75,289 research outputs found

    Building in web application security at the requirements stage : a tool for visualizing and evaluating security trade-offs : a thesis presented in partial fulfilment of the requirements for the degree of Master of Information Science in Information Systems at Massey University, Albany, New Zealand

    One dimension of Internet security is web application security. The purpose of this Design-science study was to design, build and evaluate a computer-based tool to support security vulnerability and risk assessment in the early stages of web application design. The tool facilitates risk assessment by managers and helps developers to model security requirements using an interactive tree diagram. The tool calculates residual risk for each component of a web application and for the application overall so developers are provided with better information for making decisions about which countermeasures to implement given limited resources for doing so. The tool supports taking a proactive approach to building in web application security at the requirements stage as opposed to the more common reactive approach of putting countermeasures in place after an attack and loss have been incurred. The primary contribution of the proposed tool is its ability to make known security-related information (e.g. known vulnerabilities, attacks and countermeasures) more accessible to developers who are not security experts and to translate lack of security measures into an understandable measure of relative residual risk. The latter is useful for managers who need to prioritize security spending. Keywords: web application security, security requirements modelling, attack trees, threat trees, risk assessment

    UK security breach investigations report: an analysis of data compromise cases

    This report, rather than relying on questionnaires and self-reporting, concerns cases that were investigated by the forensic investigation team at 7Safe. Whilst removing any inaccuracies arising from self-reporting, the authors acknowledge that the limitation of the sample size remains. It is hoped that the unbiased reporting by independent investigators has yielded interesting facts about modern security breaches. All data in this study is based on genuine completed breach investigations conducted by the compromise investigation team over the last 18 months

    Web development evolution: the business perspective on security

    Protection of data, information, and knowledge is a hot topic in today’s business environment. Societal, legislative and consumer pressures are forcing companies to examine business strategies, modify processes and acknowledge security to accept and defend accountability. Research indicates that a significant portion of the financial losses is due to straightforward software design errors. Security should be addressed throughout the application development process via an independent methodology containing customizable components. The methodology is designed to integrate with an organization’s existing software development processes while providing structure to implement secure applications, helping companies mitigate hard and soft costs.

    Seafloor characterization using airborne hyperspectral co-registration procedures independent from attitude and positioning sensors

    The advance of remote-sensing technology and data-storage capabilities has progressed in the last decade to commercial multi-sensor data collection. There is a constant need to characterize, quantify and monitor the coastal areas for habitat research and coastal management. In this paper, we present work on seafloor characterization that uses hyperspectral imagery (HSI). The HSI data allows the operator to extend seafloor characterization from multibeam backscatter towards land and thus creates a seamless ocean-to-land characterization of the littoral zone

    Developing a global risk engine

    Risk analysis is a critical link in the reduction of casualties and damages due to earthquakes. Recognition of this relation has led to a rapid rise in demand for accurate, reliable and flexible risk assessment software. However, there is a significant disparity between the high quality scientific data developed by researchers and the availability of versatile, open and user-friendly risk analysis tools to meet the demands of end-users. In the past few years several open-source software have been developed that play an important role in the seismic research, such as OpenSHA and OpenSEES. There is however still a gap when it comes to open-source risk assessment tools and software. In order to fill this gap, the Global Earthquake Model (GEM) has been created. GEM is an internationally sanctioned program initiated by the OECD that aims to build independent, open standards to calculate and communicate earthquake risk around the world. This initiative started with a one-year pilot project named GEM1, during which an evaluation of a number of existing risk software was carried out. After a critical review of the results it was concluded that none of the software were adequate for GEM requirements and therefore, a new object-oriented tool was to be developed. This paper presents a summary of some of the most well known applications used in risk analysis, highlighting the main aspects that were considered for the development of this risk platform. The research that was carried out in order to gather all of the necessary information to build this tool was distributed in four different areas: information technology approach, seismic hazard resources, vulnerability assessment methodologies and sources of exposure data. The main aspects and findings for each of these areas will be presented as well as how these features were incorporated in the up-to-date risk engine. 
Currently, the risk engine is capable of predicting human or economical losses worldwide considering both deterministic and probabilistic-based events, using vulnerability curves. A first version of GEM will become available at the end of 2013. Until then the risk engine will continue to be developed by a growing community of developers, using a dedicated open-source platform

