Evaluating the Impact of Software Security Tactics: A Design Perspective

Design architecture is the edifice that strengthens the functionalities as well as the security of web applications.In order to facilitate architectural security from the web application’s design phase itself,practitioners are now adopting the novel mechanism of security tactics.With the intent to conduct a research from the perspective of security tactics,the present study employs a hybrid multi-criteria decision-making approach named fuzzy analytic hierarchy process-technique for order preference by similarity ideal solution(AHP-TOPSIS)method for selecting and assessing multi-criteria decisions.The adopted methodology is a blend of fuzzy analytic hierarchy process(fuzzy AHP)and fuzzy technique for order preference by similarity ideal solution(fuzzy TOPSIS).To establish the efficacy of this methodology,the results are obtained after the evaluation have been tested on fifteen different web application projects(Online Quiz competition,Entrance Test,and others)of the Babasaheb Bhimrao Ambedkar University,Lucknow,India.The tabulated outcomes demonstrate that the methodology of the Multi-Level Fuzzy Hybrid system is highly effective in providing accurate estimation for strengthening the security of web applications.The proposed study will help experts and developers in developing and managing security from any web application design phase for better accuracy and higher security.

Software Vulnerability Mining and Analysis Based on Deep Learning

In recent years,the rapid development of computer software has led to numerous security problems,particularly software vulnerabilities.These flaws can cause significant harm to users’privacy and property.Current security defect detection technology relies on manual or professional reasoning,leading to missed detection and high false detection rates.Artificial intelligence technology has led to the development of neural network models based on machine learning or deep learning to intelligently mine holes,reducing missed alarms and false alarms.So,this project aims to study Java source code defect detection methods for defects like null pointer reference exception,XSS(Transform),and Structured Query Language(SQL)injection.Also,the project uses open-source Javalang to translate the Java source code,conducts a deep search on the AST to obtain the empty syntax feature library,and converts the Java source code into a dependency graph.The feature vector is then used as the learning target for the neural network.Four types of Convolutional Neural Networks(CNN),Long Short-Term Memory(LSTM),Bi-directional Long Short-Term Memory(BiLSTM),and Attention Mechanism+Bidirectional LSTM,are used to investigate various code defects,including blank pointer reference exception,XSS,and SQL injection defects.Experimental results show that the attention mechanism in two-dimensional BLSTM is the most effective for object recognition,verifying the correctness of the method.

Comparison of SETAM with Security Use Case and Security Misuse Case:A Software Security Testing Study

A software security testing behavior model,SETAM,was proposed in our previous work as the integrated model for describing software security testing requirements behavior,which is not only compatible with security functions and latent typical misuse behaviors,but also with the interaction of them.In this paper,we analyze the differences between SETAM with security use case and security misuse case in different types of security test requirements.To illustrate the effectiveness of SETAM,we compare them in a practical case study by the number of test cases and the number of faults detected by them.The results show that SETAM could decrease about 34.87% use cases on average,and the number of faults detected by SETAM increased by 71.67% in average,which means that our model can detect more faults with fewer test cases for software security testing.

Research on the Construction of Computer Network Security System in Middle School Campus Network

In order to improve the security of high school campus networks,this paper introduces the goal,system composition,and function of the network security of high school campus networks,and puts forward a series of strategies,including the establishment of network security protection system,data backup and recovery mechanism,and strengthening network security management and training.Through these strategies,the safety and stable operation of the campus network can be ensured,the quality of education can be improved,and school’s development can be promoted.

Security Threat and Vulnerability Assessment and Measurement in Secure Software Development

Security is critical to the success of software,particularly in today’s fast-paced,technology-driven environment.It ensures that data,code,and services maintain their CIA(Confidentiality,Integrity,and Availability).This is only possible if security is taken into account at all stages of the SDLC(Software Development Life Cycle).Various approaches to software quality have been developed,such as CMMI(Capabilitymaturitymodel integration).However,there exists no explicit solution for incorporating security into all phases of SDLC.One of the major causes of pervasive vulnerabilities is a failure to prioritize security.Even the most proactive companies use the“patch and penetrate”strategy,inwhich security is accessed once the job is completed.Increased cost,time overrun,not integrating testing and input in SDLC,usage of third-party tools and components,and lack of knowledge are all reasons for not paying attention to the security angle during the SDLC,despite the fact that secure software development is essential for business continuity and survival in today’s ICT world.There is a need to implement best practices in SDLC to address security at all levels.To fill this gap,we have provided a detailed overview of secure software development practices while taking care of project costs and deadlines.We proposed a secure SDLC framework based on the identified practices,which integrates the best security practices in various SDLC phases.A mathematical model is used to validate the proposed framework.A case study and findings show that the proposed system aids in the integration of security best practices into the overall SDLC,resulting in more secure applications.

