Security Support in Continuous Deployment Pipeline

Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs - one incorporates security tactics while the other does not. Both CDPs have been analyzed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections

Software Security Metrics for Malware Resilience

We examine the level of resistance offered by a software product against malicious software (malware) attacks. Analysis is performed on the software architecture. This is available as a result of the software design process and can hence be used at an early stage in development. A model of a generic computer system is developed, based on the internationally recognized Common Criteria for Information Technology Security Evaluation. It is formally specified in the Z modeling language. Malicious software attacks and security mechanisms are captured by the model. A repository of generic attack methods is given and the concept of resistance classes introduced to distinguish different levels of protection. We assess how certain architectural properties and changes in system architecture affect the possible resistance classes of a product. This thesis has four main contributions: A generic model of an operating system from a security perspective, a repository of typical attack methods, a set of resistance classes, and an identification of software architecture metrics pertaining to ordered security levels

A novel intrusion detection system (IDS) architecture. Attack detection based on snort for multistage attack scenarios in a multi-cores environment.

Recent research has indicated that although security systems are developing, illegal intrusion to computers is on the rise. The research conducted here illustrates that improving intrusion detection and prevention methods is fundamental for improving the overall security of systems. This research includes the design of a novel Intrusion Detection System (IDS) which identifies four levels of visibility of attacks. Two major areas of security concern were identified: speed and volume of attacks; and complexity of multistage attacks. Hence, the Multistage Intrusion Detection and Prevention System (MIDaPS) that is designed here is made of two fundamental elements: a multistage attack engine that heavily depends on attack trees and a Denial of Service Engine. MIDaPS were tested and found to improve current intrusion detection and processing performances. After an intensive literature review, over 25 GB of data was collected on honeynets. This was then used to analyse the complexity of attacks in a series of experiments. Statistical and analytic methods were used to design the novel MIDaPS. Key findings indicate that an attack needs to be protected at 4 different levels. Hence, MIDaPS is built with 4 levels of protection. As, recent attack vectors use legitimate actions, MIDaPS uses a novel approach of attack trees to trace the attacker¿s actions. MIDaPS was tested and results suggest an improvement to current system performance by 84% whilst detecting DDOS attacks within 10 minutes

HI-Risk: a socio-technical method for the identification and monitoring of healthcare information security risks in the information society

This thesis describes the development of the HI-risk method to assess socio-technical information security risks. The method is based on the concept that related organisations experience similar risks and could benefit from sharing knowledge in order to take effective security measures. The aim of the method is to predict future risks by combining knowledge of past information security incidents with forecasts made by experts. HI-risks articulates the view that information security risk analysis should include human, environmental, and societal factors, and that collaboration amongst disciplines, organisations and experts is essential to improve security risk intelligence in today’s information society. The HI-risk method provides the opportunity for participating organisations to register their incidents centrally. From this register, an analysis of the incident scenarios leads to the visualisation of the most frequent scenario trees. These scenarios are presented to experts in the field. The experts express their opinions about the expected frequency of occurrence for the future. Their expectation is based on their experience, their knowledge of existing countermeasures, and their insight into new potential threats. The combination of incident and expert knowledge forms a risk map. The map is the main deliverable of the HI-risk method, and organisations could use it to monitor their information security risks. The HI-risk method was designed by following the rigorous process of design science research. The empirical methods used included qualitative and quantitative techniques, such as an analysis of historical security incident data from healthcare organisations, expert elicitation through a Delphi study, and a successful test of the risk forecast in a case organisation. The research focused on healthcare, but has potential to be further developed as a knowledge-based system or expert system, applicable to any industry. That system could be used as a tool for management to benchmark themselves against other organisations, to make security investment decisions, to learn from past incidents and to provide input for policy makers

HI-Risk: a socio-technical method for the identification and monitoring of healthcare information security risks in the information society

