Techniques and Trends Towards Various Dimensions of Robust Security Testing in Global Software Engineering

2022 ◽  
pp. 1245-1271
Author(s):  
Muhammad Sulleman Memon ◽  
Mairaj Nabi Bhatti ◽  
Manzoor Ahmed Hashmani ◽  
Muhammad Shafique Malik ◽  
Naveed Murad Dahri

With the growth of software vulnerabilities, the demand for security integration is increasingly necessary to more effectively achieve the goal of secure software development globally. Different practices are used to keep the software intact. These practices should also be examined to obtain better results depending on the level of security. The security of a software program device is a characteristic that permeates the whole system. To resolve safety issues in a software program, security solutions have to be implemented continually throughout each web page. The motive of this study is to offer a complete analysis of safety, wherein protection testing strategies and equipment can be categorized into technical evaluation strategies and non-technical assessment strategies. This study presents high-level ideas in an easy form that would help professionals and researchers solve software security testing problems around the world. One way to achieve these goals is to separate security issues from other enforcement issues so that they can be resolved independently and applied globally.


Author(s):  
Natarajan Meghanathan ◽  
Alexander Roy Geoghegan

The high-level contribution of this book chapter is to illustrate how to conduct static code analysis of a software program and mitigate the vulnerabilities associated with the program. The automated tools used to test for software security are the Source Code Analyzer and Audit Workbench, developed by Fortify, Inc. The first two sections of the chapter are comprised of (i) An introduction to Static Code Analysis and its usefulness in testing for Software Security and (ii) An introduction to the Source Code Analyzer and the Audit Workbench tools and how to use them to conduct static code analysis. The authors then present a detailed case study of static code analysis conducted on a File Reader program (developed in Java) using these automated tools. The specific software vulnerabilities that are discovered, analyzed, and mitigated include: (i) Denial of Service, (ii) System Information Leak, (iii) Unreleased Resource (in the context of Streams), and (iv) Path Manipulation. The authors discuss the potential risk in having each of these vulnerabilities in a software program and provide the solutions (and the Java code) to mitigate these vulnerabilities. The proposed solutions for each of these four vulnerabilities are more generic and could be used to correct such vulnerabilities in software developed in any other programming language.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Ramaraj Palanisamy ◽  
Yang Wu

Purpose: This study/paper aims to empirically examine the user attitude on perceived security of enterprise systems (ES) mobility. Organizations are adopting mobile technologies for various business applications including ES to increase flexibility and to gain sustainable competitive advantage. At the same time, end-users are exposed to security issues when using mobile technologies. The ES have seen breaches and malicious intrusions, and thereby more sophisticated recreational and commercial cybercrimes have been witnessed. ES have seen data breaches and malicious intrusions leading to more sophisticated cybercrimes. Considering the significance of security in ES mobility, the research questions in this study are: What are the security issues of ES mobility? What are the influences of users’ attitude towards those security issues? What is the impact of users’ attitude towards security issues on perceived security of ES mobility?

Design/methodology/approach: These questions are addressed by empirically testing a security model of mobile ES by collecting data from users of ES mobile systems. Hypotheses were evolved and tested by data collected through a survey questionnaire. The questionnaire survey was administered to 331 users from Chinese small and medium-sized enterprises (SME). The data was statistically analysed by tools such as correlation, factor analysis and regression, and the study built a structural equation model (SEM) to examine the interactions between the variables.

Findings: The study results have identified the following security issues: users’ attitude towards mobile device security issues; users’ attitude towards wireless network security issues; users’ attitude towards cloud computing security issues; users’ attitude towards application-level security issues; users’ attitude towards data (access) level security issues; and users’ attitude towards enterprise-level security issues.

Research limitations/implications: The study results are based on a sample of users from Chinese SMEs. The findings may lack generalizability. Therefore, researchers are encouraged to examine the model in a different context. The issues requiring further investigation are the role of gender and type of device on perceived security of ES mobile systems.

Practical implications: The results show that the key security issues are related to the mobile device, wireless network, cloud computing, applications, data and enterprise. By understanding these issues and the best practices, organizations can maintain a high level of security of their mobile ES.

Social implications: Apart from understanding the best practices and the key issues, the authors suggest that management and end-users work collaboratively to achieve a high level of security of the mobile ES.

Originality/value: This is an empirical study conducted from the users’ perspective for validating the set of research hypotheses related to key security issues on the perceived security of mobile ES.


