103,794 research outputs found
Proposing a secure component-based-application logic and system’s integration testing approach
Software engineering moved from traditional methods of software enterprise applications to com-ponent based development for distributed system’s applications. This new era has grown up forlast few years, with component-based methods, for design and rapid development of systems, butfact is that , deployment of all secure software features of technology into practical e-commercedistributed systems are higher rated target for intruders. Although most of research has been con-ducted on web application services that use a large share of the present software, but on the otherside Component Based Software in the middle tier ,which rapidly develops application logic, alsoopen security breaching opportunities .This research paper focus on a burning issue for researchersand scientists ,a weakest link in component based distributed system, logical attacks, that cannotbe detected with any intrusion detection system within the middle tier e-commerce distributed ap-plications. We proposed An Approach of Secure Designing application logic for distributed system,while dealing with logically vulnerability issue
Towards Guidelines for Preventing Critical Requirements Engineering Problems
Context] Problems in Requirements Engineering (RE) can lead to serious
consequences during the software development lifecycle. [Goal] The goal of this
paper is to propose empirically-based guidelines that can be used by different
types of organisations according to their size (small, medium or large) and
process model (agile or plan-driven) to help them in preventing such problems.
[Method] We analysed data from a survey on RE problems answered by 228
organisations in 10 different countries. [Results] We identified the most
critical RE problems, their causes and mitigation actions, organizing this
information by clusters of size and process model. Finally, we analysed the
causes and mitigation actions of the critical problems of each cluster to get
further insights into how to prevent them. [Conclusions] Based on our results,
we suggest preliminary guidelines for preventing critical RE problems in
response to context characteristics of the companies.Comment: Proceedings of the 42th Euromicro Conference on Software Engineering
and Advanced Applications, 201
On Evidence-based Risk Management in Requirements Engineering
Background: The sensitivity of Requirements Engineering (RE) to the context
makes it difficult to efficiently control problems therein, thus, hampering an
effective risk management devoted to allow for early corrective or even
preventive measures. Problem: There is still little empirical knowledge about
context-specific RE phenomena which would be necessary for an effective
context- sensitive risk management in RE. Goal: We propose and validate an
evidence-based approach to assess risks in RE using cross-company data about
problems, causes and effects. Research Method: We use survey data from 228
companies and build a probabilistic network that supports the forecast of
context-specific RE phenomena. We implement this approach using spreadsheets to
support a light-weight risk assessment. Results: Our results from an initial
validation in 6 companies strengthen our confidence that the approach increases
the awareness for individual risk factors in RE, and the feedback further
allows for disseminating our approach into practice.Comment: 20 pages, submitted to 10th Software Quality Days conference, 201
Vulnerability anti-patterns:a timeless way to capture poor software practices (Vulnerabilities)
There is a distinct communication gap between the software engineering and cybersecurity communities when it comes to addressing reoccurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that are created by software developers. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs), software developers perceiving security as an afterthought, and lack of consideration of security as part of the software development lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge. The cybersecurity community makes their expert knowledge available in forms including vulnerability databases such as CAPEC and CWE, and pattern catalogues such as Security Patterns, Attack Patterns, and Software Fault Patterns. However, these sources are not effective at providing software developers with an understanding of how malicious hackers can exploit vulnerabilities in the software systems they create. As developers are familiar with pattern-based approaches, this paper proposes the use of Vulnerability Anti-Patterns (VAP) to transfer usable vulnerability knowledge to developers, bridging the communication gap between security experts and software developers. The primary contribution of this paper is twofold: (1) it proposes a new pattern template – Vulnerability Anti-Pattern – that uses anti-patterns rather than patterns to capture and communicate knowledge of existing vulnerabilities, and (2) it proposes a catalogue of Vulnerability Anti-Patterns (VAP) based on the most commonly occurring vulnerabilities that software developers can use to learn how malicious hackers can exploit errors in software
Report from GI-Dagstuhl Seminar 16394: Software Performance Engineering in the DevOps World
This report documents the program and the outcomes of GI-Dagstuhl Seminar
16394 "Software Performance Engineering in the DevOps World".
The seminar addressed the problem of performance-aware DevOps. Both, DevOps
and performance engineering have been growing trends over the past one to two
years, in no small part due to the rise in importance of identifying
performance anomalies in the operations (Ops) of cloud and big data systems and
feeding these back to the development (Dev). However, so far, the research
community has treated software engineering, performance engineering, and cloud
computing mostly as individual research areas. We aimed to identify
cross-community collaboration, and to set the path for long-lasting
collaborations towards performance-aware DevOps.