A Six Sigma Security Software Quality Management

Today, the demand for security software is Six Sigma quality, i.e. practically zero-defects. A practical and stochastic method is proposed for a Six Sigma security software quality management. Monte Carlo Simulation is used in a Six Sigma DMAIC (Define, Measure, Analyze, Improve, Control) approach to security software testing. This elaboration used a published real project’s data from the final product testing lasted for 15 weeks, after which the product was delivered. The experiment utilised the first 12 weeks’ data to allow the results verification on the actual data from the last three weeks. A hypothetical testing project was applied, supposed to be completed in 15 weeks. The product due-date was Week 16 with zero-defects quality assurance aim. The testing project was analysed at the end of the 12th week with three weeks of testing remaining. Running a Monte Carlo Simulation with data from the first 12 weeks produced results which indicated that the product would not be able to meet its due-date with the desired zero-defects quality. To quantify an improvement, another simulation was run to find when zero-defects would be achieved. Simulation predicted that zero-defects would be achieved in week 35 with 56% probability, and there would be 82 defects from Weeks 16 - 35. Therefore, to meet the quality goals, either more resources should be allocated to the project, or the deadline for the project should be moved to Week 36. The paper concluded that utilising Monte Carlo Simulations in a Six Sigma DMAIC structured framework is better than conventional approaches using static analysis methods. When the simulation results were compared to the actual data, it was found to be accurate within ﹣3.5% to +1.3%. This approach helps to improve software quality and achieve the zero-defects quality assurance goal, while assigning quality confidence levels to scheduled product releases.

Fuzzing:Progress,Challenges,and Perspectives

As one of the most effective techniques for finding software vulnerabilities,fuzzing has become a hot topic in software security.It feeds potentially syntactically or semantically malformed test data to a target program to mine vulnerabilities and crash the system.In recent years,considerable efforts have been dedicated by researchers and practitioners towards improving fuzzing,so there aremore and more methods and forms,whichmake it difficult to have a comprehensive understanding of the technique.This paper conducts a thorough survey of fuzzing,focusing on its general process,classification,common application scenarios,and some state-of-the-art techniques that have been introduced to improve its performance.Finally,this paper puts forward key research challenges and proposes possible future research directions that may provide new insights for researchers.

Collaborative Reversing of Input Formats and Program Data Structures for Security Applications

Reversing the syntactic format of program inputs and data structures in binaries plays a vital role for understanding program behaviors in many security applications.In this paper,we propose a collaborative reversing technique by capturing the mapping relationship between input fields and program data structures.The key insight behind our paper is that program uses corresponding data structures as references to parse and access different input fields,and every field could be identified by reversing its corresponding data structure.In details,we use a finegrained dynamic taint analysis to monitor the propagation of inputs.By identifying base pointers for each input byte,we could reverse data structures and conversely identify fields based on their referencing data structures.We construct several experiments to evaluate the effectiveness.Experiment results show that our approach could effectively reverse precise input formats,and provide unique benefits to two representative security applications,exploit diagnosis and malware analysis.

Selecting Best Software Vulnerability Scanner Using Intuitionistic Fuzzy Set TOPSIS

Software developers endeavor to build their products with the least number of bugs.Despite this,many vulnerabilities are detected in software that threatens its integrity.Various automated software i.e.,vulnerability scanners,are available in the market which helps detect and manage vulnerabilities in a computer,application,or a network.Hence,the choice of an appropriate vulnerability scanner is crucial to ensure efficient vulnerability management.The current work serves a dual purpose,first,to identify the key factors which affect the vulnerability discovery process in a network.The second,is to rank the popular vulnerability scanners based on the identified attributes.This will aid the firm in determining the best scanner for them considering multiple aspects.The multi-criterion decision making based ranking approach has been discussed using the Intuitionistic Fuzzy set(IFS)and Technique for Order of Preference by Similarity to Ideal Solution(TOPSIS)to rank the various scanners.Using IFS TOPSIS,the opinion of a whole group could be simultaneously considered in the vulnerability scanner selection.In this study,five popular vulnerability scanners,namely,Nessus,Fsecure Radar,Greenbone,Qualys,and Nexpose have been considered.The inputs of industry specialists i.e.,people who deal in software security and vulnerability management process have been taken for the ranking process.Using the proposed methodology,a hierarchical classification of the various vulnerability scanners could be achieved.The clear enumeration of the steps allows for easy adaptability of the model to varied situations.This study will help product developers become aware of the needs of the market and design better scanners.And from the user’s point of view,it will help the system administrators in deciding which scanner to deploy depending on the company’s needs and preferences.The current work is the first to use a Multi Criterion Group Decision Making technique in vulnerability scanner selection.

