{"title":"Information Theoretic XSS Attack Detection in Web Applications","authors":"H. Shahriar, Sarah North, Wei-Chuen Chen, Edward Mawangi","doi":"10.4018/IJSSE.2014070101","DOIUrl":"https://doi.org/10.4018/IJSSE.2014070101","url":null,"abstract":"Cross-Site Scripting (XSS) has been ranked among the top three vulnerabilities over the last few years. An XSS vulnerability allows an attacker to inject arbitrary JavaScript code that can be executed in the victim's browser to cause unwanted behaviors and security breaches. Despite the presence of many mitigation approaches, the discovery of XSS is still widespread among today's web applications. As a result, there is a need to improve existing solutions and to develop novel attack detection techniques. This paper proposes a proxy-level XSS attack detection approach based on a popular information-theoretic measure known as Kullback-Leibler Divergence (KLD). Legitimate JavaScript code present in an application should remain similar or very close to the JavaScript code present in a rendered web page. A deviation between the two can be an indication of an XSS attack. This paper applies a back-off smoothing technique to effectively detect the presence of malicious JavaScript code in response pages. The proposed approach has been applied to a number of open-source PHP web applications containing XSS vulnerabilities. The initial results show that the approach can effectively detect XSS attacks and suffers from a low false positive rate through proper choice of threshold values of KLD. Further, the performance overhead has been found to be negligible.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"13 1","pages":"1-15"},"PeriodicalIF":0.0,"publicationDate":"2014-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82280266","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Meta-Modeling Based Secure Software Development Processes","authors":"Mehrez Essafi, H. Ghézala","doi":"10.4018/IJSSE.2014070104","DOIUrl":"https://doi.org/10.4018/IJSSE.2014070104","url":null,"abstract":"This work suggests a multilevel support to software developers, who often lack knowledge and skills on how to proceed to develop secure software. In fact, developing software with such quality is a hard and complex task that involves many additional security-dedicated activities which are usually omitted in traditional software development lifecycles or integrated but not efficiently and appropriately deployed in some others. To federate all these software security-assurance activities in a structured way and provide the required guidelines for choosing and using them in a flexible development process, the authors used meta-modeling techniques and dynamic process execution that consider the developer's affinities and the product's states. The proposed approach formalizes existing secure software development processes, allows integration of new ones, prevents ad-hoc executions and is supported by a tool to facilitate its deployment. A case study is given here to exemplify the application of the proposed approach and to illustrate some of its advantages.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"28 1","pages":"56-74"},"PeriodicalIF":0.0,"publicationDate":"2014-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82886416","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Secure Software Development Assimilation: Effects of External Pressures and Roles of Internal Factors","authors":"Mingqiu Song, Donghao Chen, E. Mkoba","doi":"10.4018/ijsse.2014070103","DOIUrl":"https://doi.org/10.4018/ijsse.2014070103","url":null,"abstract":"Drawing upon institutional theory, this article develops an extended model to test and verify the effects of external institutional pressures on Secure Software Development (SSD) assimilation and the roles of internal critical factors. The empirical results are based on 86 survey responses from respondents of related organizations in the United Kingdom, Hong Kong, and Mainland China who have related project experience with SSD. Results from partial least squares (PLS) analysis suggest that both mimetic and coercive pressures have indirect effects on SSD assimilation with the distal mediation of top management. Normative pressures positively affect SSD assimilation with the full mediation of the secure software champion. Results also suggest that the secure software champion plays another partial mediation between top management participation and SSD assimilation. This paper highlights the important role of the secure software champion for its dually mediating effects on both external and internal forces during the SSD assimilation process.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"72 1","pages":"32-55"},"PeriodicalIF":0.0,"publicationDate":"2014-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86266441","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Design Churn as Predictor of Vulnerabilities?","authors":"A. Hovsepyan, R. Scandariato, Maximilian Steff, W. Joosen","doi":"10.4018/ijsse.2014070102","DOIUrl":"https://doi.org/10.4018/ijsse.2014070102","url":null,"abstract":"This paper evaluates a metric suite to predict vulnerable Java classes based on how much the design of an application has changed over time. It refers to this concept as design churn in analogy with code churn. Based on a validation on 10 Android applications, it shows that several design churn metrics are in fact significantly associated with vulnerabilities. When used to build a prediction model, the metrics yield an average precision of 0.71 and an average recall of 0.27.