    PICES Press, Vol. 21, No. 2, Summer 2013

    • The 2013 Inter-sessional Science Board Meeting: A Note from the Science Board Chairman (pp. 1-4)
    • ICES/PICES Workshop on Global Assessment of the Implications of Climate Change on the Spatial Distribution of Fish and Fisheries (pp. 5-8)
    • PICES participates in a Convention on Biological Diversity Regional Workshop (pp. 9-11)
    • Social and Economic Indicators for Status and Change within North Pacific Ecosystems (pp. 12-13)
    • The Fourth International Jellyfish Bloom Symposium (pp. 14-15)
    • Workshop on Radionuclide Science and Environmental Quality in the North Pacific (pp. 16-17)
    • PICES-MAFF Project on Marine Ecosystem Health and Human Well-Being: Indonesia Workshop (pp. 18-19)
    • Socioeconomic Indicators for United States Fisheries and Fishing Communities (pp. 20-23)
    • Harmful Algal Blooms in a Changing World (pp. 24-25, 27)
    • Enhancing Scientific Cooperation between PICES and NPAFC (pp. 26-27)
    • Workshop on Marine Biodiversity Conservation and Marine Protected Areas in the Northwest Pacific (pp. 28-29)
    • The State of the Western North Pacific in the Second Half of 2012 (pp. 30-31)
    • Stuck in Neutral in the Northeast Pacific Ocean (pp. 32-33)
    • The Bering Sea: Current Status and Recent Trends (pp. 34-36)
    • For your Bookshelf (p. 37)
    • Howard Freeland takes home Canadian awards (p. 38

    Midwest Technology Assistance Center for Small Public Water Systems Final Report

    The Midwest Technology Assistance Center (MTAC) was established October 1, 1998 to provide assistance to small public water systems throughout the Midwest via funding from the United States Environmental Protection Agency (USEPA) under section 1420(f) of the 1996 amendments to the Safe Drinking Water Act. This report summarizes progress made under USEPA Grant# 832591-01 for funds received in Federal Years (FY) 05 and 06. MTAC is a cooperative effort of the 10 states of the Midwest (congruent with USEPA regions 5 and 7), led by the Illinois State Water Survey and the University of Illinois. The director of their Water Resources Institute (WRI) coordinates the participation of each state in MTAC. Dr. Richard Warner (WRI director) and Kent Smothers were the principal investigators for this project. Kent Smothers serves as the managing director of the center, and is responsible for conducting routine activities with the advice and counsel of Dr. Richard Warner.

    Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

    Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

    Security, Privacy and Safety Risk Assessment for Virtual Reality Learning Environment Applications

    Social Virtual Reality based Learning Environments (VRLEs) such as vSocial render instructional content in a three-dimensional immersive computer experience for training youth with learning impediments. There are limited prior works that explored attack vulnerability in VR technology, and hence there is a need for systematic frameworks to quantify risks corresponding to security, privacy, and safety (SPS) threats. The SPS threats can adversely impact the educational user experience and hinder delivery of VRLE content. In this paper, we propose a novel risk assessment framework that utilizes attack trees to calculate a risk score for varied VRLE threats with rate and duration of threats as inputs. We compare the impact of a well-constructed attack tree with an ad hoc attack tree to study the trade-offs between overheads in managing attack trees, and the cost of risk mitigation when vulnerabilities are identified. We use a vSocial VRLE testbed in a case study to showcase the effectiveness of our framework and demonstrate how a suitable attack tree formalism can result in a safer, privacy-preserving and secure VRLE system. Comment: To appear in the CCNC 2019 Conference.

    The State of Adaptation in the United States: An Overview

    Over the past two decades the adaptation landscape has changed dramatically. From its early days as a vague theoretical concept, which was often viewed as a threat to advocating for the reduction of greenhouse gas emissions, it has developed into a widely, albeit not universally, recognized governmental mandate to reduce societal vulnerability to climate change. While it is important to appreciate the progress that we are making on this issue, it is impossible to ignore the urgent need to do more. Smart investment can be made by reflecting on what is already underway in order to determine where to build on existing efforts and where to innovate new approaches to fill the gaps in the path forward. In this report we provide illustrative examples of the variety of work on climate change adaptation that is underway in the United States. This is by no means an exhaustive survey of the field; however it does provide insight into the dominant focus of work to date, the resultant gaps, and the opportunities available for advancing this essential aspect of sustainability. We focus on four areas of activity -- agriculture, natural resources, human communities, and policy. The general trends relevant to these sectors can be applied more broadly to other sectors and countries. Adaptation can be thought of as a cycle of activities that ultimately -- if successful -- reduces vulnerability to climate change. This process starts with identifying the impacts of climate change to determine the types of problems climate change might pose. This includes all of the research on the causes and the global, regional, and local manifestations of climate change, often referred to as impacts assessments