Your search keyword '"COMPUTER software security"' showing total 169 results

1. CPL-Net: A Malware Detection Network Based on Parallel CNN and LSTM Feature Fusion.

Author

Lu, Jun, Ren, Xiaokai, Zhang, Jiaxin, and Wang, Ting

Subjects

COMPUTER security, CONVOLUTIONAL neural networks, COMPUTER software security, MALWARE, COMPUTER network security, INTERNET security, FEATURE extraction

Abstract

Malware is a significant threat to the field of cyber security. There is a wide variety of malware, which can be programmed to threaten computer security by exploiting various networks, operating systems, software and physical security vulnerabilities. So, detecting malware has become a significant part of maintaining network security. In this paper, data enhancement techniques are used in the data preprocessing stage, then a novel detection mode—CPL-Net employing malware texture image—is proposed. The model consists of a feature extraction component, a feature fusion component and a classification component, the core of which is based on the parallel fusion of spatio-temporal features by Convolutional Neural Networks (CNN) and Long Short-Term Memory networks (LSTM). Through experiments, it has been proven that CPL-Net can achieve an accuracy of 98.7% and an F1 score of 98.6% for malware. The model uses a novel feature fusion approach and achieves a comprehensive and precise malware detection. [ABSTRACT FROM AUTHOR]

Published

2023

2. A machine learning approach for digital watermarking.

Author

Nematollahi, Mohammad Ali

Subjects

*INFORMATION technology security, *MACHINE learning, *DIGITAL watermarking, *COMPUTER security, *DIGITAL learning, *DEEP learning, *COMPUTER software security

Abstract

Recently, machine learning (ML) has been applying in almost all scientific fields to model and simulate the behaviour of complex systems. At the same time, the number of the proposed watermarking techniques have been increasing every year. Although most of the researchers in the watermarking and data hiding field put all their effort to compete each other to develop more efficient algorithm, the selection of the most efficient one is almost impossible for industries or software developers. In other words, comparison among all the watermarking techniques in order to select one watermarking technique would be cumbersome task. Moreover, the computer security is becoming more advanced which a single watermark technique cannot fulfil all the required criteria and there is a chance that an anti-watermarking is developed to remove the embedded watermark from the host data. This gap of knowledge to use the watermarking technology for a highly secure application is a real nightmare for the information security engineers and software designers. In this paper, two new approaches are proposed to train deep learning and shallow learning models based on the state-of-the-arts watermarking techniques. For these proposed approaches, several ML algorithms are applied to model various watermarked data, which are watermarked by different watermarking techniques in various spectrums and domains. An experimental setup is constructed based on several speeches, audios, images and videos beside the Amazon Sagemaker as ML modelling to implement the proposed approach. The experimental results show that apart from an overall effectiveness of the model, it would resolve some ambiguities by applying the proposed ML approach as a general watermarking workflow. [ABSTRACT FROM AUTHOR]

Published

2023

3. Context-Based Support to Enhance Developers' Learning of Software Security.

Author

Wen, Shao-Fang

Subjects

COMPUTER software security, INFORMATION technology security, COMPUTER security, SCIENTIFIC method, SOFTWARE engineering, DATA security

Abstract

Software security is an ongoing problem, largely due to a lack of security knowledge among software developers from diverse backgrounds. To counter this, security experts are attempting to offer a broad range of knowledge resources to enlighten developers about increasing cybersecurity threats. Unfortunately, the abundance of knowledge resources does not seem to have much of an impact on reducing the issue of software security. The ineffective teaching and learning approaches for software security have created difficulties for developers in learning security knowledge. This research employs a four-cycle of Design Science Research Methodology (DSRM) to integrate necessary elements in the development of a context-based learning system for security education and learning. The final artifact is an ontology-based web application that facilitates a contextualized learning process by providing security knowledge through contextual software cases. Through evaluation in pedagogical and software development environments, it is proven to contribute a viable solution to the problem domain. While these results are positive, the innovative context-based artifact benefits not only the domain of software engineering but also other educational fields, such as information security and computer security. [ABSTRACT FROM AUTHOR]

Published

2023

4. Fuzzing: Hack, Art, and Science.

Author

GODEFROID, PATRICE

Subjects

*COMPUTER software security, *COMPUTER security, *COMPUTER software development

Abstract

The article discusses the software security concept of fuzz testing, also known as fuzzing, and its significance in discovering computer security vulnerabilities. It also examines static program analyzers and manual code inspection.

Published

2020

5. Survey of Approaches and Techniques for Security Verification of Computer Systems.

Author

ERATA, FERHAT, SHUWEN DENG, ZAGHLOUL, FAISAL, WENJIE XIONG, DEMIR, ONUR, and SZEFER, JAKUB

Subjects

COMPUTER security, VERIFICATION of computer systems, COMPUTER software security, COMPUTER systems, LANDSCAPE assessment

Abstract

This article surveys the landscape of security verification approaches and techniques for computer systems at various levels: from a software-application level all the way to the physical hardware level. Different existing projects are compared, based on the tools used and security aspects being examined. Since many systems require both hardware and software components to work together to provide the system's promised security protections, it is not sufficient to verify just the software levels or just the hardware levels in a mutually exclusive fashion. This survey especially highlights system levels that are verified by the different existing projects and presents to the readers the state of the art in hardware and software system security verification. Few approaches come close to providing full-system verification, and there is still much room for improvement. [ABSTRACT FROM AUTHOR]

Published

2023

6. How to live in a post-meltdown and -spectre world.

Author

Bennett, Rich, Callahan, Craig, Jones, Stacy, Levine, Matt, Miller, Merrill, and Ozment, Andy

Subjects

*COMPUTER security, *COMPUTER software security, *RISK assessment, *RISK managers, *RISK management in business, *COMPUTING platforms

