Categorization of Security Design Patterns

Strategies for software development often slight security-related considerations, due to the difficulty of developing realizable requirements, identifying and applying appropriate techniques, and teaching secure design. This work describes a three-part strategy for addressing these concerns. Part 1 provides detailed questions, derived from a two-level characterization of system security based on work by Chung et. al., to elicit precise requirements. Part 2 uses a novel framework for relating this characterization to previously published strategies, or patterns, for secure software development. Included case studies suggest the framework\u27s effectiveness, involving the application of three patterns for secure design (Limited View, Role-Based Access Control, Secure State Machine) to a production system for document management. Part 3 presents teaching modules to introduce patterns into lower-division computer science courses. Five modules, integer over ow, input validation, HTTPS, les access, and SQL injection, are proposed for conveying an aware of security patterns and their value in software development

OWASP Framework-based Network Forensics to Analyze the SQLi Attacks on Web Servers

One of dangerous vulnerabilities that attack the web is SQLi. With this vulnerability, someone can obtain user data information, then change and delete that data. The solution to this attack problem is that the design website must improve security by paying attention to input validation and installing a firewall. This study's objective is to use network forensic tools to examine the designlink website's security against SQLi attacks, namely Whois, SSL Scan, Nmap, OWASP Zap, and SQL Map. OWASP is the framework that is employed; it is utilized for web security testing. According to the research findings, there are 14 vulnerabilities in the design website, with five medium level, seven low level, and two informational level. When using SQL commands with the SQL Map tool to get username and password information on its web server design. The OWASP framework may be used to verify the security of websites against SQLi attacks using network forensic tools, according to the study's findings. So that information about the vulnerabilities found on the website can be provided. The results of this study contribute to forensic network knowledge against SQLi attacks using the OWASP framework as well as for parties involved in website security

Secure Encoded Instruction Graphs for End-to-End Data Validation in Autonomous Robots

As autonomous robots become increasingly ubiquitous, more attention is being paid to the security of robotic operation. Autonomous robots can be seen as cyber-physical systems that transverse the virtual realm and operate in the human dimension. As a consequence, securing the operation of autonomous robots goes beyond securing data, from sensor input to mission instructions, towards securing the interaction with their environment. There is a lack of research towards methods that would allow a robot to ensure that both its sensors and actuators are operating correctly without external feedback. This paper introduces a robotic mission encoding method that serves as an end-to-end validation framework for autonomous robots. In particular, we put our framework into practice with a proof of concept describing a novel map encoding method that allows robots to navigate an objective environment with almost-zero a priori knowledge of it, and to validate operational instructions. We also demonstrate the applicability of our framework through experiments with real robots for two different map encoding methods. The encoded maps inherit all the advantages of traditional landmark-based navigation, with the addition of cryptographic hashes that enable end-to-end information validation. This end-to-end validation can be applied to virtually any aspect of robotic operation where there is a predefined set of operations or instructions given to the robot

DETECTING APPLICATION ANOMALIES: MACHINE LEARNING APPROACH

In the modern era, world has completely relied on software technology. As software applications became highly demanded, security concerns have arrived. Application security has become one of the chief concerns where companies have to protect their systems from vulnerabilities. Various other securities include mobile or end-point security, operation system security and network security. All these security categories are intended to protect their users and clients from the malicious intents and hackers. Application security became a prime requirement. Security risks of the applications are enveloped and lead to direct threat to the available business. All the application vulnerabilities take the advantage to compromise the software application security. Once a flaw is been found and private data access is determined, attacker will have capability to exploit the software application vulnerability to facilitate cyber crimes. The confidentiality of the data, availability and integrity of resources are targeted by the cyber crimes (“What is Application Security?” 2019). Overall, more than 13% of the reviewed sites were compromised with the web application security vulnerabilities and they are not completely extinct even with the traditional security methodologies (Application Security Vulnerability, 2014). In order to resolve these numerous common security issues, few of the detection, remediation and prevention techniques are to be used which includes defensive programming, sophisticated input validation, dynamic checks, and static source code analysis. In this paper, runtime environment framework is been introduced. This research study extracted few publications. All the publications considered various approaches to resolve the issue. In this research paper framework, machine learning is utilized to train and predict the output. Firstly, a sample java code is executed in various CPU cores and the generated output files are collected. These output files are then used to train machine learning. Machine learning results are then compared with actual output for decision statement

