25 research outputs found

    Towards a Security Engineering Process Model for Electronic Business Processes

    Business process management (BPM) and accompanying systems aim at enabling enterprises to become adaptive. In spite of the dependency of enterprises on secure business processes, BPM languages and techniques provide only little support for security. Several complementary approaches have been proposed for security in the domain of BPM. Nevertheless, support for a systematic procedure for the development of secure electronic business processes is still missing. In this paper, we pinpoint the need for a security engineering process model in the domain of BPM and identify key requirements for such a process model. Comment: Ninth European Dependable Computing Conference (EDCC 2012)

    Security Risk Assessments: Modeling and Risk Level Propagation

    Security risk assessment is an important task in systems engineering. It is used to derive security requirements for a secure system design and to evaluate design alternatives as well as vulnerabilities. Security risk assessment is also a complex and interdisciplinary task, where experts from the application domain and the security domain have to collaborate and understand each other. Automated and tool-supported approaches are desired to help manage the complexity. However, the models used for system engineering usually focus on functional behavior and lack security-related aspects. Therefore, we present our modeling approach that alleviates communication between the involved experts and features steps of computer-aided modeling to achieve consistency and avoid omission errors. We demonstrate our approach with an example. We also describe how to model impact rating and attack feasibility estimation in a modular fashion, along with the propagation and aggregation of these estimations through the model. As a result, experts can make local decisions or changes in the model, which in turn provides the impact of these decisions or changes on the overall risk profile. Finally, we discuss the advantages of our model-based method

    Peroxisomal very long-chain fatty acid transport is targeted by herpesviruses and the antiviral host response

    Very long-chain fatty acids (VLCFA) are critical for human cytomegalovirus replication and accumulate upon infection. Here, we used Epstein-Barr virus (EBV) infection of human B cells to elucidate how herpesviruses target VLCFA metabolism. Gene expression profiling revealed that, despite a general induction of peroxisome-related genes, EBV early infection decreased expression of the peroxisomal VLCFA transporters ABCD1 and ABCD2, thus impairing VLCFA degradation. The mechanism underlying ABCD1 and ABCD2 repression involved RNA interference by the EBV-induced microRNAs miR-9-5p and miR-155, respectively, causing significantly increased VLCFA levels. Treatment with 25-hydroxycholesterol, an antiviral innate immune modulator produced by macrophages, restored ABCD1 expression and reduced VLCFA accumulation in EBV-infected B-lymphocytes, and, upon lytic reactivation, reduced virus production in control but not ABCD1-deficient cells. Finally, also other herpesviruses and coronaviruses target ABCD1 expression. Because viral infection might trigger neuroinflammation in X-linked adrenoleukodystrophy (X-ALD, inherited ABCD1 deficiency), we explored a possible link between EBV infection and cerebral X-ALD. However, neither immunohistochemistry of post-mortem brains nor analysis of EBV seropositivity in 35 X-ALD children supported involvement of EBV in the onset of neuroinflammation. Collectively, our findings indicate a previously unrecognized, pivotal role of ABCD1 in viral infection and host defence, prompting consideration of other viral triggers in cerebral X-ALD

    SecEPM: A security engineering process model for electronic business processes

    Business process management (BPM) and accompanying systems allow organizations to react faster both to environmental and market changes. Therefore, BPM is widely applied in industry. Although organizations depend on the secure enactment of electronic business processes, existing BPM languages and techniques provide only little support for security. Several approaches have been proposed to close the gap for security in the domain of BPM. Nevertheless, an approach to develop secure electronic business processes systematically is still missing. In this paper, we provide the design as well as key entities of our Security Engineering Process Model (SecEPM) for electronic business processes. SecEPM guides security, business process, and domain experts through the development of secure business processes from the identification of security goals to the selection and configuration of security controls. It integrates security in the development life cycle of electronic business processes in a flexible way, thus allowing for a secure, adaptable organization

    Testing Production Systems Safely: Common Precautions in Penetration Testing

    Unlike testing in a laboratory or test bed situation, the testing of production systems requires precautions to avoid side effects that might damage or disturb the system, its environment, or its users. This paper outlines safety precautions to be taken when testing production systems. Specifically we discuss precautions for penetration testing aiming at identifying security vulnerabilities. We generalize and document experience we gained as penetration testers, describing how the risks of testing can be mitigated through selection of test cases and techniques, partial isolation of subsystems and organizational measures. Though some of the precautions are specific to security testing, our experience might be helpful to anyone testing production systems

    Supporting Security Engineering at Design Time with Adequate Tooling

    Security engineering is considered to be a challenging task in order to build systems that remain dependable in the face of malice, error, or mischance. Recent approaches propose the application of domain specific modeling languages (DSMLs) in order to facilitate security engineering activities. To support the development and application of adequate DSMLs, agile approaches and frameworks to provide appropriate tooling are needed. In this paper, we document our experiences developing modeling tools for two different DSMLs in the domain of security engineering. We sketch the language and implementation requirements for our modeling tools, design and implementation considerations, and report on pitfalls and remaining issues with regard to the development of modeling tools based on our experiences.

    Modeling security risk assessments

    Security Risk Assessment is an important task in systems engineering and used to derive security requirements for a secure system design and the evaluation of design alternatives as well as vulnerabilities. Security Risk Assessment is a complex and interdisciplinary task, where experts from the application and the security domain have to collaborate and understand each other. Automated and tool-supported approaches are desired to help manage the complexity. However, the models used for system engineering usually focus on functional behavior and lack security-related aspects. For example, the consequences of security incidents, such as loss of intellectual property, are typically not modeled by system engineers. Therefore, we present our modeling approach that alleviates communication between the involved experts and features steps of computer aided modeling to achieve consistency and to avoid errors of omission. We demonstrate our approach with an example and discuss the resulting advantages