Re-examining the Information Systems Security Problem from a Systems Theory Perspective

This theoretical paper discusses a recent shift in cyber attackers’ interest away from traditional network and operating systems vulnerabilities and towards application level security flaws in end user systems. The authors argue that this shift signals a strong need to re-examine the way that security is addressed during the systems development process. Most of the systems development methodologies currently used do not contain formal processes for dealing with the interconnected complexity and risks associated with today’s computing environments. Using systems theory as a theoretical lens, the fundamental processes of current systems development methodologies are analyzed and weaknesses in their ability to deal with these environmental factors are discussed. The authors then present a proposed holistic framework for integrating security into existing systems development methods. The paper concludes with a discussion of the need for more scholarly research in this area and suggestions for future research directions are offered

CyberSecurity Challenges: Serious Games for Awareness Training in Industrial Environments

Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers' needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience of the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.Comment: Preprint accepted for publication at the 17. Deutscher IT-Sicherheitskongress. arXiv admin note: substantial text overlap with arXiv:2102.0534

Cybersecurity challenges: Serious games for awareness training in industrial environments

Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers’ needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience of the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.info:eu-repo/semantics/acceptedVersio

БЕЗПЕЧНЕ ПРОГРАМНЕ ЗАБЕЗПЕЧЕННЯ, ЩО РОЗРОБЛЯЄ РЕКОМЕНДАЦІЇ

Adverse effects on information in the functioning computer systems of various purpose is carried out in order to violate their confidentiality, integrity and accessibility. These threats arise from software vulnerabilities and result in unauthorized access to data or leakage of sensitive information To solve this problem, firstly, an analysis of the software life cycle was carried out in order to determine the stages of software development. Secondly, taking into account the stages obtained, possible threats to information were identified. A buffer overflow vulnerability was considered as a basic example of a threat. Possible ways of exploiting this vulnerability are given, the pros and cons of detection and counteraction tools are analyzed. As a result, recommendations on the development of safe software are presented, both in general terms and more specific in order to avoid the buffer overflow vulnerability. Having using such recommendations, enterprises could reduce the risk of sensitive information breach and minimize outlane. The results obtained in the paper can also be used to make decisions about the possibility of operating the relevant software.Шкідливий вплив на інформацію в процесі функціонування комп'ютерних систем різного призначення здійснюється з метою порушення конфіденційності, цілісності і доступності і є можливим внаслідок експлуатації наявних вразливостей. Результатом такого впливу може бути несанкціонований доступ до даних або витік конфіденційної інформації. Актуальність розробки рекомендацій по створенню безпечного програмного забезпечення (ПЗ) полягає у вдосконаленні підходів до розробки ПЗ з метою ліквідації вразливостей для нового ПЗ та досліджень вже створеного ПЗ на предмет відсутності в ньому вразливостей. Для вирішення цієї проблеми, по-перше, було проведено аналіз життєвих циклів програмного забезпечення з метою визначення основних етапів його розробки. Наступним кроком були визначені можливі загрози для інформації на кожному з етапів розробки.  Розглянуто уразливість переповнення буферу як приклад. Наведено можливі способи експлуатації цієї вразливості, проаналізовано переваги і недоліки засобів виявлення та протидії. Як результат, запропоновано рекомендації щодо розробки безпечного програмного забезпечення як на загальному рівні, так і більш конкретні стосовно переповнення буфера. Практичною цінністю рекомендацій є зменшення ризиків порушення властивостей інформації, що підлягає захисту, і мінімізація витрат організації. Отримані в роботі результати також можуть бути використані для прийняття рішень про можливість експлуатації відповідного програмного забезпечення

Secure coding intention via protection motivation theory based survey

Abstract. According to studies, programming skills are obtained by a large number of persons but most of them lack the ability to produce secure software. This statement reflects the essence of this thesis and provides a direction to problem solving. The focus of this study is a research into the possibility of using a questionnaire prepared with the use of a protection motivation theory (PMT) to provide a indication of intention for software developers towards secure programming techniques. This study answers the following research question: Can secure programming intention be aroused with a PMT questionnaire? The questionnaire consists of three categories: background-, awareness-/knowledge- and PMT questions. Background questions are used to identify the focus group. Awareness and knowledge questions are used to provide secure coding information which is reflected by cognitive thinking via PMT questions. The questionnaire was built as web survey and distributed via professional social network. The questionnaire uses focused subject group working in micro and small enterprises (<50 employees). The study results are analysed against PMT components to validate focus group selection as a correct choice. Survey findings analysed in qualitative manner (partly in quantitative), indicates that majority of subjects created intention towards studying or using secure coding techniques. The focus group PMT analysis results shows that in each PMT section, at least over half indicated positive response into it. These results will provide a deeper research direction for how to promote secure coding

