Powerful authentication regime applicable to naval OFP integrated development (PARANOID): a vision for non-circumventable code signing and traceability for embedded avionics software

2021, Vol ahead-of-print (ahead-of-print)
Author(s): Joe Garcia, Russell Shannon, Aaron Jacobson, William Mosca, Michael Burger, ...

Purpose – This paper aims to describe an effort to provide for a robust and secure software development paradigm intended to support DevSecOps in a naval aviation enterprise (NAE) software support activity (SSA), with said paradigm supporting strong traceability and provability concerning the SSA’s output product, known as an operational flight program (OFP). Through a secure development environment (SDE), each critical software development function performed on said OFP during its development has a corresponding record represented on a blockchain. Design/methodology/approach – An SDE is implemented as a virtual machine or container incorporating software development tools that are modified to support blockchain transactions. Each critical software development function, e.g. editing, compiling, linking, generates a blockchain transaction message with associated information embedded in the output of a said function that, together, can be used to prove integrity and support traceability. An attestation process is used to provide proof that the toolchain containing SDE is not subject to unauthorized modification at the time said critical function is performed. Findings – Blockchain methods are shown to be a viable approach for supporting exhaustive traceability and strong provability of development system integrity for mission-critical software produced by an NAE SSA for NAE embedded systems software. Practical implications – A blockchain-based authentication approach that could be implemented at the OFP point-of-load would provide for fine-grain authentication of all OFP software components, with each component or module having its own proof-of-integrity (including the integrity of the used development tools) over its entire development history. Originality/value – Many SSAs have established control procedures for development such as check-out/check-in. This does not prove the SSA output software is secure. For one thing, a build system does not necessarily enforce procedures in a way that is determinable from the output. Furthermore, the SSA toolchain itself could be attacked. The approach described in this paper enforces security policy and embeds information into the output of every development function that can be cross-referenced to blockchain transaction records for provability and traceability that only trusted tools, free from unauthorized modifications, are used in software development. A key original concept of this approach is that it treats assigned developer time as a transferable digital currency.

2014, Vol 7 (3), pp. 198-225
Author(s): Debasisha Mishra, Biswajit Mahanty

Purpose – The aim of this paper is to make an attempt to find good values of onsite–offshore team strength; number of hours of communication between business users and onsite team and between onsite and offshore team to reduce cost and improve schedule for re-engineering projects in global software development environment. Design/methodology/approach – The system dynamics technique is used for simulation model construction and policy run experimentation. The experts from Indian software outsourcing industry were consulted for model construction, validation and analysis of policy run results in both co-located and distributed software development environment. Findings – The study results show that there is a drop in the overall team productivity in outsourcing environment by considering the offshore options. But the project cost can be reduced by employing the offshore team for coding and testing work only with minimal training for imparting business knowledge. The research results show that there is a potential to save project cost by being flexible in project schedule. Research limitations/implications – The study found that there could be substantial cost saving for re-engineering projects with a loss of project schedule when an appropriate onsite–offshore combination is used. The quality and productivity drop, however, were rather small for such combinations. The cost savings are high when re-engineering work is sent to offshore location entirely after completion of requirement analysis work at onsite location and providing training to offshore team in business knowledge. The research findings show that there is potential to make large cost savings by being flexible in project schedule for re-engineering projects. Practical implications – The software project manager can use the model results to divide the software team between onsite and offshore location during various phases of software development in distributed environment. Originality/value – The study is novel as there is little attempt at finding the team distribution between onsite and offshore location in global software development environment.


