The Security Engineering discipline has become more and more important in the recent years. Security requirements engineering is essential to assure the Quality of the resulting software. An increasing part of the communication and sharing of information in our society utilize Web Applications. Last two years have
seen a significant surge in the amount of Web Application specific vulnerabilities that are disclosed to the public because of the importance of Security Requirements Engineering for Web based systems and as it is still underestimated. Integration of Web and object technologies offer a foundation for expanding the Web to a new generation of applications. In this paper, we outline our proposed Model- Oriented Security Requirement Engineering (MOSRE) Framework for Web Applications. By applying Object-Oriented technologies and modeling to Security Requirement phase. So the completeness, consistency, traceability and reusability of Security Requirements can be cost effectively improved. We implemented our MOSRE Framework for E-Voting Application and set of Security Requirements are identified.
Research Article On Web Application SecuritySaadSaif6
This Is The Totally Hand Written Research Article On
Web Application Security
(Improving Critical Web-based Applications Quality Through In depth Security Analysis)
This Research Article Was Made By Me After The Hard Working Of One Month. Its Best And Suitable For Your Research Paper And Also Used In Class For Present It And For Submission.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
QUALITY ASSURANCE AND INTEGRATION TESTING ASPECTS IN WEB BASED APPLICATIONSIJCSEA Journal
Integration testing is one the important phase in software testing life cycle (STLC). With the fast growth of internet and web services, web-based applications are also growing rapidly and their importance and complexity is also increasing. Heterogeneous and diverse nature of distributed components, applications, along with their multi-platform support and cooperativeness make these applications more complex and swiftly increasing in their size. Quality assurance of these applications is becoming more crucial and important. Testing is one of the key processes to achieve and ensure the quality of these software or Webbased products. There are many testing challenges involved in Web-based applications. But most importantly integration is the most critical testing associated with Web-based applications. There are number of challenging factors involved in integration testing efforts. These factors have almost 70 percent to 80 percent impact on overall quality of Web-based applications. In software industry different kind of testing approaches are used by practitioners to solve the issues associated with integration which are due
to ever increasing complexities of Web-based applications.
The dependence of users on smartphones to accomplish their daily works is growing increasingly. Every day many mobile applications are downloaded and installed by the users to perform different desirable tasks for them. Before it can be installed in the smartphone, the mobile application requests from the user granting some sort of permissions, which may include the access right to users’ sensitive resources. In absence of a security mechanism that can enforce fine-grained permission control, the application may abuse the granted permissions and thus violates the security of sensitive resources. This paper proposes an attribute-based permission model ABP for Android smartphones to control how the mobile application can exercise the granted permissions. The finer granularity of the permission language used by ABP model ensures that the mobile application cannot violate the user’s security. By using ABP model, the users can enjoy the useful tasks the mobile applications provide while protecting sensitive resources from unauthorized use.
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSijseajournal
The document summarizes research on securing software development stages using aspect-orientation concepts. It proposes a model called the Aspect-Oriented Software Security Development Life Cycle (AOSSDLC) which incorporates security activities into each stage of the software development life cycle. The model aims to efficiently integrate security as a cross-cutting concern using aspect orientation. It is concluded that aspect orientation allows security features to be installed without changing the existing software structure, providing benefits over other approaches.
1. The document proposes a Business Oriented Framework for Enhancing Web Security Service (BOF4EWSS) to address security issues faced by e-businesses interacting over web services.
2. BOF4EWSS is a nine-phase framework based on the waterfall model, with an emphasis on negotiations and agreements between businesses.
3. The framework aims to provide comprehensive guidance for e-businesses to holistically manage inter-organizational security and trust when interacting over web services.
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET Journal
This document discusses web application security and its impact on businesses. It begins by defining web applications and how they have evolved beyond simple web pages. The document then explores common web application functions, security vulnerabilities like SQL injection and session hijacking, and solutions to those vulnerabilities. It emphasizes that web application security is crucial for organizations and discusses additional security measures for hardening web servers and applications.
This document discusses an ontology-based context-sensitive software security knowledge management modeling approach. It begins with an introduction describing the need for secure software development practices and security management systems. It then reviews related work incorporating ontologies and context modeling for software security. The proposed method involves an ontology-based context model with two parts: a software security domain model and an application context model. It describes the components of each model and establishes a hierarchical relationship between them. Finally, it discusses criteria for context-driven security modeling, including usability and quality. The overall aim is to develop a framework that assists practitioners in software security analysis and decision making based on application context.
Research Article On Web Application SecuritySaadSaif6
This Is The Totally Hand Written Research Article On
Web Application Security
(Improving Critical Web-based Applications Quality Through In depth Security Analysis)
This Research Article Was Made By Me After The Hard Working Of One Month. Its Best And Suitable For Your Research Paper And Also Used In Class For Present It And For Submission.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
QUALITY ASSURANCE AND INTEGRATION TESTING ASPECTS IN WEB BASED APPLICATIONSIJCSEA Journal
Integration testing is one the important phase in software testing life cycle (STLC). With the fast growth of internet and web services, web-based applications are also growing rapidly and their importance and complexity is also increasing. Heterogeneous and diverse nature of distributed components, applications, along with their multi-platform support and cooperativeness make these applications more complex and swiftly increasing in their size. Quality assurance of these applications is becoming more crucial and important. Testing is one of the key processes to achieve and ensure the quality of these software or Webbased products. There are many testing challenges involved in Web-based applications. But most importantly integration is the most critical testing associated with Web-based applications. There are number of challenging factors involved in integration testing efforts. These factors have almost 70 percent to 80 percent impact on overall quality of Web-based applications. In software industry different kind of testing approaches are used by practitioners to solve the issues associated with integration which are due
to ever increasing complexities of Web-based applications.
The dependence of users on smartphones to accomplish their daily works is growing increasingly. Every day many mobile applications are downloaded and installed by the users to perform different desirable tasks for them. Before it can be installed in the smartphone, the mobile application requests from the user granting some sort of permissions, which may include the access right to users’ sensitive resources. In absence of a security mechanism that can enforce fine-grained permission control, the application may abuse the granted permissions and thus violates the security of sensitive resources. This paper proposes an attribute-based permission model ABP for Android smartphones to control how the mobile application can exercise the granted permissions. The finer granularity of the permission language used by ABP model ensures that the mobile application cannot violate the user’s security. By using ABP model, the users can enjoy the useful tasks the mobile applications provide while protecting sensitive resources from unauthorized use.
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSijseajournal
The document summarizes research on securing software development stages using aspect-orientation concepts. It proposes a model called the Aspect-Oriented Software Security Development Life Cycle (AOSSDLC) which incorporates security activities into each stage of the software development life cycle. The model aims to efficiently integrate security as a cross-cutting concern using aspect orientation. It is concluded that aspect orientation allows security features to be installed without changing the existing software structure, providing benefits over other approaches.
1. The document proposes a Business Oriented Framework for Enhancing Web Security Service (BOF4EWSS) to address security issues faced by e-businesses interacting over web services.
2. BOF4EWSS is a nine-phase framework based on the waterfall model, with an emphasis on negotiations and agreements between businesses.
3. The framework aims to provide comprehensive guidance for e-businesses to holistically manage inter-organizational security and trust when interacting over web services.
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET Journal
This document discusses web application security and its impact on businesses. It begins by defining web applications and how they have evolved beyond simple web pages. The document then explores common web application functions, security vulnerabilities like SQL injection and session hijacking, and solutions to those vulnerabilities. It emphasizes that web application security is crucial for organizations and discusses additional security measures for hardening web servers and applications.
This document discusses an ontology-based context-sensitive software security knowledge management modeling approach. It begins with an introduction describing the need for secure software development practices and security management systems. It then reviews related work incorporating ontologies and context modeling for software security. The proposed method involves an ontology-based context model with two parts: a software security domain model and an application context model. It describes the components of each model and establishes a hierarchical relationship between them. Finally, it discusses criteria for context-driven security modeling, including usability and quality. The overall aim is to develop a framework that assists practitioners in software security analysis and decision making based on application context.
This document proposes and evaluates a context-based access control (CBAC) mechanism for Android systems. The CBAC mechanism allows users to set configuration policies over applications' usage of device resources and services based on the user's context. The proposed system uses context sensing and machine learning to classify contexts and then dynamically grants or revokes application privileges. Experiments show the CBAC mechanism incurs negligible energy overhead compared to the stock Android system. The CBAC framework provides improved privacy and security over existing location-based policy systems.
Mitigating Privilege-Escalation Attacks on Android ReportVinoth Kanna
This document summarizes previous work on mitigating privilege-escalation attacks on Android. It discusses how Android's open framework allows applications to potentially gain unauthorized access to data. It reviews common privilege-escalation attacks like confused deputy attacks and inter-app collusion. The document also summarizes existing security extensions that aim to prevent these attacks, but notes limitations in addressing confused deputy and collusion attacks specifically. It proposes extending reference monitoring at the kernel level in addition to the middleware to better prevent these types of attacks.
Software reusabilitydevelopment through NFL approach For identifying security...IJECEIAES
In component based software reusability development process, the software developers have to choose the best components which are self adaptive future to overcome the functional errors, framework mismatches, violation of user level privacy issues and data leakage feasibilities. The software developers can build high quality software applications by taking the consideration of the reusable components which are more suitable to provide high level data security and privacy. This paper has proposing the neural based fuzzy framework based approach to estimate the reusable components which are directly and indirectly involve the security and privacy to improve the quality of the software system. This approach has considered the twenty effecting factors and fifty three attribute matrices. It has formed with three stages of execution scenarios. The first stage has executed with eleven effecting factors and eighteen attribute matrices for identification of supporting software reusability components, the second stage has executed with four effecting factors and thirty five attribute matrices for identification of subinternal relationships in terms of security-privacy, and the third stage has executed with eight effecting factors and six attribute matrices for identification of sub of sub-internal relationships in terms of security risk estimation. This analytical finding proposes a fuzzy logic model to evaluate the most feasible effecting factors that influence the enterprise level data security-privacy practices at real time environment.
Unique Security Challenges in the Datacenter Demand Innovative SolutionsJuniper Networks
The ability to leverage attacker intelligence across the infrastructure can improve security and simplify enforcement. Find out how to secure the network at campus edge, data center edge and data center core.
