580,643 research outputs found
Idea-caution before exploitation:the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities
The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed
Persistent issues in encryption software: A heuristic and cognitive walkthrough
The support information accompanying security software can be difficult to understand by end-users, who have little knowledge in cyber security. One mechanism for ensuring the integrity and confidentiality of information is encryption software. Unfortunately, software usability issues can hinder an end-user’s capability to properly utilise the security features effectively. To date there has been little research in investigating the usability of encryption software and proposing solutions for improving them. This research paper analysed the usability of encryption software targeting end-users. The research identified several issues that could impede the ability of a novice end-user to adequately utilise the encryption software. A set of proposed recommendations are suggested to improve encryption software which could be empirically verified through further research
Mining Threat Intelligence about Open-Source Projects and Libraries from Code Repository Issues and Bug Reports
Open-Source Projects and Libraries are being used in software development
while also bearing multiple security vulnerabilities. This use of third party
ecosystem creates a new kind of attack surface for a product in development. An
intelligent attacker can attack a product by exploiting one of the
vulnerabilities present in linked projects and libraries.
In this paper, we mine threat intelligence about open source projects and
libraries from bugs and issues reported on public code repositories. We also
track library and project dependencies for installed software on a client
machine. We represent and store this threat intelligence, along with the
software dependencies in a security knowledge graph. Security analysts and
developers can then query and receive alerts from the knowledge graph if any
threat intelligence is found about linked libraries and projects, utilized in
their products
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry
demand for more cyber security expertise in the workforce, the effect of
security education and experience on the ability to assess complex software
security problems has only been recently investigated. As proxy for the full
range of software security skills, we considered the problem of assessing the
severity of software vulnerabilities by means of a structured analysis
methodology widely used in industry (i.e. the Common Vulnerability Scoring
System (\CVSS) v3), and designed a study to compare how accurately individuals
with background in information technology but different professional experience
and education in cyber security are able to assess the severity of software
vulnerabilities. Our results provide some structural insights into the complex
relationship between education or experience of assessors and the quality of
their assessments. In particular we find that individual characteristics matter
more than professional experience or formal education; apparently it is the
\emph{combination} of skills that one owns (including the actual knowledge of
the system under study), rather than the specialization or the years of
experience, to influence more the assessment quality. Similarly, we find that
the overall advantage given by professional expertise significantly depends on
the composition of the individual security skills as well as on the available
information.Comment: Presented at the Workshop on the Economics of Information Security
(WEIS 2018), Innsbruck, Austria, June 201
Integrating Security into the Undergraduate Software Engineering Curriculum
This research included a thorough examination of the existing software assurance or what is commonly called software security knowledge, methodologies and what information security technologies is currently being recommended by the information technology community. Finally it is demonstrated how this security knowledge could be incorporated into the curriculum for undergraduate software engineering
A comparative study of cloud services use by prospective IT professionals in five countries
Individuals and organizations utilise the cloud technology and its services in various ways. Cloud-based services are becoming increasingly popular, while there is no adequate knowledge offered for their secure use in the education for future IT professionals. It is important to understand how security and privacy issues are perceived and handled by male/female users and IT professionals of different cultures. The authors aim at presenting and scrutinizing information about cloud services’ use by prospective IT professionals in five countries, namely China, Finland, Greece, Nepal, and the UK. In particular the authors, wanting to find out what are the future IT professionals’ conceptualisations and awareness, collected data from male and female IT students in higher education, who use (or not) cloud services. The authors further illustrate the research findings by proceeding to a comparative analysis considering different perspectives such as: gender, education background, national culture (values and culture), and IT-related knowledge. The final research outcomes reveal attention-grabbing information for future IT professionals’ skills, knowledge, and digital competencies. For the IT professionals and software quality engineering communities the latter comprise a body of realistic knowledge, worthy of note when designing curricula for security technology by accommodating practical and accessible solutions (e.g., cryptography-based cloud security) for developing and enhancing the IT professionals’ role
Game Based Learning for Safety and Security Education
Safety and security education are important part of technology related education, because of recent number of increase in safety and security related incidents. Game based learning is an emerging and rapidly advancing forms of computer-assisted instruction. Game based learning for safety and security education enables students to learn concepts and skills without the risk of physical injury and security breach. In this paper, a pedestal grinder safety game and physical security game have been developed using industrial standard modeling and game development software. The average score of the knowledge test of grinder safety game was 82%, which is higher than traditional lecture only instruction method. In addition, the survey of physical security game shows 84% average satisfaction ratio from high school students who played the game during the summer camp. The results of these studies indicated that game based learning method can enhance students' learning without potential harm to the students
Verification of primitive Sub-Ghz RF replay attack techniques based on visual signal analysis
As the low-cost options for radio traffic capture, analysis and transmission are becoming available, some security researchers have developed open-source tools that potentially make it easier to assess the security of the devices that rely on radio communications without the need for extensive knowledge and understanding of the associated concepts. Recent research in this area suggests that primitive visual analysis techniques may be applied to decode selected radio signals successfully. This study builds upon the previous research in the area of sub-GHz radio communications and aims to outline the associated methodology as well as verify some of the reported techniques for carrying out radio frequency replay attacks using low-cost materials and freely available software
- …