13 research outputs found

    On the impact and preponderance of software licenses in the mobile device market

    The importance of mobile devices has grown considerably over the last ten years, and they have come to occupy a preponderant role in our lives. As the use and adoption of these devices grows, users expect increasingly complex functionality from them. In this context, Android, the operating system for smartphones and tablets, has experienced spectacular growth in little more than three years of existence. This line of research explores one of the main reasons behind this growth: the free software license used by Android. Motivated by this thesis, our objective is to investigate how the chosen software license can affect various aspects of a product and notably influence its success or failure, using operating systems for mobile devices as a case study. Track: Software Engineering. Red de Universidades con Carreras en Informática (RedUNCI

    Security and privacy on the Android platform

    As the use and adoption of mobile devices grows, they are expected to provide increasingly complex functionality. Consequently, the demand for new applications increases considerably. Android is a new platform licensed as free software that will be key to meeting this demand, providing an operating system, middleware and the tools needed to develop applications in the Java language. In this project we will analyze security on the Android platform and determine whether it makes it possible to safeguard users' privacy. Based on this analysis, we will propose solutions to the problems identified, contributing to the refinement of the platform. Track: Architecture, Networks and Operating Systems. Red de Universidades con Carreras en Informática (RedUNCI

    Application for managing container-based software development environments

    Abstract. Virtualizing the software development process can enhance efficiency through unified, remotely managed environments. Docker containers, a popular technology in software development, are widely used for application testing and deployment. This thesis examines the use of containers as cloud-based development environments. This study explores the history and implementation of container-based virtualization before presenting containers as a novel cloud-based software development environment. Virtual containers, like virtual machines, have been extensively used in software development for code testing but not as development environments. Containers are also prevalent in the final stages of software production, specifically in the distribution and deployment of completed applications. In the practical part of the thesis, an application is implemented to improve the usability of a container-based development environment, addressing challenges in adopting new work environments. The work was conducted for a private company, and multiple experts provided input. The management application enhanced the container-based development environment’s efficiency by improving user rights management, virtual container management, and user interface. Additionally, the new management tools reduced training time for new employees by 50%, facilitating their integration into the organization. Container-based development environments with efficient management tools provide a secure, efficient, and unified platform for large-scale software development. Virtual containers also hold potential for future improvements in energy-saving strategies and organizational work method harmonization and integration.

    Application for managing container-based software development environments. Abstract. Virtualizing the software development process can improve efficiency through unified, remotely managed environments. Docker containers, a popular technology in software development, are widely used in application testing and deployment. This thesis examines the use of containers as cloud-based development environments. The study explores the history and implementation of container-based virtualization and then presents the use of containers as a new kind of cloud-based software development environment. Virtual containers, like virtual machines, have been widely used in software development for code testing, but not as development environments. Containers are also common in the final stages of software production, especially in the distribution and deployment of finished applications. In the practical part of the thesis, an application is implemented that improves the usability of a container-based development environment and addresses the challenges of adopting new work environments. The work was carried out for a private company, and several experts took part in its design. The management application increased the efficiency of the container-based development environment by improving user rights management, virtual container management and the user interface. In addition, the new management tools shortened the training time of new employees by 50%, which eased their integration into the organization. Container-based development environments equipped with efficient management tools provide a secure, efficient and unified platform for large-scale software development. Virtual containers also have potential for future improvements in energy-saving strategies and in the harmonization and integration of organizational work methods

    Penetration testing and mitigation of vulnerabilities windows server

    Cyber attack has become a major concern over the past few years. While the technical capability to attack has declined, hacking tools, both simple and comprehensive, are themselves evolving rapidly. Certain approaches are necessary to protect a system from cyber threats. This work engages with comprehensive penetration testing in order to find vulnerabilities in the Windows Server and exploit them. Some forms of method penetration testing have been used in this experiment, including reconnaissance probes, brute force attacks based on password guessing, implanting malware to create a backdoor for escalating privileges, and flooding the target. This experiment was focused on gaining access in order to ascertain the identities of hackers and thus better understand their methods and performed penetration testing to evaluate security flaws in the Windows Server, which is a famous OS for web applications. It is expected that this work will serve as a guideline for practitioners who want to prepare and protect their systems before putting them onlin