2018, Vol 8 (1), pp. 1-25
Author(s): Andries Maritz, Fatima Hamdulay

Subject area – Agile software development, Knowledge workers and Lean thinking as a management system. Study level/applicability – The case lends itself to students of business management, or aspiring consultants, who have been exposed to operations management in general and Lean thinking specifically. It is an advanced case study, assuming prior knowledge in these subjects and approaches the subject matter from an organisational development point of view, rather than a pure operations point of view. It is thus well suited to an elective on operational excellence on an MBA or in executive education courses in Lean thinking. Case overview – The case starts with Mark, manager of a software development team, hearing that he will have budget for two new developers who will join his team in the coming year. While the extra help could be useful, he was considering what the impact of new people would be on the productivity of the team, which he felt was already stretched. Mark continues to consider the entire development chain and how code changes were implemented to ACSESim’s (the company’s primary product) graphical user interfaces. Having recently been acquired by an American company, he was also under pressure to start to adopt some of the parent company’s systems, which would constitute a fairly disruptive, but necessary, change, particularly for future collaborations with other developers in the parent company. With two new developers, experience taught Mark that development could slow down owing to training efforts. To minimise disruption, he was wondering about how to get the new developers up-to-speed quickly and streamline their operations within a changing corporate environment. The case highlights the different mechanisms that were in place at ACSESim, including the use of issue trackers; Kanban boards; version control software; automated systems; stand-up meetings, etc. Each of these mechanisms is discussed briefly and shows the value they added to the development practices that were in place. This also allows students to understand Agile practices and what Lean thinking might mean in a knowledge work environment and then to consider what the proposed changes might mean and how they could be deployed. Expected learning outcomes – To gain an understanding of how Lean and Agile principles can be applied in a software development environment and Lean knowledge work in general. To consider the best way to manage new hires so that they can become productive in a Lean or Agile software development environment, whilst dealing with pressures to migrate to new systems. Supplementary materials – Teaching notes are available for educators only. Please contact your library to gain login details or email [email protected] to request teaching notes. Subject code – CSS: 9: Operations and Logistics.


2016, Vol 24 (1), pp. 93-115
Author(s): Xiaoying Yu, Qi Liao

Purpose – Passwords have been designed to protect individual privacy and security and widely used in almost every area of our life. The strength of passwords is therefore critical to the security of our systems. However, due to the explosion of user accounts and increasing complexity of password rules, users are struggling to find ways to make up sufficiently secure yet easy-to-remember passwords. This paper aims to investigate whether there are repetitive patterns when users choose passwords and how such behaviors may affect us to rethink password security policy. Design/methodology/approach – The authors develop a model to formalize the password repetitive problem and design efficient algorithms to analyze the repeat patterns. To help security practitioners to analyze patterns, the authors design and implement a lightweight, Web-based visualization tool for interactive exploration of password data. Findings – Through case studies on a real-world leaked password data set, the authors demonstrate how the tool can be used to identify various interesting patterns, e.g. shorter substrings of the same type used to make up longer strings, which are then repeated to make up the final passwords, suggesting that the length requirement of password policy does not necessarily increase security. Originality/value – The contributions of this study are two-fold. First, the authors formalize the problem of password repetitive patterns by considering both short and long substrings and in both directions, which have not yet been considered in past. Efficient algorithms are developed and implemented that can analyze various repeat patterns quickly even in large data set. Second, the authors design and implement four novel visualization views that are particularly useful for exploration of password repeat patterns, i.e. the character frequency charts view, the short repeat heatmap view, the long repeat parallel coordinates view and the repeat word cloud view.


2015, Vol 23 (2), pp. 161-177
Author(s): Li-Hsing Ho, Ming-Tsai Hsu, Tieh-Min Yen

Purpose – The purpose of this paper is to analyze the cause-and-effect relationship and the mutually influential level among information security control items, as well as to provide organizations with a method for analyzing and making systematic decisions for improvement. Design/methodology/approach – This study utilized the Fuzzy DEMATEL to analyze cause-and-effect relationships and mutual influence of the 11 control items of the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS), which are discussed by seven experts in Taiwan to identify the core control items for developing the improvement strategies. Findings – The study has found that the three core control items of the ISMS are security policy (SC1), access control (SC7) and human resource security (SC4). This study provides organizations with a direction to develop improvement strategies and effectively manage the ISMS of the organization. Originality/value – The value of this study is for an organization to effectively dedicate resources to core control items, such that other control items are driven toward positive change by analyzing the cause-and-effect relation and the mutual influential level among information security control items, through a cause-and-effect matrix and a systematic diagram.

