The proliferation of software tools and automated techniques in digital forensics has brought about some controversies regarding bias and fairness. Different biases exist and have been proven in some civil and criminal cases. In our research, we analyze and discuss these biases present in software tools and automation systems used by law enforcement organizations and in court proceedings. Furthermore, we present real-life cases and scenarios where some of these biases have determined or influenced these cases. We were also able to provide recommendations for reducing bias in software tools, which we hope will be the foundation for a framework that reduces or eliminates bias from software tools used in digital forensics. In conclusion, we anticipate that this research can help increase validation in digital forensics software tools and ensure users' trust in the tools and automation techniques.
Role-Based Ecosystem for the Design, Development, and Deployment of Secure Multi-Party Data Analytics Applications
Software applications that employ secure multi-party computation (MPC) can empower individuals and organizations to benefit from privacy-preserving data analyses when data sharing is encumbered by confidentiality concerns, legal constraints, or corporate policies. MPC is already being incorporated into software solutions in some domains; however, individual use cases do not fully convey the variety, extent, and complexity of the opportunities of MPC. This position paper articulates a role-based perspective that can provide some insight into how future research directions, infrastructure development and evaluation approaches, and deployment practices for MPC may evolve. Drawing on our own lessons from existing real-world deployments and the fundamental characteristics of MPC that make it a compelling technology, we propose a role-based conceptual framework for describing MPC deployment scenarios. Our framework acknowledges and leverages a novel assortment of roles that emerge from the fundamental ways in which MPC protocols support federation of functionalities and responsibilities. Defining these roles using the new opportunities for federation that MPC enables in turn can help identify and organize the capabilities, concerns, incentives, and trade-offs that affect the entities (software engineers, government regulators, corporate executives, end-users, and others) that participate in an MPC deployment scenario. This framework can not only guide the development of an ecosystem of modular and composable MPC tools, but can make explicit some of the opportunities that researchers and software engineers (and any organizations they form) have to differentiate and specialize the artifacts and services they choose to design, develop, and deploy. 
We demonstrate how this framework can be used to describe existing MPC deployment scenarios, how new opportunities in a scenario can be observed by disentangling roles inhabited by the involved parties, and how this can motivate the development of MPC libraries and software tools that specialize not by application domain but by role.
- PAR ID: 10165776
- Date Published:
- Journal Name: IEEE SecDev
- Volume: 2019
- Page Range / eLocation ID: 129 - 140
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- Compliance reviews within a software organization are internal attempts to verify regulatory and security requirements during product development before its release. However, these reviews are not enough to adequately assess and address regulatory and security requirements throughout a software’s development lifecycle. We believe requirements engineers can benefit from an improved understanding of how software practitioners treat and perceive compliance requirements. This paper describes an interview study seeking to understand how regulatory and security standard requirements are addressed, how burdensome they may be for businesses, and how our participants perceived them in the software development lifecycle. We interviewed 15 software practitioners from 13 organizations with different roles in the software development process and working in various industry domains, including big tech, healthcare, data analysis, finance, and small businesses. Our findings suggest that, for our participants, the software release process is the ultimate focus for regulatory and security compliance reviews. Also, most participants suggested that having a defined process for addressing compliance requirements was freeing rather than burdensome. Finally, participants generally saw compliance requirements as an investment for both employees and customers. These findings may be unintuitive, and we discuss seven lessons this work may hold for requirements engineering.
- We conducted an ethnographic study of a software development company to explore if and how a development team adopts security practices into the development lifecycle. A PhD student in computer science with prior training in qualitative research methods was embedded in the company for eight months. The researcher joined the company as a software engineer and participated in all development activities as a new hire would, while also making observations on the development practices. During the fieldwork, we observed a positive shift in the development team's practices regarding secure development. Our analysis of data indicates that the shift can be attributed to enabling all software engineers to see how security knowledge could be applied to the specific software products they worked on. We also observed that by working with other developers to apply security knowledge under the concrete context where the software products were built, developers who possessed security expertise and wanted to push for more secure development practices (security advocates) could be effective in achieving this goal. Our data point to an interactive learning process where software engineers in a development team acquire knowledge, apply it in practice, and contribute to the team, leading to the creation of a set of preferred practices, or "culture" of the team. This learning process can be understood through the lens of the situated learning framework, where it is recognized that knowledge transfer happens within a community of practice, and applying the knowledge is the key in individuals (software engineers) acquiring it and the community (development team) embodying such knowledge in its practice. Our data show that enabling a situated learning environment for security gives rise to security-aware software engineers. We discuss the roles of management and security advocates in driving the learning process to start a security culture in a software company.
- Connected and automated trucks (CATs) have the potential to transform the transportation system and logistics industry. Their unique features, such as operational strategies and truck driving behaviors, can affect transportation system performance. For successful development, testing and deployment of CATs, analysis, modeling, and simulation (AMS) plays an important role, especially in evaluating the impacts of CAT technologies on existing transportation systems. This paper presents a comprehensive review and assessment of up-to-date studies related to CAT AMS, focusing on three correlated elements: CAT applications, data, and tools. The research delves into CAT applications from individual CAT and CAT fleet to CAT-involved traffic. It explores available data sources relevant to CAT system use cases, assessing their potential issues and opportunities. The study also reviews existing AMS tools used to analyze CAT applications at both operational performance and network integration levels, emphasizing research needs in CAT-specific tools development. The findings identify the data needs and point out that existing AMS tools may not capture the complexity of CAT operation, which involves driving behaviors, vehicle-to-everything communications, autonomous capabilities, and response to truck-specific scenarios. The study will lay a solid foundation for further development of the AMS framework for CATs and provide guidance to future research of CAT applications.
- The omnipresence of software systems across all aspects of society has necessitated that future technology professionals are aware of ethical concerns raised by the design and development of software and are trained to minimize harm by undertaking responsible engineering. This need has become even more urgent with artificial intelligence (AI) driven software deployment. In this paper we present a study of an interactive pedagogical intervention – role-play case studies – designed to teach undergraduate technology students about ethics with a focus on software systems. Drawing on the situated learning perspective from the Learning Sciences, we created case studies, associated stakeholder roles, discussion scripts, and pre and post discussion assignments to guide students’ learning. Open-ended data was collected from thirty-nine students and analyzed qualitatively. Findings from the study show that by taking on different perspectives on a problem, students were able to identify a range of ethical issues and understand the role of the software system process holistically, taking context, complexity, and trade-offs into account. In their discussion and reflections, students deliberated the role of software in society and the role of humans in automation. The curricula, including case studies, are publicly available for implementation.