Chujiao Ma

Cybersecurity researcher passionate about making security simple, actionable and accessible. Proponent of secure by design. My work bridges the gap between academia and industry to help realize innovative solutions, turning research papers into products and practices.

PhD in Computer Science & Engineering from the University of Connecticut. Bachelor's degree in Electrical and Computer Engineering from Franklin W. Olin College of Engineering. Privacy Engineering certificate from Carnegie Mellon University. Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals. My interests range from crypto agility for post-quantum cryptography and open source security to privacy tools and data protection. You can contact me on LinkedIn.

In addition to the same interests most people have such as traveling, cooking, music and art, I also enjoy more whimsical things like math jokes and maintaining a playlist of Kpop songs about food.

a sampler of my work


Open-Source Security

Open-source code is something that everyone uses. However, its security is often assumed rather than verified. This can lead to open source supply chain issues and breaches such as log4j. The onus of ensuring the security of open-source code often falls upon the users. What can we do about it?

Talks & Publications:

Chujiao Ma, Vaibhav Garg. Hidden Risk of Unpopularity in Open Source. SCTE, 2021. Link

Chujiao Ma, Matthew Bosack, Wendy Rothschell, Noopur Davis, Vaibhav Garg. Wanted Hacked or Patched: Bug Bounties for Third Party Open-Source Software Components. ;Login: Usenix Publication, 2022. Link

Chujiao Ma. Wanted Hacked or Patched: Bug Bounties for Third Party Open-Source Software Components. BrightTALK Webinar, 2022. Link

Chujiao Ma. To Everyone It Does Concern: Bug Bounties for Third Party Open-Source Libraries. SOSS Community Day – North America, 2024. Link

(Panelist) Chujiao Ma. Discover Yourself through Open Source Software Security. Grace Hopper, 2024. Link


Crypto-agility & Quantum

Changes in cryptography are inevitable. However, updating our infrastructure to support that change is not so simple. We proposed the Crypto Agility Risk Assessment Framework as a way to approach such transitions in an optimized manner, especially for post-quantum cryptography.

The availability of a usable quantum computer can render most of our public key cryptography vulnerable. NIST has already published the finalists from the post-quantum cryptography competition, and they will most likely be required in the near future. What do we need to do about it right now?

Talks & Publications:

Chujiao Ma, Luis Colon, Joe Dera, Bahman Rashidi, Vaibhav Garg. CARAF: Crypto Agility Risk Assessment Framework. Journal of Cybersecurity, Volume 7, Issue 1, 2021. Link

Chujiao Ma. Crypto Agility: Adapting and Prioritizing Security in a Fast-Paced World. LISA'21, Usenix Association, 2021. Link

Chujiao Ma. Post-Quantum Cryptography: What Executives Should Know. Executive Women Forum Annual Conference, 2021.

Chujiao Ma, Vaibhav Garg. Navigating the Transition to a Post-Quantum World. SCTE, 2021. Link


Automating privacy

Privacy has become an important area of concern in the past few years. Unlike security, privacy focuses more on the context and usage of data. Processes and countermeasures for privacy should be separated from, but can be complementary to, those for security. My work in this area has been internal to Comcast thus far, from the creation of de-identification guidelines to driving adoption of privacy tools for developers and developing privacy training to help shift privacy left.