341,080 research outputs found

    Security Analysis and Improvement Model for Web-based Applications

    Get PDF
    Today the web has become a major conduit for information. As the World Wide Web?s popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% vulnerability, web-based software systems account for 61% vulnerability, and other applications account for 30% vulnerability. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states in software systems and hardware systems, and independent of web application system states in the past. Therefore, the web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states of (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked, database_server_security_failed) as state space in the Markov Chain. The vulnerable behavior and system response in the web-based applications are analyzed in this dissertation. The analyses focus on functional availability-related aspects: the probability of reaching a particular security failed state and the mean time to the security failure of a system. Vulnerability risk index is classified in three levels as an indicator of the level of security (low level, high level, and failed level). An illustrative application example is provided. As the second objective of this dissertation, I propose a security improvement model for the web-based applications using the GeoIP services in the formal methods. In the security improvement model, web access is authenticated in role-based access control using user logins, remote IP addresses, and physical locations as subject credentials to combine with the requested objects and privilege modes. Access control algorithms are developed for subjects, objects, and access privileges. A secure implementation architecture is presented. In summary, the dissertation has developed security analysis and improvement model for the web-based application. Future work will address Markov Process Model validation when security data collection becomes easy. Security improvement model will be evaluated in performance aspect

    Security Analysis and Improvement Model for Web-based Applications

    Get PDF
    Today the web has become a major conduit for information. As the World Wide Web?s popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% vulnerability, web-based software systems account for 61% vulnerability, and other applications account for 30% vulnerability. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states in software systems and hardware systems, and independent of web application system states in the past. Therefore, the web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states of (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked, database_server_security_failed) as state space in the Markov Chain. The vulnerable behavior and system response in the web-based applications are analyzed in this dissertation. The analyses focus on functional availability-related aspects: the probability of reaching a particular security failed state and the mean time to the security failure of a system. Vulnerability risk index is classified in three levels as an indicator of the level of security (low level, high level, and failed level). An illustrative application example is provided. As the second objective of this dissertation, I propose a security improvement model for the web-based applications using the GeoIP services in the formal methods. In the security improvement model, web access is authenticated in role-based access control using user logins, remote IP addresses, and physical locations as subject credentials to combine with the requested objects and privilege modes. Access control algorithms are developed for subjects, objects, and access privileges. A secure implementation architecture is presented. In summary, the dissertation has developed security analysis and improvement model for the web-based application. Future work will address Markov Process Model validation when security data collection becomes easy. Security improvement model will be evaluated in performance aspect

    Interplay of Misuse Case and Fault Tree Analysis for Security and Safety Analysis

