Ranking Secure Coding Guidelines for Software Developer Awareness Training in the Industry

Secure coding guidelines are essential material used to train and raise awareness of software developers on the topic of secure software development. In industrial environments, since developer time is costly, and training and education is part of non-productive hours, it is important to address and stress the most important topics first. In this work, we devise a method, based on publicly available real-world vulnerability databases and secure coding guideline databases, to rank important secure coding guidelines based on defined industry-relevant metrics. The goal is to define priorities for a teaching curriculum on raising cybersecurity awareness of software developers on secure coding guidelines. Furthermore, we do a small comparison study by asking computer science students from university on how they rank the importance of secure coding guidelines and compare the outcome to our results

Challenges to Cybersecurity: Current State of Affairs

Despite increasing investment in cybersecurity initiatives, incidents such as data breach, malware infections, and cyberattacks on cyberphysical systems show an upward trend. I identify the technical, economic, legal, and behavioral challenges that continue to obstruct any meaningful effort to achieve reasonable cybersecurity. I also summarize the recent initiatives that various stakeholders have taken to address these challenges and highlight the limitations of those initiatives

Sifu - a cybersecurity awareness platform with challenge assessment and intelligent coach

Software vulnerabilities, when actively exploited by malicious parties, can lead to catastrophic consequences. Proper handling of software vulnerabilities is essential in the industrial context, particularly when the software is deployed in critical infrastructures. Therefore, several industrial standards mandate secure coding guidelines and industrial software developers’ training, as software quality is a significant contributor to secure software. CyberSecurity Challenges (CSC) form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry. These cybersecurity awareness events have been used with success in industrial environments. However, until now, these coached events took place on-site. In the present work, we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online. The introduced cybersecurity awareness platform, which the authors call Sifu, performs automatic assessment of challenges in compliance to secure coding guidelines, and uses an artificial intelligence method to provide players with solution-guiding hints. Furthermore, due to its characteristics, the Sifu platform allows for remote (online) learning, in times of social distancing. The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events. We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.info:eu-repo/semantics/publishedVersio

The future of Cybersecurity in Italy: Strategic focus area

This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

Connected vehicles:organizational cybersecurity processes and their evaluation

Abstract. Vehicles have become increasingly network connected cyber physical systems and they are vulnerable to cyberattacks. In the wake of multiple vehicle hacks, automotive industry and governments have recognized the critical need of cybersecurity to be integrated into vehicle development framework and get manufactures involved in managing whole vehicle lifecycle. The United Nations Economic Commission for Europe (UNECE) WP.29 (World Forum for Harmonization of Vehicle Regulations) committee published in 2021 two new regulations for road vehicles type approval: R155 for cybersecurity and R156 for software update. The latter of these influence also to agricultural vehicle manufacturers, which is the empirical context of this study. Also new cybersecurity engineering standard from International Standardization Organization (ISO) and Society of Automotive Engineers (SAE) organizations change organizations risk management framework. The vehicle manufacturers must think security from an entirely new standpoint: how to reduce vehicle cybersecurity risk to other road users. This thesis investigates automotive regulations and standards related to cybersecurity and cybersecurity management processes. The methodology of the empirical part is design science that is a suitable method for the development of new artifacts and solutions. This study developed an organization status evaluation tool in the form of a questionnaire. Stakeholders can use the tool to collect information about organizational capabilities for comprehensive vehicles cybersecurity management process. As a main result this thesis provides base information for cybersecurity principles and processes for cybersecurity management, and an overview of current automotive regulation and automotive cybersecurity related standards.Verkotetut ajoneuvot : organisaation kyberturvallisuusprosessit ja niiden arviointi. Tiivistelmä. Ajoneuvoista on tullut kyberhyökkäyksille alttiita tietoverkkoon yhdistettyjä kyberfyysisiä järjestelmiä. Ajoneuvojen hakkeroinnit herättivät hallitukset ja ajoneuvoteollisuuden huomaamaan, että kyberturvallisuus on integroitava osaksi ajoneuvojen kehitysympäristöä ja valmistajat on saatava mukaan hallitsemaan ajoneuvon koko elinkaarta. Yhdistyneiden Kansakuntien Euroopan talouskomission (UNECE) WP.29 (World Forum for Harmonization of Vehicle Regulations) -komitean jäsenet julkaisivat vuonna 2021 kaksi uutta tyyppihyväksyntäsäädöstä maantiekäyttöön tarkoitetuille ajoneuvoille. Nämä ovat kyberturvallisuuteen R155 ja ohjelmistopäivitykseen R156 liittyvät säädökset, joista jälkimmäinen vaikuttaa myös maatalousajoneuvojen valmistajiin. Myös uusi International Standardization Organization (ISO) ja Society of Automotive Engineers (SAE) organisaatioiden yhdessä tekemä kyberturvallisuuden suunnittelustandardi muuttaa organisaatioiden riskienhallintaa. Ajoneuvovalmistajien on pohdittava turvallisuutta aivan uudesta näkökulmasta; kuinka pienentää ajoneuvojen kyberturvallisuusriskiä muille tienkäyttäjille. Tämä opinnäytetyö tutkii kyberturvallisuuteen liittyviä autoalan säädöksiä ja standardeja sekä kyberturvallisuuden johtamisprosesseja. Työn empiirinen osa käsittelee maatalousajonevoihin erikoistunutta yritystä. Empiirisen osan metodologia on suunnittelutiede, joka soveltuu uusien artefaktien ja ratkaisujen kehittämiseen. Tutkimuksen empiirisessä osassa kehitettiin uusi arviointityökalu, jolla sidosryhmät voivat kerätä tietoja organisaation valmiuksista ajoneuvojen kyberturvallisuuden hallintaan. Tämä opinnäytetyö tarjoaa pohjatietoa kyberturvallisuuden periaatteista ja kyberturvallisuuden hallinnan prosesseista sekä yleiskatsauksen nykyiseen autoalan sääntelyyn ja kyberturvallisuuteen liittyviin ajoneuvostandardeihin

Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses

Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers' awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia, and can even potentially be included in official teaching curricula. One major finding is an indicator of the lack of awareness of secure coding by undergraduates. Finally, we compare our results with previous work done in the industry and extract advice for practitioners.Comment: Preprint accepted for publication at the First International Conference on Code Quality (ICCQ 2021

Incremental Common Criteria certification processes using DevSecOps practices

The growing digitalisation of our economies and societies is driving the need for increased connectivity of critical applications and infrastructures to the point where failures can lead to important disruptions and consequences to our lives. One growing source of failures for critical applications and infrastructures originates from cybersecurity threats and vulnerabilities that can be exploited in attacks. One approach to mitigating these risks is verifying that critical applications and infrastructures are sufficiently protected by certification of products and services. However, reaching sufficient assurance levels for product certification may require detailed evaluation of product properties. An important challenge for product certification is dealing with product evolution: now that critical applications and infras- tructures are connected they are being updated on a more frequent basis. To ensure continuity of certification, updates must be analysed to verify the impact on certified cybersecurity properties. Impacted properties need to be re-certified. This paper proposes a lightweight and flexible incremental certification process that can be integrated with DevSecOps practices to automate as much as possible evidence gathering and certification activities. The approach is illustrated on the Common Criteria product certification scheme and a firewall update on an automotive case study. Only the impact analysis phase of the incremental certification process is illustrated

On the Secure and Resilient Design of Connected Vehicles: Methods and Guidelines

Vehicles have come a long way from being purely mechanical systems to systems that consist of an internal network of more than 100 microcontrollers and systems that communicate with external entities, such as other vehicles, road infrastructure, the manufacturer’s cloud and external applications. This combination of resource constraints, safety-criticality, large attack surface and the fact that millions of people own and use them each day, makes securing vehicles particularly challenging as security practices and methods need to be tailored to meet these requirements.This thesis investigates how security demands should be structured to ease discussions and collaboration between the involved parties and how requirements engineering can be accelerated by introducing generic security requirements. Practitioners are also assisted in choosing appropriate techniques for securing vehicles by identifying and categorising security and resilience techniques suitable for automotive systems. Furthermore, three specific mechanisms for securing automotive systems and providing resilience are designed and evaluated. The first part focuses on cyber security requirements and the identification of suitable techniques based on three different approaches, namely (i) providing a mapping to security levels based on a review of existing security standards and recommendations; (ii) proposing a taxonomy for resilience techniques based on a literature review; and (iii) combining security and resilience techniques to protect automotive assets that have been subject to attacks. The second part presents the design and evaluation of three techniques. First, an extension for an existing freshness mechanism to protect the in-vehicle communication against replay attacks is presented and evaluated. Second, a trust model for Vehicle-to-Vehicle communication is developed with respect to cyber resilience to allow a vehicle to include trust in neighbouring vehicles in its decision-making processes. Third, a framework is presented that enables vehicle manufacturers to protect their fleet by detecting anomalies and security attacks using vehicle trust and the available data in the cloud