{"title":"Organizational Patterns for Security and Dependability: From Design to Application","authors":"Y. Asnar, F. Massacci, Ayda Saïdane, C. Riccucci, M. Felici, A. Tedeschi, P. Khoury, Keqin Li, Magali Seguran, Nicola Zannone","doi":"10.4018/JSSE.2011070101","DOIUrl":"https://doi.org/10.4018/JSSE.2011070101","url":null,"abstract":"Designing secure and dependable IT systems requires a deep analysis of organizational as well as social aspects of the environment where the system will operate. Domain experts and analysts often face security and dependability S&D issues they have already encountered before. These concerns require the design of S&D patterns to facilitate designers when developing IT systems. This article presents the experience in designing S&D organizational patterns, which was gained in the course of an industry lead EU project. The authors use an agent-goal-oriented modeling framework i.e., the SI* framework to analyze organizational settings jointly with technical functionalities. This framework can assist domain experts and analysts in designing S&D patterns from their experience, validating them by proof-of-concept implementations, and applying them to increase the security level of the system.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"35 1","pages":"1-22"},"PeriodicalIF":0.0,"publicationDate":"2011-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90678062","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Building Secure Software Using XP","authors":"W. Al-Ahmad","doi":"10.4018/JSSE.2011070104","DOIUrl":"https://doi.org/10.4018/JSSE.2011070104","url":null,"abstract":"Security is an important and challenging aspect that needs to be considered at an early stage during software development. Traditional software development methodologies do not deal with security issues and so there is no structured guidance for security design and development; security is usually an afterthought activity. This paper discusses the integration of XP with security activities based on the CLASP Comprehensive Lightweight Application Security Process methodology. This integration will help developers using XP develop secure software by applying security measures in all phases and activities, thereby minimizing the security vulnerabilities exploited by attackers.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"35 1","pages":"63-76"},"PeriodicalIF":0.0,"publicationDate":"2011-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88171332","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Security Gaps in Databases: A Comparison of Alternative Software Products for Web Applications Support","authors":"Afonso Araújo Neto, M. Vieira","doi":"10.4018/JSSE.2011070103","DOIUrl":"https://doi.org/10.4018/JSSE.2011070103","url":null,"abstract":"When deploying database-centric web applications, administrators should pay special attention to database security requirements. Acknowledging this, Database Management Systems DBMS implement several security mechanisms that help Database Administrators DBAs making their installations secure. However, different software products offer different sets of mechanisms, making the task of selecting the adequate package for a given installation quite hard. This paper proposes a methodology for detecting database security gaps. This methodology is based on a comprehensive list of security mechanisms derived from widely accepted security best practices, which was used to perform a gap analysis of the security features of seven software packages composed by widely used products, including four DBMS engines and two Operating Systems OS. The goal is to understand how much each software package helps developers and administrators to actually accomplish the security tasks that are expected from them. Results show that while there is a common set of security mechanisms that is implemented by most packages, there is another set of security tasks that have no support at all in any of the packages.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"61 1","pages":"42-62"},"PeriodicalIF":0.0,"publicationDate":"2011-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91304041","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Secure by Design: Developing Secure Software Systems from the Ground Up","authors":"H. Mouratidis, Miao Kang","doi":"10.4018/JSSE.2011070102","DOIUrl":"https://doi.org/10.4018/JSSE.2011070102","url":null,"abstract":"This paper describes results and reflects on the experience of engineering a secure web based system for the pre-employment screening domain. In particular, the paper presents results from a Knowledge Transfer Partnership KTP project between the School of Computing, IT and Engineering at the University of East London and the London-based award winning pre-employment company Powerchex Ltd. The Secure Tropos methodology, which is based on the principle of secure by design, has been applied to the project to guide the development of a web based system to support employment reference and background checking specifically for the financial services industry. Findings indicate the potential of the methodology for the development of secure web based systems, and support the argument of incorporating security considerations from the early stages of the software development process, i.e., the idea of secure by design. The developed system was tested by a third, independent to the project, party using a well known method of security testing, i.e., penetration testing, and the results provided did not indicate the presence of any major security problems. The experience and lessons learned by the application of the methodology to an industrial setting are also discussed in the paper.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"11 1","pages":"23-41"},"PeriodicalIF":0.0,"publicationDate":"2011-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83418777","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Analysis of ANSI RBAC Support in EJB","authors":"W. Darwish, K. Beznosov","doi":"10.4018/JSSE.2011040102","DOIUrl":"https://doi.org/10.4018/JSSE.2011040102","url":null,"abstract":"This paper analyzes access control mechanisms of the Enterprise Java Beans EJB architecture and defines a configuration of the EJB protection system in a more precise and less ambiguous language than the EJB 3.0 standard. Using this configuration, the authors suggest an algorithm that formally specifies the semantics of authorization decisions in EJB. The level of support is analyzed for the American National Standard Institute's ANSI specification of Role-Based Access Control RBAC components and functional specification in EJB. The results indicate that the EJB specification falls short of supporting even Core ANSI RBAC. EJB extensions dependent on the operational environment are required in order to support ANSI RBAC required components. Other vendor-specific extensions are necessary to support ANSI RBAC optional components. Fundamental limitations exist, however, due to the impracticality of some aspects of the ANSI RBAC standard itself. This paper sets up a framework for assessing implementations of ANSI RBAC for EJB systems.