Abstract

Learn from the past to prepare for the next battle. [ABSTRACT FROM AUTHOR]

Published

2018

7. Formally Verified Software in the Real World.

Author

KLEIN, GERWIN, ANDRONICK, JUNE, FERNANDEZ, MATTHEW, KUZ, IHOR, MURRAY, TOBY, and HEISER, GERNOT

Subjects

*AUTONOMOUS vehicles, *COMPUTER software security, *COMPUTER architecture, *COMPUTER security

Abstract

The article discusses the use of formally verified software to protect an autonomous helicopter against cyber attacks. Topics include the testing of vehicles by the U.S. Defense Advanced Research Projects Agency (DARPA) through its High-Assurance Cyber Military Systems (HACMS) program, the role of a trusted computing base (TCB) in computer architecture for security, and the componentization of systems.

Published

2018

8. A Vulnerable System: The History of Information Security in the Computer Age by Andrew Stewart (review).

Author

Slayton, Rebecca

Subjects

*COMPUTER security, *INFORMATION technology security, *INFORMATION storage & retrieval systems, *CYBERTERRORISM, *COMPUTER software security, *HISTORY of computers

Abstract

I A Vulnerable System i challenges this obsession, showing that many of the vulnerabilities that concern security practitioners today have a much longer history. Stewart also states that the crash would "shift the focus from short-termism back to fundamentals" (p. 77), thereby pivoting to the next chapter's discussion of Microsoft's security program. Chapter 4 discusses internet vulnerabilities and products that emerged during the dot-com boom of the late 1990s and highlights a "lucrative feedback loop", wherein hackers exposed vulnerabilities and then were paid to help fix those vulnerabilities. [Extracted from the article]

Published

2023

9. Hiding Secrets in Software: A Cryptographic Approach to Program Obfuscation.

Author

Garg, Sanjam, Gentry, Craig, Halevi, Shai, Raykova, Mariana, Sahai, Amit, and Waters, Brent

Subjects

*COMPUTER software security, *COMPUTER security software, *CRYPTOGRAPHY, *DATA encryption, *COMPUTER security

Abstract

Can we hide secrets in software? Can we obfuscate programs-- that is, make programs unintelligible while preserving their functionality? What exactly do we mean by "unintelligible"? Why would we even want to do this? In this article, we describe some rigorous cryptographic answers to these quasi-philosophical questions. We also discuss our recent "candidate indistinguishability obfuscation" scheme and its implications. [ABSTRACT FROM AUTHOR]

Published

2016

10. Privacy and Security Putting Trust in Security Engineering: Proposing a stronger foundation for an engineering discipline to support the design of secure systems.

Author

Schneider, Fred B.

Subjects

*SYSTEMS engineering, *COMPUTER security, *COMPUTER software security, *COMPUTER engineering, *TRUST

Abstract

The article discusses the role of engineering and assurance in designing secure computer systems. Topics include the notion of trust in relation to assumptions as system vulnerabilities, the role of proof checking based on axiomatic trust in system security, the role of program rewriters in synthetic trust for system security.

Published

2018

11. Hacker Behavior, Network Effects, and the Security Software Market.

Author

Dey, Debabrata, Lahiri, Atanu, and Zhang, Guoying

Subjects

COMPUTER software security, COMPUTER security, ECONOMIC models, NETWORK effect, INDUSTRIAL organization (Economic theory), COMPUTER hacking

Abstract

The market for security software has witnessed an unprecedented growth in recent years. A closer examination of this market reveals certain idiosyncrasies that are not observed in a traditional market. For example, it is a highly competitive market with over 80 vendors. Yet the market coverage is relatively low. Prior research has not attempted to explain what makes this market so different. In this paper, we develop an economic model to find possible answers to this question. Our model uses existing classification of different types of attacks and models their resulting network effects. We find that the negative network effect from indirect attacks, which is further enhanced by value-based targeted attacks, provides a possible explanation for the unique structure of this market. Overall, our results highlight the unique nature of the security software market, furnish rigorous arguments for several counterintuitive observations in the real world, and provide managerial insights for vendors on market competition. [ABSTRACT FROM AUTHOR]

Published

2012

12. Designing User Incentives for Cybersecurity.

Author

August, Terrence, August, Robert, and Hyoduk Shin

Subjects

*COMPUTER security, *INTERNET security, *COMPUTER software security, *DATA security, *COMPUTER systems

Abstract

The article discusses improving user security practices and behavior for cybersecurity. Topics discussed include the flaws in the traditional approach to managing software vulnerabilities and cybersecurity risk, proposal for an adaptation of software producer offerings involving patching rights of users and for users to be charged for the right to control patching of their individual copies of software.

Published

2014

13. Microsoft to Release Security AI Product to Help Clients Track Hackers.

Author

Bass, Dina

Subjects

ARTIFICIAL intelligence, COMPUTER hackers, COMPUTER security, LABOR market, COMPUTER software security, FREEWARE (Computer software)

Abstract

Microsoft plans to release artificial intelligence tools called Copilot for Security on April 1 to help cybersecurity workers detect and summarize suspicious incidents and uncover hackers' methods. The software combines OpenAI's model with Microsoft's security-specific information to address risks and generate reports. The Copilot works with all of Microsoft's security and privacy software, freeing up experienced cybersecurity workers for more complex tasks and helping newer ones get up to speed more quickly. In tests, newer security workers performed faster and more accurately with the AI program. The software can also link to security software from rival companies. [Extracted from the article]

Published

2024

14. Trendbeitrag Security.

Subjects

*INFRASTRUCTURE (Economics), *INTERNET security, *COMPUTER security, *COMPUTER software security, *BUSINESS intelligence, *INTERNET of things, *DATA encryption, *SMALL business, *ENCRYPTION protocols, *PLANT engineering

Abstract

The IT security situation in Germany is considered critical, especially in the machinery and plant engineering sector. The Federal Office for Information Security warns of alarming developments regarding IT security, which also affect production facilities. There is a risk of economic espionage and attacks on the economy and critical infrastructure. Companies should perform immediate updates, refrain from unnecessary functions, and strengthen supply chain security. There is a great need for further education in the field of software security. Smaller companies should better prepare for the security of their products and services. [Extracted from the article]

Published

2022

15. Toward More Secure Software.

Author

Denning, Dorothy E.

