The Infona portal uses cookies, i.e. strings of text saved by a browser on the user's device. The portal can access those files and use them to remember the user's data, such as their chosen settings (screen view, interface language, etc.), or their login data. By using the Infona portal the user accepts automatic saving and using this information for portal operation purposes. More information on the subject can be found in the Privacy Policy and Terms of Service. By closing this window the user confirms that they have read the information on cookie usage, and they accept the privacy policy and the way cookies are used by the portal. You can change the cookie settings in your browser.
With a growing amount of transferred data in an interconnected world, the insurance of a secure communication between two peers becomes a critical task in the software industry. A leak of critical data can cause tremendous costs in a financial, social but also political manner. For this sake, cryptographic protocols are implemented and regulate the data transfer, thus ensuring the safety of transferred...
In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection...
Continuous security certification of software-as-a-service (SaaS) aims at continuously, i.e. repeatedly and automatically validating whether a SaaS application adheres to a set of security requirements. Since SaaS applications make heavy use of web application technologies, checking security requirements with the help of web application testing techniques seems evident. However, these techniques mainly...
With the continuous and rapid increase in quantity and diversity of Smartphone application usage, the storage of sensitive personal and even financial information of the users is also being augmented. It creates motivation for developers of malicious applications to put more effort on discovering ways to identify and exploit the vulnerabilities of utility applications and grab the sensitive information...
Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem. In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent,...
Due to the still increasing interconnectedness of systems it is very much important to further strengthen activities towards assuring security requirements of those systems. Quality assurance methods like coding guidelines with a focus on security related issues, and static analysis tools are necessary but not sufficient because of the fact that security is a system property. Therefore, it is important...
For the purpose of security of the computer systems, organizations now a days plan a lot of things like firewalls, network scanning tools, secure sockets layer (SSL) etc. However security bugs present at the application layer (code level) caused by unawareness or mistakes of the developers are usually ignored. Such security bugs can lead to unauthorized privileges on a computer system. For example...
The intent mechanism is a powerful feature of the Android platform that helps compose existing components together to build a Mobile application. However, hackers can leverage the intent messaging to extract personal data or to call components without credentials by sending malicious intents to components. This paper tackles this issue by proposing a security testing method which aims at detecting...
This paper describes best practices for the security evaluation of biometric systems. This type of evaluation has been addressed in several documents. However, not all of these documents describe the complete evaluation methodology, or are focused on biometrics or do propose clear testing procedures. Therefore, this work defines the most proper way to carry out this evaluation methodology considering...
Security testing still is a hard task, especially if focusing on non-functional security testing. The two main reasons behind this are, first, at the most a lack of the necessary knowledge required for security testing, second, managing the almost infinite amount of negative test cases, which result from potential security risks. To the best of our knowledge, the issue of the automatic incorporation...
Testing for security related issues is an important task of growing interest due to the vast amount of applications and services available over the internet. In practice testing for security often is performed manually with the consequences of higher costs, and no integration of security testing with today's agile software development processes. In order to bring security testing into practice, many...
Software security is no longer just a problem for software designers, developers and testers. Almost all the white-collar crimes are based on computer security. Many research papers are published on static code analysis, dynamic code analysis and software development design time security issues. This paper proposes a framework for testing security vulnerabilities based on publicly known security vulnerabilities...
Stuxnet event in 2010 causes the intense attention all over the world about information security problems of industrial control systems, how to assure the security of industrial control systems has become a hot topic both in the industry sectors and in academic community. In this paper, we focus on security testing of industrial control devices. We first review the existing security certifications...
Network services face various security challenges such as targeted attacks exploiting security vulnerabilities. Fuzz testing plays an important role in security testing of network service. However, current fuzzing approaches focus on protocol syntax and packet structure, more than multi-phase behavioral interactions between client and server of network service. This paper presents a model-based behavioral...
Today's ongoing trend towards intense usage of web service based applications in daily business and everybody's daily life poses new challenges for security testing. Additionally, such applications mostly not execute in their own runtime environment but instead are deployed in some data center, run alongside multiple other applications, and serve different purposes for sundry user domains with diverging...
Due to extensive use of various network services and web based applications and heterogeneous organizational security requirements, enterprise network configuration is becoming very complex that imposes high operational workload on both regular and experienced administrators. This complexity extensively reduces overall network assurability and usability which in turn make the network vulnerable to...
Fuzz testing or fuzzing is interface robustness testing by stressing the interface of a system under test (SUT) with invalid input data. It aims at finding security-relevant weaknesses in the implementation that may result in a crash of the system-under-test or anomalous behavior. Fuzzing means sending invalid input data to the SUT, the input space is usually huge. This is also true for behavioral...
We propose a novel approach that merges implied scenarios and race condition analysis techniques, to systematically detect and analyse security-related vulnerabilities at the architectural level. We apply our approach to an industrial case related to architecting systems interfacing the cloud. The application demonstrates an effective use of the approach, where the approach has detected securityrelated...
The increased deployment of service centric systems in security critical application contexts poses new challenges to properly test such a system's security. If taking a closer look at the inherent complexity of such applications, sophisticated approaches to testing security are indispensable. In our paper we propose a novel model -- based methodology for the risk -- driven security testing of service...
Set the date range to filter the displayed results. You can set a starting date, ending date or both. You can enter the dates manually or choose them from the calendar.