There have been reports such as ‘there is high rate of web application vulnerability’ as well as a range of ways in which web hackers attack web applications. Since the discovery that web applications convey the best content to users, there have been attempts to determine ways in which these systems can be hacked into through defacing, damage and defrauding. As the culture of conveying information across the internet continues to gain ground, there are increasing cases of vulnerabilities of these sites to cyber criminals.
Information security plays an important role in
governments. Its realm has been increased nowadays, especially
with resent viruses’ attacks in different governmental
organizations. The authentication is aspect of information
security, its current scheme used nowadays in the systems is
depend on the login by user name and password in addition to
one-time password or traditional secret questions, which in turn
is usually easy to predicate. This paper proposes enhanced
knowledge based authentication solution which ensures and
provides more security and usability levels for governmental
organizations.
A Smart Receptionist Implementing Facial Recognition and Voice InteractionCSCJournals
The purpose of this research is to implement a smart receptionist system with facial recognition and voice interaction using deep learning. The facial recognition component is implemented using real time image processing techniques, and it can be used to learn new faces as well as detect and recognize existing faces. The first time a customer uses this system, it will take the person’s facial data to create a unique user facial model, and this model will be triggered if the person comes the second time. The recognition is done in real time and after which voice interaction will be applied. Voice interaction is used to provide a life-like human communication and improve user experience. Our proposed smart receptionist system could be integrated into the self check-in kiosks deployed in hospitals or smart buildings to streamline the user recognition process and provide customized user interactions. This system could also be used in smart home environment where smart cameras have been deployed and voice assistants are in place.
This document summarizes research on challenges and issues in web security. It finds that 85% of websites are vulnerable to hacking, though organizations that provide software security training and centralize security controls experience fewer vulnerabilities. Recommendations include understanding which vulnerabilities pose the greatest risk and focusing on them, using pre-existing security controls instead of writing custom ones, and treating all user inputs as untrusted. Overall web security remains an ongoing challenge.
A Bring Your Own Device Risk Assessment ModelCSCJournals
Bring Your Own Device (BYOD), a technology where individuals or employees use their own devices on the organization’s network to perform tasks assigned to them by the organization has been widely embraced. The reasons for adoption are diverse in every organization. In spite of the security control strategies implemented by these organizations to safeguard their information resources, there has been an upsurge in information security breaches as a result of existing vulnerabilities in these systems and the legacy systems in use. Various approaches have been employed to deal with security challenges in BYOD, but according to literature, risk assessment has proved to be the first key step towards improving security of the BYOD environment in an enterprise. Risk assessment models have been proposed by various researchers, although, most are largely influenced by the degree of technological advancement and utilization as well as the working cultures within institutions. The existing models were largely developed in technologically advanced countries and thus do not fit well in developing countries. This study sought to develop flexible BYOD risk assessment model that can be adopted by varied institutions to secure their information resources. The study was carried out in Five (5) purposively selected state universities in Kenya. The research adopted a mixed research design approach with mixed sampling technique utilized to select the participants. Reliability and validity of data collection tools were evaluated and recommended by IT security and network experts. The qualitative and quantitative data was collected by interviewing experts and administering a questionnaire to sampled participants. The developed model was validated both statistically and by experts. The findings revealed that threats and vulnerabilities contributed to 39.9% and 69.2% respectively to the risk of the BYOD environment while Data Encryption (DE) and Software Updates (SU) came out strongly as intervening variables which have a major impact on the relationship between the dependent and independent variables.
This document discusses key concepts in software architecture including:
- The core activities of software architecture are architectural analysis, synthesis (design), evaluation, and evolution.
- Important supporting activities are knowledge management, design reasoning, documentation, and architecture description.
- Common views for documenting architecture include logical, process, physical, development, and use case views.
- Architectural styles and patterns provide reusable solutions for common architectural problems.
This document proposes a Rational Unified Treatment approach for Web Application Vulnerability Assessment (WVA). It implements the Rational Unified Process (RUP) framework to iteratively identify vulnerabilities. The approach discovers assets, audits for risks and threats, exploits identified vulnerabilities, and provides mitigation steps. It was tested on a web application using the w3af security scanner. The results generated reports on discovered vulnerabilities in different formats to help secure the application.
This document summarizes a survey of cloud-based secure web applications. It begins with an introduction to cloud computing and the security risks of web applications. It then presents two tables: 1) a comparison of related work on web application security that analyzes the attacks, algorithms, languages, models, studies, and test cases used; and 2) a comparison of Python to PHP and Ruby programming languages in terms of their version, purpose, creator, influences, popular sites built with each, usability, and ease of learning. The document concludes that there is a need for solutions that allow users to securely test websites for vulnerabilities in the cloud.
A LITERATURE SURVEY AND ANALYSIS ON SOCIAL ENGINEERING DEFENSE MECHANISMS AND...IJNSA Journal
This document provides a summary of a literature review on social engineering defense mechanisms and information security policies. It discusses previous research on social engineering attacks and defenses. It also describes a taxonomy of social engineering targets and defenses developed by the authors. Surveys were conducted to measure employee awareness of defenses and the incorporation of information security policies in organizations. The results found over half of employees were unaware of social engineering and organizations only incorporated about 50% of recommended security policies on average. This highlights the need for better education and policies to protect against social engineering attacks.
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
In today’s Era, Web applications are one of the most part ubiquitous platforms for
information sharing and services over Internet which play significant role in individual life as well
as in any country’s growth. Web applications have gone through a very rapid Growth As they are
increasingly used for the financial organization, government, hospitality and many critical services.
Web applications become a popular and precious target for security attacks. at the present time,
billions of transactions are done online through net banking, online shopping, online billing and
many more. Even though these applications are used by lots of people modern web applications
often implements the complex structure requires for user to carry out actions in given order, in
many cases the security level is too low, which makes them vulnerable to get compromised. Even
though a large number of techniques have been developed to build up web applications and
mitigate the attacks toward web applications, there is little effort constant to drawing relations
among these techniques and building a big picture of web application security(WAS) research. In
this paper, we present a survey on various types of web application vulnerabilities(WAV).
Web Application Testing (Major Challenges and Techniques)Editor IJMTER
Web-based systems represent a young, but rapidly growing technology. As the number of
web applications continues to grow, these systems enter a critical role in a multitude of companies.
The way web systems impact business aspects, combined with an ever-growing internet user mass,
emphasize the importance of developing high-quality products. Thus, proper testing plays a distinctive
part in ensuring reliable, robust and high performing operation of web applications. Issues such as the
security of the web application, the basic functionality of the site, its accessibility to handicapped users
and fully able users, as well as readiness for expected traffic and number of users and the ability to
survive a massive spike in user traffic, both of which are related to load testing. The testing of web
based applications has much in common with the testing of desktop systems like testing of
functionality, configuration, and compatibility. Web application testing consists of the analysis of the
web fault compared to the generic software faults. Other faults are strictly dependent on the interaction
mode because of web application multi-tier architecture. Some web specific faults are authentication
problem, incorrect multi language support, hyperlink problem, cross-browser portability problem,
incorrect form construction, incorrect cookie value, incorrect session management, incorrect
generation of error page, etc.
Validation of early testing method for e government projects by requirement ...Conference Papers
The document describes a validation study of an Early Requirement Testing Method (ERTM) for e-government projects. Test engineers used the ERTM, which involves reviewing requirements documents and providing feedback, on six e-government projects. The number of defects found before and after applying the ERTM and providing interventions was compared using a statistical test. The results showed that overall, there was a statistically significant reduction in the number of defects found after applying the ERTM, suggesting it is useful for improving requirements documentation. However, one project saw an increase in defects due to additional requirements added later in the project.
This document presents a technique to enhance password-username authentication by addressing SQL injection and online password guessing attacks. The technique combines cryptographic hashing of passwords, recognition-based graphical passwords, and parameterized queries. Users register with a username, password, and graphical password. The password is hashed with a salt during registration. Login allows two attempts with the username and password before requiring the graphical password. IPs are blocked after one failed graphical attempt to prevent brute force attacks while still allowing legitimate users access. Security testing showed the technique prevented SQL injection and online password guessing attacks.
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are treated.
A model based security requirements engineering frameworkIAEME Publication
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into mainstream requirements activities from the beginning. It then compares the proposed framework to Haley's framework.
The advancements in cloud computing and leveraging the benefits from
cloud computing to the service providers have increased the deployment of
traditional applications to the cloud. The applications once deployed on the
cloud, due to various reasons, need migration from development
infrastructure to operational infrastructure, one operational instance to other
operational instances due to load balancing and the cycle continues due to the
use of DevOps as development strategies for cloud computing applications.
Advocates of hybrid and public clouds observe cloud computing makes it
possible for organizations to avert or minimize upfront IT infrastructure
expenses. Proponents also assert that cloud computing systems permit
businesses to receive their software up and running faster, using improved
manageability and less maintenance, so it empowers IT teams to rapidly
adapt tools to meet the varying and unpredictable requirements. DevOps is a
lot of practices that mechanizes the procedures between programming
improvement and IT groups, all together that they can fabricate, test, and
discharge programming quicker and even more dependably. The idea of
DevOps is established on building a culture of a joint effort between groups
that generally worked in relative siloes. The guaranteed advantages
incorporate expanded trust, quicker programming discharges, capacity to
explain basic issues rapidly and better oversee impromptu work. Thus, this
work identifies the need for providing multiple security protocols during the
complete life cycle of cloud application development and deployment. This
work proposes a novel framework for automatic selection and deployment of
the security protocols during cloud service deployments. The framework
identifies the need for security aspects and selects the appropriate security
algorithms for virtual machines. The proposed framework demonstrates
nearly 80% improvement over the security policy deployment time.
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...cscpconf
This research “Designing Dependable Web Services Security Architecture Solutions” addresses
the innovative idea of Web Services Security Engineering using Web Services Security
Architecture with a research motivation of Secure Service Oriented Analysis and Design. It deals
with Web Services Security Architecture for Web Services Secure application design, for
Authentication and authorization, using Model Driven Architecture (MDA) based Agile Modeled
Layered Security Architecture design, which eventually results in enhanced dependable (privacy)
management. All the above findings are validated with appropriate case studies of Web 2.0
Services, its extension to Web 2.0 Mashups Spatial Web Services and various financial
applications. In this paper we discuss about Research Methodology for Designing Dependable Agile Layered Security Architectures, with validations on Spatial Web Services Case study.
