An Ontology for Security Patterns Vale, Anelis Pereira; Fernandez, Eduardo B.
2019 38th International Conference of the Chilean Computer Science Society (SCCC),
2019-Nov.
Conference Proceeding
Security is a fundamental requirement that we must keep in mind when developing a system. We approach the secure construction of software through the use of security patterns, as a way to mitigate their threats. We propose an ontological approach to security patterns, with the aim of adding semantics to the elements that surround security patterns. We have added ontological descriptions to pattern descriptions to make their use more precise, to allow the development of appropriate tools to present to the developer the relevant patterns in each stage and to be able to build better pattern catalogs. A final objective would be the construction of a complete catalog where each pattern includes ontological descriptions. Our contributions are (i) a representation of security patterns in the form of ontology; (ii) examples through queries on the use of the ontology and (iii) a discussion of the possible uses of this ontology for secure software development.
Mobile apps exploit embedded sensors and wireless connectivity of a device to empower users with portable computations, context-aware communication, and enhanced interaction. Specifically, mobile health apps (mHealth apps for short) are becoming an integral part of mobile and pervasive computing to improve the availability and quality of healthcare services. Despite the offered benefits, mHealth apps face a critical challenge, i.e., security of health-critical data that is produced and consumed by the app. Several studies have revealed that security-specific issues of mHealth apps have not been adequately addressed. The objectives of this study are to empirically (a) investigate the challenges that hinder development of secure mHealth apps, (b) identify practices to develop secure apps, and (c) explore motivating factors that influence secure development. We conducted this study by collecting responses of 97 developers from 25 countries - across 06 continents - working in diverse teams and roles to develop mHealth apps for Android, iOS, and Windows platform. Qualitative analysis of the survey data is based on (i) 8 critical challenges, (ii) taxonomy of best practices to ensure security, and (iii) 6 motivating factors that impact secure mHealth apps. This research provides empirical evidence as practitioners' view and guidelines to develop emerging and next generation of secure mHealth apps.
From the early 1970s, the U.S. government began to recognize that simple penetration testing could not assure the security quality of products. The results of penetration testing such as identified vulnerabilities and faults can vary depending on the capabilities of the team. In other words, the penetration testing team cannot assure that “vulnerabilities are not found” is equal to “product does not have any vulnerabilities”. So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed in a strict, systematic manner. The US government began to publish various standards related to development methodology and evaluation procurement systems, embedding the “Security-by-Design” concept from the 1980s. Security-by-Design involves reducing a product’s complexity by considering security from the early phase of the development life-cycle such as during the product requirements analysis and design phase to ultimately achieve trustworthiness of the product. Since then, the Security-by-Design concept has spread to the private sector; since 2002 this has often come in the form of Secure SDLC by Microsoft and IBM, and this system is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the field because the standards or guidelines related to Secure SDLC contain only abstract and declarative content. Therefore, in this paper, we present a new framework that specifies the level of Secure SDLC desired by enterprises. We propose the CIA (functional Correctness, safety Integrity, security Assurance)-level based Security-by-Design framework which combines an evidence-based security approach standard with existing Secure SDLC. By using our methodology, we can quantitatively show any differences in Secure SDLC process level employed between the company in question and one of its competitors. In addition, our framework is very useful when you want to build Secure SDLC in the field because you can easily derive detailed security activities and documents to build the desired level of Secure SDLC.
Software Security and development experts have addressed the problem of building secure software systems. There are several processes and initiatives to achieve secure software systems. However, most of these lack empirical evidence of its application and impact in building secure software systems. Two systematic mapping studies (SM) have been conducted to cover the existent initiatives for identification and mitigation of security threats. The SMs created were executed in two steps, first in 2015 July, and complemented through a backward snowballing in 2016 July. Integrated results of these two SM studies show a total of 30 relevant sources were identified; 17 different initiatives covering threats identification and 14 covering the mitigation of threats were found. All the initiatives were associated to at least one activity of the Software Development Lifecycle (SDLC); while 6 showed signs of being applied in industrial settings, only 3 initiatives presented experimental evidence of its results through controlled experiments, some of the other selected studies presented case studies or proposals.