Evaluating the Impacts of Security-Durability Characteristic:Data Science Perspective

Since the beginning of web applications,security has been a critical study area.There has been a lot of research done to figure out how to define and identify security goals or issues.However,high-security web apps have been found to be less durable in recent years;thus reducing their business continuity.High security features of a web application are worthless unless they provide effective services to the user and meet the standards of commercial viability.Hence,there is a necessity to link in the gap between durability and security of the web application.Indeed,security mechanisms must be used to enhance durability as well as the security of the web application.Although durability and security are not related directly,some of their factors influence each other indirectly.Characteristics play an important role in reducing the void between durability and security.In this respect,the present study identifies key characteristics of security and durability that affect each other indirectly and directly,including confidentiality,integrity availability,human trust and trustworthiness.The importance of all the attributes in terms of their weight is essential for their influence on the whole security during the development procedure of web application.To estimate the efficacy of present study,authors employed the Hesitant Fuzzy Analytic Hierarchy Process(H-Fuzzy AHP).The outcomes of our investigations and conclusions will be a useful reference for the web application developers in achieving a more secure and durable web application.

Enhancing Mobile Cloud Computing Security Using Steganography

Cloud computing is an emerging and popular method of accessing shared and dynamically configurable resources via the computer network on demand. Cloud computing is excessively used by mobile applications to offload data over the network to the cloud. There are some security and privacy concerns using both mobile devices to offload data to the facilities provided by the cloud providers. One of the critical threats facing cloud users is the unauthorized access by the insiders (cloud administrators) or the justification of location where the cloud providers operating. Although, there exist variety of security mechanisms to prevent unauthorized access by unauthorized user by the cloud administration, but there is no security provision to prevent unauthorized access by the cloud administrators to the client data on the cloud computing. In this paper, we demonstrate how steganography, which is a secrecy method to hide information, can be used to enhance the security and privacy of data (images) maintained on the cloud by mobile applications. Our proposed model works with a key, which is embedded in the image along with the data, to provide an additional layer of security, namely, confidentiality of data. The practicality of the proposed method is represented via a simple case study.

Mobile Software Assurance Informed through Knowledge Graph Construction: The OWASP Threat of Insecure Data Storage

Many organizations,to save costs,are moving to the Bring Your Own Mobile Device(BYOD)model and adopting applications built by third-parties at an unprecedented rate.Our research examines software assurance methodologies specifically focusing on security analysis coverage of the program analysis for mobile malware detection,mitigation,and prevention.This research focuses on secure software development of Android applications by developing knowledge graphs for threats reported by the Open Web Application Security Project(OWASP).OWASP maintains lists of the top ten security threats to web and mobile applications.We develop knowledge graphs based on the two most recent top ten threat years and show how the knowledge graph relationships can be discovered in mobile application source code.We analyze 200+healthcare applications from GitHub to gain an understanding of their software assurance of their developed software for one of the OWASP top ten mobile threats,the threat of“Insecure Data Storage.”We find that many of the applications are storing personally identifying information(PII)in potentially vulnerable places leaving users exposed to higher risks for the loss of their sensitive data.

Automated and controlled patch generation for enhanced fixing of communication software vulnerabilities

Software is a crucial component in the communication systems,and its security is of paramount importance.However,it is susceptible to different types of attacks due to potential vulnerabilities.Meanwhile,significant time and effort is required to fix such vulnerabilities.We propose an automated program repair method based on controlled text generation techniques.Specifically,we utilize a fine-tuned language model for patch generation and introduce a discriminator to evaluate the generation process,selecting results that contribute most to vulnerability fixes.Additionally,we perform static syntax analysis to expedite the patch verification process.The effectiveness of the proposed approach is validated using QuixBugs and Defects4J datasets,demonstrating significant improvements in generating correct patches compared to other existing methods.

Control Flow Obfuscation Based Protection Method for Android Applications

With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.

