※이 블로그는 삼성 소프트웨어 홍보 인플루언서인 삼성 오픈소스(소프트웨어) 컴패니언즈의 입장에서 바라본 ssdc2022 참관기로서, 외부 대학생 시선으로 바라 본 ssdc2022의 현장 분위기를 담고 있습니다. 지난 11월 15일부터 16일까지 이틀간 삼성전자 서초 사옥과 온라인에서 동시에 개최된 삼성 소프트웨어 개발자 콘퍼런스 2022(samsung software developer conference 2022, ssdc)에서는 ‘learn, share, network’라는 주제로 다양한 분야의 소프트웨어 개발자들이 각자의 지식을 공유하는 교류의 장이 펼쳐졌습니다. 이날 삼성 소프트웨어 개발자 콘퍼런스 2022에서는 키노트, 세션, 전시, 커뮤니티를 중심으로 행사가 진행되었습니다. samsung software developer conference 2022: keynote 올해 삼성 소프트웨어 개발자 콘퍼런스 2022는 삼성전자 한종희 대표이사 부회장의 개회사를 시작으로 성황리에 개막했습니다. 한종희 부회장은 “삼성전자는 기술 혁신의 근간인 소프트웨어 리더십을 공고히 하고 놀라운 사용자 경험이 일상화되는 세상을 만들고자 합니다”라며 “본 행사가 소프트웨어 개발자들에게 미래 설계와 발전에 도움이 될 인사이트를 얻는 시간이 되길 바랍니다”라는 인사말을 남겼습니다. 키노트는 삼성리서치 연구소장 승현준 사장의 ‘삼성전자 선행 연구개발 기술 소개’라는 주제로 시작되었습니다. 승현준 소장은 로보틱스, ai, 헬스 스택, sr 트랜슬레이트, 타이젠 플랫폼 등을 바탕으로 “삼성은 우리의 일상을 개선하기 위해 물리적 경험을 향상하는 디지털 기술을 만드는 데 집중하고 있다”고 말했습니다. 이어 삼성전자 제품에 탑재된 소프트웨어 기술인 스마트싱스, 빅스비, 보안 등의 주요 기술을 소개하는 내용과 삼성전자의 소프트웨어 개발 문화인 사내 fa, 오픈소스 프로젝트, 개발자 참여형 플랫폼 등 사내 제도에 대한 발표가 진행되었습니다. samsung software developer conference 2022: session 세션에는 삼성전자의 직원뿐만 아니라 현업 ceo의 발표도 진행되었습니다. ‘viralpick’의 ceo인 이승현 님은 ‘e-commerce hyper-automation’이라는 주제로 발표했습니다. 그는 기존의 커머스와 달리 자사는 판매자의 영역을 인공지능이 대체하여 상품 판매 전략에 대한 의사를 결정하고 이를 실행하도록 유도한다고 설명했습니다. 또한 데이터를 통한 전략적인 판단을 바탕으로 ‘superhuman intelligence’에서 기술의 자동화를 이루는 기반을 마련하며, 현재 45개국 대상 10개 플랫폼의 멀티채널로 구축하는 프로젝트를 진행하고 있다고 밝혀 청중들로부터 응원과 격려를 받았습니다. 세션에서는 삼성전자 개발자의 개발 스토리를 유머러스하게 풀어내기도 했습니다. 삼성전자 mx 사업부의 개발자 이바로슬 프로는 ‘코딩은 사랑을 싣고’라는 주제로 발표를 했는데, 코딩이라는 도구를 통해 인연을 찾아보길 바란다고 말하며, 개발자가 연애를 시작하고 본인을 소개하는 데 도움이 되는 포트폴리오를 만드는 방법도 제안했습니다. 이바로슬 프로는 연애에 본인의 장점인 코딩을 활용해 보고자 다짐했고, 상대방에게 자신의 정보를 소개하는 웹 게임을 개발했습니다. 개발에 사용된 기술력은 어렵지 않지만, 흥미를 끌 만한 아이디어가 빛을 발한다는 입장을 밝혔습니다. 마무리로는 역시나 연애는 쉽지 않음에도 결혼에 성공할 때까지 계속 도전하겠다는 포부를 드러내어 청중의 환호를 받았습니다. 삼성리서치의 ‘삼성 오픈 소스 컴패니언즈(sosc)’도 발표에 합세했습니다. sosc는 올해 3기를 맞아 활동 영역을 오픈소스에서 소프트웨어로 확장하고, ‘성장하는 소프트웨어의 동반자, sosc’라는 주제로 발표했습니다. 이들은 삼성전자의 직원 혹은 개발자가 아닌 대학생으로 이루어진 인플루언서 그룹으로, 외부의 시선에서 바라본 삼성전자를 소개했습니다. 20분 남짓한 시간 동안 6가지의 소주제로 6명의 인플루언서가 돌아가면서 발표하며 흥미를 자아냈습니다. 대표적으로 삼성 소프트웨어의 개발 과정에서 발견한 협력, 고객의 입장에서 생각하는 삼성의 개발 문화, 소프트웨어 업계 내 삼성의 경쟁력, sosc 소개 및 sosc의 브랜딩과 같이 다양한 이야기를 풀어나가며 day 1 세션의 마지막을 장식했습니다. samsung software developer conference 2022: exhibition 삼성전자는 자사의 전자제품을 전시하며 타이젠 부스를 운영했습니다. 올해로 출시 10주년을 맞은 타이젠의 부스에는 출시 최초의 카메라부터 현재까지 출시한 대표적인 제품이 전시되었습니다. 부스 운영자는 "타이젠은 지난 10년간 많은 제품을 출시하며 전 세계의 소비자를 만나고 있습니다. 아직 모르는 분도 있겠지만 관심을 가져 주신다면 더 좋은 제품을 출시할 수 있을 것입니다"라고 말하며 들뜬 마음을 전했습니다. 전시 제품에는 타이젠 2.3을 탑재한 gearfit2, 타이젠 4.0을 탑재한 family hub 및 robot vacuum, 타이젠 6.0을 탑재한 uhd 4k smart tv 등이 있습니다. edint는 인공지능을 활용하여 온라인 시험을 관리, 감독하는 솔루션을 개발 및 전시했습니다. 영상처리를 이용하여 정면 감시 및 측면 감시를 할 수 있는 솔루션으로 이를 이용하면 온라인 시험에서 부정행위를 적발할 수 있습니다. 얼굴에 인식된 하늘색 육면체의 모서리는 얼굴의 방향을 뜻하고, 자주색 선은 시선의 방향을 뜻하며, 이를 통해 얼굴 방향과 시선 방향의 일치 여부를 판별하게 됩니다. 아울러 얼굴뿐만 아니라 신체의 뼈대를 객체 요소로 추출하여 손을 감추는 행위 등을 의심 행위로 간주할 수 있습니다. 이러한 분석 정보는 시험이 끝난 후 개최자에게 리포트 형식으로 제공됩니다. 삼성전자의 오픈소스 그룹에서 근무하는 홍문기 프로는 매터(matter)의 오픈소스 프로젝트 리더입니다. 매터란 csa 내 삼성을 포함한 다양한 기업이 협업하여 구축하고 있는 스마트홈 연동 표준입니다. 그는 삼성전자의 타이젠 플랫폼을 매터와 연결하기 위해 팀원과 함께 개발에 참여했습니다. 아울러 "고객의 거주지 내에 사물인터넷을 제공하는 여러 제품이 있다면, 특정 브랜드의 제품은 경우에 따라 활용하기 어려울 수도 있을 것"이라며 호환성 문제가 있는 기존 제품의 아쉬운 점과 함께 “매터라는 중간 다리를 통해 브랜드에 상관없이 원하는 제품으로 사물인터넷 환경을 꾸몄으면 좋겠다는 말을 전했습니다. samsung software developer conference 2022: community ssdc와 함께 소프트웨어 커뮤니티 연합 밋업도 동시에 진행되었습니다. 커뮤니티 밋업은 4년 전 ssdc의 전신인 soscon부터 매년 진행되고 있는 개발자 간 소통의 장입니다. 올해는 'software developer community'라는 웹사이트를 런칭하며 국내 60개 커뮤니티와 연합으로 진행하게 되었습니다. 이날 커뮤니티 밋업의 세션을 맡은 ‘위민후코드 서울’ 소속의 김승미 님은 ‘web3 생태계 입문기’라는 주제로 발표에 나섰으며, 개인이 발행한 콘텐츠에 대한 보상을 받을 수 있는 web3 생태계를 폭넓게 공부하기 위해 블록체인 학회에 참여하고 nft 워크숍에서 강사로도 활동하고 있다고 전했습니다. ‘ai robotics kr’ 소속의 김수영 님은 ‘우리가 원하는 로봇, 우리가 필요한 기술’이라는 주제로 ‘legged’라는 사족보행 로봇을 직접 제어하는 모습을 보여주며 이러한 로봇에 필요한 인지, 판단, 구동 등의 기술 요소를 개발하기 위해 노력하고 있다고 말했습니다. 장석진 프로는 삼성리서치에서 개발자 릴레이션십을 담당하고 있습니다. 다양한 커뮤니티에 속한 개발자가 서로 만날 수 있는 기회를 만들고자 프로그램을 기획하게 되었다고 밝혔습니다. 아울러 "기존에는 ai나 로봇 분야에서 고등학생과 여성 개발자 등이 상호 간에 네트워킹하는 데 많은 어려움을 겪었지만, 본 행사에서는 다양한 커뮤니티가 한 공간에 모여 교류함으로써 개발자 네트워킹에 좋은 영향력을 미칠 수 있을 것"이라는 긍정적인 입장을 밝혔습니다. 또한 "앞으로도 이러한 오프라인 행사가 마련되어 자주 모여 교류할 수 있으면 좋겠다"는 바람을 전했습니다. samsung software developer conference 2022: replay 삼성 소프트웨어 개발자 콘퍼런스 2022(samsung software developer conference 2022, ssdc)에 대한 자세한 내용은 홈페이지의 ‘replay’ 카테고리에서 확인할 수 있습니다.
