who use open source tend to arbitrarily download the software into their build systems but rarely keep track of what they have downloaded resulting in an excessive amount of open source software in their applications and in their ecosystem. This paper discusses processes and practices that users of open source software can implement into their environments that can safely track and control the introduction and usage of open source software into their applications, and report on some preliminary results obtained in an industrial context. We conclude by discussing governance issues related to the disciplined use and reuse of open source and areas for further improvements.

John Sherlock,Manoj Muniswamaiah,Lauren Clarke,Shawn Cicoria

DOI: https://doi.org/10.48550/arXiv.1812.11697

2018-12-31

Other Computer Science

Abstract:Open Source Software (OSS) history is traced to initial efforts in 1971 at Massachusetts Institute of Technology (MIT) Artificial Intelligence (AI) Lab, the initial goals of OSS around Free vs. Freedom, and its evolution and impact on commercial and custom applications. Through OSS history, much of the research and has been around contributors (suppliers) to OSS projects, the commercialization, and overall success of OSS as a development process. In conjunction with OSS growth, intellectual property issues and licensing issues still remain. The consumers of OSS, application architects, in developing commercial or internal applications based upon OSS should consider license risk as they compose their applications using Component Based Software Development (CBSD) approaches, either through source code, binary, or standard protocols such as HTTP.

Ziyue Pan,Wenbo Shen,Xingkai Wang,Yutian Yang,Rui Chang,Yao Liu,Chengwei Liu,Yang Liu,Kui Ren

DOI: https://doi.org/10.1109/TDSC.2023.3253572

2024-01-31

Abstract:The continuous integration and continuous deployment (CI/CD) pipelines are widely adopted on Internet hosting platforms, such as GitHub. With the popularity, the CI/CD pipeline faces various security threats. However, current CI/CD pipelines suffer from malicious code and severe vulnerabilities. Even worse, people have not been fully aware of its attack surfaces and the corresponding impacts.

Cryptography and Security

Gregory R. Watson,Addi Malviya-Thakur,Daniel S. Katz,Elaine M. Raybourn,Bill Hoffman,Dana Robinson,John Kellerman,Clark Roundy

DOI: https://doi.org/10.48550/arXiv.2308.14953

2023-08-31

Abstract:Research software plays a crucial role in advancing scientific knowledge, but ensuring its sustainability, maintainability, and long-term viability is an ongoing challenge. To address these concerns, the Sustainable Research Software Institute (SRSI) Model presents a comprehensive framework designed to promote sustainable practices in the research software community. This white paper provides an in-depth overview of the SRSI Model, outlining its objectives, services, funding mechanisms, collaborations, and the significant potential impact it could have on the research software community. It explores the wide range of services offered, diverse funding sources, extensive collaboration opportunities, and the transformative influence of the SRSI Model on the research software landscape

Computers and Society

Lukas Käll,Yasset Perez-Riverol,Wout Bittremieux,William S. Noble,Lennart Martens,Aivett Bilbao,Michael R. Lazear,Bjorn Grüning,Daniel S. Katz,Michael J. MacCoss,Chengxin Dai,Jimmy K. Eng,Robbin Bouwmeester,Michael Robert Shortreed,Enrique Audain,Timo Sachsenberg,Jeroen Van Goey,Georg Wallmann,Bo Wen,William E. Fondrie

DOI: https://doi.org/10.26434/chemrxiv-2024-wf6dw

2024-12-09

Abstract:Scientific discovery relies on innovative software as much as experimental methods, especially in proteomics, where computational tools are essential for mass spectrometer setup, data analysis, and interpretation. Since the introduction of SEQUEST, proteomics software has grown into a complex ecosystem of algorithms, predictive models, and workflows, but the field faces challenges, including the increasing complexity of mass spectrometry data, limited reproducibility due to proprietary software, and difficulties integrating with other omics disciplines. Closed-source, platform-specific tools exacerbate these issues by restricting innovation, creating inefficiencies, and imposing hidden costs on the community. Open-source software (OSS), aligned with the FAIR Principles (Findable, Accessible, Interoperable, Reusable), offers a solution by promoting transparency, reproducibility, and community-driven development, which fosters collaboration and continuous improvement. In this manuscript, we explore the role of OSS in computational proteomics, its alignment with FAIR principles, and its potential to address challenges related to licensing, distribution, and standardization. Drawing on lessons from other omics fields, we present a vision for a future where OSS and FAIR principles underpin a transparent, accessible, and innovative proteomics community.

Chemistry

Huy Tu,Rishabh Agrawal,Tim Menzies

DOI: https://doi.org/10.48550/arXiv.2003.05922

2020-03-13

Abstract:How should software engineering be adapted for Computational Science (CS)? If we understood that, then we could better support software sustainability, verifiability, reproducibility, comprehension, and usability for CS community. For example, improving the maintainability of the CS code could lead to: (a) faster adaptation of scientific project simulations to new and efficient hardware (multi-core and heterogeneous systems); (b) better support for larger teams to co-ordinate (through integration with interdisciplinary teams); and (c) an extended capability to model complex phenomena. In order to better understand computational science, this paper uses quantitative evidence (from 59 CS projects in Github) to check 13 published beliefs about CS. These beliefs reflect on (a) the nature of scientific challenges; (b) the implications of limitations of computer hardware; and (c) the cultural environment of scientific software development. What we found was, using this new data from Github, only a minority of those older beliefs can be endorsed. More than half of the pre-existing beliefs are dubious, which leads us to conclude that the nature of CS software development is changing. Further, going forward, this has implications for (1) what kinds of tools we would propose to better support computational science and (2) research directions for both communities.

Software Engineering

Sam Wen Ping,Jeffrey Cheok Jun Wah,Lee Wen Jie,Jeremy Bong Yong Han,Saira Muzafar

2023-11-18

Abstract:In recent years, technology has advanced considerably with the introduction of many systems including advanced robotics, big data analytics, cloud computing, machine learning and many more. The opportunities to exploit the yet to come security that comes with these systems are going toe to toe with new releases of security protocols to combat this exploitation to provide a secure system. The digitization of our lives proves to solve our human problems as well as improve quality of life but because it is digitalized, information and technology could be misused for other malicious gains. Hackers aim to steal the data of innocent people to use it for other causes such as identity fraud, scams and many more. This issue can be corrected during the software development life cycle, integrating security across the development phases, and testing of the software is done early to reduce the number of vulnerabilities that might or might not heavily impact an organisation depending on the range of the attack. The goal of a secured system software is to prevent such exploitations from ever happening by conducting a system life cycle where through planning and testing is done to maximise security while maintaining functionality of the system. In this paper, we are going to discuss the recent trends in security for system development as well as our predictions and suggestions to improve the current security practices in this industry.

Cryptography and Security,Software Engineering