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"15 1","pages":"25-52"},"PeriodicalIF":0.0,"publicationDate":"2011-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87212852","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ell Secure Information System Using Modal Logic Technique","authors":"Y. Bai, K. Khan","doi":"10.4018/JSSE.2011040104","DOIUrl":"https://doi.org/10.4018/JSSE.2011040104","url":null,"abstract":"In this paper, the authors propose a formal logic technique to protect information systems. As the widespread use of computer systems grows, the security of the information stored in such systems has become more important. As a security mechanism, authorization or access control ensures that all accesses to the system resources occur exclusively according to the access policies and rules specified by the system security agent. Authorization specification has been widely studied and a variety of approaches have been investigated. The authors propose a formal language with modal logic to specify the system security policies. The authors also provide the reasoning in response to system access requests, especially in situations where the security agent's knowledge base is incomplete. The semantics of this language is provided by translating it into epistemic logic program in which knowledge related modal operators are employed to represent agents' knowledge in reasoning. The authors demonstrate how this approach handles the situation where the security agent's knowledge on access decision is incomplete. The proposed mechanism effectively prevents unauthorized and malicious access to information systems.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"15 1","pages":"65-76"},"PeriodicalIF":0.0,"publicationDate":"2011-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88792151","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Using Executable Slicing to Improve Rogue Software Detection Algorithms","authors":"Jan Durand, Juan Flores, T. Atkison, Nicholas A. Kraft, Randy K. Smith","doi":"10.4018/JSSE.2011040103","DOIUrl":"https://doi.org/10.4018/JSSE.2011040103","url":null,"abstract":"This paper describes a research effort to use executable slicing as a pre-processing aid to improve the prediction performance of rogue software detection. The prediction technique used here is an information retrieval classifier known as cosine similarity that can be used to detect previously unknown, known or variances of known rogue software by applying the feature extraction technique of randomized projection. This paper provides direction in answering the question of is it possible to only use portions or subsets, known as slices, of an application to make a prediction on whether or not the software contents are rogue. This research extracts sections or slices from potentially rogue applications and uses these slices instead of the entire application to make a prediction. Results show promise when applying randomized projections to cosine similarity for the predictions, with as much as a 4% increase in prediction performance and a five-fold decrease in processing time when compared to using the entire application.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"11 1","pages":"53-64"},"PeriodicalIF":0.0,"publicationDate":"2011-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76088874","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Integrating Patient Consent in e-Health Access Control","authors":"Kim Wuyts, R. Scandariato, G. Verhenneman, W. Joosen","doi":"10.4018/JSSE.2011040101","DOIUrl":"https://doi.org/10.4018/JSSE.2011040101","url":null,"abstract":"Many initiatives exist that integrate e-health systems on a large scale. One of the main technical challenges is access control, although several frameworks and solutions, like XACML, are becoming standard practice. Data is no longer shared within one affinity domain but becomes ubiquitous, which results in a loss of control. As patients will be less willing to participate without additional control strategies, patient consents are introduced that allow the patients to determine precise access rules on their medical data. This paper explores the consequences of integrating consent in e-health access control. First, consent requirements are examined, after which an architecture is proposed which incorporates patient consent in the access control service of an e-health system. To validate the proposed concepts, a proof-of-concept implementation is built and evaluated.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"1 1","pages":"1-24"},"PeriodicalIF":0.0,"publicationDate":"2011-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84052834","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Systematic Empirical Analysis of Forging Fingerprints to Fool Biometric Systems","authors":"C. Schwarzl, E. Weippl","doi":"10.4018/JSSE.2011010103","DOIUrl":"https://doi.org/10.4018/JSSE.2011010103","url":null,"abstract":"This paper serves to systematically describe the attempts made to forge fingerprints to fool biometric systems and to review all relevant publications on forging fingerprints to fool sensors. The research finds that many of the related works fail in this aspect and that past successes could not be repeated. First, the basics of biometrics are explained in order to define the meaning of the term security in this special context. Next, the state of the art of biometric systems is presented, followed by to the topic of security of fingerprint scanners. For this, a series of more than 30,000 experiments were conducted to fool scanners. The authors were able to reproduce and keep records of each single step in the test and to show which methods lead to the desired results. Most studies on this topic exclude a number of steps in producing a fake finger and fooling a fingerprint scanner are not explained, which means that some of the studies cannot be replicated. In addition, the authors' own ideas and slight variations of existing experiment set-ups are presented.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"24 1","pages":"40-83"},"PeriodicalIF":0.0,"publicationDate":"2011-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86112082","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Formal Language for XML Authorisations Based on Answer Set Programming and Temporal Interval Logic Constraints","authors":"Sean Policarpio, Yan Zhang","doi":"10.4018/JSSE.2011010102","DOIUrl":"https://doi.org/10.4018/JSSE.2011010102","url":null,"abstract":"The Extensible Markup Language is susceptible to security breaches because it does not incorporate methods to protect the information it encodes. This work focuses on the development of a formal language that can provide role-based access control to information stored in XML formatted documents. This language has the capacity to reason whether access to an XML document should be allowed. The language, AxmlT, allows for the specification of authorisations on XML documents and distinguishes itself from other research with the inclusion of temporal interval reasoning and the XPath query language.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"12 1","pages":"22-39"},"PeriodicalIF":0.0,"publicationDate":"2011-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90183840","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}