@mhenke
Last active September 12, 2024 21:15
  1. Provide a diagram that identifies the systems engineering view of the software in the hypothetical environment.

  2. What are the threats perceived by users of the software in its intended operational environment? (If there are none or very few, then re-evaluate your project selection.)

  3. Develop a list of security features in the software (Again, if there are none or very few, then re-evaluate your choice).


TensorFlow: No SAST, Code Reviews 3/30, CII-Best-Practices In Progress

  1. Systems Engineering View:
    • System-of-Interest: TensorFlow, responsible for machine learning model development and deployment.
    • Other Systems: Machine learning libraries, datasets, cloud platforms, and model deployment environments (e.g., Kubernetes, AWS SageMaker).
    • Enabling Systems Inside the Environment of Operation:
      • Compilers
      • Model verification tools
      • TensorFlow Serving infrastructure
    • Enabling Systems Outside the Environment of Operation:
      • Security tools (e.g., vulnerability scanners, intrusion detection systems)
      • Model testing frameworks (e.g., adversarial robustness testing)
      • Dependency/package management tools (e.g., pip, Docker for TensorFlow containers)
  2. Model integrity and protection, adversarial attacks, and data privacy risks.
  3. Data validation, model integrity, secure TensorFlow Serving, and federated learning (training data stays local, which improves privacy and security).

React: No SAST, 129 Existing Vulnerabilities Detected, Token-Permissions

  1. Systems Engineering View:
    • System-of-Interest: React, used for building user interfaces and front-end development.
    • Other Systems: Browsers, APIs, backend services, and user authentication mechanisms.
    • Enabling Systems Inside the Environment of Operation:
      • Build tools (e.g., Webpack, Babel)
      • State management libraries (e.g., Redux)
      • Component libraries (e.g., Material-UI)
    • Enabling Systems Outside the Environment of Operation:
      • Continuous Integration (CI) pipelines (e.g., Jenkins, CircleCI)
      • Static analysis and code quality tools (e.g., ESLint, Prettier)
      • End-to-end testing frameworks (e.g., Cypress, Selenium)
  2. Cross-Site Scripting (XSS), insecure dependencies, and unauthorized access to sensitive data.
  3. Protection against cross-site scripting (XSS) through default output escaping, safe event handling, and content security policy (CSP) integration (the CSP itself cannot be set by React and must be configured separately at the server level).

Next.js: No SAST, 176 Existing Vulnerabilities Detected, Token-Permissions, Binary-Artifacts, CII-Best-Practices No Effort

  1. Systems Engineering View:
    • System-of-Interest: Next.js, a full-stack web application framework.
    • Other Systems: Databases (e.g., MongoDB, MySQL), third-party APIs, and CDNs (e.g., Cloudflare).
    • Enabling Systems Inside the Environment of Operation:
      • SSR (Server-Side Rendering) optimizers
      • Dynamic routing modules
      • Deployment pipelines (e.g., Vercel)
    • Enabling Systems Outside the Environment of Operation:
      • Monitoring tools (e.g., Datadog, Sentry)
      • API security tools (e.g., OAuth2, API gateways)
      • Dependency management tools (e.g., npm, Yarn)
  2. Server-Side Rendering (SSR) vulnerabilities, dependency risks, and token mismanagement.
  3. Content Security Policy (CSP), secure defaults for SSR and SSG, and API route protection.
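As an added illustration, not part of the gist, of two items above: the caveat that a CSP must be set at the server level rather than inside React, and the Next.js features of a CSP with secure SSR defaults plus API route protection. The code is framework-agnostic so it runs under plain Node; the `headers()` entry shape mirrors what a `next.config.js` would return (assumed usage), and `checkApiToken` is the check an API route handler would call before doing any work.

```javascript
// Added example (not the gist's or Next.js's own code): build a strict CSP
// value for the server to emit, and protect an API route with a bearer token.

// Turn a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Strict baseline for an SSR app: no inline or third-party scripts, so an
// injected <script> cannot execute even if it reaches the page; the per-request
// nonce allows only the scripts the server itself rendered.
function cspForNonce(nonce) {
  return buildCsp({
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"],
  });
}

// Shape of a next.config.js `headers()` result (assumed usage): the header is
// attached by the server for every route, which is why React cannot do this.
function nextHeadersEntry(nonce) {
  return [{
    source: '/(.*)',
    headers: [{ key: 'Content-Security-Policy', value: cspForNonce(nonce) }],
  }];
}

// Constant-time string comparison so token checks do not leak the position of
// the first mismatch through timing. crypto.timingSafeEqual is the library
// equivalent; a hand-rolled loop keeps this block dependency-free.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// API route protection: `req.headers` mirrors the Node IncomingMessage shape
// an API route handler receives. Missing token -> 401, wrong token -> 403.
function checkApiToken(req, expectedToken) {
  const [scheme, token] = String(req.headers['authorization'] || '').split(' ');
  if (scheme !== 'Bearer' || !token) return { ok: false, status: 401 };
  if (!safeEqual(token, expectedToken)) return { ok: false, status: 403 };
  return { ok: true, status: 200 };
}
```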