164 research outputs found

    Risk in the Age of Software Security

    For general applications, it is way too costly to aim for 100% secure software; for complex systems it may even be impossible. To achieve effective software security at reasonable cost, it is thus necessary to identify which parts of the software are more critical regarding security, and determine which activities will be most efficient and effective in securing the software product.

    Putting the "Account" into Cloud Accountability

    Security concerns are often cited as the most prominent reason for not using cloud computing, but customers of cloud users, especially end-users, frequently do not understand the need to control access to personal information. On the other hand, some users might understand the risk, and yet have inadequate means to address it. In order to make the Cloud a viable alternative for all, accountability of the service providers is key, and with the advent of the EU General Data Protection Regulation (GDPR), ignoring accountability is something providers in the EU market will do at their peril. To be able to hold cloud service providers accountable for how they manage personal, sensitive and confidential information, there is a need for mechanisms that can mitigate risk, identify emerging risks, monitor policy violations, manage any incidents, and provide redress. We believe that being able to offer accountability as part of the service provision will represent a competitive edge for service providers catering to discerning cloud customers, also outside the GDPR sphere of influence. This paper will outline the fundamentals of accountability, and provide more details on what the actual "account" is all about.

    Exploring the need for a CERT for the Norwegian Construction Sector

    This paper presents an empirical study on the need for sector-specific CERT capacity in the Norwegian construction sector. Findings from the interviews demonstrate a need for developing competence in ICT security in this sector. The actors express a desire for a forum for sharing information and learning from other actors within the industry. In our estimation, there is insufficient support in the industry to create a “full-blown” CERT/CSIRT. However, it seems that all the interviewees are positive about the idea of creating an ISAC-like forum.

    Five Things You Should Not Use Blockchain For

    The Bitcoin fever notwithstanding, the underlying blockchain technology cannot solve all data exchange and product needs, as some seem to believe. This paper provides examples of problems that we believe are poorly suited to a blockchain solution.

    A Survey on Infrastructure-as-Code Solutions for Cloud Development

    Cloud software is increasingly written according to the DevOps paradigm, where use of virtualization and Infrastructure-as-Code is prevalent. This paper surveys the state of the art of IaC cloud development, and proposes a combination of Cloud-Native software to build an on-premise PaaS for a Security Lab.

    Automating Security in a Continuous Integration Pipeline

    Traditional approaches to software security are based on manual methods, which tend to stall development, leading to inefficiency. To speed up a software development lifecycle, security needs to be integrated and automated into the development process. This paper will identify solutions for automating the security phase into a continuous software delivery process, integrating security tools into a GitHub repository by using GitHub Actions to create automated vulnerability scanning workflows for a software project.

    Exam Desk Layout Generator Using the Backtracking Algorithm (Generator Denah Meja Ujian dengan Implementasi Algoritma Backtracking)

    Several studies have identified that the most common cheating technique is exchanging answers with the students seated closest, or looking at their answers without their knowledge (Davis, et al, 1998). In this study, an exam desk layout generator was built so that each exam desk has a question code different from that of its vertical, horizontal and diagonal neighbours, by implementing the backtracking algorithm. Testing was then performed on matrices of various dimensions, with the number of question codes ranging from 1 to 9. From the test results it was concluded that for a number of question codes < 4, the problem has no solution unless the number of rows or columns of the matrix is also < 4. For a number of question codes ≥ 4, the problem always has a solution regardless of the matrix dimensions. Keywords: cheating, backtracking algorithm, exam desk layout generator, matrix, distribution of exam question codes.

    Saving Nine Without Stitching in Time: Integrity Check After-the-fact

    Electrical substations transform voltage from high to low, or low to high for distribution and transmission, respectively, and are a critical part of our electricity infrastructure. The state of a substation is continuously measured for monitoring, controlling and protection purposes, using synchrophasor measurements. The IEC 61850 standard defines communication protocols for electrical substations, including transmission of synchrophasor measurements. However, IEC 61850 does not properly address cyber security, leaving this critical infrastructure highly vulnerable to cyber attacks. This paper describes the development and testing of a novel mechanism for delayed integrity check for synchrophasor measurements. The results show that the solution manages to detect when integrity of the synchrophasor transmission is compromised, without adding any delay to the time-critical synchrophasor transmission itself.
