Biblio
Filters: Keyword is key length
Continuous Compliance. 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE). :511–523.
2020. Vendors who wish to provide software or services to large corporations and governments must often obtain numerous certificates of compliance. Each certificate asserts that the software satisfies a compliance regime, like SOC or the PCI DSS, to protect the privacy and security of sensitive data. The industry standard for obtaining a compliance certificate is an auditor manually auditing source code. This approach is expensive, error-prone, partial, and prone to regressions. We propose continuous compliance to guarantee that the codebase stays compliant on each code change using lightweight verification tools. Continuous compliance increases assurance and reduces costs. Continuous compliance is applicable to any source-code compliance requirement. To illustrate our approach, we built verification tools for five common audit controls related to data security: cryptographically unsafe algorithms must not be used, keys must be at least 256 bits long, credentials must not be hard-coded into program text, HTTPS must always be used instead of HTTP, and cloud data stores must not be world-readable. We evaluated our approach in three ways. (1) We applied our tools to over 5 million lines of open-source software. (2) We compared our tools to other publicly-available tools for detecting misuses of encryption on a previously-published benchmark, finding that only ours are suitable for continuous compliance. (3) We deployed a continuous compliance process at AWS, a large cloud-services company: we integrated verification tools into the compliance process (including auditors accepting their output as evidence) and ran them on over 68 million lines of code. Our tools and the data for the former two evaluations are publicly available.
Secure Visible Light Encryption Communication Technique for Smart Home Service. 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC). :0827–0831.
2019. To enhance the security of conventional visible light (VL) communication, which allows easy intrusion by an adjacent adversary due to the visible signal characteristic, this paper proposes a VL communication technique based on the asymmetric Rivest-Shamir-Adleman (RSA) encryption method for smart indoor service. The optimal key length of the RSA encryption process for the secure VL communication technique is investigated, and the error performance dependent on the various asymmetric encryption keys is analyzed for the performance evaluation of the proposed technique. We see that the VL communication technique based on RSA encryption gives similar RMSE performance independent of the length of the public or private key and provides better error performance as the signal-to-noise ratio (SNR) increases.