Our dependence on software-controlled systems is growing faster than our ability to secure those systems. One solution is to build security in as part of software development. Measuring software security is difficult, but the maturity of the software security work can be measured with the BSIMM framework.
2. Lars Hopland Nestås
• MSc from UiB, Department of Informatics:
«Building Trust in Remote Internet Voting»
• Consultant at Bouvet ASA since August 2010
• Risk and vulnerability analyses
• Security testing of web applications
• Source code review
• Developer (Java and PHP)
• Security courses run by Bouvet
3. Overview
• The maintenance team at Bouvet
– Advantages
– Challenges
• Security as a natural part of the development process
– Microsoft SDL
– What do we do in the maintenance team, and how?
5. The maintenance team at Bouvet
• 6 consultants, give or take
• Java, PHP, iPhone and Android
• Uses Scrum as the project methodology
• Development of new solutions
• Maintenance of existing solutions
(Customer logos: some customers from the last 6 months)
6. Advantages
• Good environment for sharing expertise
• Several consultants have the skills and knowledge to work on all the projects (good overlap)
• The customer pays only for work actually performed
Challenges
• Frequent switching between development environments
• Security as a natural part of the development process
– Many small development tasks
• A «typical» task is estimated at 4-8 hours
8. MS Security Development Lifecycle
«So now, when we face a choice between adding features
and resolving security issues, we need to choose security.»
http://www.microsoft.com/security/sdl/
9. Activities in the SDL*
• Training: security training
• Requirements: establish the target security level; analyze security and privacy risk
• Design: analyze the attack surface and create the threat model
• Implementation: specify tools; enforce implementation rules; static code analysis
• Verification: manual and automated testing; verify the threat model and attack surface
• Release: security review; prepare an incident response plan; archive security-related process documentation
• Response: secure maintenance
*Freely adapted from the MS Security Development Lifecycle
10. Secure software development*
Training
Requirements
Design
Implementation
Verification
Release
Response
*Based on the template from the MS Security Development Lifecycle
11. Agile Security Development Lifecycle
(Diagram: the SDL activities from slide 9, still unsorted, next to the three groups they are to be sorted into: activities in every sprint, one-time activities, regular activities)
12. Agile Security Development Lifecycle
Activities in every sprint
• Analyze the attack surface and create the threat model
• Analyze security and privacy risk
• Verify the threat model and attack surface
• Enforce implementation rules
• Static code analysis
• Archive security-related process documentation
One-time activities
• Establish the target security level
• Specify tools
• Prepare an incident response plan
Regular activities
• Security training
• Manual and automated testing
• Security review
14. Training
• Course in application security
– Familiarity with the most common attack techniques
– Learning to defend against the most common attacks
– Learning to identify vulnerabilities and typical problem areas in applications and source code
– Familiarity with some testing tools
– Strategy for secure software development
15. Training
Exercise 8 - Stored XSS
• Insert malicious code in the comment fields of the forum
• Hint 1: The developer tries to sanitize input by removing <script> tags to prevent users from inserting JavaScript
Exercise 12b - SQL injection
• Retrieve the file etc/passwd using SQL injection
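The stored XSS exercise above, as an added example (this is not code from the deck or from the course's training application): the kind of filter the hint describes, two comment payloads that pass through it, and the output encoding that actually stops the injection. The function names and the payloads are assumptions made for the illustration.

```php
<?php
// Added example: why stripping <script> tags does not stop stored XSS.
// Not code from the original deck; function names and payloads are illustrative.

/**
 * The "sanitizer" from the exercise hint: removes <script> tags in a single
 * pass and trusts whatever is left. The result is stored and later echoed
 * into the forum page unencoded.
 */
function naive_filter(string $comment): string
{
    return preg_replace('/<\/?script[^>]*>/i', '', $comment);
}

/**
 * The correct defence: store the comment as written and encode it for the
 * HTML text context at output time, so the browser sees text, never markup.
 */
function render_comment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Two payloads that survive naive_filter() (constructed for the example).
$payloads = [
    // One pass removes the inner <script> and </script>, and what remains is
    // exactly <script>alert(document.cookie)</script>: the filter repairs the attack.
    'nested'  => '<scr<script>ipt>alert(document.cookie)</scr</script>ipt>',
    // No script tag at all: an event handler on a broken image runs the code.
    'handler' => '<img src=x onerror="alert(document.cookie)">',
];

foreach ($payloads as $name => $payload) {
    echo "$name after naive filter: " . naive_filter($payload) . "\n";
    echo "$name encoded on output:  " . render_comment($payload) . "\n\n";
}
```

The lesson the exercise is built around: input filtering based on a blocklist of tags is a guessing game, while encoding for the context the data ends up in (HTML text here; attribute, URL and JavaScript contexts need their own encoders) is a property of the output and cannot be bypassed by a cleverer input string.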
16. Requirements specification and design
• Conducted as a workshop together with the customer to map:
– Information assets
– Attack surface
– Actors
• Attack scenarios (misuse cases)
– All participants rank the scenarios by criticality (low to critical), each on their own
• Forms an important part of the threat model
(SDL activities in this phase: Requirements and Design; analyze the attack surface; establish the target security level; analyze security and privacy risk)
17. Example of attack scenarios for the actor «student»
Critical
1 Take over other users' sessions
2 Change the password on other users' accounts
3 Upgrade own account to admin
High
4 Submit an assignment on behalf of another student
5 Read access to other students' submissions
6 Give other students extended rights
7 Change opening and closing times for submission folders
8 Give others or oneself extra time on assignment submissions
9 Read comments on other students' assignments
Medium
10 Add comments on own and other students' assignments
11 Create new accounts
12 Change the assignment summary on other students' submissions
13 Read the assignment summary on other students' submissions
Low
14 Prevent other students from submitting assignments (DoS attack)
15 Receive e-mail notification when other students submit assignments
16 Delete own submissions
17 See who has not submitted an assignment
18. Attack scenarios
• Used as a basis for:
– Writing the requirements specification
– The implementation phase, to identify typical «problem areas»
– The verification phase
– Writing the incident response plan, and the security review before release
– The maintenance phase, when developing new functionality
19. Implementation and verification
• For each new development task, the developer writes a test plan before implementation begins
• The test plan contains:
– A short description of the new functionality
– A short description of how it will be implemented/solved
– Code quality requirements
– Security requirements
• Another consultant carries out the test plan within the estimate for the task
20. Example of a test plan:
• As an administrator, I want to be able to turn logging on and off for the various web services
Test criteria
Functionality/solution description:
The administrator of XXX shall be able to enable and disable error logging for the various web services (xxx.php and zzz.php). This is administered at http://localhost:8888/xxx/yyy/zzz/index.php.
When logging is enabled/disabled via the admin interface, the setting is stored in the file debug_config.php, which lives in folder X.
Writing to debug_config.php is done by zzz/debug_admin.php, which is called from the admin interface.
Code quality:
• Must be formatted according to the established standard
• The code must be easy to read and well commented
Security:
• Writing to files that will be included in the application can be dangerous. All values stored in the file must be hardcoded (i.e. no user input may be written to the file).
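The security criterion in the test plan above, as an added example that is not the deck's or the customer application's code: a writer that splices the POSTed service name into debug_config.php, which turns the admin form into a PHP code injection point the moment the file is included, beside a writer that lets the request only choose between hardcoded alternatives and emits nothing but literals of its own. The service names, file path and request field names are assumptions.

```php
<?php
// Added example: generating a PHP config file that the application will later
// include. Not the deck's or the application's code; names are illustrative.

const KNOWN_SERVICES = ['xxx', 'zzz'];                 // assumed web-service names
const CONFIG_PATH    = __DIR__ . '/debug_config.php';  // assumed location

/**
 * UNSAFE: the request value is copied straight into PHP source. A service name
 * such as  xxx'] ; system('id'); //  becomes executable code on the next include.
 */
function write_debug_config_unsafe(array $post): string
{
    return "<?php\n\$DEBUG_LOGGING = ['" . $post['service'] . "' => "
         . (!empty($post['enabled']) ? 'true' : 'false') . "];\n";
}

/**
 * SAFE: the request only selects which hardcoded entry flips. Every byte of the
 * generated file comes from this function's own literals, never from $post.
 */
function build_debug_config(array $post): string
{
    $service = $post['service'] ?? '';
    if (!in_array($service, KNOWN_SERVICES, true)) {
        throw new InvalidArgumentException('unknown web service');
    }
    $enabled = filter_var($post['enabled'] ?? false, FILTER_VALIDATE_BOOLEAN);

    $lines = ['<?php', '// generated by the admin interface; do not edit by hand', 'return ['];
    foreach (KNOWN_SERVICES as $name) {
        $flag    = ($name === $service) ? $enabled : current_setting($name);
        $lines[] = sprintf("    '%s' => %s,", $name, $flag ? 'true' : 'false');
    }
    $lines[] = '];';
    return implode("\n", $lines) . "\n";
}

/** Reads the current flag for one service from the existing config, if any. */
function current_setting(string $service): bool
{
    $cfg = is_file(CONFIG_PATH) ? (include CONFIG_PATH) : [];
    return (bool) ($cfg[$service] ?? false);
}

/** Writes via a temporary file and rename, so a concurrent request never includes a half-written file. */
function save_debug_config(string $src): void
{
    $tmp = CONFIG_PATH . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, CONFIG_PATH);
}

// Demonstration with a hostile request (constructed for the example).
$hostile = ['service' => "xxx'] ; system('id'); //", 'enabled' => '1'];
echo write_debug_config_unsafe($hostile);   // prints the file with the injected call
try {
    build_debug_config($hostile);             // rejected: not a known service
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
echo build_debug_config(['service' => 'zzz', 'enabled' => 'on']);
```

The allow-list is what makes the test plan's rule checkable in review: a reader can confirm that no variable derived from the request is ever concatenated into the generated source. Storing the flags as JSON or INI and parsing them at load time, rather than generating PHP, removes the include-as-code risk entirely and is the better design when the application can be changed that far.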
21. Summary
• Training
• Workshop to develop attack scenarios
• Test plans for all development tasks
– Manual testing of the application with a focus on security
– Code review
– Raising competence
• Automated tests using tools
• Static source code analysis (in the near future)