This thesis describes the development of the HI-risk method to assess socio-technical information security risks. The method is based on the concept that related organisations experience similar risks and could benefit from sharing knowledge in order to take effective security measures. The aim of the method is to predict future risks by combining knowledge of past information security incidents with forecasts made by experts. HI-risks articulates the view that information security risk analysis should include human, environmental, and societal factors, and that collaboration amongst disciplines, organisations and experts is essential to improve security risk intelligence in today’s information society. The HI-risk method provides the opportunity for participating organisations to register their incidents centrally. From this register, an analysis of the incident scenarios leads to the visualisation of the most frequent scenario trees. These scenarios are presented to experts in the field. The experts express their opinions about the expected frequency of occurrence for the future. Their expectation is based on their experience, their knowledge of existing countermeasures, and their insight into new potential threats. The combination of incident and expert knowledge forms a risk map. The map is the main deliverable of the HI-risk method, and organisations could use it to monitor their information security risks. The HI-risk method was designed by following the rigorous process of design science research. The empirical methods used included qualitative and quantitative techniques, such as an analysis of historical security incident data from healthcare organisations, expert elicitation through a Delphi study, and a successful test of the risk forecast in a case organisation. The research focused on healthcare, but has potential to be further developed as a knowledge-based system or expert system, applicable to any industry. That system could be used as a tool for management to benchmark themselves against other organisations, to make security investment decisions, to learn from past incidents and to provide input for policy makers

Enhancing the reliability of digital signatures as non-repudiation evidence under a holistic threat model

Traditional sensitive operations, like banking transactions, purchase processes, contract agreements etc. need to tie down the involved parties respecting the commitments made, avoiding a further repudiation of the responsibilities taken. Depending on the context, the commitment is made in one way or another, being handwritten signatures possibly the most common mechanism ever used. With the shift to digital communications, the same guarantees that exist in real world transactions are expected from electronic ones as well. Non-repudiation is thus a desired property of current electronic transactions, like those carried out in Internet banking, e-commerce or, in general, any electronic data interchange scenario. Digital evidence is generated, collected, maintained, made available and verified by non-repudiation services in order to resolve disputes about the occurrence of a certain event, protecting the parties involved in a transaction against the other's false denial about such an event. In particular, a digital signature is considered as non-repudiation evidence which can be used subsequently, by disputing parties or by an adjudicator, to arbitrate in disputes. The reliability of a digital signature should determine its capability to be used as valid evidence. The reliability depends on the trustworthiness of the whole life cycle of the signature, including the generation, transfer, verification and storage phases. Any vulnerability in it would undermine the reliability of the digital signature, making its applicability as non-repudiation evidence dificult to achieve. Unfortunately, technology is subject to vulnerabilities, always with the risk of an occurrence of security threats. Despite that, no rigorous mechanism addressing the reliability of digital signatures technology has been proposed so far. The main goal of this doctoral thesis is to enhance the reliability of digital signatures in order to enforce their non-repudiation property when acting as evidence. In the first instance, we have determined that current technology does not provide an acceptable level of trustworthiness to produce reliable nonrepudiation evidence that is based on digital signatures. The security threats suffered by current technology are suffice to prevent the applicability of digital signatures as non-repudiation evidence. This finding is also aggravated by the fact that digital signatures are granted legal effectiveness under current legislation, acting as evidence in legal proceedings regarding the commitment made by a signatory in the signed document. In our opinion, the security threats that subvert the reliability of digital signatures had to be formalized and categorized. For that purpose, a holistic taxonomy of potential attacks on digital signatures has been devised, allowing their systematic and rigorous classification. In addition, and assuming a realistic security risk, we have built a new approach more robust and trustworthy than the predecessors to enhance the reliability of digital signatures, enforcing their non-repudiation property. This new approach is supported by two novel mechanisms presented in this thesis: the signature environment division paradigm and the extended electronic signature policies. Finally, we have designed a new fair exchange protocol that makes use of our proposal, demonstrating the applicability in a concrete scenario. ----------------------------------------------------------------------------------------------------------------------------------------------------------------Las operaciones sensibles tradicionales, tales como transacciones bancarias, procesos de compra-venta, firma de contratos etc. necesitan que las partes implicadas queden sujetas a los compromisos realizados, evitando así un repudio posterior de las responsabilidades adquiridas. Dependiendo del contexto, el compromiso se llevaría a cabo de una manera u otra, siendo posiblemente la firma manuscrita el mecanismo más comúnmente empleado hasta la actualidad. Con el paso a las comunicaciones digitales, se espera que las mismas garantías que se encuentran en las transacciones tradicionales se proporcionen también en las electrónicas. El no repudio es, por tanto, una propiedad deseada a las actuales transacciones electrónicas, como aquellas que se llevan a cabo en la banca online, en el comercio electrónico o, en general, en cualquier intercambio de datos electrónico. La evidencia digital se genera, recoge, mantiene, publica y verifica mediante los servicios de no repudio con el fin de resolver disputas acerca de la ocurrencia de un determinado evento, protegiendo a las partes implicadas en una transacción frente al rechazo respecto a dicho evento que pudiera realizar cualquiera de las partes. En particular, una firma digital se considera una evidencia de no repudio que puede emplearse posteriormente por las partes enfrentadas o un tercero durante el arbitrio de la disputa. La fiabilidad de una firma digital debería determinar su capacidad para ser usada como evidencia válida. Dicha fiabilidad depende de la seguridad del ciclo de vida completo de la firma, incluyendo las fases de generación, transferencia, verificación, almacenamiento y custodia. Cualquier vulnerabilidad en dicho proceso podría socavar la fiabilidad de la firma digital, haciendo difícil su aplicación como evidencia de no repudio. Desafortunadamente, la tecnología está sujeta a vulnerabilidades, existiendo siempre una probabilidad no nula de ocurrencia de amenazas a su seguridad. A pesar de ello, hasta la fecha no se ha propuesto ningún mecanismo que aborde de manera rigurosa el estudio de la fiabilidad real de la tecnología de firma digital. El principal objetivo de esta tesis doctoral es mejorar la fiabilidad de las firmas digitales para que éstas puedan actuar como evidencia de no repudio con garantías suficientes