    Get PDF
    Ohutus ja turvalisus infosüsteemides muutuvad aasta-aastalt üha olulisemaks. Seda seetõttu, et kaasaegsed infosüsteemid on üha enam levinud veebiteenustes, -võrgustikes ja –pilvedes. Ohutuse seisukohalt olulisi süsteeme, mida ei ole varem Internetis kasutatud, tehakse ümber, et muuta neid kasuatatvaks Internetis. Selle tulemusena on tekkinud vajadus leida uusi meetodeid, mis kindlustaks nii ohutuse kui turvalisuse tarkvarasüsteemides. Kui ohutust ja turvalisust ei käsitleta koos, võivad nad riske suurendada – olukorra ohutuks muutmine võib tekitada riski turvalisuses ning sellest tekib probleem. Näiteks lukustatud uksed ühiselamutes turvalisuse huvides, kaitsmaks sealseid elanikke röövide ning muude võimalike kuritegude eest. Uste avamiseks kasutavad ühiselamu elanikud kaarte, mis uksed avavad. Tulekahju korral aga avanevad uksed ohutuse eesmärgil automaatselt ning kurjategijad, lülitades sisse tuletõrjealarmi, pääsevad ühiselamu elanike vara juurde.Antud uurimistöös antakse ülevaade ohutusest ja turvalisusest kui ühtsest süsteemist, määratledes ohutuse ja turvalisuse mõisted ning otsides võimalikke viise nende integreerimiseks, arendades koosmõju ohutuse ja turvalisuse vahel kasutades misuse case´i ja fault tree analysis´i. Töös selgitatakse fault tree analysis´i sobivust ohutuse domeeni mudelisse ja püütakse leida koosmõju fault tree analysis´i ja misuse case´i tehnikate vahel. Kasutades nii ohutuse kui turvalisuse domeenimudeleid ning tekitades koosmõju tehnikate vahel, on oodatud tulemuseks ohutuse ja turvalisuse probleemi lahendamine tarkvarasüsteemides. Usutavasti aitab antud uurimistöö kaasa ohutuse ja turvalisuse integreerimisvõimaluste leidmisele selgitades fault tree analysis sobivust ohutuse domeenimudelisse, kasutades misuse case´i ja information security risk management´i seost ja kooskõlastades seda misuse case´i tehnikaga Samuti selgitatakse töös uut metoodikat, kuidas kasutada fault tree analysis-d ja misuse case´i selleks, et saavutada nii ohutus kui turvalisus kaasaegsetes infosüsteemides. Lisaks sellele testiti töös selgitatud sobivust usaldusväärse stsenaariumi korral, mis kinnitab sobivuse paikapidavust.Nowadays safety and security are becoming more and more important because of the fact that modern information systems are increasingly distributed over web-services, grids and clouds. Safety critical systems that were not utilizing usage over Internet are being re-engineered in order to be use over Internet. As a consequence of this situation there is need of new methods that cover both security and safety aspects of software systems, since these systems are used in transportation, health and process control systems that arises risk of physical injury or environmental damage. Additionally when safety and security aspects are not considered together they may violate each other while one situation is making a case safe it may violate security and this is a problem. Such as in the sample of lock doors at dormitories for security purpose to protect inhabitants against robbery and some other possible crimes, those inhabitants of dormitories use distance keys to unlock them but in case of a fire situation in the building for safety purposes these lock doors are unlocking themselves and by activating fire alarms attackers can get access to inhabitants properties. In current thesis we introduce integrated domain models of security and safety, extracting definitions from safety and security domains and finding possible pairs to integrate. Developing interplays between security and safety technique that is misuse cases and fault tree analysis. We demonstrate alignment of fault tree analysis to safety domain model and making interplay between techniques from fault tree analysis to misuse cases. By using the domain models of both security and safety and making interplay between techniques we proposed an integrated technique we expect to solve the problem to cover both safety aspects of software system benefiting from complementary strengths of security domain model and techniques. We believe that our study is contributing to the integration attempts of security and safety techniques by illustrating alignment of fault tree analysis with safety domain model benefitting from misuse cases and information security risk management relationship and making interplay with misuse case technique. And also we illustrate a new methodology on how to use fault tree analysis and misuse cases in order to elicit safety concerns in a new information system by having interplay with misuse case. Moreover, we test correctness of our methodology by making results comparison of a safety risk analyze done

    European Digital Libraries: Web Security Vulnerabilities

    Get PDF
    Purpose – The purpose of this paper is to investigate the web vulnerability challenges at European library web sites and how these issues can affect the data protection of their patrons. Design/methodology/approach – A web vulnerability testing tool was used to analyze 80 European library sites in four countries to determine how many security vulnerabilities each had and what were the most common types of problems. Findings – Analysis results from surveying the libraries show the majority have serious security flaws in their web applications. The research shows that despite country-specific laws mandating secure sites, system librarians have not implemented appropriate measures to secure their online information systems. Research limitations/implications – Further research on library vulnerability throughout the world can be taken to educate librarians in other countries of the serious nature of protecting their systems. Practical implications – The findings serve to remind librarians of the complexity in providing a secure online environment for their patrons and that a disregard or lack of awareness of securing systems could lead to serious vulnerabilities of the patrons' personal data and systems. Lack of consumer trust may result in a decreased use of online commerce and have serious repercussions for the municipal libraries. Several concrete examples of methods to improve security are provided. Originality/value – The paper serves as a current paper on data security issues at Western European municipal library web sites. It serves as a useful summary regarding technical and managerial measures librarians can take to mitigate inadequacies in their security implementation

    BOF4WSS : a business-oriented framework for enhancing web services security for e-business

    Get PDF
    When considering Web services' (WS) use for online business-to-business (B2B) collaboration between companies, security is a complicated and very topical issue. This is especially true with regard to reaching a level of security beyond the technological layer, that is supported and trusted by all businesses involved. With appreciation of this fact, our research draws from established development methodologies to develop a new, business-oriented framework (BOF4WSS) to guide e-businesses in defining, and achieving agreed security levels across these collaborating enterprises. The approach envisioned is such that it can be used by businesses-in a joint manner-to manage the comprehensive concern that security in the WS environment has become

    UK security breach investigations report: an analysis of data compromise cases

    Get PDF
    This report, rather than relying on questionnaires and self-reporting, concerns cases that were investigated by the forensic investigation team at 7Safe. Whilst removing any inaccuracies arising from self-reporting, the authors acknowledge that the limitation of the sample size remains. It is hoped that the unbiased reporting by independent investigators has yielded interesting facts about modern security breaches. All data in this study is based on genuine completed breach investigations conducted by the compromise investigation team over the last 18 months
    corecore