Subjects

*COMPUTER security vulnerabilities, *PRODUCT liability, *COMPUTER security, *COMPUTER software security, *LABOR incentives, *DEBUGGING, *TWENTY-first century, *HISTORY

Abstract

The article examines two proposals intended to reduce the number of software security flaws, the first of which calls for the U.S. government to corner the vulnerability market and the second which calls for holding companies liable for faulty software. Topics include software bug bounty programs run by large software companies that reward private individuals for uncovering security flaws; a discussion of the incentivization of both programs; and the way current licensing laws shield software companies from damages arising from faults in their products.

Published

2015

16. Sofeware crack prevention for changing PE format.

Author

Tae-Hyoung Kim and Jong-Uk Jang

Subjects

COMPUTER software security, COMPUTER security, DEBUGGING, PORTABLE document software, COMPUTER hackers

Published

2017

17. An Integration of Threat Modeling with Attack Pattern and Misuse Case for Effective Security Requirement Elicitation.

Author

Ansari, Tarique Jamal and Pandey, Dhirendra

Subjects

COMPUTER software security, COMPUTER software development, COMPUTER software developers, CYBERTERRORISM, COUNTERTERRORISM, COMPUTER security

Abstract

Today's security is becoming a brainstorming issue due to inventive attacks. To elicit effective security requirement to the system, software developers need to think like an attacker. This paper considers three effective security requirement elicitation techniques, Threat modelling, Misuse case and Attack pattern. Threat Modeling is a technique to prevent the system from any undesired event by modeling all the information which has the potential to harm the system. It is a process for eliciting security requirement by identifying harmful threats to the system. Misuse case represents negative use cases to model threats and mis-actors to represent attackers. Misuse cases are capable of modeling threat and risk analysis process. Attack Pattern works as a method to identify the attacker's perspective. Specifically, Threat modelling, Attack pattern and Misuse case are compared on the basis of some parameters. The comparative analysis provides some merits and demerits of these techniques. This paper investigates how misuse cases enhance the performance of threat modeling. This paper also describes an effective way for security requirement elicitation by integrating threat modeling with attack pattern and misuse cases. [ABSTRACT FROM AUTHOR]

Published

2017

18. The practice of secure software development in SDLC: an investigation through existing model and a case study.

Author

Karim, Nor Shahriza Abdul, Albuolayan, Arwa, Saba, Tanzila, and Rehman, Amjad

Subjects

COMPUTER software development, INTERNET security, COMPUTER software security, COMPUTER security, SOURCE code, WEB-based user interfaces

Abstract

Software security is an essential requirement for software systems. However, recent investigation indicates that many software development methodologies do not explicitly include methods for incorporating information security into the software development life cycles (SDLC). This research investigates, using case study, the methodologies being used in software development in Saudi Arabia and describes a model for integrating security into the SDLC. The aim is to identify the appropriate means of introducing security measures much earlier in the SDLC. This model is designed to be an extension to the existing SDLC. For achieving the research objectives and answering the research questions, the research followed a case study research design in an information-based organization. The research identified various important elements as security standards, policies, processes being practiced, and tools used within SDLC projects. In this regard, recommendations and verification were gathered to elicit the actual activities that are appropriate to be conducted at each phase of SDLC. The non-functional security requirements were also found, to the use of fortify and hp alm for source code review and web application testing. Copyright © 2016 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]

Published

2016

19. Combinatorial Methods in Security Testing.

Author

Simos, Dimitris E., Kuhn, Rick, Voyiatzis, Artemios G., and Kacker, Raghu

Subjects

*COMPUTER security, *COMBINATORICS, *COMPUTER software security, *COMPUTER network protocols, *INTERNET of things

Abstract

Combinatorial methods can make software security testing much more efficient and effective than conventional approaches. [ABSTRACT FROM PUBLISHER]

Published

2016

20. Traffic classification for managing Applications' networking profiles.

Author

Alizadeh, Hassan and Zúquete, André

Subjects

INTRUSION detection systems (Computer security), COMPUTER security, NETWORK PC (Computer), COMPUTER system failure prevention, COMPUTER software security, MALWARE

Abstract

Along with the growing number of applications and end-users, online network attacks and advanced generations of malware have continuously proliferated. Many studies have addressed the issue of intrusion detection by inspecting aggregated network traffic with no knowledge of the responsible applications/services. Such systems fail to detect intrusions in applications whenever their abnormal traffic fits into the network normality profiles. We address the problem of detecting intrusions in (known) applications when their traffic exhibits anomalies. Building traffic profiles for each separate application is the main challenge of this problem. This paper surveys traffic classification methodologies, within a taxonomy framework, to find out the best possible traffic classification methodologies that could help us answer the following question: given a traffic sample, generated by a particular application, does it conforms to the expected application's traffic? The key requirements for a practical solution are discussed. Then, the referred traffic classification methodologies are assessed in terms of their capabilities, limitations and challenges for being used as a part of this solution. The approaches based on 'multiple sub-flows' have shown the potential to be used for building robust and practical per-application profiles in near real-time. An overview of a blend of real-time approaches is also described. Copyright © 2016 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]