Unified V- Model Approach of Re-Engineering to reinforce Web Application Deve...IOSR Journals
The document discusses approaches for reengineering web applications. It proposes using a unified V-model approach to reinforce web application development through reengineering. Specifically, it discusses:
1) Using reverse engineering to analyze existing web applications and recover designs, followed by forward engineering to restructure the applications based on new requirements.
2) Applying the V-model at each phase of the web development process during reengineering to incorporate methodology.
3) The reengineering process involves reverse engineering, transformations to adapt to new technologies/requirements, and forward engineering to implement the new design.
This document proposes and evaluates a context-based access control (CBAC) mechanism for Android systems. The CBAC mechanism allows users to set configuration policies over applications' usage of device resources and services based on the user's context. The proposed system uses context sensing and machine learning to classify contexts and then dynamically grants or revokes application privileges. Experiments show the CBAC mechanism incurs negligible energy overhead compared to the stock Android system. The CBAC framework provides improved privacy and security over existing location-based policy systems.
Mitigating Privilege-Escalation Attacks on Android ReportVinoth Kanna
This document summarizes previous work on mitigating privilege-escalation attacks on Android. It discusses how Android's open framework allows applications to potentially gain unauthorized access to data. It reviews common privilege-escalation attacks like confused deputy attacks and inter-app collusion. The document also summarizes existing security extensions that aim to prevent these attacks, but notes limitations in addressing confused deputy and collusion attacks specifically. It proposes extending reference monitoring at the kernel level in addition to the middleware to better prevent these types of attacks.
Software reusabilitydevelopment through NFL approach For identifying security...IJECEIAES
In component based software reusability development process, the software developers have to choose the best components which are self adaptive future to overcome the functional errors, framework mismatches, violation of user level privacy issues and data leakage feasibilities. The software developers can build high quality software applications by taking the consideration of the reusable components which are more suitable to provide high level data security and privacy. This paper has proposing the neural based fuzzy framework based approach to estimate the reusable components which are directly and indirectly involve the security and privacy to improve the quality of the software system. This approach has considered the twenty effecting factors and fifty three attribute matrices. It has formed with three stages of execution scenarios. The first stage has executed with eleven effecting factors and eighteen attribute matrices for identification of supporting software reusability components, the second stage has executed with four effecting factors and thirty five attribute matrices for identification of subinternal relationships in terms of security-privacy, and the third stage has executed with eight effecting factors and six attribute matrices for identification of sub of sub-internal relationships in terms of security risk estimation. This analytical finding proposes a fuzzy logic model to evaluate the most feasible effecting factors that influence the enterprise level data security-privacy practices at real time environment.
Unique Security Challenges in the Datacenter Demand Innovative SolutionsJuniper Networks
The ability to leverage attacker intelligence across the infrastructure can improve security and simplify enforcement. Find out how to secure the network at campus edge, data center edge and data center core.
There have been reports such as ‘there is high rate of web application vulnerability’ as well as a range of ways in which web hackers attack web applications. Since the discovery that web applications convey the best content to users, there have been attempts to determine ways in which these systems can be hacked into through defacing, damage and defrauding. As the culture of conveying information across the internet continues to gain ground, there are increasing cases of vulnerabilities of these sites to cyber criminals.
Information security plays an important role in
governments. Its realm has been increased nowadays, especially
with resent viruses’ attacks in different governmental
organizations. The authentication is aspect of information
security, its current scheme used nowadays in the systems is
depend on the login by user name and password in addition to
one-time password or traditional secret questions, which in turn
is usually easy to predicate. This paper proposes enhanced
knowledge based authentication solution which ensures and
provides more security and usability levels for governmental
organizations.
A Smart Receptionist Implementing Facial Recognition and Voice InteractionCSCJournals
The purpose of this research is to implement a smart receptionist system with facial recognition and voice interaction using deep learning. The facial recognition component is implemented using real time image processing techniques, and it can be used to learn new faces as well as detect and recognize existing faces. The first time a customer uses this system, it will take the person’s facial data to create a unique user facial model, and this model will be triggered if the person comes the second time. The recognition is done in real time and after which voice interaction will be applied. Voice interaction is used to provide a life-like human communication and improve user experience. Our proposed smart receptionist system could be integrated into the self check-in kiosks deployed in hospitals or smart buildings to streamline the user recognition process and provide customized user interactions. This system could also be used in smart home environment where smart cameras have been deployed and voice assistants are in place.
This document summarizes research on challenges and issues in web security. It finds that 85% of websites are vulnerable to hacking, though organizations that provide software security training and centralize security controls experience fewer vulnerabilities. Recommendations include understanding which vulnerabilities pose the greatest risk and focusing on them, using pre-existing security controls instead of writing custom ones, and treating all user inputs as untrusted. Overall web security remains an ongoing challenge.
A Bring Your Own Device Risk Assessment ModelCSCJournals
Bring Your Own Device (BYOD), a technology where individuals or employees use their own devices on the organization’s network to perform tasks assigned to them by the organization has been widely embraced. The reasons for adoption are diverse in every organization. In spite of the security control strategies implemented by these organizations to safeguard their information resources, there has been an upsurge in information security breaches as a result of existing vulnerabilities in these systems and the legacy systems in use. Various approaches have been employed to deal with security challenges in BYOD, but according to literature, risk assessment has proved to be the first key step towards improving security of the BYOD environment in an enterprise. Risk assessment models have been proposed by various researchers, although, most are largely influenced by the degree of technological advancement and utilization as well as the working cultures within institutions. The existing models were largely developed in technologically advanced countries and thus do not fit well in developing countries. This study sought to develop flexible BYOD risk assessment model that can be adopted by varied institutions to secure their information resources. The study was carried out in Five (5) purposively selected state universities in Kenya. The research adopted a mixed research design approach with mixed sampling technique utilized to select the participants. Reliability and validity of data collection tools were evaluated and recommended by IT security and network experts. The qualitative and quantitative data was collected by interviewing experts and administering a questionnaire to sampled participants. The developed model was validated both statistically and by experts. The findings revealed that threats and vulnerabilities contributed to 39.9% and 69.2% respectively to the risk of the BYOD environment while Data Encryption (DE) and Software Updates (SU) came out strongly as intervening variables which have a major impact on the relationship between the dependent and independent variables.
This document discusses key concepts in software architecture including:
- The core activities of software architecture are architectural analysis, synthesis (design), evaluation, and evolution.
- Important supporting activities are knowledge management, design reasoning, documentation, and architecture description.
- Common views for documenting architecture include logical, process, physical, development, and use case views.
- Architectural styles and patterns provide reusable solutions for common architectural problems.
This document proposes a Rational Unified Treatment approach for Web Application Vulnerability Assessment (WVA). It implements the Rational Unified Process (RUP) framework to iteratively identify vulnerabilities. The approach discovers assets, audits for risks and threats, exploits identified vulnerabilities, and provides mitigation steps. It was tested on a web application using the w3af security scanner. The results generated reports on discovered vulnerabilities in different formats to help secure the application.
This document summarizes a survey of cloud-based secure web applications. It begins with an introduction to cloud computing and the security risks of web applications. It then presents two tables: 1) a comparison of related work on web application security that analyzes the attacks, algorithms, languages, models, studies, and test cases used; and 2) a comparison of Python to PHP and Ruby programming languages in terms of their version, purpose, creator, influences, popular sites built with each, usability, and ease of learning. The document concludes that there is a need for solutions that allow users to securely test websites for vulnerabilities in the cloud.
A LITERATURE SURVEY AND ANALYSIS ON SOCIAL ENGINEERING DEFENSE MECHANISMS AND...IJNSA Journal
This document provides a summary of a literature review on social engineering defense mechanisms and information security policies. It discusses previous research on social engineering attacks and defenses. It also describes a taxonomy of social engineering targets and defenses developed by the authors. Surveys were conducted to measure employee awareness of defenses and the incorporation of information security policies in organizations. The results found over half of employees were unaware of social engineering and organizations only incorporated about 50% of recommended security policies on average. This highlights the need for better education and policies to protect against social engineering attacks.
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
In today’s Era, Web applications are one of the most part ubiquitous platforms for
information sharing and services over Internet which play significant role in individual life as well
as in any country’s growth. Web applications have gone through a very rapid Growth As they are
increasingly used for the financial organization, government, hospitality and many critical services.
Web applications become a popular and precious target for security attacks. at the present time,
billions of transactions are done online through net banking, online shopping, online billing and
many more. Even though these applications are used by lots of people modern web applications
often implements the complex structure requires for user to carry out actions in given order, in
many cases the security level is too low, which makes them vulnerable to get compromised. Even
though a large number of techniques have been developed to build up web applications and
mitigate the attacks toward web applications, there is little effort constant to drawing relations
among these techniques and building a big picture of web application security(WAS) research. In
this paper, we present a survey on various types of web application vulnerabilities(WAV).
Web Application Testing (Major Challenges and Techniques)Editor IJMTER
Web-based systems represent a young, but rapidly growing technology. As the number of
web applications continues to grow, these systems enter a critical role in a multitude of companies.
The way web systems impact business aspects, combined with an ever-growing internet user mass,
emphasize the importance of developing high-quality products. Thus, proper testing plays a distinctive
part in ensuring reliable, robust and high performing operation of web applications. Issues such as the
security of the web application, the basic functionality of the site, its accessibility to handicapped users
and fully able users, as well as readiness for expected traffic and number of users and the ability to
survive a massive spike in user traffic, both of which are related to load testing. The testing of web
based applications has much in common with the testing of desktop systems like testing of
functionality, configuration, and compatibility. Web application testing consists of the analysis of the
web fault compared to the generic software faults. Other faults are strictly dependent on the interaction
mode because of web application multi-tier architecture. Some web specific faults are authentication
problem, incorrect multi language support, hyperlink problem, cross-browser portability problem,
incorrect form construction, incorrect cookie value, incorrect session management, incorrect
generation of error page, etc.