    Security analysis of containers and images in a Docker environment

    Over the last decade the world of virtualization technologies has undergone rapid expansion. This thesis aims to analyze the security aspects of this constantly evolving field, specifically container-based virtualization using Docker. Virtualization systems are conceptually divided into hypervisor-based and container-based implementations (the latter including Docker): the use of containers and images makes it possible to build lighter and more portable virtual systems, but not without some security trade-offs. Docker implements a number of features aimed at isolating the systems built with it, which can nevertheless be subject to vulnerabilities that in some cases allow an attacker to gain access to the entire host system

    Information security standards in payment card industry

    Data security is an important activity in many companies, especially if they operate in an environment with sensitive data. To facilitate the implementation of data security measures, a variety of standards, frameworks and best practices are available as guidelines according to which a company can or must act. These standards can be different in their requirements, while some of their requirements and chapters can be similar. This work examines the theoretical background of information security in the processing of payments, while selected standards and frameworks that help to safeguard information are also analysed. The case of implementation of the standard PCI DSS and ISO/IEC 20000 using ITIL in companies in the business of processing payment transactions is presented. Additionally, implementation in cases of risk and vulnerability, modelled in the ArchiMate language, is also demonstrated. The main aim of the master thesis is to examine how the company could at minimum cost and use of various sources implement standard ISO/IEC 27001 on the basis of what is already available from the standards PCI DSS and ITIL. For this purpose, the master thesis reviews, compares and conducts mapping of various requirements between those standards. On this basis, the concept of the implementation model of ISO/IEC 27001 with the integration of the PCI DSS and ITIL is developed. Through this model, companies could lower their costs and more easily implement the new standard as well as reduce the level of risk. The conclusion of the thesis offers an overview of the findings and suggestions for further work. In this master thesis knowledge acquired in postgraduate study of Information Systems and decision-making at the Faculty of Engineering and Computer Science is used. Moreover, this thesis makes use of the knowledge and experience gained from my work in the field of software development, in particular web applications and web services, as well as the implementation of safety standards in the network which is discussed in this thesis. In addition to this, domestic and foreign scientific, technical articles, conference contributions, standards and frameworks are used as relevant knowledge sources

    Design of an automated tool for penetration testing of the inferential SQL injection risk present in enterprise applications in a web environment

    Of the security risks in web environments, the SQL injection risk is ranked as the most important, and, of the seven existing types of SQL injection, inferential SQL injections are the most complex to penetration-test, because the information must be extracted not deterministically but by inferring the data from observed changes in the behavior of the web environment. This master's thesis aims to reduce the time spent on the penetration tests used to evaluate the inferential SQL injection risk present in web environments. To this end a mixed methodology was used: quantitative for the analysis of the algorithms used in evaluating this risk, and qualitative in analyzing the strategies and tools currently used in penetration tests for the risk in question. As a result of this research, it was established that the bit-by-bit algorithm is the most efficient at extracting information and that the SQLMAP tool is the most complete for its evaluation. In terms of time, the SQLBrute - SQL Injection Brute Forcer tool is the best for time-based inferential SQL injections, and The Mole for those that are not time-based. In addition, a tool was built using the optimized bit-by-bit algorithm, and its times were compared with those of the most efficient tools available. Comparing the times of the developed tool confirmed that this research reduced the time spent evaluating the risk in question and that the developed tool extracts data more efficiently

    Abstract: There are many security risks in a web environment. However, SQL injection is the most important risk. This risk has seven sub-types and inferential SQL injection is the most complex sub-type: it is necessary to extract the information not in a deterministic way but by inferring the data by means of observing behavior changes in the web environment. This thesis is a research process on time reduction of inferential SQL injections present in web environments. With that purpose, a mixed methodology was used (quantitative and qualitative) to analyze the strategies, algorithms and tools that penetration testers currently use in evaluation of the aforementioned risk. According to the study conducted, bit-to-bit is the fastest algorithm for extracting information and the SQLMAP tool is the most complete. In time terms, the SQLBrute - SQL Injection Brute Forcer tool is the best tool for time-based inferential SQL injections and The Mole for non-time-based injections. After this identification, a tool was made using an optimized bit-to-bit algorithm. That tool was compared with the aforementioned tools, verifying that it is effectively more efficient. Finally, the tool was used in a real environment. In this way, it was found that it is possible to decrease the time in the evaluation of the treated risk Maestrí