Published

2016

21. Security Rule Checking in IC Design.

Author

Xiao, Kan, Nahiyan, Adib, and Tehranipoor, Mark

Subjects

*INTEGRATED circuit design, *MATHEMATICAL models, *ALGORITHMS, *CRYPTOSYSTEMS, *COMPUTER software security

Published

2016

22. A uniform approach for access control and business models with explicit rule realization.

Author

Karimi, Vahid, Alencar, Paulo, and Cowan, Donald

Subjects

*ACCESS control, *COMPUTER software security, *COMPUTER security, *BUSINESS models, *SYNTAX in programming languages

Abstract

Access control is an important part of security in software, such as business applications, since it determines the access of users to objects and operations and the constraints of this access. Business and access control models are expressed using different representations. In addition, access control rules are not generally defined explicitly from access control models. Even though the business model and access control model are two separate modeling abstractions, they are inter-connected as access control is part of any business model. Therefore, the first goal is to add access control models to business models using the same fundamental building blocks. The second goal is to use these models and define general access control rules explicitly from these models so that the connection between models and their realizations are also present. This paper describes a new common representation for business models and classes of access control models based on the Resource-Event-Agent (REA) modeling approach to business models. In addition, the connection between models and their represented rules is clearly defined. We present a uniform approach to business and access control models. First, access control primitives are mapped onto REA-based access control patterns. Then, REA-based access control patterns are combined to define access control models. Based on these models, general access control rules are expressed in Extended Backus-Naur Form. [ABSTRACT FROM AUTHOR]

Published

2016

23. Experiences in Developing and Delivering a Programme of Part-Time Education in Software and Systems Security.

Author

Simpson, Andrew, Martin, Andrew, Cremers, Cas, Flechais, Ivan, Martinovic, Ivan, and Rasmussen, Kasper

Subjects

EDUCATION software, SOFTWARE engineering, COMPUTER software security, COMPUTER security

Abstract

We report upon our experiences in developing and delivering a programme of part-time education in Software and Systems Security at the University of Oxford. The MSc in Software and Systems Security is delivered as part of the Software Engineering Programme at Oxford -- a collection of one-week intensive courses aimed at individuals who are responsible for the procurement, development, deployment and maintenance of large-scale software-based systems. We expect that our experiences will be useful to those considering a similar journey. [ABSTRACT FROM AUTHOR]

Published

2015

24. FIXING YOUR FLAWS: Why companies are failing to manage vulnerabilities in critical systems and applications.

Author

Ringold, James

Subjects

RISK management in business, COMPUTER software security, COMPUTER security, SECURITIES analysts, CYBERTERRORISM, INFORMATION technology security

Abstract

The article offers information on the management of software vulnerabilities in companies Topics discussed include the difference between patch management and vulnerability management process, the need of accurate information for conducting vulnerability assessments by security analysts, and the identification of business risk in the systems and software through vulnerability management.

Published

2017

25. Four Software Security Findings.

Author

McGraw, Gary

Subjects

*COMPUTER software security, *COMPUTER security software, *COMPUTER network security software, *COMPUTER security, *DATA security

Abstract

Analyzing data from 78 firms using the Building Security In Maturity Model (BSIMM) revealed four truths about software security that will help firms protect and secure their assets. [ABSTRACT FROM AUTHOR]

Published

2016

26. Security risk analysis of system changes exemplified within the oil and gas domain.

Author

Refsdal, Atle, Solhaug, Bjørnar, and Stølen, Ketil

Subjects

*COMPUTER software security, *COMPUTER security, *OFFSHORE structures, *PROGRAMMING languages, *DECISION support systems

Abstract

Changes, such as the introduction of new technology, may have considerable impact on the risk to which a system or organization is exposed. For example, in the oil and gas domain, introduction of technology that allows offshore installations to be operated from onshore means that fewer people are exposed to risk on the installation, but it also introduces new risks and vulnerabilities. We need suitable methods and techniques to understand how a change will affect the risk picture. This paper presents an approach that offers specialized support for analysis of risk with respect to change. The approach allows links between elements of the target of analyses and the related parts of the risk model to be explicitly captured, which facilitates tool support for identifying the parts of a risk model that need to be reconsidered when a change is made to the target. Moreover, the approach offers language constructs for capturing the risk picture before and after a change. The approach is demonstrated on a case concerning new software technology to support decision making on petroleum installations. [ABSTRACT FROM AUTHOR]

Published

2015

27. The Need for Measuring the Quality of Application Security.

Author

SHUBHAMANGALA, B. R., SAHA, SNEHANSHU, and JAYALAKSHMI, M.

Subjects

APPLICATION software security measures, COMPUTER software security, COMPUTER security, COMPUTER software development, COMPUTER software quality control

Abstract

Application security attacks are growing in sophistication. The impact of these attacks has prompted businesses to undertake efforts to eliminate application security attacks and breaches. Currently no metric is available to measure the level of security present in applications. As a result, organizations perceive the level of security. This perception may or may not match the existing level of security in applications. The mismatch leads to a greater chance of attack on applications. The authors of this article believe that once the level of security present in applications is evaluated accurately, further measures may be deployed to enhance the current level of security to the desired extent. Such actions improve the prospects of attacks being minimized. To address this challenge, the authors introduce a new concept, quality of application security (QAS). QAS is quantified through a metric application security quality metric (QASM). Application classification, vulnerability intensity, threat resistance, compliance index, and breach cost determination are the major sections of the metric formulation process. Using the QASM, quality of application security can be gauged accurately. Appropriate measures can be applied to get the desired level of quality in applications. This metric also solves the security questions regarding the adequacy of security, compliance, efficiency, and effectiveness of security measures. QASM can also be used to calculate the risk and to optimize the application security risk. Once the current quality of applications is discovered through the QASM, an organization may implement key steps to thwart security threats and attacks. [ABSTRACT FROM AUTHOR]

