81,274 research outputs found
Vulnerability anti-patterns:a timeless way to capture poor software practices (Vulnerabilities)
There is a distinct communication gap between the software engineering and cybersecurity communities when it comes to addressing reoccurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that are created by software developers. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs), software developers perceiving security as an afterthought, and lack of consideration of security as part of the software development lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge. The cybersecurity community makes their expert knowledge available in forms including vulnerability databases such as CAPEC and CWE, and pattern catalogues such as Security Patterns, Attack Patterns, and Software Fault Patterns. However, these sources are not effective at providing software developers with an understanding of how malicious hackers can exploit vulnerabilities in the software systems they create. As developers are familiar with pattern-based approaches, this paper proposes the use of Vulnerability Anti-Patterns (VAP) to transfer usable vulnerability knowledge to developers, bridging the communication gap between security experts and software developers. The primary contribution of this paper is twofold: (1) it proposes a new pattern template – Vulnerability Anti-Pattern – that uses anti-patterns rather than patterns to capture and communicate knowledge of existing vulnerabilities, and (2) it proposes a catalogue of Vulnerability Anti-Patterns (VAP) based on the most commonly occurring vulnerabilities that software developers can use to learn how malicious hackers can exploit errors in software
Towards a Layered Architectural View for Security Analysis in SCADA Systems
Supervisory Control and Data Acquisition (SCADA) systems support and control
the operation of many critical infrastructures that our society depend on, such
as power grids. Since SCADA systems become a target for cyber attacks and the
potential impact of a successful attack could lead to disastrous consequences
in the physical world, ensuring the security of these systems is of vital
importance. A fundamental prerequisite to securing a SCADA system is a clear
understanding and a consistent view of its architecture. However, because of
the complexity and scale of SCADA systems, this is challenging to acquire. In
this paper, we propose a layered architectural view for SCADA systems, which
aims at building a common ground among stakeholders and supporting the
implementation of security analysis. In order to manage the complexity and
scale, we define four interrelated architectural layers, and uses the concept
of viewpoints to focus on a subset of the system. We indicate the applicability
of our approach in the context of SCADA system security analysis.Comment: 7 pages, 4 figure
Idea-caution before exploitation:the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities
The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed
Cyberpsychology and Human Factors
The online environment has become a significant focus of the everyday behaviour and activities of individuals and organisations in contemporary society. The increasing mediation of communication has led to concerns about the potential risks and associated negative experiences which can occur to users, particularly children and young people. This is related to the emergence of the online environment as a location for criminal and abusive behaviour (e.g., harassment, sexual exploitation, fraud, hacking, malware). One of the key aspects of understanding online victimisation and engagement in criminal behaviours is the characteristics of online communication that are related to the affordances of the technologies, services and applications which constitute digital environments. The aim of this paper is to examine the influence of these characteristics on individual and group behaviour, as well as the associated opportunities for victimisation and criminal behaviour. These issues are of relevance for those involved in the design and implementation of technologies and services, as the ability to assess their potential use in this way can enhance strategies for improving the security of systems and users. It can also inform educational strategies for increasing user understanding of potential informational, privacy and personal risks, and associated steps to improve their security and privacy. Each of the main characteristics of mediated communication is examined, as well as their potential impact on individual and group behaviour, and associated opportunities for victimisation and offending. The article ends by considering the importance of recognising these issues when designing and implementing new technologies, services and applications
Web development evolution: the business perspective on security
Protection of data, information, and knowledge is a hot topic in today’s business environment. Societal, legislative and consumer pressures are forcing companies to examine business strategies, modify processes and acknowledge security to accept and defend accountability. Research indicates that a significant portion of the financial losses is due to straight forward software design errors. Security should be addressed throughout the application development process via an independent methodology containing customizable components. The methodology is designed to integrate with an organization’s existing software development processes while providing structure to implement secure applications, helping companies mitigate hard and soft costs
- …