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"14 1","pages":"16-31"},"PeriodicalIF":0.0,"publicationDate":"2014-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80390082","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Threat Analysis in Goal-Oriented Security Requirements Modelling","authors":"P. H. Meland, E. Paja, Erlend Andreas Gjære, S. Paul, F. Dalpiaz, P. Giorgini","doi":"10.4018/IJSSE.2014040101","DOIUrl":"https://doi.org/10.4018/IJSSE.2014040101","url":null,"abstract":"Goal and threat modelling are important activities of security requirements engineering: goals express why a system is needed, while threats motivate the need for security. Unfortunately, existing approaches mostly consider goals and threats separately, and thus neglect the mutual influence between them. In this paper, the authors address this deficiency by proposing an approach that extends goal modelling with threat modelling and analysis. The authors show that this effort is not trivial and that a trade-off between visual expressiveness, usability and usefulness has to be considered. Specifically, the authors integrate threat modelling with the socio-technical security modelling language (STS-ml), introduce automated analysis techniques that propagate threats in the combined models, and present tool support that enables reuse of threats facilitated by a threat repository. The authors illustrate their approach on a case study from the Air Traffic Management (ATM) domain, from which they extract some practical challenges. The authors conclude that threats provide a useful foundation and justification for the security requirements that the authors derive from goal modelling, but this should not be considered a replacement for risk assessment. The usage of goals and threats early in the development process allows raising awareness of high-level security issues that occur regardless of the chosen technology and organizational processes.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"56 1","pages":"1-19"},"PeriodicalIF":0.0,"publicationDate":"2014-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88518927","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Structured Method for Security Requirements Elicitation concerning the Cloud Computing Domain","authors":"Kristian Beckers, Isabelle Côté, Ludger Goeke, Selim Güler, M. Heisel","doi":"10.4018/IJSSE.2014040102","DOIUrl":"https://doi.org/10.4018/IJSSE.2014040102","url":null,"abstract":"Cloud computing systems offer an attractive alternative to traditional IT systems, because of economic benefits that arise from the cloud's scalable and flexible IT resources. The benefits are of particular interest for SMEs. The reason is that using cloud resources allows an SME to focus on its core business rather than on IT resources. However, numerous concerns about the security of cloud computing services exist. Potential cloud customers have to be confident that the cloud services they acquire are secure for them to use. Therefore, they have to have a clear set of security requirements covering their security needs. Eliciting these requirements is a difficult task, because of the number of stakeholders and technical components to consider in a cloud environment. Therefore, the authors propose a structured, pattern-based method that supports eliciting security requirements and selecting security measures. The method guides potential cloud customers to model the application of their business case in a cloud computing context using a pattern-based approach. Thus, a potential cloud customer can instantiate the authors' so-called Cloud System Analysis Pattern. Then, the information of the instantiated pattern can be used to fill out the authors' textual security requirements patterns, as well as individually defined security requirement patterns. The presented method is tool-supported. The tool supports the instantiation of the cloud system analysis pattern and automatically transfers the information from the instance to the security requirements patterns. In addition, the patterns have validation conditions that check, e.g., whether a security requirement refers to at least one element in the cloud. The authors illustrate their method using an online-banking system as a running example.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"21 1","pages":"20-43"},"PeriodicalIF":0.0,"publicationDate":"2014-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85929491","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An Invariant-Based Approach for Detecting Attacks Against Data in Web Applications","authors":"R. Ludinard, Eric Totel, F. Tronel, V. Nicomette, M. Kaâniche, E. Alata, R. Akrout, Yann Bachy","doi":"10.4018/IJSSE.2014010102","DOIUrl":"https://doi.org/10.4018/IJSSE.2014010102","url":null,"abstract":"RRABIDS (Ruby on Rails Anomaly Based Intrusion Detection System) is an application-level intrusion detection system (IDS) for applications implemented with the Ruby on Rails framework. The goal of this intrusion detection system is to detect attacks against data in the context of web applications. This anomaly-based IDS focuses on the modelling of the normal application profile using invariants. These invariants are discovered during a learning phase. Then, they are used to instrument the web application at source code level, so that a deviation from the normal profile can be detected at run-time. This paper illustrates on simple examples how the approach detects well-known categories of web attacks that involve a state violation of the application, such as SQL injections. Finally, an assessment phase is performed to evaluate the accuracy of the detection provided by the proposed approach.