Published

2015

28. Enhancing Software Engineering Education: Teaching Software Security Requirements and Design.

Author

Moore, Maria, Huiming Yu, Xiaohong Yuan, and Chu, Bill

Subjects

*SOFTWARE engineering education, *COMPUTER software security, *COMPUTER software development, *COMPUTER security, *COMPUTER science education, *CURRICULUM

Abstract

Software security requirements and design is critical because it removes the flaws in software systems and minimizes the impacts of security vulnerability when it is discovered. In order to effectively teaching knowledge of secure software engineering we have developed a course module titled "Software Security Requirements and Design". This paper presents the content of this module and reports our teaching experiences. This module has been successfully taught in COMP 510 Software Engineering class in Spring 2011 in the Department of Computer Science at North Carolina A&T State University. Our experience exhibits that teaching this module in junior and senior levels help students not only understand the impacts of unsecure software, but also gain significant knowledge of secure software development practice. Students' survey and feedback reflected that this module is very valuable in their educational experience. This module could be taught in junior and senior classes of Software Engineering, Computer Science and Information Technology. [ABSTRACT FROM AUTHOR]

Published

2012

29. Software Security Test Data Generation Based on Genetic Algorithms.

Author

Qiong Li and Jinhua Li

Subjects

COMPUTER software security, COMPUTER security, DATA analysis, GENETIC algorithms, TESTING, MATHEMATICAL series, COMPUTER systems

Abstract

Software security is an important quality. The software security testing is one of the most important kinds of the software testing. How to test the software security, and especially to automatically generate security test cases are major problems. An improved method of the test data generation based on Genetic Algorithm is put forwarded. A software security test algorithm is developed. The algorithm generates and optimizes test cases in order to discover security vulnerabilities in software. A series of experiments showed that the algorithm is superior to random algorithms in generating security test cases. At the same time, the experiments results validated the correctness and efficiency of the algorithm. [ABSTRACT FROM AUTHOR]

Published

2009

30. Security Requirements Engineering; State of the Art and Research Challenges.

Author

Hadavi, M. A., Hamishagi, V. S., and Sangchi, H. M.

Subjects

COMPUTER software security, SOFTWARE engineering, COMPUTER security, SECURITY systems, ENGINEERING

Abstract

In recent years software has faced a new challenge called security. The new idea in software security which has attracted the world's attention is to keep security in mind during development process. As requirements analysis plays an infrastructural role in this process, software security requirements would naturally be considered fundamental in secure software development. Stating peculiarities and deficiencies in security requirements engineering, this paper draws a picture from the current research situation by reviewing and classifying the efforts into four main categories; security requirements in the standard software development processes, security requirements engineering consist of eliciting and modeling security requirements, and threat modeling as a basis for security requirements engineering. Presenting challenges and open problems for each category, the paper will then set forth the research outlooks and future directions in security requirements. [ABSTRACT FROM AUTHOR]

Published

2008

31. Gauging the Impact of FISMA on Software Security.

Author

Gandhi, Robin A., Crosby, Keesha, Siy, Harvey, and Mandal, Sayonnha

Subjects

*COMPUTER software security, *DATA protection laws, *COMPUTER security, FEDERAL Information Security Management Act of 2002 (U.S.)

Abstract

A newly developed instrument provides sophisticated content analysis to help determine the relevance for software security of the National Institute of Standards and Technology's FISMA-mandated security controls. [ABSTRACT FROM PUBLISHER]

Published

2014

32. A Method for Memory Integrity Authentication Based on Bloom Filter.

Author

Nianmin, Yao, Haifeng, Ma, and Yong, Han

Subjects

COMPUTER storage capacity, DATA integrity, COMPUTER security, COMPUTER software security, COMPUTER viruses

Abstract

Secure processor architectures can provide secure computing environments. All kinds of applications that need high security should be immune to both physical and software attacks through the secure architectures. Memory integrity verification is a key problem while implementing secure processors. This paper proposed a scheme called IV-BF to ensure data integrity. The scheme is one-level hash structure, and it has three advantages over existing mainstream hash tree based schemes: lower computation overhead, lower space overhead and adjustable level of security. This paper evaluated the overhead and the security of IV-BF and compared it with an efficient integrity checking scheme-BMT. The evaluation result shows that for most benchmarks, the overhead of the IV-BF is lower and the IV-BF has 1%-7% performance improvement than the BMT. [ABSTRACT FROM AUTHOR]

Published

2014

33. An Empirical Validation of Object Oriented Design Security Quantification Model.

Author

Khan, Suhel Ahmad and Khan, Raees Ahmad

Subjects

OBJECT-oriented methods (Computer science), COMPUTER security, PREDICATE calculus, COMPUTER software security, COMPUTATIONAL complexity, EMPIRICAL research

Abstract

Software security is a multifaceted and comprehensive property, which can be properly captured only through many different quality attributes. The idea of software security covers both conventional security attributes and classical dependability attributes. Software security involves multiple attributes such as authentication, authorization, confidentiality, integrity, availability and non repudiation. The values of security are not identified by single step. It can be measured through the whole development process by collective values of its attributes. Security quantification models have been developed on the basis of established relationship between complexity factors and security attributes and validated through proper data set for model acceptance. The aim of addressing security at design phase is to defend software from the external threats and attacks. [ABSTRACT FROM AUTHOR]

Published

2014

34. The real threats revealed.

Author

Taylor, Nathan

Subjects

COMPUTER security, WEB browser security, RANSOMWARE, COMPUTER software security, COMPUTER hacking

Abstract

The article discusses various computer security issues such as security of social media websites, browser password mangers, and information theft. Topics discussed include hacking of computer system through ransomware such as Cryptolocker virus; use of Australian government website Scamwatch for knowing current security issues and common scams; and avoid sharing of personal information such as phone numbers in social media accounts.

