15 research outputs found

    Security Testing with Misuse Case Modeling

    Having a comprehensive model of security requirements is a crucial step towards developing a reliable software system. A model of security requirements that describes the scenarios that may affect the security of the system under development is also an effective basis for generating security test cases. The misuse case was first proposed by Sindre and Opdahl as an approach to eliciting the security requirements of the system under development [1]. A misuse case is a use case representing scenarios that an adversary might follow in order to compromise the system, that is, behavior that should not happen in the system. Because misuse cases model potential threats to the system under development, they are also an effective approach for suggesting mitigation mechanisms. A mitigation use case is a use case that represents the countermeasure requirements of a misuse case. By describing the security threats from the adversary's point of view, a misuse case provides an effective basis for security testing of the interactions between the adversary and the system under development. Security testing also needs to verify the security mechanisms of the system against misuse cases; thus, by representing the security requirements of the system, mitigation use cases are likewise a good basis for security testing. Misuse cases and mitigation use cases are ordinarily described in natural language. Unfortunately, this limits the ability to generate security test cases from them. This thesis presents a new, structured approach to generating security test cases from a security test model, represented as a Predicate/Transition (PrT) net, that is extracted from the textual description of the misuse cases and their accompanying mitigation use cases. This approach enables system developers to model misuse cases with their accompanying mitigation use cases and then generate security test cases from the resulting security test models, ensuring that the potential attacks are mitigated appropriately during the software development process. The approach has been applied to two real-world applications: FileZilla Server, a popular FTP server written in C++ [19], and a Grant Proposal Management System (GPMS) written in Java. Experimental results show that the generated security test cases are efficient test cases that revealed many security vulnerabilities during the development of GPMS and killed the majority of the FileZilla Server mutants with seeded vulnerabilities.

    Gonococcal Isolate Surveillance Project (GISP) and Enhanced GISP (eGISP) protocol

    In 2020, gonorrhea was the second most common notifiable sexually transmitted infection in the United States (US), with over 677,769 cases reported to the Centers for Disease Control and Prevention (CDC). The treatment and control of infections due to Neisseria gonorrhoeae have been complicated by the organism’s ability to acquire antimicrobial resistance. The Gonococcal Isolate Surveillance Project (GISP), established in 1986, has functioned as the national surveillance system for antibiotic-resistant gonorrhea in the US. It was established not only to monitor susceptibility trends in N. gonorrhoeae strains, but also to function as a rational basis for the selection of gonococcal therapies. GISP data on susceptibility trends from male gonococcal urethral isolates have provided critical input to the CDC's STD Treatment Guidelines, directly informing gonorrhea treatment recommendations in 1989, 1993, 1998, 2002, 2006, 2007, 2010, 2012, 2015, 2020, and 2021. In 2013, CDC released Antibiotic Resistance Threats in the United States, the first report to look at the burden and threats posed by antibiotic resistance to human health, which named antibiotic-resistant gonorrhea among the three most urgent threats of its kind in the country. This report was updated in 2019 and retained gonorrhea as one of the urgent threats in the US. In 2014, the White House developed the National Strategy to Combat Antibiotic-Resistant Bacteria (CARB), calling for the prevention, detection, and control of antibiotic resistance. Using CARB funds, the Antimicrobial Regional Laboratory Network (ARLN), a network of seven regional public health laboratories that provides cutting-edge antimicrobial resistance laboratory support, was established in 2016. The CDC Division of STD Prevention (DSTDP) supports activities that aim to slow the development of antimicrobial-resistant (AMR) gonorrhea and prevent its spread. To build robust capacity for culture-based antimicrobial susceptibility testing (AST) and genomic sequencing of N. gonorrhoeae isolates, four laboratories in the ARLN were funded for N. gonorrhoeae activities. Starting in 2017, these four laboratories began functioning as the regional laboratories for GISP.

    Gonococcal Isolate Surveillance Project (GISP) and Enhanced GISP (eGISP) protocol