samsung health stack open-source tech stack providing end-to-end solutions for collecting and analyzing research and clinical data what is samsung health stack? samsung health stack is an open-source toolset that provides end-to-end solutions for various medical research and clinician service use cases on android and wear os devices. it includes the app sdk, web portal, and a system to support backend services through api endpoints. visit github get resources app sdk the app sdk provides developers with highly customizable building blocks to create apps that collect participant data, such as onboarding, consent flow, surveys and tasks, and data visualization. download sdk web portal the web portal provides a ui portal customized to researchers' needs. it includes features for managing team members, creating and deploying app content, tracking consenting participants' activity, and analyzing data. download portal
health leverage our health platform to develop powerful health applications for your galaxy watch or smartphone. accelerate innovation and research in health and wellness with samsung's new health sdks samsung's health sdks enable a broad ecosystem of partners to accelerate innovation and solution development in health and wellness. as galaxy watch sensors and capabilities improve, you can, with user consent, integrate health data from galaxy watch and smartphones into your existing applications and platforms, as well as create innovative and powerful new products that enhance users' well-being through health insights. privileged health sdk the samsung privileged health sdk is a software platform that enables the medical community and digital health solution providers to harness the power of galaxy watch’s advanced sensors to develop powerful health-sensing capabilities in their applications. learn more request partnership samsung health stack the samsung health stack encompasses open-source tools, applications, and services to ease running, managing, and analyzing health studies across the android ecosystem. learn more download sdk device health sdk the samsung health device sdk defines bluetooth low energy (ble) compatible guidelines and samsung health specifications based on bluetooth generic attributes (gatt), including service structure, to connect with samsung health. learn more health connect samsung and google have collaboratively built a unified health platform that provides a simple and secure way to exchange health data between android apps. samsung health synchronizes its data with health connect, including steps, exercise, heart rate, and sleep. learn more code lab learn about using the samsung health sdks to implement useful features with our sample apps. go to code lab technical support having problems using the samsung health sdk? submit your query and receive technical support for your app. go to technical support
the 2022 samsung developer conference in san francisco showcased some of samsung’s latest innovations in technology. this year spotlighted samsung’s brilliant minds innovating a calm technology ecosystem that gives consumers more seamless experiences in their daily lives. every year we kick off sdc with a keynote speech. this year jonghee han, head of the device experience (dx) division, shared how samsung electronics is crafting systems that help make lives smarter, safer, more convenient, and more connected than ever before. covering everything from knox matrix to holistic household platforms like bixby home studio and smartthings. jh han, vice chairman, ceo and head of device experience (dx) division for those