Published

2015

35. Novel Secure Code Encryption Techniques Using Crypto Based Indexed Table for Highly Secured Software.

Author

Sasirekha, N. and Hemalatha, M.

Subjects

COMPUTER security, DATA encryption, CRYPTOGRAPHY, COMPUTER software, SOFTWARE protection, COMPUTER software security

Abstract

Software security has become one of the active areas of research due to various cyber threats and attacks that can be very dangerous. The main goals of software protection are Intellectual property protection, Protection beside function investigation in mobile environments, Protection beside illegal copy and use of software. Software security is dependent on both security code and software protection. Various techniques have been developed to deal with the software threats and attacks. However, the available software protection approaches in the literature do not offer trustworthy security in all the scenarios. In recent years, cryptographic techniques are observed to be very efficient in dealing with a number of software threats and attacks. Code encryption has received much attention in the field of software security. This paper proposes novel software protection code encryption schemes based on the index table. This approach uses three novel and efficient encryption techniques namely quasigroup encryption, quasi group encryption with transformation and KIST approach. [ABSTRACT FROM AUTHOR]

Published

2013

36. Cyber War is Inevitable (Unless We Build Security In).

Author

McGraw, Gary

Subjects

*INFORMATION warfare, *CYBER intelligence (Computer security), *INFORMATION technology security, *COMPUTER security, *COMPUTER software security, *CYBERWEAPONS

Abstract

The information systems controlling our critical infrastructure are vulnerable to cyber attack. Cyber war is therefore inevitable unless we improve our cyber defenses. The only way to do this is by building security into systems at the design stage. [ABSTRACT FROM AUTHOR]

Published

2013

37. Code Analysis for Software and System Security Using Open Source Tools.

Author

Chahar, Chandrapal, Chauhan, VishalSingh, and Das, ManikLal

Subjects

*COMPUTER software security, *COMPUTER security, *COMPUTER software, *LEAKS (Disclosure of information), *JAVA programming language, *PREVENTION

Abstract

Software security helps in identifying and managing risks. One of the effective ways to identify software vulnerabilities is to analyze its code. Code analysis (Chess & West, 2007) helps in catching common coding mistakes such as buffer overflow, unused variables, memory leaks, and various race conditions, which in turn optimizes computer programs, both in storage and computation aspects. Software developers use either open source tools or commercial tools for verification and validation of software. Without proper validation of a software/system using some standard guidelines, potential attackers can find ways to exploit vulnerabilities and bugs and then can gain control over a system, if they are successful. In this paper, we discuss some of the open source static code analysis and dynamic analysis tools, their merits, and limitations with respect to some target codes that contain possible threats. We consider C/C++ and Java programming languages for our experiments. For static code analyzers, we consider Flawfinder, Splint, and Cppcheck; PMD, Findbugs, and Valgrind for dynamic code analysis, and its plug-in, Memcheck, to perform dynamic analysis on executables. We provide our observations in a comparison table, highlighting these tools strengths and weaknesses. [ABSTRACT FROM AUTHOR]

Published

2012

38. SECURITY MONITORS FOR JAVA PROGRAMS WITH MPL.

Author

Leppänen, Ville and Mäkela, Jari-Matti

Subjects

JAVA programming language, COMPUTER software, COMPUTER security, MALWARE, COMPUTER software security

Abstract

Security breaches caused by various malicious programs/program fragments can be tackled by either preventing their existence in computer systems or by preventing them to cause any harm. We follow the latter approach by elaborating on the approach to subjugate executed programs under a security monitor. We have developed Modular Policy Language (MPL) for embedding rule-based security monitors into Java programs. Our monitors can capture and save all kind of information related to monitored program execution and then use that information to prevent unwanted, malicious program behavior. MPL descriptions are translated as Aspect programs which are woven into bytecode-based Java programs before the execution or when loading bytecode modules into the execution environment. We provide general advices and describe our experiences of using MPL for constructing security monitors. [ABSTRACT FROM AUTHOR]

Published

2012

39. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities

Author

Chowdhury, Istehad and Zulkernine, Mohammad

Subjects

*COMPUTER software security, *COMPUTER security, *COMPUTER software development, *SOFTWARE architecture, *COMPUTER software quality control, *DATA mining, *DECISION trees, *LOGISTIC regression analysis, *SOFTWARE measurement

Abstract

Abstract: Software security failures are common and the problem is growing. A vulnerability is a weakness in the software that, when exploited, causes a security failure. It is difficult to detect vulnerabilities until they manifest themselves as security failures in the operational stage of software, because security concerns are often not addressed or known sufficiently early during the software development life cycle. Numerous studies have shown that complexity, coupling, and cohesion (CCC) related structural metrics are important indicators of the quality of software architecture, and software architecture is one of the most important and early design decisions that influences the final quality of the software system. Although these metrics have been successfully employed to indicate software faults in general, there are no systematic guidelines on how to use these metrics to predict vulnerabilities in software. If CCC metrics can be used to indicate vulnerabilities, these metrics could aid in the conception of more secured architecture, leading to more secured design and code and eventually better software. In this paper, we present a framework to automatically predict vulnerabilities based on CCC metrics. To empirically validate the framework and prediction accuracy, we conduct a large empirical study on fifty-two releases of Mozilla Firefox developed over a period of four years. To build vulnerability predictors, we consider four alternative data mining and statistical techniques – C4.5 Decision Tree, Random Forests, Logistic Regression, and Naïve-Bayes – and compare their prediction performances. We are able to correctly predict majority of the vulnerability-prone files in Mozilla Firefox, with tolerable false positive rates. Moreover, the predictors built from the past releases can reliably predict the likelihood of having vulnerabilities in the future releases. The experimental results indicate that structural information from the non-security realm such as complexity, coupling, and cohesion are useful in vulnerability prediction. [Copyright &y& Elsevier]