During the initial stages of software development, the primary goal is to define precise and detailed requirements without concern for software realizations. Security constraints should be introduced then and must be based on the semantic aspects of applications, not on their software architectures, as it is the case in most secure development methodologies. In these stages, we need to identify threats as attacker goals and indicate what conceptual security defenses are needed to thwart these goals, without consideration of implementation details. We can consider the effects of threats on the application assets and try to find ways to stop them. These threats should be controlled with abstract security mechanisms that can be realized by security patterns (ASPs), that include only the core functions of these mechanisms, which must be present in every implementation of them. An abstract security pattern describes a conceptual security mechanism that includes functions able to stop or mitigate a threat or comply with a regulation or institutional policy. We describe here the properties of ASPs and present a detailed example. We relate ASPs to each other and to Security Solution Frames, which describe families of related patterns. We show how to include ASPs to secure an application, as well as how to derive concrete patterns from them. Finally, we discuss their practical value, including their use in “security by design” and IoT systems design.
Security Thinking in Online Freelance Software Development Rauf, Irum; Petre, Marian; Tun, Thein ...
2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS)
Conference Proceeding
Open access
Online freelance software development (OFSD) is a significant part of the software industry and is a thriving online economy; a recent survey by Stack Overflow reported that nearly 15% of developers are independent contractors, freelancers, or self-employed. Although security is an important quality requirement for the social sustainability of software, existing studies have shown differences in the way security issues are handled by developers working in OFSD compared to those working in organisational environments. This paper investigates the security culture of OFSD developers, and identifies significant themes in how security is conceived, practiced, and compensated. Based on in-depth interviews with 20 freelance (FL) developers, we report that (a) security thinking is evident in descriptions of their work, (b) security thinking manifests in different ways within OFSD practice, and (c) the dynamics of the freelance development ecosystem influence financial investment in secure development. Our findings help to understand the reasons why insecure software development is evident in freelance development, and they contribute toward developing security interventions that are tailored to the needs of freelance software developers.
General Summary - Online freelance software development (OFSD) is a significant part of the software industry and is a thriving online economy. Although security is an important quality requirement for the social sustainability of software, existing studies have shown differences in the way security issues are handled by developers working in OFSD compared to those working in organisational environments. Based on in-depth interviews with 20 freelance developers, this paper investigates the security culture of OFSD developers, and identifies significant themes in how security is conceived, practiced, and compensated.
This is an innovative practice full paper. The need to develop software securely cannot be over-emphasized. The changing legal and regulatory international and local landscape for software requirements is astounding. For example, the European Union's General Data Protection Regulation (GDPR), the United States' Health Insurance Portability and Accountability Act (HIPAA), the Chinese Cybersecurity laws, and the credit card industry's Payment Card Industry Data Security Standard (PCI-DSS) are all upholding higher standards for system development and deployment. Such legal and regulatory changes of necessity require modifications and updating in software development methods that must be incorporated into cybersecurity software development courses to properly prepare students for successfully working in the field. To address these and other changes within the computing field, the Accreditation Board for Engineering (ABET) recently proposed preliminary cybersecurity accreditation criteria for which fewer than 20 universities have both applied and become ABET Cybersecurity accredited. The accreditation requires maintaining continuous course improvement in the core courses including a secure software development course. This research first reports on important topics incorporated into a senior-level secure software development for cybersecurity majors. Our research then analyses student Institutional Review Board (IRB) approved surveys to learn which course components could benefit from continuous course improvements. We apply machine learning to help build categories for ABET continual improvement. Finally, we share lessons learned and plans for future work.
To meet growing demands in the United States market for cybersecurity professionals, the National Security Agency and Department of Homeland Security have jointly established the National Center for Academic Excellence. Until recently, cybersecurity efforts were focused on securing the network. However, numerous studies have revealed that significant vulnerabilities have been found within the software code. To teach programmers and software engineers, having secure software engineering labs is critical. Experiential learning is the cornerstone of cybersecurity education. Laboratory exercises provide critical value to students. Real-world, malicious actors use varying tactics and techniques for cyber-attacks. Laboratory environments should mirror this dynamism, and students should be exposed to various tools and mitigation strategies.