interested in learning more, discover the developer updates shared at sdc in this blog post. samsung electronics integrates matter into the smartthings ecosystem jaeyeon jung, corporate vice president at samsung electronics and head of smartthings, shared how developers can maximize calm technology in the home by tapping into smartthings new integration with matter. jaeyeon jung, vp and head of smartthings, mobile experience business matter-enabled devices will join numerous products and brands already available within smartthings’ vast ecosystem, including devices from google, eve systems, honeywell home by resideo, linksys, nanoleaf, philips hue, schlage, wemo, yale, and more. developers, we invite you to build code with matter-enabled devices and watch the many smartthings tech sessions. dolby atmos releases a 3-d audio plugin for samsung mobile matthew reyes from dolby announced dolby atmos’ a new audio plugin with audiokinetic. the audio plugin enables game developers to create a 3-d surround sound effect for galaxy buds and samsung mobile. now players can feel every part of the action on their phones. dolby’s free plugin offers developers a chance to create an even better immersive experience. check out dolby’s tech session, which provides a plugin tutorial. samsung open-sources bothandy project sebastien seung and the team at samsung research america released samsung bothandy’s "openbothandy" open-source project. openbothandy provides manipulation benchmark scenarios, real-time simulation, and baseline manipulation codes. sebastian seung, president and head of samsung research experiment with samsung bothandy and advance robot manipulation technologies. bixby home studio simplifies voice commands bixby's developer evangelist, roger kibbe, shared what’s new with bixby developer studio and bixby home studio. this year's newest update is bixby home studio's voice control optimization tool on smartthings home devices. asr, nlu, and an entire command system are now completed locally on one device. what this means is bixby home studio allows developers to create code that helps consumers complete multiple tasks with a single command on the phone. imagine, you can ask to turn on your ac, and bixby home studio also checks to see if you have any windows open. roger kibbe, senior developer evangelist, north america bixby labs listen to roger’s tech session for more updates and start developing with bixby home studio. samsung health stack optimizes research studies principal engineer jinwoo song from samsung research’s data research team demonstrated how samsung health stack helps developers, engineers, and health professionals optimize research related to digital health using wearable devices. with samsung health stack’s app sdk, developers can create mobile apps that collect data from participants. applications include medical research studies, clinician services, or whatever your imagination envisions. tune in to jinwoo's recorded tech session, and contribute your visions to samsung health stack. relive sdc22 if you’re not done exploring the latest tech innovations, we welcome you to get inspired by sdc from the comfort of your home. you can experience sdc22 all over again–from watching the highlights to accessing the tech sessions on-demand. thank you for reading through our developer announcement for sdc22 events in the past. let us know your favorite moments from sdc by tagging us with the hashtag #sdc22 on twitter, facebook, linkedin, and youtube to continue the discussion.