Contribution Barriers to Open Source Projects

Contribution barriers are properties of Free/Libre and Open Source Software (FLOSS) projects that may prevent newcomers from contributing. Contribution barriers can be seen as forces that oppose the motivations of newcomers. While there is extensive research on the motivation of FLOSS developers, little is known about contribution barriers. However, a steady influx of new developers is connected to the success of a FLOSS project. The first part of this thesis adds two surveys to the existing research that target contribution barriers and motivations of newcomers. The first exploratory survey provides the indications to formulate research hypotheses for the second main survey with 117 responses from newcomers in the two FLOSS projects Mozilla and GNOME. The results lead to an assessment of the importance of the identified contribution barriers and to a new model of the joining process that allows the identification of subgroups of newcomers affected by specific contribution barriers. The second part of the thesis uses the pattern concept to externalize knowledge about techniques lowering contribution barriers. This includes a complete categorization of the existing work on FLOSS patterns and the first empirical evaluation of these FLOSS patterns and their relationships. The thesis contains six FLOSS patterns that lower specific important contribution barriers identified in the surveys. Wikis are web-based systems that allow its users to modify the wiki's contents. They found on wiki principles with which they minimize contribution barriers. The last part of the thesis explores whether a wiki, whose content is usually natural text, can also be used for software development. Such a Wiki Development Environment (WikiDE) must fulfill the requirements of both an Integrated Development Environment (IDE) and a wiki. The simultaneous compliance of both sets of requirements imposes special challenges. The thesis describes an adapted contribution process supported by an architecture concept that solves these challenges. Two components of a WikiDE are discussed in detail. Each of them helps to lower a contribution barrier. A Proof of Concept (PoC) realization demonstrates the feasibility of the concept