Memory Safety Based on Probabilistic Memory Allocation

Some unsafe languages,like C and C++,let programmers maximize performance but are vulnerable to memory errors which can lead to program crashes and unpredictable behavior.Aiming to solve the problem,traditional memory allocating strategy is improved and a new probabilistic memory allocation technology is presented.By combining random memory allocating algorithm and virtual memory,memory errors are avoided in all probability during software executing.By replacing default memory allocator to manage allocation of heap memory,buffer overflows and dangling pointers are prevented.Experiments show it is better than Diehard of the following aspects:memory errors prevention,performance in memory allocation set and ability of controlling working set.So probabilistic memory allocation is a valid memory errors prevention technology and it can tolerate memory errors and provide probabilistic memory safety effectively.

Mitigating ROP Attacks via ARM-Specific In-Place Instruction Randomization

Defending against return-oriented programing(ROP) attacks is extremely challenging for modern operating systems.As the most popular mobile OS running on ARM,Android is even more vulnerable to ROP attacks due to its weak implementation of ASLR and the absence of effective control-flow integrity enforcement.In this paper,leveraging specific ARM features,an instruction randomization strategy to mitigate ROP attacks in Android even with the threat of single pointer leakage vulnerabilities is proposed.By popping out more registers in functions' epilogue instructions and reallocating registers in function scopes,branch targets in all(direct and indirect) branch instructions potential to be ROP gadgets are changed randomly.Without the knowledge of binaries' runtime instructions layout,adversary's repeated control flow transfer in ROP exploits will be subverted.Furthermore,this instruction randomization idea has been implemented in both Android Dalvik runtime and ART.Corresponding evaluations proved it is capable to introduce enough randomness for more than 99% discovered functions and thwart about 95% ROP gadgets in application's shared libraries and oat file compiled from Dalvik bytecode.Besides,evaluations on real-world exploits also confirmed its effectiveness on mitigating ROP attacks within acceptable performance overhead.

Structured Query Language Injection Penetration Test Case Generation Based on Formal Description

Aiming to improve the Structured Query Language( SQL) injection penetration test accuracy through the formalismguided test case generation,an attack purpose based attack tree model of SQL injection is proposed,and then under the guidance of this model, the formal descriptions for the SQL injection vulnerability feature and SQL injection attack inputs are established. Moreover,according to new coverage criteria,these models are instantiated and the executable test cases are generated.Experiments show that compared with the random enumerated test case used in other works,the test case generated by our method can detect the SQL injection vulnerability more effectively. Therefore,the false negative is reduced and the test accuracy is improved.

Exploration and Practice of Online Teaching Mode for“Three Preparations Before Class,Five Channels in Class and Five Tracking after Class”

Aiming at the characteristics of huge knowledge points,strong practicality and diversity of software security course,adhering to the“Π”scheme for emerging engineering education,based on Tencent classroom,Tencent conference and Lan ink cloud class,and guided by BOPPPS teaching model and deep learning theory,“three preparations before class,five channels in class and five tracking after class”is proposed.Three preparations before class and five tracking after class serve the five channels in class.Five channels in class take live teaching as the core,and teach students knowledge through five channels.Practice has proved that this mode can effectively solve the problem of teaching a large number of knowledge in limited class hours,improve students’practical ability and enhance the effect of classroom teaching.

An empirical study on the complexity, security and maintainability of Ethereum-based decentralized applications (DApps)

The Ethereum blockchain’s smart contract is a programmable transaction that performs general-purpose computations and can be executed automatically on the blockchain.Leveraging this component,blockchain technology(BT)has grown beyond the scope of cryptocurrencies and can now be applicable in various industries other than finance.In this paper,we investigated the current trends in Ethereum-based decentralized applications(DApps)to be able to categorize and analyze the DApps to measure the complexity of smart contracts behind them,their level of security and their correlation to the maintainability of the DApps.We leveraged the source code analysis,security analysis,and the developmental metadata of the DApps to infer this correlation.Based on our findings,we concluded that the maintainability of Ethereum DApps is proportional to the code size,number of functions,and,most importantly,the number of outgoing invocations and statements in the smart contracts.

Attacks and defences on intelligent connected vehicles:a survey

Intelligent vehicles are advancing at a fast speed with the improvement of automation and connectivity,which opens up new possibilities for different cyber-attacks,including in-vehicle attacks(e.g.,hijacking attacks)and vehicle-to-everything communicationattacks(e.g.,data theft).These problems are becoming increasingly serious with the development of 4G LTE and 5G communication technologies.Although many efforts are made to improve the resilience to cyber attacks,there are still many unsolved challenges.This paper first identifies some major security attacks on intelligent connected vehicles.Then,we investigate and summarize the available defences against these attacks and classify them into four categories:cryptography,network security,software vulnerability detection,and malware detection.Remaining challenges and future directions for preventing attacks on intelligent vehicle systems have been discussed as well.