open source samsung automation studio is one way to integrate samsung services with open source or 3rd-part services. we are actively using open source and trying to contribute to the open source ecosystem. check out the following article. samsung electronics migrates iot developer tools to cloud foundry based on node-red samsung automation studio was forked from node-red version 0.17.5 and developed to support the easy development of smartthings automation webhook in early 2016. low-code programming for event-driven applications node-red is a programming tool for wiring together hardware devices, apis and online services in new and interesting ways. it provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click. flow-based programming invented by j. paul morrison in the 1970s, flow-based programming is a way of describing an application’s behavior as a network of black-boxes, or “nodes” as they are called in node-red. each node has a well-defined purpose; it is given some data, it does something with that data and then it passes that data on. the network is responsible for the flow of data between the nodes. it is a model that lends itself very well to a visual representation and makes it more accessible to a wider range of users. if someone can break down a problem into discrete steps they can look at a flow and get a sense of what it is doing; without having to understand the individual lines of code within each node. more details are available at nodered.org contributes samsung automation studio team published custom nodes on the node-red site. we are improving it through open source. see the following github. https://github.com/samsung/samsungautomationstudio and we continue to engage the nodered community. running on cloud foundry automation studio deploys flows in secured and isolated containers whose healths and lifecycles are managed automatically by the reliable container platform (cf) cloud platform cloud platforms let anyone deploy network apps or services and make them available to the world in a few minutes. when an app becomes popular, the cloud scales it to handle more traffic, replacing build-out and migration efforts that once took months with a few keystrokes. cloud platforms enable you to focus exclusively on your apps and data without worrying about underlying infrastructure. the following diagram shows the layers of a typical technology stack, and compares the traditional it model to the cloud platform model: about the cloud foundry platform this section describes why cloud foundry is an industry-standard cloud platform. not all cloud platforms are created equal. some have limited language and framework support, lack key app services, or restrict deployment to a single cloud. as an industry-standard cloud platform, cloud foundry offers the following: open source code: the platform’s openness and extensibility prevent its users from being locked into a single framework, set of app services, or cloud. deployment automation: developers can deploy their apps to cloud foundry using their existing tools and with zero modification to their code. flexible infrastructure: you can deploy cloud foundry to run your apps on your own computing infrastructure, or deploy on an iaas like vsphere, aws, azure, gcp, or openstack. commercial options: you can also use a paas deployed by a commercial cloud foundry cloud provider. community support: a broad community contributes to and supports cloud foundry. cloud foundry is ideal for anyone interested in removing the cost and complexity of configuring infrastructure for their apps. more details are available at cloudfoundry.org get started - samsung automation studio (beta)
note: this article assumes that you have prior knowledge about machine learning. if you have any questions, please post them in the samsung neural forum. the development of machine learning has revolutionized the technology industry by bringing human-like decision making to compact devices. from health care to real estate, finance, and computer vision, machine learning has penetrated almost every field. today, many businesses deploy machine learning to gain a competitive edge for their products and services. one of the fastest-growing machine learning areas is deep neural networks (dnn), also