    In 2019, gonorrhea was the second most commonly reported notifiable disease in the United States (US), with over 616,392 cases reported to the Centers for Disease Control and Prevention (CDC). The treatment and control of infections due to Neisseria gonorrhoeae have been complicated by the organism’s ability to acquire antimicrobial resistance. The Gonococcal Isolate Surveillance Project (GISP), established in 1986, has functioned as the national surveillance system for antibiotic-resistant gonorrhea in the US. It was established not only to monitor susceptibility trends in N. gonorrhoeae strains, but also to function as a rational basis for the selection of gonococcal therapies. GISP data on susceptibility trends from male gonococcal urethral isolates have provided critical input to the CDC's STD Treatment Guidelines, directly informing gonorrhea treatment recommendations in 1989, 1993, 1998, 2002, 2006, 2007, 2010, 2012, 2015, 2020, and 2021. In 2013, CDC released Antibiotic Resistance Threats in the United States, the first report to look at the burden and threats posed by antibiotic resistance to human health, which named antibiotic-resistant gonorrhea among the three most urgent threats of its kind in the country. This report was updated in 2019 and retained gonorrhea as one of the urgent threats in the US. In 2014, the White House developed the National Strategy to Combat Antibiotic-Resistant Bacteria (CARB), calling for the prevention, detection, and control of antibiotic resistance. Using CARB funds, the Antimicrobial Regional Laboratory Network (ARLN), a network of seven regional public health laboratories that provides cutting-edge antimicrobial resistance laboratory support, was established in 2016. The CDC Division of STD Prevention (DSTDP) supports activities that aim to slow the development of antimicrobial-resistant (AMR) gonorrhea and prevent its spread. To build robust capacity for culture-based antimicrobial susceptibility testing (AST) and genomic sequencing of N. gonorrhoeae isolates, four laboratories in the ARLN were funded for N. gonorrhoeae activities. Starting in 2017, these four laboratories began functioning as the regional laboratories for GISP. In 2017, GISP was also expanded in a subset of clinical sites to conduct N. gonorrhoeae surveillance in non-urethral isolates (i.e., pharyngeal, rectal, and endocervical isolates) and to evaluate the burden of urethritis/cervicitis associated with N. meningitidis through surveillance of urethral and non-urethral isolates. The Enhanced Gonococcal Isolate Surveillance Program (eGISP) was established to help understand whether the pharynx and/or rectum may be anatomic niches that select for or foster resistance, and to evaluate whether gonococcal susceptibility patterns may vary between men and women. Additionally, Neisseria species, including the two pathogens N. gonorrhoeae and N. meningitidis, have similar morphology on culture and Gram stain, requiring species-specific confirmatory tests to distinguish them. Given that N. meningitidis urethritis/cervicitis is not a reportable disease in the US, and that labs do not routinely test genitourinary specimens for N. meningitidis, additional data on the epidemiology and biology of N. meningitidis urethritis/cervicitis are needed. In 2021, a new surveillance component was added to eGISP to include the evaluation of known resistance-associated genetic markers from remnant nucleic acid amplification tests (NAAT). This molecular surveillance project was added to improve the identification of resistant gonorrhea in a culture-independent manner. Culture remains the best way to detect novel AMR mutations in gonorrhea, but molecular surveillance has the potential to increase the availability of resistant gonorrhea detection in the US, especially in locations without culture capacity.

    A Perception of the Practice of Software Security and Performance Verification

    Security and performance are critical non-functional requirements for software systems. Thus, it is crucial to include verification activities during software development to identify defects related to such requirements and avoid their occurrence after release. Software verification, including testing and reviews, encompasses a set of activities whose purpose is to analyze the software in search of defects. Security and performance verification are the activities that look for defects related to these specific quality attributes. Few empirical studies have focused on the state of practice in security and performance verification. This paper presents the results of a case study performed in the context of Brazilian organizations, aiming to characterize security and performance verification practices. Additionally, it provides a set of conjectures indicating recommendations to improve security and performance verification activities.

    Analysis, design, and construction of a Web videoconferencing application using the Web Real-Time Communication protocol

    This document aims to detail the construction of a videoconferencing system that allows users of the Universidad Politécnica Salesiana to receive classes virtually, in order to provide an alternative when a problem arises that may interfere with the schedule of activities already established by the university. The program was developed based on the requirements of teachers and students. The system is hosted in the cloud on a Linux server that was configured for developing the software; the configuration consisted of installing packages and dependencies and setting up communication ports and protocols. The document is structured as follows: chapter 1 contains all the information regarding the university and the theoretical concepts used in developing the software; chapter 2 contains the analysis carried out to define the project requirements, the design based on the diagrams that define the behavior of the system, and the feasibility analyses that determine whether the project is viable; and finally chapter 3 contains all the relevant information on the code together with the tests executed, which verify that the project can be an alternative to other solutions.

    Evaluation of Efficiency of Cybersecurity

    The purpose of the thesis is to research how effectively cybersecurity has succeeded in its mission. The thesis used multiple research methods to get the best possible answer, and the literature review was systematic. However, the conclusion of the research was that the study is unable to either confirm or reject the main working hypothesis. The study is unable to do so because of the lack of proper theories to describe the phenomena in security and cybersecurity, and the lack of proper metrics to give valid and sound conclusions about the effectiveness of cybersecurity and how well cybersecurity has succeeded in its mission to effectively prevent and mitigate cybercrime. Therefore, the science of security and the science of cybersecurity are underdeveloped in 2018. The research has made basic discoveries about the development of cybersecurity and security. A direction for further basic research is to establish a general theory of security which describes threat variables (their intention, resources, competence and progress) and axioms by which threat variables can be measured with reliability; the theory would describe which measures to prevent and mitigate are effective and which are not, and finally establish proper metrics to measure the efficiency of security and cybersecurity with reliability and validity.

    Conservation genomics: speciation of the Neotropical damselfly species Megaloprepus caerulatus – as a model for insect speciation in tropical rainforests

    The work presented in this thesis is located at the interface between ecology, evolution and developmental biology. It addresses theories and questions in population biology, phylogeography and speciation as well as methodological approaches for applying Next Generation Sequencing (NGS) data. In the center of this thesis stands the world’s largest extant damselfly, Megaloprepus caerulatus, as a model system for primary rainforests