27 research outputs found

    Towards a Security Engineering Process Model for Electronic Business Processes

    Business process management (BPM) and accompanying systems aim at enabling enterprises to become adaptive. In spite of the dependency of enterprises on secure business processes, BPM languages and techniques provide only little support for security. Several complementary approaches have been proposed for security in the domain of BPM. Nevertheless, support for a systematic procedure for the development of secure electronic business processes is still missing. In this paper, we pinpoint the need for a security engineering process model in the domain of BPM and identify key requirements for such a process model. Comment: Ninth European Dependable Computing Conference (EDCC 2012)

    eNAQ: A prototype for an electronic version of the UN national accounts questionnaire

    Security Risk Assessments: Modeling and Risk Level Propagation

    Security risk assessment is an important task in systems engineering. It is used to derive security requirements for a secure system design and to evaluate design alternatives as well as vulnerabilities. Security risk assessment is also a complex and interdisciplinary task, where experts from the application domain and the security domain have to collaborate and understand each other. Automated and tool-supported approaches are desired to help manage the complexity. However, the models used for system engineering usually focus on functional behavior and lack security-related aspects. Therefore, we present our modeling approach that alleviates communication between the involved experts and features steps of computer-aided modeling to achieve consistency and avoid omission errors. We demonstrate our approach with an example. We also describe how to model impact rating and attack feasibility estimation in a modular fashion, along with the propagation and aggregation of these estimations through the model. As a result, experts can make local decisions or changes in the model, which in turn provides the impact of these decisions or changes on the overall risk profile. Finally, we discuss the advantages of our model-based method

    Peroxisomal very long-chain fatty acid transport is targeted by herpesviruses and the antiviral host response

    Very long-chain fatty acids (VLCFA) are critical for human cytomegalovirus replication and accumulate upon infection. Here, we used Epstein-Barr virus (EBV) infection of human B cells to elucidate how herpesviruses target VLCFA metabolism. Gene expression profiling revealed that, despite a general induction of peroxisome-related genes, EBV early infection decreased expression of the peroxisomal VLCFA transporters ABCD1 and ABCD2, thus impairing VLCFA degradation. The mechanism underlying ABCD1 and ABCD2 repression involved RNA interference by the EBV-induced microRNAs miR-9-5p and miR-155, respectively, causing significantly increased VLCFA levels. Treatment with 25-hydroxycholesterol, an antiviral innate immune modulator produced by macrophages, restored ABCD1 expression and reduced VLCFA accumulation in EBV-infected B-lymphocytes, and, upon lytic reactivation, reduced virus production in control but not ABCD1-deficient cells. Finally, also other herpesviruses and coronaviruses target ABCD1 expression. Because viral infection might trigger neuroinflammation in X-linked adrenoleukodystrophy (X-ALD, inherited ABCD1 deficiency), we explored a possible link between EBV infection and cerebral X-ALD. However, neither immunohistochemistry of post-mortem brains nor analysis of EBV seropositivity in 35 X-ALD children supported involvement of EBV in the onset of neuroinflammation. Collectively, our findings indicate a previously unrecognized, pivotal role of ABCD1 in viral infection and host defence, prompting consideration of other viral triggers in cerebral X-ALD

    SecEPM: A security engineering process model for electronic business processes

    Business process management (BPM) and accompanying systems allow organizations to react faster both to environmental and market changes. Therefore, BPM is widely applied in industry. Although organizations depend on the secure enactment of electronic business processes, existing BPM languages and techniques provide only little support for security. Several approaches have been proposed to close the gap for security in the domain of BPM. Nevertheless, an approach to develop secure electronic business processes systematically is still missing. In this paper, we provide the design as well as key entities of our Security Engineering Process Model (SecEPM) for electronic business processes. SecEPM guides security, business process, and domain experts through the development of secure business processes from the identification of security goals to the selection and configuration of security controls. It integrates security in the development life cycle of electronic business processes in a flexible way, thus allowing for a secure, adaptable organization.

    Modell-basiertes Security Engineering elektronischer Geschäftsprozesse

    In this thesis we develop a security engineering framework in the domain of business process management that bridges the gap between business process models on one side and the design of proper controls and their configuration on the other side. Our proposal aims at capacitating people with low security background, providing flexibility as well as means for customization, and offering integration possibilities into existing development processes and tool chains. Our study indicates the utility of our framework in order to develop secure electronic business processes. Furthermore, we lay out advantages of our framework over existing approaches applying systematically derived evaluation criteria.

    Testing Production Systems Safely: Common Precautions in Penetration Testing

    Unlike testing in a laboratory or test bed situation, the testing of production systems requires precautions to avoid side effects that might damage or disturb the system, its environment, or its users. This paper outlines safety precautions to be taken when testing production systems. Specifically we discuss precautions for penetration testing aiming at identifying security vulnerabilities. We generalize and document experience we gained as penetration testers, describing how the risks of testing can be mitigated through selection of test cases and techniques, partial isolation of subsystems and organizational measures. Though some of the precautions are specific to security testing, our experience might be helpful to anyone testing production systems