Empirical assessment of the effort needed to attack programs protected with client/server code splitting

Context. Code hardening is meant to fight malicious tampering with sensitive code executed on client hosts. Code splitting is a hardening technique that moves selected chunks of code from client to server. Although widely adopted, the effective benefits of code splitting are not fully understood and thoroughly assessed. Objective. The objective of this work is to compare non protected code vs. code splitting protected code, considering two levels of the chunk size parameter, in order to assess the effectiveness of the protection - in terms of both attack time and success rate - and to understand the attack strategy and process used to overcome the protection. Method. We conducted an experiment with master students performing attack tasks on a small application hardened with different levels of protection. Students carried out their task working at the source code level. Results. We observed a statistically significant effect of code splitting on the attack success rate that, on the average, was reduced from 89% with unprotected clear code to 52% with the most effective protection. The protection variant that moved some small-sized code chunks turned out to be more effective than the alternative moving fewer but larger chunks. Different strategies were identified yielding different success rates. Moreover, we discovered that successful attacks exhibited different process w.r.t. failed ones.Conclusions We found empirical evidence of the effect of code splitting, assessed the relative magnitude, and evaluated the influence of the chunk size parameter. Moreover, we extracted the process used to overcome such obfuscation technique

Buenas prácticas de seguridad para sistemas ERP

En la actualidad los sistemas ERP son usados no solo por las grandes empresas sino que además las pequeñas y medianas, ellas han encontrado la importancia que tienen estos sistemas y las ventajas competitivas que pueden lograr con su uso e implementación. Los sistemas ERP bajo código libre, se han convertido en los favoritos para estas empresas, debido a la reducción de costos que representan y a la calidad que cada día se hace más notoria en el mundo. Sin embargo, si hay algo que la mayoría de las empresas temen frente a este tipo de sistemas y a los de código libre en general, es el tema de la seguridad. Esta propuesta busca identificar las debilidades de seguridad de estos sistemas a través del uso de metodologías y estándares probados y usados por comunidades internacionales, no solo en el ERP como tal sino además, en todo el entorno que se requiere para su instalación y administración. Una vez identificadas las debilidades se propondrán una serie de buenas prácticas que de manera general, aumenten la seguridad de los sistemas, éstas serán aplicadas sobre un ERP específico y validado sobre otro, de manera que se pueda demostrar la aplicabilidad de ellas. Además, se pondrán en conocimiento a las comunidades que aportan al crecimiento y desarrollo de los ERP algunas de las debilidades detectadas, con el fin de que solucionen estos problemas y los divulguen en toda la comunidad y así lograr un aporte al mejoramiento de estos sistemas. Finalmente, el análisis de los resultados obtenidos con la aplicación de las buenas prácticas, demostrara su eficacia, realizando la comparación entre los ERP antes y después de su implementaciónToday ERP systems are part of not only of big companies, but also small and medium have found the importance of these systems and competitive advantages can be achieved with its use and implementation. Under open source ERP has become a favorite for these companies, due to cost reduction and quality that each day becomes more evident worldwide, but if there is something that most companies fear against such systems and open source in general is the issue of security. This proposal seeks to identify security weaknesses of these systems through the use of methodologies and standards tested and used by international communities, not only in the ERP as such but also in the whole environment that is required for installation and administration. Having identified the weaknesses will propose a series of good practice that in general, increase the security of the ERP, these will be applied to a specific ERP and validated on another so as to demonstrate the applicability of these. Besides the weaknesses identified will be delivered to communities that contribute to the growth and development of ERP in order to solve these problems and replicated throughout the community and thus make a contribution to improving these systems

Sensei : enforcing secure coding guidelines in the integrated development environment