Some security issues for web based frameworks

This report investigates whether a vulnerability found in one web framework may be used to find a vulnerability in a different web framework. To test this hypothesis, several open source applications were installed in a secure test environment together with security analysis tools. Each one of the applications were developed using a different software framework. The results show that a vulnerability identified in one framework can often be used to find similar vulnerabilities in other frameworks. Crosssite scripting security issues are the most likely to succeed when being applied to more than one framework

Vulnerability anti-patterns:a timeless way to capture poor software practices (Vulnerabilities)

There is a distinct communication gap between the software engineering and cybersecurity communities when it comes to addressing reoccurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that are created by software developers. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs), software developers perceiving security as an afterthought, and lack of consideration of security as part of the software development lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge. The cybersecurity community makes their expert knowledge available in forms including vulnerability databases such as CAPEC and CWE, and pattern catalogues such as Security Patterns, Attack Patterns, and Software Fault Patterns. However, these sources are not effective at providing software developers with an understanding of how malicious hackers can exploit vulnerabilities in the software systems they create. As developers are familiar with pattern-based approaches, this paper proposes the use of Vulnerability Anti-Patterns (VAP) to transfer usable vulnerability knowledge to developers, bridging the communication gap between security experts and software developers. The primary contribution of this paper is twofold: (1) it proposes a new pattern template – Vulnerability Anti-Pattern – that uses anti-patterns rather than patterns to capture and communicate knowledge of existing vulnerabilities, and (2) it proposes a catalogue of Vulnerability Anti-Patterns (VAP) based on the most commonly occurring vulnerabilities that software developers can use to learn how malicious hackers can exploit errors in software

Uniform: The Form Validation Language

Digital forms are becoming increasingly more prevalent but the ease of creation is not. Web Forms are difficult to produce and validate. This design project seeks to simplify this process. This project is comprised of two parts: a logical programming language (Uniform) and a web application. Uniform is a language that allows its users to define logical relationships between web elements and apply simple rules to individual inputs to both validate the form and manipulate its components depending on user input. Uniform provides an extra layer of abstraction to complex coding. The web app implements Uniform to provide business-level programmers with an interface to build and manage forms. Users will create form templates, manage form instances, and cooperatively complete forms through the web app. Uniform’s development is ongoing, it will receive continued support and is available as open-source. The web application is software owned and maintained by HP Inc. which will be developed further before going to market

Analysis and evaluation of SafeDroid v2.0, a framework for detecting malicious Android applications

Android smartphones have become a vital component of the daily routine of millions of people, running a plethora of applications available in the official and alternative marketplaces. Although there are many security mechanisms to scan and filter malicious applications, malware is still able to reach the devices of many end-users. In this paper, we introduce the SafeDroid v2.0 framework, that is a flexible, robust, and versatile open-source solution for statically analysing Android applications, based on machine learning techniques. The main goal of our work, besides the automated production of fully sufficient prediction and classification models in terms of maximum accuracy scores and minimum negative errors, is to offer an out-of-the-box framework that can be employed by the Android security researchers to efficiently experiment to find effective solutions: the SafeDroid v2.0 framework makes it possible to test many different combinations of machine learning classifiers, with a high degree of freedom and flexibility in the choice of features to consider, such as dataset balance and dataset selection. The framework also provides a server, for generating experiment reports, and an Android application, for the verification of the produced models in real-life scenarios. An extensive campaign of experiments is also presented to show how it is possible to efficiently find competitive solutions: the results of our experiments confirm that SafeDroid v2.0 can reach very good performances, even with highly unbalanced dataset inputs and always with a very limited overhead

Static Taint Analysis via Type-checking in TypeScript

With the widespread use of web applications across the globe, and the ad- vancements in web technologies in recent years, these applications have grown more ubiquitous and sophisticated than ever before. Modern web applications face the constant threat of numerous web security risks given their presence on the internet and the massive influx of data from external sources. This paper presents a novel method for analyzing taint through type-checking and applies it to web applications in the context of preventing online security threats. The taint analysis technique is implemented in TypeScript using its built-in type-checking features, and then integrated into a web application developed using the React web framework. This web application is then validated against different types of injection attacks. The results of the validation show that taint analysis is an effective means to prevent pervasive online attacks, such as eval injection, cross-site scripting (XSS), and SQL injection in web applications. Considering that our proposed taint analysis technique can be implemented using existing type-checking features of TypeScript, it can be quickly adopted by developers to add taint analysis into their applications with no performance overhead. With the large number of web applications developed in TypeScript, the widespread adoption of our technique can help prevent cyberattacks and protect the online community from potential harm. By combining taint analysis with other secure web practices, such as input validation, application developers can strengthen the overall security of web applications