Validation of early testing method for e government projects by requirement ...Conference Papers
The document describes a validation study of an Early Requirement Testing Method (ERTM) for e-government projects. Test engineers used the ERTM, which involves reviewing requirements documents and providing feedback, on six e-government projects. The number of defects found before and after applying the ERTM and providing interventions was compared using a statistical test. The results showed that overall, there was a statistically significant reduction in the number of defects found after applying the ERTM, suggesting it is useful for improving requirements documentation. However, one project saw an increase in defects due to additional requirements added later in the project.
This document presents a technique to enhance password-username authentication by addressing SQL injection and online password guessing attacks. The technique combines cryptographic hashing of passwords, recognition-based graphical passwords, and parameterized queries. Users register with a username, password, and graphical password. The password is hashed with a salt during registration. Login allows two attempts with the username and password before requiring the graphical password. IPs are blocked after one failed graphical attempt to prevent brute force attacks while still allowing legitimate users access. Security testing showed the technique prevented SQL injection and online password guessing attacks.
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are treated.
A model based security requirements engineering frameworkIAEME Publication
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into mainstream requirements activities from the beginning. It then compares the proposed framework to Haley's framework.
The advancements in cloud computing and leveraging the benefits from
cloud computing to the service providers have increased the deployment of
traditional applications to the cloud. The applications once deployed on the
cloud, due to various reasons, need migration from development
infrastructure to operational infrastructure, one operational instance to other
operational instances due to load balancing and the cycle continues due to the
use of DevOps as development strategies for cloud computing applications.
Advocates of hybrid and public clouds observe cloud computing makes it
possible for organizations to avert or minimize upfront IT infrastructure
expenses. Proponents also assert that cloud computing systems permit
businesses to receive their software up and running faster, using improved
manageability and less maintenance, so it empowers IT teams to rapidly
adapt tools to meet the varying and unpredictable requirements. DevOps is a
lot of practices that mechanizes the procedures between programming
improvement and IT groups, all together that they can fabricate, test, and
discharge programming quicker and even more dependably. The idea of
DevOps is established on building a culture of a joint effort between groups
that generally worked in relative siloes. The guaranteed advantages
incorporate expanded trust, quicker programming discharges, capacity to
explain basic issues rapidly and better oversee impromptu work. Thus, this
work identifies the need for providing multiple security protocols during the
complete life cycle of cloud application development and deployment. This
work proposes a novel framework for automatic selection and deployment of
the security protocols during cloud service deployments. The framework
identifies the need for security aspects and selects the appropriate security
algorithms for virtual machines. The proposed framework demonstrates
nearly 80% improvement over the security policy deployment time.
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...cscpconf
This research “Designing Dependable Web Services Security Architecture Solutions” addresses
the innovative idea of Web Services Security Engineering using Web Services Security
Architecture with a research motivation of Secure Service Oriented Analysis and Design. It deals
with Web Services Security Architecture for Web Services Secure application design, for
Authentication and authorization, using Model Driven Architecture (MDA) based Agile Modeled
Layered Security Architecture design, which eventually results in enhanced dependable (privacy)
management. All the above findings are validated with appropriate case studies of Web 2.0
Services, its extension to Web 2.0 Mashups Spatial Web Services and various financial
applications. In this paper we discuss about Research Methodology for Designing Dependable Agile Layered Security Architectures, with validations on Spatial Web Services Case study.
Unified V- Model Approach of Re-Engineering to reinforce Web Application Deve...IOSR Journals
The document discusses approaches for reengineering web applications. It proposes using a unified V-model approach to reinforce web application development through reengineering. Specifically, it discusses:
1) Using reverse engineering to analyze existing web applications and recover designs, followed by forward engineering to restructure the applications based on new requirements.
2) Applying the V-model at each phase of the web development process during reengineering to incorporate methodology.
3) The reengineering process involves reverse engineering, transformations to adapt to new technologies/requirements, and forward engineering to implement the new design.
DESQA a Software Quality Assurance FrameworkIJERA Editor
In current software development lifecycles of heterogeneous environments, the pitfalls businesses have to face are that software defect tracking, measurements and quality assurance do not start early enough in the development process. In fact the cost of fixing a defect in a production environment is much higher than in the initial phases of the Software Development Life Cycle (SDLC) which is particularly true for Service Oriented Architecture (SOA). Thus the aim of this study is to develop a new framework for defect tracking and detection and quality estimation for early stages particularly for the design stage of the SDLC. Part of the objectives of this work is to conceptualize, borrow and customize from known frameworks, such as object-oriented programming to build a solid framework using automated rule based intelligent mechanisms to detect and classify defects in software design of SOA. The implementation part demonstrated how the framework can predict the quality level of the designed software. The results showed a good level of quality estimation can be achieved based on the number of design attributes, the number of quality attributes and the number of SOA Design Defects. Assessment shows that metrics provide guidelines to indicate the progress that a software system has made and the quality of design. Using these guidelines, we can develop more usable and maintainable software systems to fulfill the demand of efficient systems for software applications. Another valuable result coming from this study is that developers are trying to keep backwards compatibility when they introduce new functionality. Sometimes, in the same newly-introduced elements developers perform necessary breaking changes in future versions. In that way they give time to their clients to adapt their systems. This is a very valuable practice for the developers because they have more time to assess the quality of their software before releasing it. Other improvements in this research include investigation of other design attributes and SOA Design Defects which can be computed in extending the tests we performed.
1) The document discusses applying data mining techniques to various phases of the web engineering process to improve business intelligence applications.
2) It proposes a 3-phase algorithm involving extracting web data, applying web mining techniques like association rule mining and clustering, and associating the results with the web engineering process.
3) The goal is to use mining insights to improve aspects like website structure and navigation to better meet business and user needs, thereby increasing business profits.
A Resiliency Framework For An Enterprise CloudJeff Nelson
The document summarizes a research paper that proposes a resiliency framework called the Cloud Computing Adoption Framework (CCAF) for enterprise clouds. CCAF includes four major emerging services - software resilience, service components, guidelines, and real case studies - that are designed to improve an organization's security when adopting cloud computing. The framework was validated through a large survey that provided user requirements to guide the system's design and development. CCAF aims to illustrate how software resilience and security can be improved for enterprises moving to the cloud.
Vulnerability Management in IT InfrastructureIRJET Journal
This document discusses the development of a web portal to automate vulnerability management in IT infrastructure. It aims to make identifying vulnerabilities, assigning risk treatments, and remediating vulnerabilities more efficient. The portal was built using MongoDB, Node.js, Express.js, and React.js. It allows security leads to view vulnerability reports and assign risk treatments. Asset owners can then view assets assigned to them to remediate. This addresses the inefficiencies of previous manual processes. The portal provides a more structured way to manage vulnerabilities through the entire lifecycle from identification to remediation.
Software Engineering Process in Web Application DevelopmentIOSR Journals
This document discusses the software engineering process for developing web applications. It begins by noting that conventional software engineering models cannot be directly applied to web development due to the unique characteristics of web applications. The document then outlines the conventional software development process and various models used. It describes how web engineering adapts these conventional processes, using an incremental development approach better suited to evolving web requirements. The document identifies differences between traditional software and web engineering, and proposes a modified process model for web application development.
This document discusses the differences between conventional software engineering processes and web application development processes. It notes that web applications have large user bases, evolving requirements, and frequent changes, requiring an incremental development approach. The document outlines the typical phases of conventional software development (analysis, design, coding, testing, implementation) and various process models (waterfall, V-model, etc.). It then describes adaptations needed for web engineering, including incorporating analysis of content, interactions, functions and configurations. The design phase in web engineering includes aesthetic and navigation design elements not present in conventional models. Testing for web applications must also consider functionality, usability, interfaces, compatibility and security across various hardware/software environments.
Running head APPLICATIONS RELATIVE TO COURSE OBJECTIVES .docxtoddr4
Running head: APPLICATIONS RELATIVE TO COURSE OBJECTIVES 1
APPLICATIONS RELATIVE TO COURSE OBJECTIVES 2
Applications Relative To Course Objectives
Woodrow Rowell
5/3/20
In this case, I am dealing with a construction project. Successful implementation of the project will demand the creation of effective project metrics. The metrics are useful in that they help in controlling project costs, evaluating project success, project status, possible risks, and assessing the productivity and the quality of the project team. Such elements are crucial in making sure that the project has been completed as planned. Time, costs, and scope have got limits, which are determined during the project planning stage. Project managers focus on completing the project within the scheduled time frame or less, incurring the planned cost or less, and working within the defined scope. Project metrics are useful in preventing adverse deviation from the expectation or plan.
Key characteristics of a metric that are properly designed are; first, the metric should be relevant to the project being undertaken. Secondly, the metric should be in proper alignment with the objectives and goals of the project. Third, it must be strategic. The formulation of the project should start from the identified goals and objectives, working backward. Fourth, the metric must be simple and easy to understand by the project team. Fifth, the metrics should be measurable to determine the extent to which they are being achieved.
In a metric-driven project, Key Performance Indicators (KPIs) mainly focus on the costs, resource use, and scheduled time. Some of the common KPIs used are project schedule, estimate to project completion, resource allocation, development backlog, among others. The KPIs are evaluated from time to time to evaluate whether the project is on the right track.
Failure to consider value-based project management metrics leads to the selection of the wrong metrics and the inability to add value to the project as it continues, as the project team tends to focus more on the results and not the processes. Key factors to consider include; key performance indicators (current value) and Customer value management (maximizing the value of the customers) (EIRGASH et al., 2017).
Project dashboards play a crucial role in evaluating project performance. They are supposed to be designed in accordance with the number of stakeholders and key activities being executed within the project. The design has to incorporate the activity and milestone tracking capability, production of progress reports, task status, resource allocation, teamwork status, etc. Limitations of the dashboards are that they have got a limited number of individuals accessing them, the maximum number of widgets is twelve, shared Dashboards per view reach 50 for every analytics account, and edit permission to share. Such .
