Achieving Security Assurance with Assertion-based Application Construction

abstract: Modern software applications are commonly built by leveraging pre-fabricated modules, e.g. application programming interfaces (APIs), which are essential to implement the desired functionalities of software applications, helping reduce the overall development costs and time. When APIs deal with security-related functionality, it is critical to ensure they comply with their design requirements since otherwise unexpected flaws and vulnerabilities may consequently occur. Often, such APIs may lack sufficient specification details, or may implement a semantically-different version of a desired security model to enforce, thus possibly complicating the runtime enforcement of security properties and making it harder to minimize the existence of serious vulnerabilities. This paper proposes a novel approach to address such a critical challenge by leveraging the notion of software assertions. We focus on security requirements in role-based access control models and show how proper verification at the source-code level can be performed with our proposed approach as well as with automated state-of-the-art assertion-based techniques.The final version of this article, as published in EAI Endorsed Transactions on Collaborative Computing, can be viewed online at: http://eudl.eu/doi/10.4108/eai.21-12-2015.15081

Model Based System Assurance Using the Structured Assurance Case Metamodel

Assurance cases are used to demonstrate confidence in system properties of interest (e.g. safety and/or security). A number of system assurance approaches are adopted by industries in the safety-critical domain. However, the task of constructing assurance cases remains a manual, lenghty and informal process. The Structured Assurance Case Metamodel (SACM)is a standard specified by the Object Management Group (OMG). SACM provides a richer set of features than existing system assurance languages/approaches. SACM provides a foundation for model-based system assurance, which bears great application potentials in growing technology domains such as Open Adaptive Systems. However, the intended usage of SACM has not been sufficiently explained. In addition, there has not been support to interoperate between existing assurance case (models)and SACM models. In this article, we explain the intended usage of SACM based on our involvement in the OMG specification process of SACM. In addition, to promote a model-based approach, we provide SACM compliant metamodels for existing system assurance approaches (the Goal Structuring Notation and Claims-Arguments-Evidence), and the transformations from these models to SACM. We also briefly discuss the tool support for model-based system assurance which helps practitioners make the transition from existing system assurance approaches to model-based system assurance using SACM

Software Engineering Timeline: major areas of interest and multidisciplinary trends

Ingeniería del software. EvolucionSociety today cannot run without software and by extension, without Software Engineering. Since this discipline emerged in 1968, practitioners have learned valuable lessons that have contributed to current practices. Some have become outdated but many are still relevant and widely used. From the personal and incomplete perspective of the authors, this paper not only reviews the major milestones and areas of interest in the Software Engineering timeline helping software engineers to appreciate the state of things, but also tries to give some insights into the trends that this complex engineering will see in the near future

Citizen Electronic Identities using TPM 2.0

Electronic Identification (eID) is becoming commonplace in several European countries. eID is typically used to authenticate to government e-services, but is also used for other services, such as public transit, e-banking, and physical security access control. Typical eID tokens take the form of physical smart cards, but successes in merging eID into phone operator SIM cards show that eID tokens integrated into a personal device can offer better usability compared to standalone tokens. At the same time, trusted hardware that enables secure storage and isolated processing of sensitive data have become commonplace both on PC platforms as well as mobile devices. Some time ago, the Trusted Computing Group (TCG) released the version 2.0 of the Trusted Platform Module (TPM) specification. We propose an eID architecture based on the new, rich authorization model introduced in the TCGs TPM 2.0. The goal of the design is to improve the overall security and usability compared to traditional smart card-based solutions. We also provide, to the best our knowledge, the first accessible description of the TPM 2.0 authorization model.Comment: This work is based on an earlier work: Citizen Electronic Identities using TPM 2.0, to appear in the Proceedings of the 4th international workshop on Trustworthy embedded devices, TrustED'14, November 3, 2014, Scottsdale, Arizona, USA, http://dx.doi.org/10.1145/2666141.266614

The Nile Question: The Accords on the Water of the Nile and Their Implications on

Some authorities identify the Nile basin as one of the hotspots in an area where violent conflict could break out over the shared water resource because of the various hydropolitical intricacies it involves. Mounting demands for more water, an alarming population growth rate, the absence of comprehensive legal and institutional frameworks, and relations among the riparian states that are marred with suspicion and misunderstanding, are among the major factors creating the potential for an extreme conflict in the basin. To date, the Basin states have not been able to cooperate in order to devise a solution to the issue of the Nile – the utilisation and management of Nile water for the benefit of all riparian states. One of the impediments to such a solution, is the absence of a basinwide agreement. Although there have been various agreements over the Nile River, none of these has involved more than three states. The accords constitute one of the hurdles in the path towards cooperation. This article reviews the main agreements which have decided control over the Nile, their traits, and the implications for cooperative schemes in the basin. It also examines the current promising initiative, the Nile Basin Initiative, as a possible way forward to reach comprehensive cooperation. The article does not examine all the problems enveloping the Nile basin. It limits itself to the legal aspects of the questions of the Nile and proposes appropriate approaches to accords on the water of the Nile. Further, it concentrates on three countries, Egypt, the Sudan and Ethiopia, which are considered to be central actors in the Nile issues and deals with the accords involving them, or concluded on their behalf, during the colonial period

In our opinion… , March 2011

https://egrove.olemiss.edu/aicpa_news/2331/thumbnail.jp