Published

2011

40. Efficient file fuzz testing using automated analysis of binary file format

Author

Kim, Hyoung Chun, Choi, Young Han, and Lee, Dong Hoon

Subjects

*COMPUTER software testing, *COMPUTER software security, *ALGORITHMS, *COMPUTER software execution, *COMPUTER security, *WINDOWS (Graphical user interfaces), *COMPUTER files

Abstract

Abstract: Fuzz testing is regarded as the most useful technique in finding serious security holes in a software system. It inserts unexpected data into the input of the software system and finds the system’s bugs or errors. However, one of the disadvantages that fuzz testing executed using binary files has is that it requires a large number of fault-inserted files to cover every test case, which could be up to files. In order to overcome this drawback, we propose a novel algorithm that efficiently reduces the number of fault-inserted files, yet still maintain the maximum test case coverage. The proposed approach enables the automatic analysis of fields of binary files by tracking and analyzing stack frames, assembly codes, and registers as the software system parses the files. We evaluate the efficacy of the new method by implementing a practical tool, the Binary File Analyzer and Fault Injector (BFAFI), which traces the program execution and analyzes the fields in binary file format. Our experiments demonstrate that the BFAFI reduced the total number of fault-inserted files with maximum test case coverage as well as detected approximately 14 times more exceptions than did the general fuzzer. Also, the BFAFI found 11 causes of exceptions; five of them were found only by BFAFI. Ten of the 11 causes of exceptions that we found were generated by a graphic rendering engine (GDI32.dll); the other was generated by the system library (kernel32.dll) in Windows XP SP2. [Copyright &y& Elsevier]

Published

2011

41. Semiotics 101: Taking the Printed Matter Doctrine Seriously.

Author

Collins, Kevin Emerson

Subjects

*PATENT law, *SEMIOTICS, *COMPUTER security, *INTELLECTUAL property, *COMPUTER simulation, *COMPUTER software security

Abstract

The printed matter doctrine is a branch of the section 101 doctrine of patent eligibility that, among other things, prevents the patenting of technical texts and diagrams. The contemporary formulation of the doctrine is highly problematic. It borders on incoherency in many of its applications, and it lacks any recognized grounding in the Patent Act. Yet, despite its shortcomings, courts have not abandoned the printed matter doctrine, likely because the core applications of the doctrine place limits on the reach of the patent regime that are widely viewed as both intuitively "correct" and normatively desirable. Instead of abandoning the doctrine, courts have marginalized it. They have retained the substantive effects of the printed matter doctrine but avoided analyzing it whenever possible. This Article adopts a different approach: it takes the printed matter doctrine seriously. It reinterprets the printed matter doctrine as the sign doctrine, revealing both the conceptual coherence hidden in the doctrine's historical applications and the doctrine's as-of-yet unnoticed statutory grounding. The key to this reconceptualization is recognizing that the printed matter doctrine is in effect already based on semiotic principles. The printed matter doctrine purports to be about information, but it is actually about signs. It purports to curtail the patenting of worldly artifacts, but it actually curbs the reach of patent protection into mental representations in the human mind. To support these arguments, this Article offers a course in "Semiotics 101": a semiotics primer strategically targeted on the principles that prove to be relevant to the section 101 doctrine of patent eligibility. This Article also examines one unexpected consequence of taking the printed matter doctrine seriously and adopting a semiotic framework. It reconsiders the patentability of a class of software inventions which are defined here as "computer models." As a matter of semiotic logic, the routine patentability of newly invented computer models under the contemporary patent eligibility doctrine cannot be reconciled with the categorical unpatentability of mechanical measuring devices with new labels under the printed matter doctrine. [ABSTRACT FROM AUTHOR]

Published

2010

42. Software security analysis and assessment model for the web-based applications.

Author

Wang, Y., Lively, W. M., and Simmons, D. B.

Subjects

*COMPUTER software security, *COMPUTER security, *COMPUTER worms, *WORLD Wide Web, *DATA security, *SECURITY systems

Abstract

For web-based applications, a security analysis was conducted in order to identify software vulnerabilities and develop a new security assessment model. During such an analysis, the major security vulnerabilities observed in the open web proxy honeypot during the data collection time from February to March 2005 were computer worm attacks in Code Red and Nimda, AWSTAT attacks, unauthorized access request (HTTP error code 403), MS-SQL version overflow attacks, etc. To develop the security assessment model, we extended the generic security model for a single component system to multiple components using the multidimensional Markov process model. The resulting model was applied to the most popular software systems. The software system availability in security is computed using real data, and the mean time to security failure is calculated. This paper not only provides the software vulnerability analysis of the web-based applications, but also details the software security assessment for multiple component systems. [ABSTRACT FROM AUTHOR]

Published

2009

43. A METHOD TO PROTECT COMPUTER PROGRAMS: THE INTEGRATION OF COPYRIGHT, TRADE SECRETS, AND ANTICIRCUMVENTION MEASURES.

Author

Azar, Deborah

Subjects

*COMPUTER security, *COPYRIGHT, *COMPUTER software, *TRADE secrets, *PATENTS, *COMPUTER software security, *LICENSE agreements