We discuss the potential benefits, requirements, and implementation challenges of a security-by-design approach in which an integrated development environment (IDE) plugin assists software developers to write code that complies with secure coding guidelines. We discuss how such a plugin can enable a company's policy-setting security experts and developers to pass their knowledge on to each other more efficiently, and to let developers more effectively put that knowledge into practice. This is achieved by letting the team members develop customized rule sets that formalize coding guidelines and by letting the plugin check the compliance of code being written to those rule sets in real time, similar to an as-you-type spell checker. Upon detected violations, the plugin suggests options to quickly fix them and offers additional information for the developer. We share our experience with proof-of-concept designs and implementations rolled out in multiple companies, and present some future research and development directions

Secure software development practice selection model

Developing secure software is critical for organizations as highly-sensitive and confidential data are transacted through online applications. Insecure software can lead to loss of revenue and damage to business reputation. Although numerous methods, models and standards in regards to secure software development have been established, implementation of the whole model is quite challenging as it involves cost, skill, and time. Moreover, lack of knowledge and guidance on selection of suitable secure development practices becomes a challenge for project managers. On that account, this thesis developed a model which aims to guide the project managers to select secure software development practices based on the factors fulfilled by the project. Initially, a systematic literature review (SLR) was conducted, and as a result 18 influential factors were identified. To strengthen and enhance these findings, semistructured interviews were conducted with 21 software development experts from eight IT departments in Malaysian public sector, and 18 influential factors emerged from the interviews. The findings from both the SLR and interviews were consolidated, and analysed using the grounded theory techniques. As a result, 20 influential factors were finalized and grouped into four main categories that influenced software development outcomes: institutional context, software project content, people and action, and development processes. To assess the fulfilment of each factor, assessment criteria to determine the fulfilment of the factors were identified using secondary data analysis method. Subsequently, secure development practices which were suitable for the Malaysian public sector were identified through a survey, and as a result 24 practices were identified. The identified factors, assessment criteria, and practices were validated using the Delphi method, involving ten experts. In addition, the experts mapped the influential factors to each secure software development practice. As a result of the Delphi method which involved three phases, the lists of validated factors and assessment criteria were produced. Additionally, a list of practices mapped with the related influential factors was produced. The validated elements were used to formulate the Secure Software Development Practice Selection Model. The proposed model was finally evaluated using a multiple case study method that involved four software development projects in the Malaysian public sector. The project managers were provided with questionnaire to assess the fulfilment of factors, and identify practices that can be incorporated in their software development project. Thus, with the proposed Secure Software Development Practice Selection Model, suitable secure software development practices can be effectively identified by assessing the influential factors fulfilled by the software project. Furthermore, the average System Usability Scale score obtained for all agencies was 70.7; thus Secure Software Development Practice Selection Model was perceived to have ‘good’ usability which corresponds to the adjective scale. In sum, there are four significant contributions of this research: a validated list of factors influencing secure software development, a list of assessment criteria for the factors, mapping of secure software development practices with the influential factors, and evaluated Secure Software Development Practice Selection Model

Securely Handling Inter-Application Connection Credentials

The utilization of application-to-application (A2A) credentials within interpretive language scripts and application code has long been a security risk. The quandaries being how to protect and secure the credentials handled in the main body of code and avoid exploitation from rogue programmers, system administrators and other users with authorized high levels of privilege. Researchers report that A2A credentials cannot be protected and that there is no way to reduce the risk of the inevitable successful attack and subsequent exploit. Therefore, research efforts to date have primarily been focused on mitigating the impact of the attack rather than finding ways to reduce the attack surface. The work contained herein successfully addresses this serious cross-cutting concern and proves that it is in fact possible to significantly reduce the risk of attack. This reduction of risk was accomplished through implementing a method of credential obfuscation which applied advice with concerns utilizing a composition filter. The filter modified messages containing the credentials as they were sent from the interpretive language script to the remote data store. The modification extracted credentials from a secure password vault and inserted them into the message being sent to the remote data store. This modification moved the handling of the credentials from the main body of code to a secure library and out of the reach of attackers with authorized high levels of privilege. The relocation of the credential handling code lines significantly reduced the attack surface and the overall risk of attack