a sampler of my work
Open-source code is something that everyone uses. However, its security is often assumed. This can lead to open-source supply chain issues and breaches such as Log4j. The onus of ensuring the security of open-source code often falls upon its users. What can we do about it?
Talks & Publications:
Chujiao Ma, Vaibhav Garg. Hidden Risk of Unpopularity in Open Source. SCTE, 2021.
Chujiao Ma, Matthew Bosack, Wendy Rothschell, Noopur Davis, Vaibhav Garg. Wanted Hacked or Patched: Bug Bounties for Third Party Open-Source Software Components. ;login: (USENIX), 2022.
Chujiao Ma. Wanted Hacked or Patched: Bug Bounties for Third Party Open-Source Software Components. BrightTALK Webinar, 2022.
Crypto-agility & Quantum
Change in cryptography is inevitable. However, updating our infrastructure to support that change is not so simple. We proposed the Crypto Agility Risk Assessment Framework (CARAF) as a way to approach such a transition in an optimized manner, especially for post-quantum cryptography.
The availability of a usable quantum computer can render most of our public-key cryptography vulnerable. NIST has already published the finalists of its post-quantum cryptography competition, and they will most likely be required in the near future. What do we need to do about it right now?
Talks & Publications:
Chujiao Ma, Luis Colon, Joe Dera, Bahman Rashidi, Vaibhav Garg. CARAF: Crypto Agility Risk Assessment Framework. Journal of Cybersecurity, Volume 7, Issue 1, 2021.
Chujiao Ma. Crypto Agility: Adapting and Prioritizing Security in a Fast-Paced World. LISA '21, USENIX Association, 2021.
Chujiao Ma. Post-Quantum Cryptography: What Executives Should Know. Executive Women's Forum Annual Conference, 2021.
Chujiao Ma, Vaibhav Garg. Navigating the Transition to a Post-Quantum World. SCTE, 2021.
Privacy has become an important area of concern in the past few years. Unlike security, privacy focuses more on context and usage. Processes and countermeasures for privacy should be separate from, but can be complementary to, those for security. My work in this area ranges from developing a de-identification process for data to building privacy tools.