The main goal of the seminar was to bring together young researchers (PhD
students in a later stage of their PhD, as well as PostDocs or Junior
Professors) in the areas of (i) software engineering, (ii) performance
engineering, and (iii) cloud computing and big data to present their current
research projects, to exchange experience and expertise, to discuss research
challenges, and to develop ideas for future collaborations
A Longitudinal Study of Identifying and Paying Down Architectural Debt
Architectural debt is a form of technical debt that derives from the gap
between the architectural design of the system as it "should be" compared to
"as it is". We measured architecture debt in two ways: 1) in terms of
system-wide coupling measures, and 2) in terms of the number and severity of
architectural flaws. In recent work it was shown that the amount of
architectural debt has a huge impact on software maintainability and evolution.
Consequently, detecting and reducing the debt is expected to make software more
amenable to change. This paper reports on a longitudinal study of a healthcare
communications product created by Brightsquid Secure Communications Corp. This
start-up company is facing the typical trade-off problem of desiring
responsiveness to change requests, but wanting to avoid the ever-increasing
effort that the accumulation of quick-and-dirty changes eventually incurs. In
the first stage of the study, we analyzed the status of the "before" system,
which indicated the impacts of change requests. This initial study motivated a
more in-depth analysis of architectural debt. The results of this analysis were
used to motivate a comprehensive refactoring of the software system. The third
phase of the study was a follow-on architectural debt analysis which quantified
the improvements made. Using this quantitative evidence, augmented by
qualitative evidence gathered from in-depth interviews with Brightsquid's
architects, we present lessons learned about the costs and benefits of paying
down architecture debt in practice.Comment: Submitted to ICSE-SEIP 201
Calculation of the Risk of Lawsuits over Construction Flaws in Flat Roofs
In order to achieve sustainability objectives in the use of a building, its elements’ operating
problems should be minimized. From this premise, a total of 497 cases related to construction flaws
in flat roofs were analyzed in this research. A matrix was developed indicating the risk of lawsuits
by owners according to the degree of nuisance resulting from the construction flaws studied, their
technical importance, and the type of pathological origin. Based on these factors, it is possible to
predict a greater or lesser probability of an owner filing a lawsuit—risk factor (F). A wide range was
found for this probability, with the largest value being 865 times greater than the smallest value.
The value of F was divided into 5 categories to classify the diverse results obtained and determine the
number of cases and interrelations ascribed to each category. Additionally, the level of presence of
said cases was calculated through the analysis of 3 di erent demographic aspects, it being noted
that a greater purchasing power and a higher concentration of urban population lead to more
stringent requirements and, subsequently, to a greater number of lawsuits. With all these results,
building quality can be improved while resulting in greater constructive-financial sustainability
and in a reduction of the economic resources required of society (fewer lawsuits and associated
human resources)
Algorithm Selection Framework for Cyber Attack Detection
The number of cyber threats against both wired and wireless computer systems
and other components of the Internet of Things continues to increase annually.
In this work, an algorithm selection framework is employed on the NSL-KDD data
set and a novel paradigm of machine learning taxonomy is presented. The
framework uses a combination of user input and meta-features to select the best
algorithm to detect cyber attacks on a network. Performance is compared between
a rule-of-thumb strategy and a meta-learning strategy. The framework removes
the conjecture of the common trial-and-error algorithm selection method. The
framework recommends five algorithms from the taxonomy. Both strategies
recommend a high-performing algorithm, though not the best performing. The work
demonstrates the close connectedness between algorithm selection and the
taxonomy for which it is premised.Comment: 6 pages, 7 figures, 1 table, accepted to WiseML '2
The Federal Information Security Management Act of 2002: A Potemkin Village
Due to the daunting possibilities of cyberwarfare, and the ease with which cyberattacks may be conducted, the United Nations has warned that the next world war could be initiated through worldwide cyberattacks between countries. In response to the growing threat of cyberwarfare and the increasing importance of information security, Congress passed the Federal Information Security Management Act of 2002 (FISMA). FISMA recognizes the importance of information security to the national economic and security interests of the United States. However, this Note argues that FISMA has failed to significantly bolster information security, primarily because FISMA treats information security as a technological problem and not an economic problem. This Note analyzes existing proposals to incentivize heightened software quality assurance, and proposes a new solution designed to strengthen federal information security in light of the failings of FISMA and the trappings of Congress’s 2001 amendment to the Computer Fraud and Abuse Act
- …