Hardening with Scapolite: a DevOps-based Approach for Improved Authoring and Testing of Security-Configuration Guides in Large-Scale Organizations

Security Hardening is the process of configuring IT systems to ensure the security of the systems' components and data they process or store. In many cases, so-called security-configuration guides are used as a basis for security hardening. These guides describe secure configuration settings for components such as operating systems and standard applications. Rigorous testing of security-configuration guides and automated mechanisms for their implementation and validation are necessary since erroneous implementations or checks of hardening guides may severely impact systems' security and functionality. At Siemens, centrally maintained security-configuration guides carry machine-readable information specifying both the implementation and validation of each required configuration step. The guides are maintained within git repositories; automated pipelines generate the artifacts for implementation and checking, e.g., PowerShell scripts for Windows, and carry out testing of these artifacts on AWS images. This paper describes our experiences with our DevOps-inspired approach for authoring, maintaining, and testing security-configuration guides. We want to share these experiences to help other organizations with their security hardening and, thus, increase their systems' security.Comment: We submitted this article as a full-length paper. Unfortunately, the CODASPY Program Committee decided that our paper can only be accepted in the tool track. Thus, the published version only consists of 6 page

Engineering Secure Adaptable Web Services Compositions

Service-oriented architecture defines a paradigm for building applications by assembling autonomous components such as web services to create web service compositions. Web services are executed in complex contexts where unforeseen events may compromise the security of the web services composition. If such compositions perform critical functions, prompt action may be required as new security threats may arise at runtime. Manual interventions may not be ideal or feasible. To automatically decide on valid security changes to make at runtime, the composition needs to make use of current security context information. Such security changes are referred to as dynamic adaptation. This research proposes a framework to develop web services compositions that can dynamically adapt to maintain the same level of security when unforeseen security events occur at runtime. The framework is supported by mechanisms that map revised security requirements arising at runtime to a new security configuration plan that is used to adapt the web services composition

Internet of robotic things : converging sensing/actuating, hypoconnectivity, artificial intelligence and IoT Platforms

The Internet of Things (IoT) concept is evolving rapidly and influencing newdevelopments in various application domains, such as the Internet of MobileThings (IoMT), Autonomous Internet of Things (A-IoT), Autonomous Systemof Things (ASoT), Internet of Autonomous Things (IoAT), Internetof Things Clouds (IoT-C) and the Internet of Robotic Things (IoRT) etc.that are progressing/advancing by using IoT technology. The IoT influencerepresents new development and deployment challenges in different areassuch as seamless platform integration, context based cognitive network integration,new mobile sensor/actuator network paradigms, things identification(addressing, naming in IoT) and dynamic things discoverability and manyothers. The IoRT represents new convergence challenges and their need to be addressed, in one side the programmability and the communication ofmultiple heterogeneous mobile/autonomous/robotic things for cooperating,their coordination, configuration, exchange of information, security, safetyand protection. Developments in IoT heterogeneous parallel processing/communication and dynamic systems based on parallelism and concurrencyrequire new ideas for integrating the intelligent “devices”, collaborativerobots (COBOTS), into IoT applications. Dynamic maintainability, selfhealing,self-repair of resources, changing resource state, (re-) configurationand context based IoT systems for service implementation and integrationwith IoT network service composition are of paramount importance whennew “cognitive devices” are becoming active participants in IoT applications.This chapter aims to be an overview of the IoRT concept, technologies,architectures and applications and to provide a comprehensive coverage offuture challenges, developments and applications

Studying Security Issues in HPC (Super Computer) Environment

HPC has evolved from being a buzzword to becoming one of the most exciting areas in the field of Information Technology & Computer Science. Organizations are increasingly looking to HPC to improve operational efficiency, reduce expenditure over time and improve the computational power. Using Super Computers hosted on a particular location and connected with the Internet can reduce the installation of computational power and making it centralise. However, centralise system has some advantages and disadvantages over the distributed system, but we avoid discussing those issues and focusing more on the HPC systems. HPC can also be used to build web and file server and for applications of cloud computing. Due to cluster type architecture and high processing speed, we have experienced that it works far better and handles the loads in much more efficient manner then series of desktop with normal configuration connected together for application of cloud computing and network applications. In this paper we have discussed on issues re lated to security of data and information on the context of HPC. Data and information are vanurable to security and safety. It is the purpose of this paper to present some practical security issues related to High Performance Computing Environment. Based on our observation on security requirements of HPC we have discuss some existing security technologies used in HPC. When observed to various literatures, we found that the existing techniques are not enough. We have discussed, some of the key issues relating to this context. Lastly, we have made an approach to find an appropriate solution using Blowfish encryption and decryption algorithm. We hope that, with our proposed concepts, HPC applications to perform better and in safer way. At the end, we have proposed a modified blow fish algorithmic technique by attaching random number generator algorithm to make the encryption decryption technique more appropriate for our own HPC environment

Information Security Management In Context Of Globalization

The security of information should be understood as the provision of confidentiality, accessibility, integrity, authenticity, and accountability of information. Confidentiality is defined by ISO 27001:2005 as “the property that information is not made available or dis-closed to unauthorized individuals, entities, or processes”. Issues about information availability, understood as “being accessible and usable upon demand by an authorized entity” , are not usually seen as a problem of the whole company. Lack of access to data is easily explained away by leave, the lack of electricity, a virus, or missed key. The third main property of information system security is integrity, that is to say, “safeguarding the accuracy and completeness of assets”. It may be considered at a technical level. Then it concerns the structure and configuration of network devices and applications. However, problems of integrity are mainly related to the activities of workers collecting and processing data. Failure to comply with integrity may cause delays in decision-making by management or a lack of actions to minimize the effect of existing threats.

Information Security Management In Context Of Globalization

The security of information should be understood as the provision of confidentiality, accessibility, integrity, authenticity, and accountability of information. Confidentiality is defined by ISO 27001:2005 as “the property that information is not made available or dis-closed to unauthorized individuals, entities, or processes”. Issues about information availability, understood as “being accessible and usable upon demand by an authorized entity” , are not usually seen as a problem of the whole company. Lack of access to data is easily explained away by leave, the lack of electricity, a virus, or missed key. The third main property of information system security is integrity, that is to say, “safeguarding the accuracy and completeness of assets”. It may be considered at a technical level. Then it concerns the structure and configuration of network devices and applications. However, problems of integrity are mainly related to the activities of workers collecting and processing data. Failure to comply with integrity may cause delays in decision-making by management or a lack of actions to minimize the effect of existing threats.