11 research outputs found

    Auditing for ISO 9001 requirements in the context of agile software processes

    ISO 9001 demands of (software) organizations that a rigorous demonstration of their software processes be implemented and that a set of guidelines be followed at various levels of abstraction. What these organizations need to show, in other words, is that their software processes have been designed and implemented in a way that allows for a level of configuration and operation that complies with ISO 9001 requirements. For software organizations needing ISO 9001 certification, it is important that they establish a software process life cycle that can manage the requirements imposed by this certification standard. However, software organizations that develop their software products using agile software processes, such as Extreme Programming (agile-XP), face a number of challenges in their effort to demonstrate that their process activities conform to ISO 9001 requirements, the major ones being product construction, traceability, and measurement. Agile software organizations must provide evidence of ISO 9001 conformity, and they need to develop their own procedures, tools, and methodologies to do so. As yet, there is no consensus on how to audit an agile software organization to ensure that its software processes have been designed and implemented in conformity with ISO 9001 requirements. Moreover, it is challenging to ensure that such lightweight documentation methodologies meet these requirements for certification purposes. The motivation of this research is to help software organizations that use agile software processes in their effort to meet the ISO 9001 certification requirements. This research project is also aimed at helping IS auditors extract auditing evidence that demonstrates conformity to the ISO 9001 requirements that must be met by agile software organizations. Extreme Programming (agile-XP) has been selected for improvement as the candidate agile process. This selection was based on the literature indicating a higher adoption of agile-XP over other agile software processes. The goal of this research project is to improve the ability of the agile-XP process to meet the auditing requirements of ISO 9001. The goal of the research also focuses on helping agile software organizations in their effort to become ISO 9001 certified. The main objective of this research project is to design an auditing model that covers the measurement and traceability requirements of ISO 9001. The auditing model should provide IS auditors with auditing evidence that software projects developed with the agile-XP process have fulfilled the requirements of ISO 9001. The objective also proposes several sub-processes to enhance the early planning activities of agile-XP according to ISO 9001 requirements. To achieve these objectives, the main phases of the research methodology are: investigation of the capability of agile-XP to achieve the requirements of ISO 9001 software process certification; modification of the early phases of agile-XP (i.e. the release planning phase) using CMMI-DEV; and design of an auditing model for ISO 9001 traceability and measurement requirements. The main outcome of this research study is an auditing model that is aligned with the principles of agile-XP and focuses on ISO 9001 traceability and measurement requirements, providing IS auditors with a methodological approach for the auditing process. The auditing model has been assessed based on case studies selected from the literature.

    Authentication techniques in smart grid: a systematic review

    Smart Grid (SG) enhances existing grids with two-way communication between the utility, sensors, and consumers, deploying smart sensors to monitor and manage power consumption. However, because SG components are vulnerable, securing component authenticity requires robust authentication approaches that fit the limited resources available (i.e. in terms of memory and computational power). SG communication therefore calls for authentication approaches of optimum efficiency that avoid any extraneous burden. This systematic review analyses 27 papers on SG authentication techniques and their effectiveness in mitigating certain attacks. This provides a basis for the design and use of optimized SG authentication approaches.

    Advanced security testing using a cyber-attack forecasting model: A case study of financial institutions

    As the number of cyber-attacks on financial institutions has increased over the past few years, an advanced system that is capable of predicting the target of an attack is essential. Such a system needs to be integrated into the existing detection systems of financial institutions, as it provides them with proactive controls with which to halt an attack by predicting patterns. Advanced prediction systems also enhance the software design and security testing of new advanced cyber-security measures by providing new testing scenarios supported by attack forecasting. The present study developed a model that forecasts future network-based cyber-attacks on financial institutions using a deep neural network. The dataset that was used to train and test the model consisted of some of the biggest cyber-attacks on banking institutions over the past three years. This provided insight into new patterns that may end in a cyber-crime. These new attacks were also evaluated to determine behavioral similarities with the nearest known attack or a combination of several existing attacks. The performance of the forecasting model was then evaluated in a real banking environment and provided a forecasting accuracy of 90.36%. As such, financial institutions can use the proposed forecasting model to improve their security testing measures.

    Extending Extreme Programming User Stories to Meet ISO 9001 Formality Requirements


    Software Design and Experimental Evaluation of a Reduced AES for IoT Applications

    IoT devices include RFID tags, microprocessors, sensors, readers, and actuators. Their main characteristics are their limited resources and computing capabilities, which pose critical challenges to the reliability and security of their applications. Encryption is necessary for security when using these limited-resource devices, but conventional cryptographic algorithms are too heavyweight and resource-demanding to run on IoT infrastructures. This paper presents a lightweight version of AES (called LAES), which provides competitive results in terms of randomness levels and processing time, operating on GF(2^4). Detailed mathematical operations and proofs are presented concerning the design fundamentals of the LAES rounds. The proposed LAES algorithm is evaluated based on its randomness, performance, and power consumption; it is then compared to other cryptographic algorithm variants, namely PRESENT, CLEFIA, and AES. The randomness and performance analysis is based on six measures developed with the help of the NIST statistical test suite for cryptographic applications. The performance and power consumption of LAES on a low-power, 8-bit microcontroller unit were evaluated using an Arduino Uno board. LAES was found to have competitive randomness levels, processing times, and power consumption compared to PRESENT, CLEFIA, and AES.

    Mitigating Evil Twin Attacks in Wireless 802.11 Networks at Jordan

    Thinking twice before connecting to a public Wi-Fi network at a coffee shop, hotel or airport lounge is a must nowadays. Every Wi-Fi user should be cautious about whether the free Wi-Fi hotspot they are allowed to connect to is authentic or nothing but a rogue access point. Rogue access points (also known as evil twin access points) allow an attacker to eavesdrop on network traffic, to intercept the data the victims exchange, or even to alter that data while en route. The objective of this study, which is to be conducted in Jordan, is to assess the security level in this area and to remedy the weaknesses wherever they are found. This paper gives a statistical survey to illustrate the threat level of such fake access points, and then analyzes the weaknesses and strengths of existing security measures in order to raise people's awareness of this kind of attack.