known as artificial intelligence (ai), which is inspired by the neural interactions in the human brain. with the ai industry growing so quickly, it is not only difficult to be up-to-date with the latest innovations, but even more so to deploy those developments in your business or application. as ai technology paves its way into the mobile industry, one wonders: what can be achieved with the limited capacity of mobile embedded devices? how does one execute dnn models on mobile devices, and what are the implications of running a computationally intensive model on a low resource device? how does it affect the user experience? typically, a deep neural network is developed on a resource-rich gpu farm or server, where it is designed and then trained with a specific data set. this pre-trained dnn model is then ready to be deployed in an environment, such as a mobile device, to generate output. a pre-trained dnn model can easily be used to develop an ai-based application that brings completely unique user experiences to mobile devices. a variety of pre-trained models, such as inception, resnet, and mobilenet are available in the open source community. the samsung neural sdk is samsung’s in-house inference engine which efficiently executes a pre-trained dnn model on samsung mobile devices. it is a one-stop solution for all application and dnn model developers who want to develop ai-based applications for samsung mobile devices. to simplify the process of deploying applications that exploit neural network technology, the samsung neural sdk supports the leading dnn model formats, such as caffe, tensorflow, tflite, and onnx, while enabling you to select between the available compute units on the device, such as the cpu, gpu, or ai processor.1 the samsung neural sdk enables easy, efficient and secure execution of pre-trained dnn models on samsung mobile devices, irrespective of the constraints posed by hardware such as compute unit capability, memory configuration and power limitations. samsung neural stack features the samsung neural sdk provides simple apis that enable you to easily deploy on-device pre-trained or custom neural networks. the sdk is designed to accelerate the machine learning models in order to improve performance and optimize hardware utilization, balancing performance and latency with memory use and power consumption. the samsung neural sdk supports mixed precision formats (fp32/fp16 and int8), and provides a great variety of operations that enable you to experiment with different models and architectures to find what works best for your use case. it also employs industry-standard cryptographic encryption methods for neural network models, to protect your intellectual property. the samsung neural sdk includes complete api documentation for your ready reference. it describes all the optimization tools and supported operations, provides code examples, and more. sample benchmarking code included with the samsung neural sdk the accompanying sample benchmarking code helps you understand how to use the api methods and demonstrates the available features and configurations, such as selecting a compute unit and execution data type. the samsung neural sdk can be used in a wide range of applications that utilize deep neural networks and improves their performance on samsung mobile devices. it has already been applied to many use cases and we look forward to supporting your application idea. are you interested in using samsung neural sdk? visit samsung neural sdk to learn more about becoming a partner today. partners gain access to the sdk and technical content such as developer tips and sample code. if you have questions about the samsung neural sdk, email us at email@example.com.  ai processors include neural processing units (npu) and digital signal processors (dsp). the samsung neural sdk currently supports only the caffe and tensorflow formats.
