A method to implement traceability and provability on a particular project in software development based on blockchain-recorded transactions of assigned developer time, the method comprising of the following steps: setting up a blockchain network comprised of a distributed, redundant, and tamper-resistant ledger; issuing each user an attestable pre-fabricated and signed virtualized environment on approved hardware that comes with functionality required for the user's role implemented as one of a set of virtual machine templates fashioned from a signed and approved pre-fabricated image; and verifying that assigned developer time is valid, and if so, record each development action on the ledger to enable extensive tracking and auditing of end- to-end software development process.

A method to implement traceability and provability on a particular project in software development based on blockchain-recorded transactions of assigned developer time, the method comprising of the following steps: setting up a blockchain network comprised of a distributed, redundant, and tamper-resistant ledger; issuing each user an attestable pre-fabricated and signed virtualized environment on approved hardware that comes with functionality required for the user's role implemented as one of a set of virtual machine templates fashioned from a signed and approved pre-fabricated image; and verifying that assigned developer time is valid, and if so, record each development action on the ledger to enable extensive tracking and auditing of end- to-end software development process.

Systems and methods including a framework for migration of live data. The method may comprised, by one or more hardware processors executing program instructions, receiving, at a migration proxy of the framework, code for reading data and writing data compatible with each of a plurality of states of a migration of data in a data store, wherein a service is at least intermittently reading data from and writing data to the data store; determining, by a migration runner of the framework, to perform the migration of the data; initiating, by the migration runner, the migration of the data, wherein the migration comprises a plurality of stages; storing, as the migration progresses through the plurality of stages, and at a migration data store of the framework, a current stage of the migration; and during the migration, using the migration proxy to read data from and write data to the data store.

In some examples, a system receives first measurements of data items used by a build server in building an executable program, the data items copied from a data repository to a storage partition that is separate from the data repository, and the storage partition to store the data items relating to building the executable program by the build server. The system determines, based on the first measurements and according to a policy specified for the storage partition, whether a corruption of the data items used by the build server in building the executable program has occurred.

In some examples, a system receives first measurements of data items used by a build server in building an executable program, the data items copied from a data repository to a storage partition that is separate from the data repository, and the storage partition to store the data items relating to building the executable program by the build server. The system determines, based on the first measurements and according to a policy specified for the storage partition, whether a corruption of the data items used by the build server in building the executable program has occurred.

A method, apparatus and computer program product for automated security policy synthesis and use in a container environment. In this approach, a binary analysis of a program associated with a container image is carried out within a binary analysis platform. During the binary analysis, the program is micro-executed directly inside the analysis platform to generate a graph that summarizes the program's expected interactions within the run-time container environment. The expected interactions are identified by analysis of one or more system calls and their arguments found during micro-executing the program. Once the graph is created, a security policy is then automatically synthesized from the graph and instantiated into the container environment. The policy embeds at least one system call argument. During run-time monitoring of an event sequence associated with the program executing in the container environment, an action is taken when the event sequence is determined to violate the security policy.

A computer-implemented method for building socket transferring between containers in cloud-native environments by using kernel tracing techniques is provided including probing a connection-relevant system call event by using an eBPF to collect and filter data at a router, creating a mirror call at a host namespace with a dummy server and dummy client by creating the dummy server with mirror listening parameters, sending a server host address mapping to overlay the server host address to the client coordinator in an overlay process, and creating and connecting the dummy client to return a client host address to the server coordinator. The method further includes transferring mirror connections to the overlay process via a forwarder by temporary namespaces entering and injecting socket system calls and probing a transfer call event to map an overlay socket with a transferred dummy socket to activate duplication when the overlay socket is not locked.

Aspects of the subject disclosure may include, for example, identifying a request to install a guest virtual machine on a physical host; identifying a UUID of the physical host; generating a virtual machine reference value; defining a modified UUID of the guest virtual machine comprising the UUID of the physical host and the virtual machine reference value; and assigning the modified UUID to the guest virtual machine, the physical host being identifiable via the modified UUID of the guest virtual machine. Other embodiments are disclosed.

Aspects of the disclosure relate to a relay-switch device that includes at least one sandbox to detect, isolate, and remove any discovered malware or cyber threat. In an embodiment, data is received, saved, and inspected in the at least one sandbox of the relay-switch device. A control layer manages network connectivity so that only home organization network connections or external party network connections are connected at given moment in time.

Aspects of the disclosure relate to a relay-switch device that includes at least one sandbox to detect, isolate, and remove any discovered malware or cyber threat. In an embodiment, data is received, saved, and inspected in the at least one sandbox of the relay-switch device. A control layer manages network connectivity so that only home organization network connections or external party network connections are connected at given moment in time.