Design and implementation of a prototype to include security activities as part of application systems design
M.Com. (Information Systems). This study has its origin in the growing need for information systems to be classified as 'secure'. With the increasing use of Computer Aided Software Engineering (CASE) tools in the design of application systems for commercial use, the risks that exist in terms of information security have become more prominent. The importance of considering security during the analysis and design of an information system, in other words on a logical level, is increasing daily. Usually, security features are added to existing application systems on an ad hoc basis. Security design activities should become such an integrated part of systems analysis and design activities on a logical level that a complete integration of the two fields, security and computer aided software engineering, can be achieved. The aim of this dissertation is to study the literature to discover existing approaches to this integration, to extract the strengths from them, and to expand on those strengths in order to compile an approach that is completely implementable in the form of a prototype data flow design tool (DFD tool). The proposed approach to the secure analysis and design of an application system on a logical level, which is presented in Chapter 4, is designed in conjunction with H.A.S. Booysen [Booysen, Kasselman, Eloff - 1994]. Existing CASE tools have also been studied by the author to determine their current capabilities, especially in terms of security definition activities, but also in terms of their support to the systems analyst during the analysis and design phases of the project life cycle when developing a target application system.
Large scale agile software development compliant to IEC 62443-4-1: artefact design and tool support
There has been a considerable increase in the use of agile methodologies over the last years. However, applying these methodologies can be challenging, particularly for industrial control systems that must obey rigorous operational requirements imposed through regulations and standards, and in particular cybersecurity requirements. The current work proposes a concept for a structured and systematic integration of security activities into a DevOps pipeline, with the ambition of achieving the capability of both secure agile development and security-compliant agile software engineering. The basis for this concept is the integration of the IEC 62443-4-1 (4-1) standard, which describes secure product development in industrial control systems, with a Continuous Integration/Continuous Delivery pipeline specification. To achieve this, the security requirements, as described in the 4-1 standard, were mapped into a simple DevOps pipeline specification. As a result, all of the 4-1 activities were analysed and classified according to the possibility of being automated through tool support. Interviews with expert practitioners from the fields of security compliance and agile software engineering were conducted to evaluate the present work. Results have shown evidence of the possibility of providing tool support for the IEC 62443-4-1 standard and of specifying a DevOps pipeline compliant with the 4-1 standard.

In recent years there has been a considerable increase in the use of agile methodologies. However, applying these methodologies can be a challenge, especially for industrial control systems that are obliged to obey rigorous operational requirements through regulations and standards, and in particular in the area of cybersecurity. This work proposes a concept for a structured and systematic integration of security activities into a DevOps pipeline, with the aim of achieving both the capability of secure agile development and that of security-compliant agile software engineering. The basis for this concept is the integration of the IEC 62443-4-1 (4-1) standard, which describes secure product development in industrial control environments, with a Continuous Integration/Continuous Delivery specification. To achieve this, the security requirements, as described in the 4-1 standard, were mapped into a simple DevOps specification. As a result, all activities of the 4-1 standard were analysed and classified according to the possibility of their being automated through tool support. To evaluate the work, interviews were conducted with professionals specialised in the areas of IT security compliance and agile software engineering. The results show evidence of the possibility of providing tool support for the automation of the IEC 62443-4-1 standard and of specifying a DevOps pipeline compliant with the 4-1 standard.
Secure cloud micro services using Intel SGX
The micro service paradigm targets the implementation of large and scalable systems while enabling fine-grained service-level maintainability. Due to their scalability, such architectures are frequently used in cloud environments, which are often subject to privacy and trust issues hindering the deployment of services dealing with sensitive data. In this paper we investigate the integration of trusted execution based on Intel Software Guard Extensions (SGX) into micro service applications. We present our Vert.x Vault, which supports SGX-based trusted execution in Eclipse Vert.x, a renowned tool-kit for writing reactive micro service applications. With our approach, secure micro services can run alongside regular ones, inter-connected via the Vert.x event bus to build large Vert.x applications that can contain multiple trusted components. Maintaining a full-fledged Java Virtual Machine (JVM) inside an SGX enclave is impractical due to its complexity, less secure because of a large Trusted Code Base (TCB), and would suffer from performance penalties due to a high memory footprint. However, as Vert.x is written in Java, a lean TCB requires integration of native enclave C/C++ code into Vert.x, for which we propose the usage of the Java Native Interface (JNI). Our Vert.x Vault provides the benefits of micro service architectures together with trusted execution to support privacy and data confidentiality for sensitive applications in the cloud at scale. In our evaluation we show the feasibility of our approach, buying a significantly increased level of security for a low performance overhead of only ≈ 8.7%.
Security aspects in cloud based condition monitoring of machine tools
In modern competitive environments, companies must have rapid production systems that are able to deliver parts satisfying the highest quality standards. Companies also have an increased need for advanced machines equipped with the latest maintenance technologies to avoid any reduction or interruption of production. The need to monitor the health status of manufacturing equipment in real time, and thus to develop diagnostic technologies for machine tools, is therefore eminent. This paper lays the foundation for the creation of a safe remote monitoring system for machine tools using a Cloud environment for communication between the customer and the maintenance service company. Cloud technology provides a convenient means for accessing maintenance data anywhere in the world through simple devices such as PCs, tablets or smartphones. In this context the safety aspects of a Cloud system for remote monitoring of machine tools become crucial and are thus the focus of this paper.
Combined automotive safety and security pattern engineering approach
Automotive systems will exhibit increased levels of automation as well as ever tighter integration with other vehicles, traffic infrastructure, and cloud services. From a safety perspective, this can be perceived as a boon or a bane: it greatly increases complexity and uncertainty, but at the same time opens up new opportunities for realizing innovative safety functions. Moreover, cybersecurity becomes important as an additional concern because attacks are now much more likely and severe. However, there is a lack of experience with security concerns in the context of safety engineering in general and in automotive safety departments in particular. To address this problem, we propose a systematic pattern-based approach that interlinks safety and security patterns and provides guidance with respect to the selection and combination of both types of patterns in the context of system engineering. A combined safety and security pattern engineering workflow is proposed to provide systematic guidance to support non-expert engineers based on best practices. The application of the approach is shown and demonstrated by an automotive case study and different use case scenarios.
EC/H2020/692474/EU/Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems/AMASS
EC/H2020/737422/EU/Secure COnnected Trustable Things/SCOTT
EC/H2020/732242/EU/Dependability Engineering Innovation for CPS - DEIS/DEIS
BMBF, 01IS16043, Collaborative Embedded Systems (CrESt)
Secure Integration of Desktop Grids and Compute Clusters Based on Virtualization and Meta-Scheduling
Reducing the cost of business or scientific computations is a commonly expressed goal in today's companies. Using the available computers of local employees or outsourcing such computations are two obvious solutions to save money on additional hardware. Both possibilities exhibit security-related disadvantages, since the deployed software and data can be copied or tampered with if appropriate countermeasures are not taken. In this paper, an approach is presented to let local desktop machines and remote cluster resources be securely combined into a single Grid environment. Solutions to several problems in the areas of secure virtual networks, meta-scheduling and accessing cluster schedulers from desktop Grids are proposed.