Reliability Improvement with PSP of Web-Based Software ApplicationsCSEIJJournal
In diverse industrial and academic environments, the quality of the software has been evaluated using
different analytic studies. The contribution of the present work is focused on the development of a
methodology in order to improve the evaluation and analysis of the reliability of web-based software
applications. The Personal Software Process (PSP) was introduced in our methodology for improving the
quality of the process and the product. The Evaluation + Improvement (Ei) process is performed in our
methodology to evaluate and improve the quality of the software system. We tested our methodology in a
web-based software system and used statistical modeling theory for the analysis and evaluation of the
reliability. The behavior of the system under ideal conditions was evaluated and compared against the
operation of the system executing under real conditions. The results obtained demonstrated the
effectiveness and applicability of our methodology
A Review On Data Security In Cloud ComputingYolanda Ivey
This document provides a review of approaches for ensuring data security in cloud computing. It summarizes 31 research papers on this topic published between 2007-2014. The key findings are:
1) The majority of approaches (45%) ensured data security through encryption methods like RSA encryption, merging Playfair and Vigenere ciphers with DES, and using SSL encryption.
2) Other common approaches included proposing guidelines (21%) and frameworks (16%) for data security, and using homomorphic tokens (7%) to enable encrypted data comparisons.
3) The approaches were categorized based on the technique used, with encryption being the most frequent, followed by guidelines, frameworks, homomorphic tokens, and other methods like harmonizing
Security has always been a great concern for all software systems due to the increased incursion of the wireless devices in recent years. Generally software engineering processes tries to compel the security measures during the various design phases which results into an inefficient measure. So this calls for a new process of software engineering in which we would try to give a proper framework for integrating the security requirements with the SDLC, and in this requirement engineers must discover all the security requirements related to a particular system, so security requirement could be analyzed and simultaneously prioritized in one go. In this paper we will present a new technique for prioritizing these requirement based on the risk measurement techniques. The true security requirements should be easily identified as early as possible so that these could be systematically analyzed and then every architecture team can choose the most appropriate mechanism to implement them.
Effective Information Flow Control as a Service: EIFCaaSIRJET Journal
This document presents a framework called Effective Information Flow Control as a Service (EIFCaaS) to detect vulnerabilities in Software as a Service (SaaS) applications in cloud computing environments. EIFCaaS analyzes application bytecode using static taint analysis to identify insecure information flows that could violate data confidentiality or integrity. The framework consists of four main components: a model generator, an information flow control engine, a vulnerability detector, and a result publisher. The framework was implemented as a prototype and evaluated on six open source applications, detecting SQL injection and NoSQL injection vulnerabilities. EIFCaaS aims to provide third-party security analysis and monitoring of SaaS applications as a cloud-based service.
A reliability estimation framework for OO design complexity perspective has been developed inthis paper. The proposed framework correlates the object oriented design constructs with complexity and also correlates complexity with reliability. No such framework has been available in the literature that estimates software reliability of OO design by taking complexity into consideration. The framework bridges the gap between object oriented design constructs, complexity and reliability. Framework measures and minimizes the complexity of software design at the early stage of software development life cycle leading to a reliable end product. Reliability and complexity estimation models have been proposed by following the proposed framework. Complexity estimation model has been developed which takes OO design constructs into consideration and proposed reliability estimation models take complexity in consideration for estimating reliability of OO design.
Ownux is an Information Security Consultation firm specializing in the field of Penetration Testing of every channel which classifies different security areas of interest within an organization. We are focused on Application Security, however, it is not limited to physical cyber security, reviewing the configurations of applications and security appliances. We have much more to offer.
Model for Identifying the Security of a System: A Case Study of Point Of Sale...IOSR Journals
This document presents a model for identifying security requirements of a system during the requirements analysis phase. The model uses use case diagrams along with security questionnaires tables. A use case diagram depicts the functional requirements and interactions between actors and the system. The proposed model adds a security questionnaires table for each use case/process in the diagram to identify related security requirements. The document implements the model on a point of sale system case study, presenting sample security questionnaires tables for the login, add product, and view product processes. The tables contain security-related questions to address during requirements. The model aims to incorporate security early in development to avoid later issues.
Want to know how to secure your web apps from cyber-attacks? Looking to know the Best Web Application Security Best Practices? Check this article, we delve into six essential web application security best practices that are important for safeguarding your web applications and preserving the sanctity of your valuable data.
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...cscpconf
Software Engineering covers the definition of processes, techniques and models suitable for its
environment to guarantee quality of results. An important design artifact in any software
development project is the Software Architecture. Software Architecture’s important part is the
set of architectural design rules. A primary goal of the architecture is to capture the
architecture design decisions. An important part of these design decisions consists of
architectural design rules In an MDA (Model-Driven Architecture) context, the design of the
system architecture is captured in the models of the system. MDA is known to be layered
approach for modeling the architectural design rules and uses design patterns to improve the
quality of software system. And to include the security to the software system, security patterns
are introduced that offer security at the architectural level. More over, agile software
development methods are used to build secure systems. There are different methods defined in
agile development as extreme programming (XP), scrum, feature driven development (FDD),
test driven development (TDD), etc. Agile processing is includes the phases as agile analysis,
agile design and agile testing. These phases are defined in layers of MDA to provide security at
the modeling level which ensures that security at the system architecture stage will improve the
requirements for that system. Agile modeled Layered Security Architectures increase the
dependability of the architecture in terms of privacy requirements. We validate this with a case
study of dependability of privacy of Web Services Security Architectures, which helps for secure
service oriented security architecture. In this paper the major part is given to model
architectural design rules using MDA so that architects and developers are responsible to
automatic enforcement on the detailed design and easy to understand and use by both of them.
This MDA approach is implemented in use of Agile strategy in three different phases covering
three different layers to provide security to the system. With this procedure a premise
conclusion has been given that with the system security the requirements for that system are
improved. This paper summarizes that security is essential for every system at initial stage and
upon introduction of security at middle stage must lead to the change in the system i.e., an
improvement to system requirements.
Developing secure software using Aspect oriented programmingIOSR Journals
This document discusses using aspect-oriented programming (AOP) to develop more secure software by separating security concerns from core application logic. It provides motivation for this approach by explaining how security code can become tangled and scattered in object-oriented programs. The document then introduces AOP and AspectJ, using access control as an example of how AOP can improve modularity of a cross-cutting security concern. Specifically, it describes representing access control state using a pushdown automaton updated by AOP aspects.
Similar to IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY (20)
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...TechSoup
Whether you're new to SEO or looking to refine your existing strategies, this webinar will provide you with actionable insights and practical tips to elevate your nonprofit's online presence.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxEduSkills OECD
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
A Visual Guide to 1 Samuel | A Tale of Two HeartsSteve Thomason
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy is anointed and Saul is envious of him. David shows honor while Saul continues to self destruct.
Chapter wise All Notes of First year Basic Civil Engineering.pptxDenish Jangid
Chapter wise All Notes of First year Basic Civil Engineering
Syllabus
Chapter-1
Introduction to objective, scope and outcome the subject
Chapter 2
Introduction: Scope and Specialization of Civil Engineering, Role of civil Engineer in Society, Impact of infrastructural development on economy of country.
Chapter 3
Surveying: Object Principles & Types of Surveying; Site Plans, Plans & Maps; Scales & Unit of different Measurements.
Linear Measurements: Instruments used. Linear Measurement by Tape, Ranging out Survey Lines and overcoming Obstructions; Measurements on sloping ground; Tape corrections, conventional symbols. Angular Measurements: Instruments used; Introduction to Compass Surveying, Bearings and Longitude & Latitude of a Line, Introduction to total station.
Levelling: Instrument used Object of levelling, Methods of levelling in brief, and Contour maps.
Chapter 4
Buildings: Selection of site for Buildings, Layout of Building Plan, Types of buildings, Plinth area, carpet area, floor space index, Introduction to building byelaws, concept of sun light & ventilation. Components of Buildings & their functions, Basic concept of R.C.C., Introduction to types of foundation
Chapter 5
Transportation: Introduction to Transportation Engineering; Traffic and Road Safety: Types and Characteristics of Various Modes of Transportation; Various Road Traffic Signs, Causes of Accidents and Road Safety Measures.
Chapter 6
Environmental Engineering: Environmental Pollution, Environmental Acts and Regulations, Functional Concepts of Ecology, Basics of Species, Biodiversity, Ecosystem, Hydrological Cycle; Chemical Cycles: Carbon, Nitrogen & Phosphorus; Energy Flow in Ecosystems.
Water Pollution: Water Quality standards, Introduction to Treatment & Disposal of Waste Water. Reuse and Saving of Water, Rain Water Harvesting. Solid Waste Management: Classification of Solid Waste, Collection, Transportation and Disposal of Solid. Recycling of Solid Waste: Energy Recovery, Sanitary Landfill, On-Site Sanitation. Air & Noise Pollution: Primary and Secondary air pollutants, Harmful effects of Air Pollution, Control of Air Pollution. . Noise Pollution Harmful Effects of noise pollution, control of noise pollution, Global warming & Climate Change, Ozone depletion, Greenhouse effect
Text Books:
1. Palancharmy, Basic Civil Engineering, McGraw Hill publishers.
2. Satheesh Gopi, Basic Civil Engineering, Pearson Publishers.
3. Ketki Rangwala Dalal, Essentials of Civil Engineering, Charotar Publishing House.
4. BCP, Surveying volume 1
How Barcodes Can Be Leveraged Within Odoo 17Celine George
In this presentation, we will explore how barcodes can be leveraged within Odoo 17 to streamline our manufacturing processes. We will cover the configuration steps, how to utilize barcodes in different manufacturing scenarios, and the overall benefits of implementing this technology.
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.pptHenry Hollis
The History of NZ 1870-1900.
Making of a Nation.
From the NZ Wars to Liberals,
Richard Seddon, George Grey,
Social Laboratory, New Zealand,
Confiscations, Kotahitanga, Kingitanga, Parliament, Suffrage, Repudiation, Economic Change, Agriculture, Gold Mining, Timber, Flax, Sheep, Dairying,
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumMJDuyan
(𝐓𝐋𝐄 𝟏𝟎𝟎) (𝐋𝐞𝐬𝐬𝐨𝐧 𝟏)-𝐏𝐫𝐞𝐥𝐢𝐦𝐬
𝐃𝐢𝐬𝐜𝐮𝐬𝐬 𝐭𝐡𝐞 𝐄𝐏𝐏 𝐂𝐮𝐫𝐫𝐢𝐜𝐮𝐥𝐮𝐦 𝐢𝐧 𝐭𝐡𝐞 𝐏𝐡𝐢𝐥𝐢𝐩𝐩𝐢𝐧𝐞𝐬:
- Understand the goals and objectives of the Edukasyong Pantahanan at Pangkabuhayan (EPP) curriculum, recognizing its importance in fostering practical life skills and values among students. Students will also be able to identify the key components and subjects covered, such as agriculture, home economics, industrial arts, and information and communication technology.