Samsung Neural Team
application security this topic describe the security of applications which run on samsung devices. related info web security testing guide owasp secure software development lifecycle microsoft security development lifecycle (sdl) cwe list version 4.6 overview security is becoming an important issue with the increase of various smart devices. in order to protect data from users and businesses, samsung devices are enhancing security in several layers, from hardware to software. as samsung device applications are also software driven by samsung, the security needs to be taken into account. samsung device applications can store important information such as code and key values and personal information of the user, which is an important resource that must be protected. these resources can be leaked due to a variety of reasons, such as a simple mistake by a developer or hacking by an attacker. in order to safeguard this, samsung device applications need to be developed according to secure by design. in particular, the personal information of the user should comply with the policy related to the personal information for each country. secure by design all software within the devices developed by samsung are based on the secure development lifecycle (sdl) model, and development step is divided into analysis, design, implementation, and testing, so vulnerability should be removed by performing a security review at each step. from the same point of view, applications operating on samsung device should maintain the same security level. for this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review. security in the analysis/design phase: you should identify important information that is stored and transferred and ensure that the information is handled safely. if you receive user input, you should review that you do not require more information than you need, and there is no issue with the input format. you must identify the important information to be used and ensure that the information is displayed on vulnerable areas in the flow of the program. in particular, when transmitting important information outside the device, you need to ensure that it communicates with the specified server through a secured channel. at the time of designing, you must first define important information that needs to be protected and design it in a proper manner to protect it. security in the implementation phase: it must be implemented in compliance with security rules to prevent information in the software from being leaked through known vulnerabilities. important information obtained in the design phase should be stored by applying security techniques such as encryption and make sure that it does not exist in plain text within the program. establish secure coding rules for each language and proceed with development accordingly. you must use only the minimum permissions required and notify the user of the permissions you use. you should make sure that the security channel is properly set on the network, and the latest version of the technology is applied. if you use encryption algorithms, you must use them securely using verified standard algorithms where vulnerabilities are not reported. security in test phase: security checks must be performed before deployment to prevent security issues and maintain security through maintenance after deployment. before deployment, it is necessary to verify that there is no issue with analysis, design, and implementation when actually operated through simulated hacking, packet checking, etc. after deployment, if a new vulnerability is found or a modification occurs in the security check, it must be patched and applied to all users as soon as possible. security review process in order to maintain the security of the application ecosystem, samsung is performing security checks on the submitted applications. samsung checks the risk or misuse cases that may occur due to the submitted applications, and if there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it. application security guide this section provides basic security guidelines to consider in the development of applications. for a safe and reliable application running environment, we recommend that you proceed with the following points in the development phase. data protection three key factors for data protection are confidentiality, integrity, and availability. if an application sends or stores sensitive information, the application must encrypt data stored on these devices and protect it from attackers. it is very important to protect sensitive data such as user credentials or personal information in application security. if the mechanism of the operating system is not used correctly, sensitive data can be unintentionally exposed. definition of sensitive data: personally identifiable information that can be exploited for identity theft: for example, resident registration number, social security number, credit card number, bank account number, health information, etc. sensitive data that can lead to loss of honor and loss of money if leaked all data that must be protected for legal or compliance reasons. security item description data protection sensitive data, such as passwords or pin data, should not be exposed through the user interface. the key values used by the application must be hardcoded or not stored in plain text. sensitive data should not be stored in an application container or external storage. sensitive data should not be recorded in the application log.sensitive data should not be shared with third parties unless it is necessary in the architecture. sensitive data should not be shared with third parties unless it is necessary in the architecture. keyboard cache must be disabled from the text input that processes sensitive data. sensitive data should not be exposed even during internal communication. you should ensure that the data stored in the client-side storage (ex: html5 local storage, session store, indexeddb, regular cookie, or flash cookie) does not contain sensitive data. make sure that you have provided clear t&c for the collection and use of the provided personal information and that you have provided selective consent to the use of that data before you use it. reference links:european union general data protection regulation (gdpr) overvieweuropean union data protection supervisor - internet privacy engineering networkapplication development privacy guide table 1. data protection security description and reference links authentication if there is a feature to log-in to the remote service by the user, it must be configured through security design. even when most of the logic is operating on a remote service, the device must also meet security requirements on how to manage user accounts and sessions. security item description authentication if the application provides remote services to the user, user name and password authentication must be performed from the remote service. if you use status storage session management, the remote service must authenticate the client request using the randomly generated session identifier without sending the user's credentials. if using stateless token-based authentication, the remote services must provide signed tokens using security algorithms. when a user logs out, the remote