Model-Based Security Testing

Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques are available for many years, there has been little approaches that allow for specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security testing (MBST) is a relatively new field and especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes e.g. security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2-project DIAMONDS.Comment: In Proceedings MBT 2012, arXiv:1202.582

Impact assessment for vulnerabilities in open-source software libraries

Software applications integrate more and more open-source software (OSS) to benefit from code reuse. As a drawback, each vulnerability discovered in bundled OSS potentially affects the application. Upon the disclosure of every new vulnerability, the application vendor has to decide whether it is exploitable in his particular usage context, hence, whether users require an urgent application patch containing a non-vulnerable version of the OSS. Current decision making is mostly based on high-level vulnerability descriptions and expert knowledge, thus, effort intense and error prone. This paper proposes a pragmatic approach to facilitate the impact assessment, describes a proof-of-concept for Java, and examines one example vulnerability as case study. The approach is independent from specific kinds of vulnerabilities or programming languages and can deliver immediate results

Management information systems in social safety net programs : a look at accountability and control mechanisms

This paper is intended to provide task managers and World Bank Group clients working on Social Safety Net (SSN) programs with practical and systematic ways to use information management practices to mitigate risks by strengthening control and accountability mechanisms. It lays out practices and options to consider in the design and implementation of the Management Information System (MIS), and how to evaluate and mitigate operational risks originating from running a MIS. The findings of the paper are based on the review of several Conditional Cash Transfer (CCT) programs in the Latin American Region and various World Bank publications on CCTs. The paper presents a framework for the implementation of MIS and cross-cutting information management systems that is based on industry standards and information management practices. This framework can be applied both to programs that make use of information and communications technology (ICT) and programs that are paper based. It includes examples of MIS practices that can strengthen control and accountability mechanisms of SSN programs, and presents a roadmap for the design and implementation of an MIS in these programs. The application of the framework is illustrated through case studies from three fictitious countries. The paper concludes with some considerations and recommendations for task managers and government officials in charge of implementing CCTs and other safety nets program, and with a checklist for the implementation and monitoring of MIS.E-Business,Technology Industry,Education for Development (superceded),Labor Policies,Knowledge Economy

Patterns of information security postures for socio-technical systems and systems-of-systems

This paper describes a proposal to develop patterns of security postures for computer based socio-technical systems and systems-of-systems. Such systems typically span many organisational boundaries, integrating multiple computer systems, infrastructures and organisational processes. The paper describes the motivation for the proposed work, and our approach to the development, specification, integration and validation of security patterns for socio-technical and system-of-system scale systems

The organizational social context of mental health services and clinician attitudes toward evidence-based practice: a United States national study.

UnlabelledABSTBACKGROUND: Evidence-based practices have not been routinely adopted in community mental health organizations despite the support of scientific evidence and in some cases even legislative or regulatory action. We examined the association of clinician attitudes toward evidence-based practice with organizational culture, climate, and other characteristics in a nationally representative sample of mental health organizations in the United States.MethodsIn-person, group-administered surveys were conducted with a sample of 1,112 mental health service providers in a nationwide sample of 100 mental health service institutions in 26 states in the United States. The study examines these associations with a two-level Hierarchical Linear Modeling (HLM) analysis of responses to the Evidence-Based Practice Attitude Scale (EBPAS) at the individual clinician level as a function of the Organizational Social Context (OSC) measure at the organizational level, controlling for other organization and clinician characteristics.ResultsWe found that more proficient organizational cultures and more engaged and less stressful organizational climates were associated with positive clinician attitudes toward adopting evidence-based practice.ConclusionsThe findings suggest that organizational intervention strategies for improving the organizational social context of mental health services may contribute to the success of evidence-based practice dissemination and implementation efforts by influencing clinician attitudes