16 research outputs found

    Security patterns considered harmful?

    While a useful source of repeatable security knowledge, ambiguity about what security patterns are and how they might be applied calls into question their reliability as a design tool. To provoke discussion about their usefulness, this paper claims that security patterns should be considered harmful because: (i) they abdicate design responsibility, (ii) their implications are unclear, and (iii) abstractions are still an enemy. We also consider Strong Concepts as a more useful alternative for security design.

    Web Server Security and Survey on Web Application Security

    A web server is a computer host configured and connected to Internet, for serving the web pages on request. Information on the public web server is accessed by anyone and anywhere on the Internet. Since web servers are open to public access they can be subjected to attempts by hackers to compromise the server's security. Hackers can deface websites and steal valuable data from systems. This can translate into significant loss of revenue if it is a financial institution or e-commerce site. In the case of corporate or government systems, loss of important data means launch of information espionages or information warfare on their sites. Apart from data loss or theft, web defacement can also result in significant damage to the image of company [1]. The fact that an attacker can strike remotely makes a Web server an appealing target. Understanding threats to Web server and being able to identify appropriate countermeasures permits to anticipate many attacks and thwart the ever-growing numbers of attackers [3]. This work begins by reviewing the most common threats that affect Web servers. It then uses this perspective to find certain countermeasures. A key concept of this work focuses on the survey of most prevailing attacks that occurs due to certain vulnerabilities present in the web technology or programming which are exploited by attackers and also presents general countermeasures. In addition, various methods to detect and prevent those attacks are discussed and highlighted the summary and comparative analysis of the approaches on the basis of different attacks that shows you how to improve Web servers security

    Security in DevOps: understanding the most efficient way to integrate security in the agile software development process

    Modern development methodologies follow a fast and dynamic pace, which gives great attention to customers’ satisfaction in the delivery of new releases. On the other hand, the work pursued to secure a system, if not adapted to the new development trend, can risk to slow down the delivery of new software and the adaptability typical for an Agile environment. Therefore, it is paramount to think about a new way to integrate security into the development framework, in order to secure the software in the best way without slowing down the pace of the developers. Moreover, the implementation of automatic and repeatable security controls inside the development pipeline can help to catch the presence of vulnerabilities as early as possible, thus reducing costs, comparing to solving the issues at later stages. The thesis presents a series of recommendations on how to best deploy a so called DevSecOps approach and applies the theory to the use case of Awake.AI, a Finnish startup company focusing its business on the maritime industry. It is not always easy and feasible to practically apply all the suggestions presented in the literature to a real case scenario, but rather the recommendations need to be adapted and forged in a way that best suits the situation and the current target. It is undeniable that the presence of a strong and efficient secure development framework can give substantial advantage to the success of a company. In fact, not only it makes sure that the delivery of good quality code to the customers is not slowed down, but it also dramatically reduces the risk of incurring in expensive security incidents. Lastly, it is valuable to also mention that, being able to show a clean and efficient approach to security, the framework improves the reputation and trustfulness of the company under the eyes of the customers

    Applying Cognitive Control Modes to Identify Security Fatigue Hotspots

    Security tasks can burden the individual, to the extent that security fatigue promotes habits that undermine security. Here we revisit a series of user-centred studies which focus on security mechanisms as part of regular routines, such as two-factor authentication. By examining routine security behaviours, these studies expose perceived contributors and consequences of security fatigue, and the strategies that a person may adopt when feeling overburdened by security. Behaviours and strategies are framed according to a model of cognitive control modes, to explore the role of human performance and error in producing security fatigue. Security tasks are then considered in terms of modes such as unconscious routines and knowledge-based ad-hoc approaches. Conscious attention can support adaptation to novel security situations, but is error-prone and tiring; both simple security routines and technology-driven automation can minimise effort, but may miss cues from the environment that a nuanced response is required

