6 research outputs found

    HCAPP-SEC : selection and analysis of security assessment items based on heuristics and criteria

    Advisor: Mario Jino. Thesis (doctorate) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.

    Summary: Nowadays, software plays an important role in most industries and areas of activity. Aspects related to information security are critical, with a strong impact on the quality of systems. How can we know whether a given security assessment was good or sufficient? By means of criteria and heuristics it is possible to determine the sufficiency of a security assessment and, consequently, to analyze its quality. Knowledge sources (norms, standards, sets of test cases) and their assessment items are essential instruments for assessing the security of systems. To create more effective security assessment designs, it is necessary to know the security properties and assessment dimensions addressed by each item of a security knowledge source. In this thesis, an approach for selecting and analyzing security assessment items (HCApp-Sec) is proposed; its foundations come from assessment criteria and heuristics and aim to increase the coverage of assessment dimensions and security properties in assessment designs. The approach focuses on selecting assessment items systematically. The security assessment process is systematized by means of a conceptual formalization of the security assessment area; an ontology (SecAOnto) is used to make the main concepts explicit. HCApp-Sec can be applied to any security knowledge source to select or analyze assessment items with respect to 11 security properties and 6 assessment dimensions. The approach is flexible and allows other dimensions and properties to be incorporated. Our proposal aims to support: (i) the generation of high-coverage security assessment designs that include more comprehensive items with assured coverage of the main security characteristics and (ii) the evaluation of security knowledge sources with respect to their coverage of security aspects. In a case study, a mapping of security knowledge sources is presented. The proposal is then applied to a well-known security knowledge source (ISO/IEC 27001); its items are analyzed.

    Abstract: Nowadays, software plays an important role in most industries and application domains. The aspects related to information security are critical, with a strong impact on systems quality. How to know whether a particular security assessment was good or sufficient? By means of criteria and heuristics it is possible to determine the sufficiency of the security assessment and consequently to analyze its quality. Knowledge sources (standards, patterns, sets of test cases) and their assessment items are essential instruments for evaluation of systems security. To create security assessment designs with suitable assessment items we need to know which security properties and assessment dimensions are covered by each knowledge source. We propose an approach for selecting and analyzing security assessment items (HCApp-Sec); its foundations come from assessment criteria and heuristics and it aims to increase the coverage of assessment dimensions and security properties in assessment designs. Our proposal focuses on the selection of better assessment items in a systematic manner. We systematize the security assessment process by means of a conceptual formalization of the security assessment area; an ontology of security assessment makes explicit the main concepts. HCApp-Sec can be applied to any security knowledge source to select or analyze assessment items with respect to 11 security properties and 6 assessment dimensions. The approach is flexible and allows other dimensions and properties to be incorporated. Our proposal is meant to support: (i) the generation of high-coverage assessment designs which include security assessment items with assured coverage of the main security characteristics and (ii) evaluation of security standards with respect to coverage of security aspects. We have applied our proposal to a well-known security knowledge source (ISO/IEC 27001); its assessment items were analyzed.

    Doctorate. Computer Engineering. Doutor em Engenharia Elétric

    Method and tool for generating table of relevance in literature review (MTTR)

    Every day, researchers in computing and IT are challenged with several articles that they need to rate, classify and separate quickly and effectively to contextualize and further advance their research. It is considered that literature review is the most important step of discovery. Notably, a literature review is a part that allows the researcher to adjust the perspectives and limitations of an area of study. However, there is a lack of effective methods and tools for this activity. Often, traditional knowledge management techniques result in a “Gordian Knot” that slows down the process of literature review considerably. In this article, we present a Method and Tool for Generating Table of Relevance in Literature Review (MTTR). The MTTR is an innovative organizing method supported by software tools that make the literature review activity more efficient, faster and cheaper. An interesting feature of MTTR is data visualization using the Heat Map technique, Word Cloud and statistical techniques in designating and comparing each scientific article with the other relevant articles. The productivity gains in MTTR occur due to the automation in structuring and sorting scientific articles. In addition to efficiency, the lowest cost has the potential to place the MTTR as a preferred tool for the researcher. The anecdotal evidence reported in this article suggests that it is possible to carry out a literature review in a much shorter time with MTTR than in the traditional manner.

    A security testing process supported by an ontology environment : a conceptual proposal

    Information security is a critical issue in the context of today's complex and interconnected IT systems. Innovative testing approaches are demanded to verify whether the main security characteristics are provided in the systems. The conceptual formalization level required by security test processes can be supplied by semantic technologies. STEPONE is the Security TEst Process supported by ONtology Environment; its foundations come from largely accepted testing processes and security testing standards. The STPO (Security Testing Process Ontology) formalizes and makes explicit the main concepts of the domain. We present a conceptual characterization of STEP-ONE and describe a usage scenario to illustrate how the proposal can be applied. The main contributions are the conceptual process and the ontology. Our proposal is meant to be applied for the evaluation of IT systems with respect to security characteristics as well as to make systematic the security testing activities.

    IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA

    Brazil method of anti-malware evaluation and cyber defence impacts

    Cyber risk profoundly affects all. In the context of cyber threats, malware is trending in various productive sectors. Nowadays, anti-malware is essential to combat cyber threats; however, its efficiency is often questioned, because malware is different for different regions in the world. Choosing an efficient anti-malware software solution is crucial to protect information from different institutions. The method confirmed the reality of evaluating the different known methodologies, showing another scenario of efficiency of the different testers. The method allowed visualizing an interesting panorama because 50% of malware collected on the Brazilian Internet were detected by anti-malware commercially available in Brazil.