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"52 1","pages":"19-38"},"PeriodicalIF":0.0,"publicationDate":"2014-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87143056","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Validation of a Trust Approach in Multi-Organization Environments","authors":"Khalifa Toumi, A. Cavalli, César Andrés","doi":"10.4018/ijsse.2014010101","DOIUrl":"https://doi.org/10.4018/ijsse.2014010101","url":null,"abstract":"A Multi-Organization Environment (MOE) is composed of several players that depend on each other for resources and services. In order to manage the security of the exchange process, the authors introduce the concept of trust. The authors show how adding this aspect of the cooperative work. In particular, the authors provide a framework where the concepts of trust requirement and trust evaluation play important roles for defining trust vectors. These vectors evaluate a set of requirements, under some conditions, and provide a degree of confidence. In the authors' framework they consider two different types of vectors: on the one hand, a vector that relates a user to an organization, and on the other hand, a vector that links two organizations. Different simulations are presented in this paper in order to show this approach. Moreover, the authors show how these vectors are evaluated and shared among the different organizations. Finally, the authors propose a possible architecture to explain how to integrate their trust module in a MOE in order to enhance the security.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"61 1","pages":"1-18"},"PeriodicalIF":0.0,"publicationDate":"2014-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81469581","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Remote E-Voting Using the Smart Card Web Server","authors":"Sheila Cobourne, Lazaros Kyrillidis, K. Mayes, K. Markantonakis","doi":"10.4018/ijsse.2014010103","DOIUrl":"https://doi.org/10.4018/ijsse.2014010103","url":null,"abstract":"Voting in elections is the basis of democracy, but voting at polling stations may not be possible for all citizens. Remote Internet e-voting uses the voter's own equipment to cast votes, but is potentially vulnerable to many common attacks, which affect the election's integrity. Security can be improved by distributing vote processing over many web servers installed in tamper-resistant, secure environments, using the Smart Card Web Server (SCWS) on a mobile phone Subscriber Identity Module (SIM). A generic voting model is proposed, using a SIM/SCWS voting application with standardised Mobile Network Operator (MNO) management procedures to process the votes cast. The e-voting systems Prêt à Voter and Estonian I-voting are used to illustrate the generic model. As the SCWS voting application is used in a distributed processing architecture, e-voting security is enhanced: to compromise an election, an attacker must target many individual mobile devices, rather than a centralised web server.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"100 1","pages":"39-60"},"PeriodicalIF":0.0,"publicationDate":"2014-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80997323","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Performance Evaluation of SHA-2 Standard vs. SHA-3 Finalists on Two Freescale Platforms","authors":"Pal-Stefan Murvay, B. Groza","doi":"10.4018/ijsse.2013100101","DOIUrl":"https://doi.org/10.4018/ijsse.2013100101","url":null,"abstract":"Embedded devices are ubiquitously involved in a large variety of security applications which heavily rely on the computation of hash functions. Roughly, two alternatives for speeding up computations co-exist in these resource-constrained devices: parallel processing and hardware acceleration. Needless to say, multi-core devices are clearly the next step in embedded systems due to clear technological limitations on single processor frequency. Hardware accelerators are long known to be a cheaper approach for costly cryptographic functions. The authors' analysis is focused on the five SHA-3 finalists, which are also contrasted to the previous SHA-2 standard and to the widespread MD5. On the hardware side, the authors deploy their implementations on two platforms from Freescale: a S12X core equipped with an XGATE coprocessor and a Kinetis K60 core equipped with a crypto co-processor. These platforms differ significantly in terms of computational power: the first is based on a 16-bit Freescale proprietary architecture, while the latter relies on a more recent 32-bit Cortex core. The authors' experimental results show mixed performances between the old standard and the new candidates. Some of the new candidates clearly outperform the old standard in terms of both computational speed and memory requirements, while others do not. Bottom line, on the 16-bit platform BLAKE and Grøstl are the top performers, while on the 32-bit platform Keccak, BLAKE and Skein give the best results.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"29 1","pages":"1-24"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85330357","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}