𝐄𝐱𝐩𝐥𝐚𝐢𝐧 𝐭𝐡𝐞 𝐍𝐚𝐭𝐮𝐫𝐞 𝐚𝐧𝐝 𝐒𝐜𝐨𝐩𝐞 𝐨𝐟 𝐚𝐧 𝐄𝐧𝐭𝐫𝐞𝐩𝐫𝐞𝐧𝐞𝐮𝐫:
-Define entrepreneurship, distinguishing it from general business activities by emphasizing its focus on innovation, risk-taking, and value creation. Students will describe the characteristics and traits of successful entrepreneurs, including their roles and responsibilities, and discuss the broader economic and social impacts of entrepreneurial activities on both local and global scales.
This presentation was provided by Rebecca Benner, Ph.D., of the American Society of Anesthesiologists, for the second session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session Two: 'Expanding Pathways to Publishing Careers,' was held June 13, 2024.
Temple of Asclepius in Thrace. Excavation resultsKrassimira Luka
The temple and the sanctuary around were dedicated to Asklepios Zmidrenus. This name has been known since 1875 when an inscription dedicated to him was discovered in Rome. The inscription is dated in 227 AD and was left by soldiers originating from the city of Philippopolis (modern Plovdiv).
Gender and Mental Health - Counselling and Family Therapy Applications and In...PsychoTech Services
A proprietary approach developed by bringing together the best of learning theories from Psychology, design principles from the world of visualization, and pedagogical methods from over a decade of training experience, that enables you to: Learn better, faster!
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
1. International Journal on Web Service Computing (IJWSC), Vol.3, No.3, September 2012
DOI : 10.5121/ijwsc.2012.3309 95
IMPLEMENTATION OF MOSRE FRAMEWORK
FOR A WEB APPLICATION - A CASE STUDY
P.Salini1
and S.Kanmani2
1
Department of Computer Science and Engineering
salini@pec.edu
2
Deparment of Information Technology
skanmani@pec.edu
1 and 2
Pondicherry Engineering College, Puducherry, India
ABSTRACT
The Security Engineering discipline has become more and more important in the recent years. Security
requirements engineering is essential to assure the Quality of the resulting software. An increasing part of
the communication and sharing of information in our society utilize Web Applications. Last two years have
seen a significant surge in the amount of Web Application specific vulnerabilities that are disclosed to the
public because of the importance of Security Requirements Engineering for Web based systems and as it is
still underestimated. Integration of Web and object technologies offer a foundation for expanding the Web
to a new generation of applications. In this paper, we outline our proposed Model- Oriented Security
Requirement Engineering (MOSRE) Framework for Web Applications. By applying Object-Oriented
technologies and modeling to Security Requirement phase. So the completeness, consistency, traceability
and reusability of Security Requirements can be cost effectively improved. We implemented our MOSRE
Framework for E-Voting Application and set of Security Requirements are identified.
KEYWORDS
Object-Oriented, Security Requirements, Security Requirements Engineering and Web Applications
1. INTRODUCTION
The development of Web systems usually involves more heterogeneous stakeholders than the
construction of traditional software. Therefore a thorough Security Requirements analysis is even
more relevant. The requirements must be clear, comprehensive, consistent and unambiguous.
Most requirement documents were written in ambiguous natural languages which are less formal
and imprecise and it is hard to analyze and integrate with artifacts in other phases of software life
cycle. This statement has significance for security requirements and if you say application must
be secure, it is not security requirements. It is hard to construct secure web applications or to
make statements about security unless we know what to secure, against whom and at what extent.
To this day, not one web application technology has shown itself invulnerable to the inevitable
discovery of vulnerabilities that affect its owners’ and users’ security and privacy. Most security
professionals have traditionally focused on network and operating system security. Assessment
services have typically relied heavily on automated tools to help find holes in those layers.
Security Requirements engineering (SRE), a phase that comes before design and programming,
will play a more important role that determines the success of Web Applications Design.
2. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
96
In fact Security requirements engineering should be as complex and well thought out as the
design and programming, yet its insufficiencies have led to many projects with poor Security
requirements and blamed as the major reason for many web applications’ failures. Therefore,
Security requirements engineering is now moving to the forefront of gaining increased
significance in software engineering for service oriented web applications. Web application
requirements have new characteristics causing them to change more rapidly. This makes
traditional Security requirements modeling and validation methods insufficient to provide
adequate support for web applications.
The Security requirements of the web applications come from not only the general domain
analysis and the personalized, diverse users' requirements, but also the availability of the related
web services. Web applications Security requirements are also evolving while they are widely
used. Most of the methodologies that have been proposed for the development of Web
applications focus only on Non Security requirements and paying no attention to the Security
requirements engineering. Therefore, SRE for Web applications is challenged to explore sound
engineering approaches for eliciting, describing, validating and managing Security requirements
of Web applications and its integration with the artifacts of other phases can be cost effectively
improved and can effect a significant reduction of the problems currently encountered in the
SDLC for Web Applications due to poor Security Requirements Engineering and Management.
In this paper, section 2 discuss on related works and present an overview of Model Oriented
Security Requirements Engineering framework for Web Applications in section 3. Section 4 gives
the implementation of the MOSRE framework to E-Voting Web Application- a case study, while
section 4 presents the result analysis and discussion, and the last section concludes with future
works.
2. RELATED WORKS
There are many requirements engineering approach for the development of Web Applications, but
only some considers security requirements and also as non functional requirements. Some models
are object oriented and in this section some of the related works are discussed. SOHDM:
Scenario-based Object-Oriented Hypermedia Design Methodology [9] was the first approach
stressing the importance of a process that allows the analysts to capture and define the application
requirements. RNA: Relationship-Navigational Analysis [10] is a methodology that offers a
sequence of steps to develop Web applications focusing mainly on analysis. HFPM: Hypermedia
Flexible Process Modeling Olsina [11] is a wide engineering-based approach, which includes
analysis-oriented descriptive and prescriptive process modeling strategies. It includes technical,
management, cognitive and participatory tasks. HDM: Object Oriented Hypermedia Design
Model is a widely accepted method for the development of Web applications [12] , whose first
versions focused on design and did not include requirements engineering. The capture and
definition of requirements were introduced later in OOHDM by Vilain, Schwabe and Sieckenius
[13], proposing the use of user interaction diagrams (UIDs). UWE: UML-based Web Engineering
UWE classifies requirements into two groups: functional and non-functional. Moreover, UWE
proposes interviews, questionnaires and checklists as appropriated techniques for the
requirements capture, and use cases, scenarios and glossaries for the requirements specification.
To validate them, UWE proposes walk-through, audits and prototypes [14]. Design-driven
Requirements Elicitation is a part of the design-driven process proposed by Lowe and Eklund
[15] in order to develop Web applications. It consists of capturing, defining and validating
requirements during the design process, i.e. The design activities should be carried out in such a
way that the requirements could be handled and managed at the same time. The process is based
on prototyping in order to explore possible solutions and problems to be solved. Users and
customers define the requirements based on the study of these prototypes. It is an iterative
process, which consists of reducing customers and clients’ doubts. The cycle has three phases:
3. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
97
evaluation, specification and construction. In Haley and colleagues security requirements
engineering framework [16] they have 4 steps to elicit and analyze security requirements but does
not cover all the phases of requirements engineering and it is a complex process for the
developers.
2.1. Object oriented Security Requirements Engineering
Object-oriented Requirements are a widely accepted method for the development of Web
applications. Most Web applications are still developed in an ad hoc manner. One reason is the
gap between established software design concepts and the low-level Web implementation model.
So to have a good design and the Web implementation model the Security Requirements
Engineering should be done in the early stage with the object oriented concepts. Identify all the
objects of a Web application, and then develop the components with a higher level of abstraction.
Security Requirements Engineering embodies object-oriented principles such as reuse,
modularity, abstraction and encapsulation.
Most requirement documents were written in ambiguous natural languages which are less formal
and imprecise. Without modeling the Security requirement documents, the knowledge of the
requirement is hard to be kept in a way, which can be analyzed and integrated with artifacts in
other phases of software life cycle. Therefore, maintaining the traceability and consistency of
requirement documents and software artifacts in other phases is costly and error prone. This paper
presents a systematic approach to eliciting and analyzing Object-Oriented Security Requirements
based on models.
3. OVERVIEW OF MOSRE FRAMEWORK
The web application has become more and more critical in every domain of the human society.
Transportation, communications, entertainment, health care, military, e-commerce, and education;
the list is almost endless. These systems are used not only by major corporations and
governments but also across networks of organizations and by individual users. Such a wide use
has resulted in these systems containing a large amount of critical information and processes
which inevitably need to remain secure. Therefore, although it is important to ensure that Web
Applications are developed according to the user needs, it is equally important to ensure that these
applications are secure.
However, the common approach towards the inclusion of security within a Web Application is to
identify security requirements after analysis, means that security enforcement mechanisms have
to be fitted into a pre-existing design, leading to serious design challenges that usually translate
into the emergence of computer systems afflicted with security vulnerabilities. Recent research
has argued that from the viewpoint of the traditional security paradigm, it should be possible to
eliminate such problems through better integration of security and requirements engineering.
Security should be considered from the early stages of the development process and security
requirements should be defined alongside with the system requirements specification.
The Security Requirements Engineering is the process of eliciting, specifying, and analyzing the
security requirements for system fundamental ideas like "what" of security requirements is, it is
concerned with the prevention of harm in the real world and considering them as functional
requirements. Many methods have been developed that facilitate this kind of requirements
analysis and the development of security requirements. The internet has already created social and
economic opportunities for people around the world. But even there are many Challenges to Web
Applications Security like threats, attacks, Phishing spyware, worms, Trojans and virus which
cause to denial of service hacking into and defacing web sites and destroying. Here we present the
4. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
98
proposed work; MOSRE [24] a Model Oriented Security Requirements Engineering Framework
for Web Applications.