service must end the existing session. table 2. authentication security description access control an application can access a resource only if it has access to it. security item description access control application must require only the minimum access required. application must use the privilege that match the permissions and specify the privileges used. when accessing user data, make sure that the principle of minimum access privilege requirement is followed. applications must have access to apis, data files, urls, controllers, directories, services, and other resources with minimal access required. you should verify and process all input from external resources and users. this should include data received through the ui, a user-defined url, inter-process communication (ipc), etc. if an application uses a completely unprotected custom url, you should not export sensitive information. important data or apis must be protected from user access other than data owners. reference links:owasp cheat sheet: access control table 3. access control security description and reference links communications when the network is used, the application should not display the transmitted/received content using a secured channel. security item description communications data must be encrypted on the network using tls(transport layer security). security channels must be used consistently throughout the application. the setting of the security channel must be configured to protect information safely. the data being transmitted must be protected from being snatched/taken over in the middle. (ex. defence against man in the middle attack) reference links:owasp – tls cheat sheet table 4. communications security description and reference links input validation you must defend the command insertion attack through validating the validity of input value. input value validation should be considered at all stages of development. security item description input validation input values must process the data based on type and content, applicable laws, regulations and other policy compliance, and define how to handle it. you must ensure that input validation is performed on a trusted service layer. you need to check whether it protects against parameter attacks such as mass parameter allocation attacks or unsafe parameter allocation. all possible input values (e.g. html form fields, rest requests, url parameters, http headers, cookies, batch files, rss feeds, etc.) must be checked using validation (ex. whitelist). you should check whether the values entered are in the correct form in well-defined schemas, including allowed characters, lengths, and patterns. the url redirection and forward should display a warning that only whitelist targets are allowed or that you are connecting with potentially untrusted content. make sure you use memory safety strings, secure memory copy, and pointer calculation to detect or prevent stacks, buffers, or heap overflows. in order to prevent integer overflow, you need to make sure that sign, range, and input validation techniques are used. reference links:xml external entity (xxe) prevention cheat sheetreducing xss by way of automatic context-aware escaping in template systems table 5. input validation security description and reference links password management in case of application with different user password, security settings are required for them. security item description password management you must ensure that the password does not contain spaces and cut/copy is not performed. in the password change feature, you should check that the user's current password and new password are required. it is recommended to provide a password strength meter so that users can set a stronger password. it is also recommended to provide rules that limit allowed character types (uppercase letter, numeric, special characters). you should check that it is recommended to change your user password within the right due date. do not store the user password in the application's properties or settings file in plain text or recoverable form. passwords must be stored, transferred, and compared in a hashed state using a standard hash function. to prevent random attacks, you should use the login limit(number of login) or captcha. default password should not be generated. make sure you do not show the key information, like passwords in the log. reference links:cwe-804: guessable captchacwe-836: use of password hash instead of password for authenticationcwe-257: storing passwords in a recoverable formatcwe-261: weak encoding for passwordcwe-263: password aging with long expiration table 6. password management security description and reference links session manager a session is a technique for controlling and maintaining the status of a user or device interacting with one user in a web application. a session has a unique value for each user and cannot guess or share that value. security item description session manager you should check that the session token is not exposed/displayed in the application's url parameter or error message. make sure the application generates a new session token from user authentication. you should check that the session token is stored using properly secured cookies or security methods. you should check that a session token is generated using a standard encryption algorithm. make sure the session is not reused by verifying that the session token is invalid when logout and session expires. reference links:owasp session management cheat sheetalgorithms, key size and parameters report 2014 table 7. session manager security description and reference links error handling the purpose of error handling is to allow applications to provide security events related to monitoring, status check, and increase in permission, and not just creating logs. security item description error handling you must ensure that common error handling formats and access method are used. you must make sure exception handling is used on the code base to explain expected and unexpected error conditions. you must ensure that other error handlers that can prepare all unprocessed exceptions are defined. in case of an error, you must make sure that the message shown to the user does not contain application-related technical or sensitive information. we recommend using separate error codes for error support.. table 8. error handling security description release check the following before releasing the application. security item description release application must be signed and distributed with a valid certificate, and the private key must be properly protected. debugging code and developer support code (test code, back door, hidden settings, etc.) must be removed. deployed applications should not output or record detailed errors or debugging messages. libraries and frameworks etc. used by applications should be checked for known vulnerabilities. the equipment used for release must be able to respond to external threats (viruses, hacking, etc.). it should be built in release mode. a separate debug message should not be left from the application. if you include binary, debug information should be removed. if a vulnerability occurs after release, you should update the application as soon as possible and always keep the latest version. table 9. release security description