In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed eit...In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities used to secure the web application layer, the security approaches or techniques used in the process, the stages in the software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct, Springer Link. After detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis on web application security vulnerabilities detection methods which help us to identify the scope of SLR for comprehensively investigation in the future research. Further in this SLR considering OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categories the accessible vulnerabilities. OWASP is major source to construct and validate web security processes and standards.展开更多
With continuous evolution in software industry, security is becoming very important in software projects. However, in many development methodologies, security is thought to be added in the project at later stages of t...With continuous evolution in software industry, security is becoming very important in software projects. However, in many development methodologies, security is thought to be added in the project at later stages of the development lifecycle. There are also many proposed methodologies where the security measures are considered at requirement engineering stage of the development lifecycle, but many of them still do not seem adequate for applicability due to the reason that these approaches do not provide sufficient support for mapping the security requirements to the later stages of development. So, we are in need of a software requirement engineering approach, which is not only helpful in security requirement specification at requirement engineering stage but also provides support for using the specified security requirements at later stages of development. To meet this requirement, we introduce a new method Secure and Traceable Requirement Engineering Process (STREP). This method also helps the non-security-expert requirement engineers to specify requirements in such a way that the specified requirements can be used to derive security related test cases. STREP method not only deals with security issues of the system at requirement engineering stage, but also makes the security requirements more traceable to be used at later stages of development lifecycle, and as a result, secure systems are produced that are also usable as the customer wishes.展开更多
将SDL(Security Development Lifecycle)的开发过程的13个活动划分成了5个过程,并对5个过程中的各个活动作了详细描述,同时对每个过程的安全性作了分析。通过与传统的开发模式的对比,体现出SDL在软件开发方面更高的安全性,最后引入了微...将SDL(Security Development Lifecycle)的开发过程的13个活动划分成了5个过程,并对5个过程中的各个活动作了详细描述,同时对每个过程的安全性作了分析。通过与传统的开发模式的对比,体现出SDL在软件开发方面更高的安全性,最后引入了微软在实践中成功应用SDL的案例来说明SDL较高的实际应用价值。展开更多
通过研究微软安全开发生命周期SDL(Security Development Lifecycle)和《GB 20274信息系统安全保障评估框架》,结合江南农村商业银行信息系统建设的实践,提出适合国内中小银行信息系统开发的全生命周期安全保障框架。该框架将软件安全...通过研究微软安全开发生命周期SDL(Security Development Lifecycle)和《GB 20274信息系统安全保障评估框架》,结合江南农村商业银行信息系统建设的实践,提出适合国内中小银行信息系统开发的全生命周期安全保障框架。该框架将软件安全保障集成到信息系统开发生命周期的五个阶段中,详细阐述每个阶段要进行的安全控制措施,确保系统开发的安全性和可靠性。展开更多
如今信息安全在信息社会扮演极为重要的角色,直接关系到政府运作、企业经营和人们的日常生活,信息安全服务也已成为信息安全保障体系的重要内容。然而国内信息安全服务行业却存在很多问题,管理者的信息安全意识不足,安全服务以事件应急...如今信息安全在信息社会扮演极为重要的角色,直接关系到政府运作、企业经营和人们的日常生活,信息安全服务也已成为信息安全保障体系的重要内容。然而国内信息安全服务行业却存在很多问题,管理者的信息安全意识不足,安全服务以事件应急响应为主,忽视为客户提供主动、系统的面向业务的服务。针对这一现状,本文提出了基于业务的信息安全服务体系(Business-based Information Security Service System,BISSS),利用企业架构(Enterprise Architecture,EA)对机构及其信息系统进行分析,以信息系统的业务属性为出发点和依据,为客户提供覆盖整个信息系统生命周期的安全服务。展开更多
文摘In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities used to secure the web application layer, the security approaches or techniques used in the process, the stages in the software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct, Springer Link. After detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis on web application security vulnerabilities detection methods which help us to identify the scope of SLR for comprehensively investigation in the future research. Further in this SLR considering OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categories the accessible vulnerabilities. OWASP is major source to construct and validate web security processes and standards.
文摘With continuous evolution in software industry, security is becoming very important in software projects. However, in many development methodologies, security is thought to be added in the project at later stages of the development lifecycle. There are also many proposed methodologies where the security measures are considered at requirement engineering stage of the development lifecycle, but many of them still do not seem adequate for applicability due to the reason that these approaches do not provide sufficient support for mapping the security requirements to the later stages of development. So, we are in need of a software requirement engineering approach, which is not only helpful in security requirement specification at requirement engineering stage but also provides support for using the specified security requirements at later stages of development. To meet this requirement, we introduce a new method Secure and Traceable Requirement Engineering Process (STREP). This method also helps the non-security-expert requirement engineers to specify requirements in such a way that the specified requirements can be used to derive security related test cases. STREP method not only deals with security issues of the system at requirement engineering stage, but also makes the security requirements more traceable to be used at later stages of development lifecycle, and as a result, secure systems are produced that are also usable as the customer wishes.
文摘将SDL(Security Development Lifecycle)的开发过程的13个活动划分成了5个过程,并对5个过程中的各个活动作了详细描述,同时对每个过程的安全性作了分析。通过与传统的开发模式的对比,体现出SDL在软件开发方面更高的安全性,最后引入了微软在实践中成功应用SDL的案例来说明SDL较高的实际应用价值。
文摘通过研究微软安全开发生命周期SDL(Security Development Lifecycle)和《GB 20274信息系统安全保障评估框架》,结合江南农村商业银行信息系统建设的实践,提出适合国内中小银行信息系统开发的全生命周期安全保障框架。该框架将软件安全保障集成到信息系统开发生命周期的五个阶段中,详细阐述每个阶段要进行的安全控制措施,确保系统开发的安全性和可靠性。
文摘如今信息安全在信息社会扮演极为重要的角色,直接关系到政府运作、企业经营和人们的日常生活,信息安全服务也已成为信息安全保障体系的重要内容。然而国内信息安全服务行业却存在很多问题,管理者的信息安全意识不足,安全服务以事件应急响应为主,忽视为客户提供主动、系统的面向业务的服务。针对这一现状,本文提出了基于业务的信息安全服务体系(Business-based Information Security Service System,BISSS),利用企业架构(Enterprise Architecture,EA)对机构及其信息系统进行分析,以信息系统的业务属性为出发点和依据,为客户提供覆盖整个信息系统生命周期的安全服务。