Our Framework shown in Figure 1 follows the spiral Framework model which is iterative and all
phases of Requirements Engineering are covered in this Framework.
Figure 1 MOSRE Framework for Web Applications
3.1 Inception
Inception is to establish the ground work, before to start the elicitation and analysis of security
requirements for web applications. Different steps are involved in the inception phase of MOSRE.
Step 1 Identify the Objective of the Web Applications
The Web Applications objective must be identified from the customer requirements who needs
the Web Application. This step will help to understand the domain of the application that
customer needs.
Step 2 Identify the Stakeholders
The identification of stakeholders plays an important role in security requirements engineering.
The stakeholders include the Architect, developer, customers/end users, security experts,
requirements engineering team and other interested people.
Step 3 Identify the Assets
The next step is to identify the assets of the targeted system. Assets may be business or system
assets (e.g.: Data, money, and password). From our survey it is found that asset identification is
5. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
99
an important step in security requirements engineering. The assets should be identified in the
context of the software system, so the objective of a software system is to be identified first. To
identify the assets different techniques like interview, questionnaire, and brainstorming can be
used. The stakeholders help in finding the assets. Assets should be viewed not only at developer
or customer/end user perspective but also in attacker’s point of view. Assets can be identified
from existing documents.
Inception phase of security requirements engineering should be working with high level of
collaboration and care.
3.2 Elicitation
The next phase in security requirements engineering is elicitation, the stakeholders and
requirements engineering team will work together to identify the problem, propose the solution
and specify the set of security requirements. There are different steps involved in the elicitation
phase of security requirements engineering.
Step 4 Select an Elicitation Technique
The elicitation phase starts some ground work to be done by selecting the elicitation technique.
Requirements elicitation is called as capturing, requirements discovery or requirements
acquisition. The step of requirements elicitation can be complex, mainly if the problem domain is
unknown for the analysts. Some of the elicitation techniques are, misuse cases, Issue Based
Information Systems (IBIS), Joint Application Development (JAD), Interviewing, Brainstorming,
Sketching and Storyboarding, Use Case Modeling and Questionnaire and Checklist A suitable
method can be chosen from these elicitation techniques based on the requirements engineering
community or expert’s choice, level of the security to achieve, cost –effort benefit and
organizational policies.
Step 5 High level of Architecture Diagram of Web Applications
With the objective of web application we can identify the number of tiers in the web applications.
So draw a rough architecture diagram with high level of abstraction of the web applications.
Network or hierarchical style of Architecture can be chosen based on the application domain.
This diagram can be extended in detail with low level of abstraction in the next phase of design.
Step 6 Elicit Non-Security goals and Requirements
Once the business goals are identified, and then the non-security goals and requirements of the
web applications are to be elicited. The collaborative requirement gathering is adopted to gather
non-security goals and requirements. A general classification of requirements for Web
applications are Functional requirements and Non Functional requirements. Functional
requirements are capabilities that a system must exhibit in order to solve a problem.
Functional requirements for web applications and nonfunctional requirements that act to constrain
the solution, e.g. Portability requirements; reuse requirements, usability requirements, availability
requirements, performance requirements are identified.
The non-security requirements are categorized as essential and nonessential requirements and
prioritized according to the Stakeholders preference.
6. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
100
Step 6 Generate Use Cases Diagram for the Web Applications
The non security requirements are gathered; for better understanding and then the use case
modeling of the web applications should be developed. Use Case Modeling is a technique which
was developed to define requirements [2]. A use case model consists of actors, use cases and
relationships between them [3]. It is used to represent the environment by actors and the scope of
the system by use cases (functional requirements). An actor is an external element of the system
that interacts with the system as a black box. A use case describes the sequence of interactions
between the system and its actors when a concrete function is executed. An actor can take part in
several use cases and a use case can interact with several actors. The use case is the set of
scenarios that encompass the non-security requirements of the system created by the developers
and users of the system. In Figure 2 the Use Case Diagram for the e-store with actors and use
cases are shown.
Figure 2 Use Case Diagram for the e-store
Step 7 Identify the Security Goals / Security Objectives
The security goals / security objectives can be identified with respect to assets, business goals and
organizational principles are the security policies of the organization. The list of security goals
can be identified and the security goals can be of the main goals and sub goals. The main goals
are the top goals, e.g. Confidentiality, Integrity and Availability, that to be identified in the web
applications based on the level of security we need. Security main goals [4] for web applications
are:
Authentication
Authentication addresses the question: who are you? It is the process of uniquely identifying the
clients of your applications and services. These might be end users, other services, processes, or
computers.
Authorization
Authorization addresses the question: what can you do? It is the process that governs the
resources and operations that the authenticated client is permitted to access. Resources include
files, databases, tables, rows, and so on, together with system-level resources such as registry
7. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
101
keys and configuration data. Operations include performing transactions such as purchasing a
product, transferring money from one account to another, or increasing a customer's credit rating.
Auditing
Effective auditing and logging is the key to non-repudiation. Non-repudiation guarantees that a
user cannot deny performing an operation or initiating a transaction. For example, in an e-
commerce system, non-repudiation mechanisms are required to make sure that a consumer cannot
be denied of ordering 100 copies of a particular book.
Confidentiality
Confidentiality, also referred as privacy, it is the process of making sure that data remains private
and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who
monitor the flow of traffic across a network. Encryption is frequently used to enforce
confidentiality. Access control lists (ACLs) are another means of enforcing confidentiality.
Integrity
Integrity is the guarantee that data is protected from accidental or deliberate (malicious)
modification. Like privacy, integrity is a key concern, particularly for data passed across
networks. Integrity of data in transit is typically provided by using hashing techniques and
message authentication codes.
Availability
From a security perspective, availability means that the systems remain available for legitimate
users. The goal for many attackers with denial of service attacks is to crash an application or to
make sure that it is sufficiently overwhelmed so that other users cannot access the application.
There are many security sub goals/objectives for web applications and are based on the
application domain and security policy of the organization, e.g. Prevent attackers from obtaining
sensitive customer data, including passwords and profile information which comes under
confidentiality. Prevent tampering, trail and access control which comes under the top security
goal Integrity. The techniques like Facilitated Application Specification Technique (FAST),
survey and interviews can be used to identify the security goals / security objectives.
Step 8 Identify threats and vulnerabilities
By identifying the assets, business goals and security goals the threats to the web applications can
be identified. The overall system threats and vulnerabilities can be identified during this step. The
list of threats and vulnerabilities can be developed for the web applications. The main threats to a
Web application are: Profiling, Denial of service, Unauthorized access, Arbitrary code execution,
Elevation of privileges, Information gathering, Sniffing, Spoofing, Session hijacking, SQL
injection, Network eavesdropping, Password cracking, Viruses, Trojan horses, and worms. Some
of the vulnerabilities to the web application are unnecessary protocols, Open ports, Web servers
providing configuration information in banners, Weak IIS Web access controls including Web
permissions, Weak NTFS permissions, Poor input validation in your Web applications, Unsafe,
dynamically constructed SQL commands, Weak or blank passwords, and Passwords that contain
everyday words.
Step 9 Risk Assessment
The next step is to assess and determine the risk when the threats and vulnerabilities occur. The
impact of threats and vulnerabilities are analyzed and risk determination process [20] is carried
out. To do risk determination process any of risk assessment test models [5] like National
8. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
102
Institute of Standards and Technology (NIST) model, NSA’s INFOSEC Assessment
Methodology, Butler’s Security Attribute Evaluation method (SAEM) , CMU’s “V-RATE”
method , Yacov Haimes’s RFRM model can be used or Microsoft risk based on DREAD method
[6] can be used.
Step 10 Categorize and Prioritize the Threats and Vulnerabilities for mitigation
The threats and vulnerabilities can be Categorized with respect to the security goals and security
policies of the organization and prioritized based on the level of security and assets to be secured.
This step can be done with the help of a survey or interview between the stakeholders.
Step 11 Generate Misuse Cases Diagram for the Web Applications
The detailed set of misuse case diagram [7] of the web applications should be developed that
encompass the most significant threats to the system. In the Figure 3 Misuse Case Diagram for
the e-store with Hacker as an actor and Misuse cases are shown.
Figure 3 Misuse Case Diagram for the e-store
Step 12 Identify Security Requirements
The security requirements [21] are the countermeasures that the Web Applications should have,
as the functional requirements.
Step 13 Generate Use Cases Diagram for the Web Applications considering Security
Requirements
The security requirements are gathered; for better understanding, the use case diagram of the Web
Applications should be generated, that encompasses the security requirements of the system
created by the developers and users of the system. In Figure 4 Use Case Diagram for the e-store
considering Security Requirement is shown.
9. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
103
Figure 4 Use case with security requirement
3.3 Elaboration
In this phase the detailed view of the web applications with security requirements can be
understood with models and diagrams, which gives a clear idea of the application in design and
implementation phase.
Step 14 Generate Structural Analysis models
The next step of security requirements engineering is to develop different analytical models.
These models form the solid foundation for the design of security requirements. The data models,
flow models and behavioral models are the structural analysis models that can be used to show
the functional requirements and data flow.
Step 15 Develop UML diagrams
Develop UML diagrams for detailed view of security requirements and for better understanding
of the secure web applications. The high level of class diagram and sequence diagrams can be
developed. These diagrams can be used to generate code and test cases for testing the security
requirements. The navigational model consists of a navigation class diagram and a navigation
structure diagram. Security based models can be developed using SecureUML [23] and UMLsec
[22].
3.4 Negotiation and Validation
In this phase the security requirements are categorized as essential and nonessential requirements
and prioritized according to the level of security and Stakeholders preference of security
requirements. Then rough effort time and cost are estimated to implement security requirements.
The validation is done by the security experts and engineers with the requirements of the
stakeholders. Review or Walk-through is a technique which consists in reading and correcting the
requirements definition documentation and models. Such a technique only validates the good
interpretation of the information. Traceability Matrix consists of a comparison of the application
objectives with the requirements of the system [8]. A correspondence is established between
objectives and how they are covered by each requirement. This way, inconsistencies and non-
covered objectives will be detected.
3.5 Specification
The specification is the last phase in security requirements engineering Framework. The security
requirements specifications are modeled and they are validated with the stakeholders and this
10. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
104
specification forms the source for the design of security requirements. This phase is executed in
parallel with each other phases of requirements engineering. Scenario or use case modeling can
be used to specify the functional requirements with security requirements and non functional
requirements for web applications.
