The Infona portal uses cookies, i.e. strings of text saved by a browser on the user's device. The portal can access those files and use them to remember the user's data, such as their chosen settings (screen view, interface language, etc.), or their login data. By using the Infona portal the user accepts automatic saving and using this information for portal operation purposes. More information on the subject can be found in the Privacy Policy and Terms of Service. By closing this window the user confirms that they have read the information on cookie usage, and they accept the privacy policy and the way cookies are used by the portal. You can change the cookie settings in your browser.
Security is often treated as secondary or a non- functional feature of software which influences the approach of vendors and developers when describing their products often in terms of what it can do (Use Cases) or offer customers. However, tides are beginning to change as more experienced customers are beginning to demand for more secure and reliable software giving priority to confidentiality, integrity...
Information flow control (IFC) is useful in preventing information leakage during software execution. Our survey reveals that no IFC model is applied on the entire software development process. Applying an IFC model on the entire software development process offers the following features: (1) viewpoints of all stakeholders (i.e., customers and analysts) can be included and (2) the IFC model helps...
This talk presents results recently published in Software Testing, Verification and Reliability. In recent years, important efforts have been made for offering a dedicated language for modelling and verifying/proving security protocols. However, verifying the security protocol model does not guarantee that the actual implementation of the protocol will fulfil these properties. In this talk we present...
Due to the still increasing interconnectedness of systems it is very much important to further strengthen activities towards assuring security requirements of those systems. Quality assurance methods like coding guidelines with a focus on security related issues, and static analysis tools are necessary but not sufficient because of the fact that security is a system property. Therefore, it is important...
Modern cyber-physical systems place ever-increasing reliance on high-assurance software. Recent high-profile safety and security incidents directly attributable to software point to a failure to develop sufficient assurance of software correctness through verification and validation. While formal methods provide techniques for proving that critical safety and security properties hold for all inputs...
This paper argues about a new conceptual modeling language for the White-Box (WB) security analysis. In the WB security domain, an attacker may have access to the inner structure of an application or even the entire binary code. It becomes pretty easy for attackers to inspect, reverse engineer, and tamper the application with the information they steal. The basis of this paper is the 14 patterns developed...
Modern society depends on the continuing correct operation of software-based systems. Critical infrastructures — including energy, communication, transportation, and finance — all function within powerful and complex computing environments. The dependability of these systems is increasingly threatened by a wide range of adversaries, and increasing investments are being made to provide and assess sufficient...
The Multi-Source Signatures for Nuclear Programs project, part of Pacific Northwest National Laboratory's (PNNL's) Signature Discovery Initiative, seeks to computationally capture expert assessment of multi-type information to assess nuclear activities through a series of Bayesian network (BN) models. Information types may include text, sensor output, imagery, or audio/video files. The BN models incorporate...
This paper deals with an original approach to automate Model-Based Vulnerability Testing (MBVT) for Web applications, which aims at improving the accuracy and precision of vulnerability testing. Today, Model-Based Testing techniques are mostly used to address functional features. The adaptation of such techniques for vulnerability testing defines novel issues in this research domain. In this paper,...
This paper presents my Ph.D. research that focuses on developing concepts and techniques for Model-Based Vulnerability Testing (MBVT) of Web Applications. This research bridges the gap between MBT techniques, which are usually addressed to functional testing, and vulnerability testing, which is mostly done manually or with the assistance of Web Vulnerability Scanners, both techniques having several...
Software vulnerabilities are the root cause of computer security problem. How people can quickly discover vulnerabilities existing in a certain software has always been the focus of information security field. This paper has done research on software vulnerability techniques, including static analysis, Fuzzing, penetration testing. Besides, the authors also take vulnerability discovery models as an...
Probabilistic risk assessment provides a practical approach for assessing the security capabilities of systems. Terrorism risk assessment requires estimation of the probabilities and consequences of hypothetical attacks against a target. In order to address the interdependencies between the different elements present in the target environment we propose to develop a computer-based model. The model...
Security of web-based systems still remains a key challenge for most IT executives, for software is vulnerable at various stages and most severely weakened in the operational environment. In the past, models and tools or even design techniques have been devised to tackle this challenge. But we still see the reemergence of the same security issues that afflict both traditional and modern web-based...
Formal specification is usually employed to avoid ambiguity of security requirements. However, it is hard to assure correctness of this formal model and its conformance with security implementation. In this paper, a framework combining formal verification and security functional testing is proposed to support the correctness and conformance check procedure. Formal requirements are verified following...
Security attacks typically result from unintended behaviors or invalid inputs. Security testing is labor intensive because a real-world program usually has too many invalid inputs. It is highly desirable to automate or partially automate security-testing process. This paper presents an approach to automated generation of security tests by using formal threat models represented as Predicate/Transition...
Nowadays, with the prevalence of Web applications, more and more services and information are available over the Internet while their correctness, security and reliability are often crucial to the success of business and organizations. Web testing is one of the methods to ensure the Web security. However, due to the special characters of Web applications, traditional testing methods are not suitable...
Cloud computing is a new computing model, and security is ranked first among its challenges. This paper reviews existing security monitoring mechanisms compared with new challenges which are caused by this new model. We highlight possible weaknesses in existing monitoring mechanisms, and propose approaches to mitigate them.
In e-government evaluation of the validity of the security system, the testing and evaluation data obtained need synthetic evaluation, which will be influenced by human subjectivity and the results of the testing and evaluation will be affected accordingly. This paper presents an integrated AHP and multi-level fuzzy synthetic evaluation method to quantitative evaluation and analysis of safety data,...
Assuring the security of a software system in terms of testing nowadays still is a quite tricky task to conduct. Security requirements are taken as a foundation to derive tests to be executed against a system under test. Yet, these positive requirements by far do not cover all the relevant security aspects to be considered. Hence, especially in the event of security testing, negative requirements,...
In this paper, we propose a security evaluation model for the web application and define a security evaluation function based on the Analytic Hierarchy Process (AHP) to describe the model. We use the evaluation method proposed by this paper to evaluate the vulnerability test effect of a BBS application named IPB. The experiment result reveals that the evaluation value calculated by the security evaluation...
Set the date range to filter the displayed results. You can set a starting date, ending date or both. You can enter the dates manually or choose them from the calendar.