Abstract

If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it. Its peculiar character, too, is that no one possesses the less, because every other possesses the whole of it. He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening me. That ideas should freely spread from one to another over the globe, for the moral and mutual instruction of man, and improvement of his condition, seems to have been peculiarly and benevolently designed by nature, when she made them, like fire, expansible over all space, without lessening their density in any point, and like the air in which we breathe, move, and have our physical being, incapable of confinement or exclusive appropriation. Inventions then cannot, in nature, be a subject of property. Your manuscript is both good and original; but the part that is good is not original, and the part that is original is not good. Software licenses are perhaps the only product besides half-eaten food, underwear and toothbrushes, which can't be resold. [ABSTRACT FROM AUTHOR]

Published

2008

44. Practical Security Issues for a Real Case Application.

Author

Vancea, Florin and Vancea, Codruta

Subjects

APPLICATION software, DATA protection, COMPUTER software security, WEB browsers, COMPUTER network security, PAYROLL software, INFORMATION technology security, COMPUTER security, DATA encryption

Abstract

Security techniques for application software and systems are well-known and of- ten used in various situations. They range from encryption to special data handling and good usage practices. However, providing proper levels of security for a complete application is not simple and requires careful design and implementation. The paper presents some design decisions and implementation aspects for a real case application used for distributing confidential payroll information to a large number of employees via browser-based technology. [ABSTRACT FROM AUTHOR]

Published

2008

45. New AspectJ Pointcuts for Integer Overflow and Underflow Detection.

Author

Alhadidi, D., Debbabi, M., and Bhattacharya, P.

Subjects

*ASPECT-oriented programming, *COMPUTER programming, *COMPUTER software security, *JAVA programming language, *PROGRAMMING languages, *COMPUTER security, *ARITHMETIC

Abstract

Aspect-oriented Programming (AOP) appears to be a promising paradigm for software security hardening. Using AOP, security experts can be responsible for coding security properties, and developers can concentrate on the basic functionality of the program. AspectJ extends the Java programming language to implement crosscutting concerns modularly in general. In this paper, we have extended AspectJ with new pointcuts in order to detect integer overflows and underflows in Java. Integer overflows and underflows in Java occur silently without throwing an exception. A malicious user can exploit them to produce a security breach. Hence, we implement new pointcuts: addition, multiplication, and subtraction that allow to write advices around integer arithmetic operations to detect integer overflow and underflow and consequently prevent considerable number of security breaches. [ABSTRACT FROM AUTHOR]

Published

2008

46. Security Requirements Engineering: A Framework for Representation and Analysis.

Author

Haley, Charles B., Laney, Robin, Moffett, Jonathan D., and Nuseibeh, Bashar

Subjects

*COMPUTER software security, *COMPUTER security standards, *COMPUTER security, *COMPUTER engineering, *SOFTWARE engineering management, *AIR traffic control electronic equipment, *CRIME victims

Abstract

This paper presents a framework for security requirements elicitation and analysis. The framework is based on constructing a context for the system, representing security requirements as constraints, and developing satisfaction arguments for the security requirements. The system context is described using a problem-oriented notation, then is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument consists of two parts: a formal argument that the system can meet its security requirements and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context or that the context does not contain sufficient information to develop the argument, In this case, designers and architects are asked to provide additional design information to resolve the problems. We evaluate the framework by applying it to a security requirements analysis within an air traffic control technology evaluation project. [ABSTRACT FROM AUTHOR]

Published

2008

47. THE LAW AND ECONOMICS OF SOFTWARE SECURITY.

Author

Hahn, Robert W. and Layne-Farrar, Anne

Subjects

*COMPUTER software security, *SOFTWARE protection, *COMPUTER security, *COMPUTER viruses, *COMPUTER crimes

Abstract

The article seeks to address software security problems by presenting a comprehensive assessment of the software security issue using a law and economics framework. It provides definition of software security that demonstrates the complexity of the problem. Types and methods of software attacks, such as worms and viruses, are also cited. It also examines the different aspects of software system security as well as the underlying market failures that complicate efforts to address such problems.

Published

2006

48. Proactive Security: Build Stuff Right the First Time.

Author

MCGRAW, GARY

Subjects

INFORMATION services security measures, COMPUTER software security, COMPUTER security, KEY performance indicators (Management), MANAGEMENT science

Abstract

The article asserts that the idea behind proactive information security is to build software right the first time by following the strictures of software security and security screening. It indicates that chief security officers (CSOs) know well the importance of being able to discuss their security controls and plans externally as well as internal positioning. The article also defines key performance indicators (KPIs) and key risk indicators (KRI).

Published

2013

49. Can a Badness-ometer Address Third-Party Software?

Author

MCGRAW, GARY

Subjects

COMPUTER software security, TECHNICAL specifications, CUSTOMIZATION, SOFTWARE as a service, COMPUTER security

Abstract

The article examines the security of third-party software built and maintained by outside vendors. It states that third-party software can be custom built to specification, commercial off-the-shelf software (COTS), and in the cloud as part of a Software as a Service (SaaS) model. Basic options for software security and vendor control are described. Drawbacks to an approach like the building security in maturity model (BSIMM) vendor software security bar, the vBSIMM, are also noted.

Published

2013

50. Software Diversity for Future Systems Security.

Author

Gherbi, Abdelouahed, Charpentier, Robert, and Couture, Mario

Subjects

*COMPUTER software security, *CYBERTERRORISM, *SECURITY systems, *MALWARE, *COMPUTER viruses, *COMPUTER security

Abstract

Software security represents a major concern as cyber attacks continue to grow in number and sophistication. One security-weakening factor is related to the standardized software ecosystem that facilitates the spread of malware in systems that share common vulnerabilities. In this overview article, the ma concepts associated with diversity and software redundancy are described in the perspective of improving attack resistance. The remarkable progress made in this area, where commercial implementations are now emerging, is also highlighted. [ABSTRACT FROM AUTHOR]

Published

2011