In this MOSRE Framework, object modeling is used to model the components of the web
applications and the concept of encapsulation with the functionality and data in the data model.
The reusability of some of the security requirements against different threats, and the functions
can be extended to implement the security requirements; the concept of inheritance is adopted
here.
4. IMPLEMENTATION OF MOSRE FRAMEWORK TO A CASE STUDY
Manual voting systems have been deployed for many years with enormous success. If those
systems were to be replaced with Electronic Voting Systems, we have to be absolutely sure that
they will perform at-least as efficient as the traditional voting systems without any security issues.
Failures or flaws in Online Voting Systems will put at risk to Democracy in the country
implementing them. The main focus of security requirements engineering is on defining and
describing what a software system should do to satisfy the informal requirements provided with a
statement of need. In this paper, we will define and describe what the secure Online Voting
System should do to ensure a secure, robust, accurate, secure and quality-based design and
implementation.
Security Requirements are defined during the early stages of system development as a
specification of what level of security should be implemented. In other words, they represent what
the system should do and have security from the stakeholders’ point of view. Performing a good
security analysis on E-Voting web application is an essential step in order to guarantee a
reasonable level of protection. However, different attacks and threats may be carried out
depending on the operational environment in which the system is used.
An E-Voting System should consider the following minimum requirements:
1. To ensure that only persons with the right to vote are able to cast a vote.
2. To ensure that every vote cast is counted and that each vote is counted only once.
3. To maintain the voter’s right to form and to express his or her opinion in a free manner,
without any coercion or undue influence.
4. To protect the secrecy of the vote at all stages of the voting process.
5. To guarantee accessibility to as many voters as possible, especially with regard to
persons with disabilities.
6. To increase voter confidence by maximizing the transparency of information on the
functioning of each system.
The MOSRE Framework was implemented in E-Voting web application to gather functional
requirements which include security requirements. The Figure 5 shows the architecture of the E-
Voting System.
11. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
105
Figure 5 E-Voting Architecture
Each step of the MOSRE Framework was applied to E-Voting web application. The list of the E-
Voting System security requirements based on business assets and system assets can be
identified.
5. RESULT ANALYSIS AND DISCUSSION
In the previous section we have identified the list of some security requirements and they are
based on the business and system assets by applying the MOSRE Framework for Online Voting
system. Based on the identified list of threats, vulnerabilities and security requirements we found
that using our MOSRE Framework for web applications we will be able to get a better set of
security requirements. There are many methods to elicit security requirements but concentrating
less on the phases of requirements engineering [15, 16, 17, 20 and 22]. In this section we
compare results obtained from MOSRE Framework, Haley and colleagues security requirements
engineering framework [11] and without using security requirements engineering using a chart.
We consider the percentage of vulnerabilities, threats and security requirements found with each
method as the parameters for comparison.
Figure 6 Percentage of vulnerability, threats and security requirements identified by MOSRE Framework,
SREF and without using SRE
The Figure 6 depicts the percentage of vulnerability, threats and security requirements identified
using MOSRE Framework are high than Haley’s SREF and without using any SRE. Figure 7
plots the percentage of vulnerability identified in E-Voting System implemented using MOSRE
Framework with without using any SRE methods after the first iteration of the testing phase of
the E-Voting application. It is clear from the chart that the number of vulnerabilities will be
increased when no security requirements engineering method is adopted.
12. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
106
Figure 7 Percentage of vulnerabilities identified by with and without MOSRE
From a technical point of view, the most difficult task of the methodology is where security
objectives are identified from functional descriptions, such as functional requirements. This has
been the observation from several projects using the MOSRE Framework to elicit security
requirements. MOSRE Framework requires expertise on at-least three dimensions: (i) information
structuring and analysis, (ii) requirements engineering, and (iii) security. It is rarely intuitive
what the overall security goals and objectives are, and it is not easy to simply extract these from
highly abstract system information, incomplete sets of functional Requirements and early draft
system architecture. MOSRE Framework provides some support, with use case, misuse case
models.
6. CONCLUSION
Security Requirements have to be considered in the early phase of Requirements Engineering [12,
13, and 14], so a Model oriented Security Requirements Engineering framework is developed for
Web Application and evaluated for an E-Voting Web Application, The main aim of MOSRE is to
extend security requirements engineering by seamlessly integrating elicitation, traceability and
analysis activities. The motivation for this is that requirements engineering activities are often
executed by other people than those writing the code, and often without much contact between the
two groups. This applies in particular to security requirements, which is a major quality, attribute
of today’s system. It is therefore important to develop both the ability of the people involved in
the development to identify potential security aspects, and the capabilities of the development
team to solve these needs in practice through secure design.
As future work the Security Requirements identified from RE Phase should be carried in the
design phase because good design will give Vulnerability free Web Applications and implement
them. We also intend to do penetration testing and find the results based how far our application
is vulnerable.
ACKNOWLEDGEMENTS
We would thank everyone for their valuable suggestion to do this research work.
Without MOSRE
With MOSRE
13. International Journal on Web Service Computing (IJWSC), Vol.3, No.2, September 2012
107
REFERENCES
[1] CLUSIF, Web Application Working Group, “Web application security, managing web application security
risks”, Technical Studies, http://www.clusif.asso.fr/, March 2010.
[2] Jacobson, I. (1995). Modeling with Use Cases: Formalizing Use Case Modelling. Journal of Object-
Oriented Programming.
[3] UML (2003). Unified Modeling Language. Version 1.5. www.omg.org
[4] J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan ,
“Improving Web Application Security :Threats and Countermeasures”, Microsoft Corporation, Published:
June 2003
[5] R. Mead, E.D. Houg, and T.R. Stehney, Security Quality Requirements Engineering (Square)
Methodology, tech. report CMU/SEI-2005-TR-009, Software Eng. Inst., Carnegie Mellon Univ., 2005.
[6] Swiderski, Frank, Syndex, “Threat Modeling”, Microsoft Press, 2004
[7] Guttorm Sindre, AndreasL.Opdah,” Eliciting security requirements with misuse cases”. Requirements Eng
(2005)10:34–44, Springer-Verlag London Limited 2004.
[8] M. José Escalona, Nora Koch. “Requirements Engineering for Web Applications – A Comparative Study”,
Journal of Web Engineering, Vol. 2, No.3 (2004) 193-212, Rinton Press.
[9] Lee, H., Lee, C., Yoo, C. (1998). A Scenario-based Object-oriented Methodology for Developing
Hypermedia Information Systems. Proceedings of 31st Annual Conference on Systems Science.
[10] Bieber M., Galnares, R., Lu, Q. (1998). Web Engineering and Flexible Hypermedia. The Second Workshop
on Adaptive Hypertext and Hypermedia, Hypertext´98, Pittsburg, USA.
[11] Olsina, L. (1998). Building a Web-based Information System applying the Hypermedia Flexible Process
Modeling Strategy. 1st International Workshop on Hypermedia Development, Hypertext´98, Pittsburg,
USA.
[12] Schwabe D., Rossi G. (1998). Developing Hypermedia Applications using OOHDM. Workshop on
Hypermedia Development Process, Methods and Models, Hypertext´98, Pittsburg, USA.
[13] Vilain, P., Schwabe, D., Sieckenius, C. (2000). A diagrammatic Tool for Representing User Interaction in
UML. Lecture Notes in Computer Science. Proc. UML’2000. York, England.
[14] Koch, N. (2001). SoftwareEngineering for Adaptive Hypermedia Applications. Ph. Thesis, FAST Reihe
Softwaretechnik Vol (12), Uni-Druck, Munich, Germany.
[15] Lowe D., Eklund J. (2002). Client Needs and the Design Process in Web Projects. Web Engineering Track
of the WWW2002 Conference.
[16] C.B. Haley, R. Laney, J.D. Moffett, and B. Nuseibeh, “Security Requirements engineering: A Framework
for Representation and Analysis,” IEEE Transaction on Software Eng. Vol 34, no. 1, pp. 133-152, Jan/Feb
2008.
[17] Eric Dubois , Haralambos Mouratidis, “Guest editorial: security requirements engineering: past, present
and future”, Requirements Eng (2010) 15:1-5, Published online: 1 January 2010, Springer-Verlag London
Limited 2009.
[18] Benjamin Fabian , SedaGurses , Maritta Heisel,Thomas Santen • Holger Schmidt,” A comparison of
security requirements engineering methods”, Requirements Eng (2010) special issue security requirements
engineering ,15:7-40, Published online: 26 Nov 2009, Springer-Verlag London Limited 2009.
[19] Siv Hilde Houmb , Shareeful Islam ,Eric Knauss • Jan Jurjens • Kurt Schneider,” Eliciting security
requirements and tracing them to design: An integration of Common Criteria, heuristics, and UMLsec
Requirements Eng (2010) special issue security requirements engineering ,15:63-93, Published online: 28
Nov 2009, Springer-Verlag London Limited 2009.
[20] Dhirendra Pandey, Ugrasen Suman ,A. K. Ramani,“Security Requirement Engineering Issues in Risk
Management “, International Journal of Computer Applications (0975 – 8887)Volume 17– No.5, March
2011,pg:12-14.
[21] Donald Firesmith: “Engineering Security Requirements”, in Journal of Object Technology, vol. 2, no. 1,
January-February 2003, pages 53-68. http://www.jot.fm/issues/issue_2003_01/column6
[22] J.Jurjens.Umlsec:Extending uml for secure systems development. In ProcofUML'02, pages 412-
425.Springer,2002.
[23] T.Lodderstedt,D, A.Basin,and J.Doser, “Secureuml: A uml-based modeling language for model-driven
security. In UML'02:Proceedings of the 5th International Conference on The Unified Modeling
Language,pages 426-441,London,UK,2002.Springer-Verlag.
[24] P. Salini and S. Kanmani. “Model Oriented Security Requirements Engineering (MOSRE) Framework for
Web Applications”. In Proceedings of the Second International Conference on Advances in Computing and
Information Technology (ACITY 2012), India, July 13 - 15, 2012, Vol.2 and in Advances in Intelligent
and Soft Computing book Series, Vol.177, pp.341-353.