    Analyzing Information Security Model for Small-Medium Sized Businesses

    As large organizations invest heavily in security frameworks, cyber criminals and malicious insiders are turning their attention to smaller businesses to steal or damage sensitive information. Unlike large enterprises, small businesses often pay little attention to hackers, cyber criminals, and malicious insiders. Furthermore, small-medium sized organizations are challenged to implement proper information security strategies due to insufficient resources. Very few methods and publications focus on information security for small and medium sized organizations. This paper reviews the National Institute of Standards and Technology (NIST) framework for security in small and medium-sized businesses. After discussing several concerns with NIST’s approach, our proposed methodology is introduced and examined to provide an information security framework suited for small and medium sized businesses

    Developing Systems for Cyber Situational Awareness

    In both military and commercial settings, the awareness of Cyber attacks and the effect of those attacks on the mission space of an organization has become a targeted information goal for leaders and commanders at all levels. We present in this paper a defining framework to understand situational awareness (SA)—especially as it pertains to the Cyber domain—and propose a methodology for populating the cognitive domain model for this realm based on adversarial knowledge involved with Cyber attacks. We conclude with considerations for developing Cyber SA systems of the future

    Raccoon: Automated Verification of Guarded Race Conditions in Web Applications

    Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large amount of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes, such as XSS or SQL Injection, dbms based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web applications. Raccoon identifies potential race conditions through interleaving execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof of concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge about implementation or database layout, while only reporting vulnerabilities, in which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify detected possible vulnerabilities

    When should an organisation start vulnerability management?

    Starting vulnerability management can be a major challenge for many organisations, yet these organisations are required to perform vulnerability management, for example through standards, regulations or business relationships. The aim of the research was to produce easily understandable documentation on cyber security that helps organisations start vulnerability management. To support cyber security in starting vulnerability management, a comparison of different cyber security frameworks, cyber security maturity models and vulnerability management implementation processes was needed. The research began by searching for suitable research subjects among cyber security frameworks, cyber security maturity models and vulnerability management implementation processes. The subjects found were studied and their features were compared analytically. The comparison identified their strengths, weaknesses and characteristic features. The research concluded that no definitive cyber security framework, cyber security maturity model or vulnerability management implementation process suitable for all organisations was found. However, it can be stated that the research produced sufficient documentation for building organisations' cyber security and starting vulnerability management.
    Organisations may find vulnerability management very difficult to start conducting, but they are obligated to perform vulnerability management due to various requirements which may come from standards, regulations or business relationships. The objective of the research was to compile an easy to understand document about cyber security program for an organisation which allows them to begin vulnerability management. To support this cyber security program a strong base for vulnerability management cyber security frameworks and cyber security maturity models needed to be compared and presented. The research started by searching good research subjects for cyber security frameworks, cyber security maturity models and vulnerability management implementation processes. These research subjects were then studied and similar features were compared analytically. The comparison results and analysis found some strengths and weaknesses of the research subjects. As the conclusion for the research there was no definite answer for all organisations, about cyber security frameworks, cyber security maturity models or vulnerability management models. The research should provide decent support for organisations to build strong basis for their cyber security program and beginning the vulnerability management

    Reference models for network trace anonymization

    Network security research can benefit greatly from testing environments that are capable of generating realistic, repeatable and configurable background traffic. In order to conduct network security experiments on systems such as Intrusion Detection Systems and Intrusion Prevention Systems, researchers require isolated testbeds capable of recreating actual network environments, complete with infrastructure and traffic details. Unfortunately, due to privacy and flexibility concerns, actual network traffic is rarely shared by organizations as sensitive information, such as IP addresses, device identity and behavioral information can be inferred from the traffic. Trace data anonymization is one solution to this problem. The research community has responded to this sanitization problem with anonymization tools that aim to remove sensitive information from network traces, and attacks on anonymized traces that aim to evaluate the efficacy of the anonymization schemes. However there is continued lack of a comprehensive model that distills all elements of the sanitization problem into a functional reference model. In this thesis we offer such a comprehensive functional reference model that identifies and binds together all the entities required to formulate the problem of network data anonymization. We build a new information flow model that illustrates the overly optimistic nature of inference attacks on anonymized traces. We also provide a probabilistic interpretation of the information model and develop a privacy metric for anonymized traces. Finally, we develop the architecture for a highly configurable, multi-layer network trace collection and sanitization tool. In addition to addressing privacy and flexibility concerns, our architecture allows for uniformity of anonymization and ease of data aggregation