Author(s):  
Jerry Rau ◽  
Mike Kirkwood

Pressure testing of pipelines has been around in some form or another since the 1950s [1–14]. In its earliest form, operators used inert gases such as nitrogen or even air to test for pipeline integrity. However, with the significant increases in pipeline pressures and inherent safety issues with a pressurized gas, the switch to using water happened in the late 1960s [15–17]. Hydrostatic tests (referred to as hydrotests) have been used since then to set and reset the Maximum Allowable Operating Pressure (MAOP) for pipelines, but as other technologies develop and gain acceptance, will hydrotesting still play a key role in pipeline integrity in the years ahead? Currently, hydrotesting is a topic for the impending US Pipeline and Hazardous Materials Safety Administration’s (PHMSA) Proposed New Rule Making (PNRM) [18]. Under the NPRM, hydrotesting is required to verify MAOP on pre-1970s US “grandfathered” pipelines, as well as on pipelines of any age with incomplete or missing testing records, and includes a high-level test with a “spike” in pressure. But hydrotesting may not be the only method. Alternative methods and new technologies, used alone or in combination with hydrotesting, may help provide a more comprehensive way for operators to identify and address potential problems before they become a significant threat. This paper explores both sides of the argument. Before In-Line Inspection (ILI) technology was even available, hydrotesting was the absolute means of the proof of integrity. However, hydrotesting is under scrutiny for many reasons that this paper explores. ILI was introduced in the 1960s with the first commercially available Magnetic Flux Leakage (MFL) tools that presented the industry with an alternative. Currently there is a huge array of available technologies on an ILI tool, and so is the role of the hydrotest over? The paper looks at the benefits of the hydrotest, and these are presented and balanced against available ILI technology.
Furthermore, as pipelines are being developed in even harsher environments such as deepwater developments, the actual logistics of performing a hydrotest become more challenging. The paper will also look at applications both onshore and offshore where regulators have accepted waivers to a hydrotest using alternative methods of proving integrity. The paper concludes with the current use and needs for hydrotesting, the regulatory viewpoint, the alternatives, and also what future developments need to focus on and how technology may be improved to provide at least a supplement, if not a replacement, to this means of integrity assurance.


Energies ◽  
2018 ◽  
Vol 11 (8) ◽  
pp. 2019 ◽  
Author(s):  
Victor Fernández-Guzmán ◽  
Edgardo Bravo

The adoption of natural gas increased notably in recent years, and there is some recognition that it improves the quality of life of inhabitants. While initial acceptance is an essential first step, continued use is relevant to the long-term success of any technology. However, the literature on energy has focused on adoption and has devoted less attention to models that explain continuance usage. Accordingly, this study developed a model to explain continuance usage, grounded in the Expectation-Confirmation Model (ECM). Unlike adoption models, confirmation of previous expectations and satisfaction with the experience of use have a relevant role in this phenomenon. Data was gathered through a questionnaire to 435 users of the service in a Latin American metropolis, and a structural equation model was used for analysis. The results show that the constructs of the ECM (perceived usefulness, disconfirmation, and satisfaction) influence continuance intention. While the price impacts as expected, it is surprising that environmental consciousness strongly impacts the intention. These results may be useful for public agents to foster more comprehensive policies (beyond the traditional ones of price and access), which include environmental and safety issues to consolidate the use of this energy source. Energy companies should develop strategies to manage consumer expectations and loyalty programs based on a high level of satisfaction.


Author(s):  
Manal Abdulrahman Al-Mandharia ◽  
Mohammed Nassir Al-Riyami

The aim of this study was to investigate the degree of mathematics teachers’ practice of authentic evaluation strategies and tools in the basic education stage in the Sultanate of Oman. The researcher prepared a questionnaire to measure the degree of use of the authentic evaluation strategies and tools. The sample consisted of (266) teachers, of whom (211) were from the first cycle and (55) from the second cycle of basic education schools in the province of Muscat. After statistical processing using averages, frequencies and tests, the results of the study showed that the teachers’ use of authentic evaluation strategies and tools in both the first and second cycles in the basic education schools was high. The results showed that the strategies of self-evaluation and peer evaluation are the most widely used by the teachers. The strategy of evaluating performance by concept maps obtained the lowest degree of use, although it was still at a high level. The results also showed that there are statistically significant differences in the degree of practicing the authentic evaluation strategies, and these differences are in favor of the teachers who have more than ten years of experience. The results showed no statistically significant differences between the teachers of the first and second cycles in the practice of authentic evaluation strategies and tools. Consequently, the researcher recommended directing the institutions that are responsible for the preparation of new teachers to add training programs on authentic evaluation strategies and tools. The researcher also recommended conducting studies on the difficulties faced by teachers in practicing all authentic evaluation strategies and tools in a balanced manner.


Author(s):  
Seiji Munetoh ◽  
Nobukazu Yoshioka

A framework based on a scripting language is commonly used in Web application development, and high development efficiency is often achieved by applying several Agile development techniques. However, the adaptation of security assurance techniques to support Agile development is still underway, particularly from the developer's perspective. The authors have addressed this problem by developing an iterative security testing method that splits the security test target application into two parts on the basis of the code lifecycle, application logic (“active development code”) and framework (“used code”). For the former, detailed security testing is conducted using static analysis since it contains code that is changed during the iterative development process. For the latter, an abstraction library at the command granularity level is created and maintained. The library identifies the behavior of an application from the security assurance standpoint. This separation reduces the amount of code to be statically inspected and provides a mechanism for sharing security issues among application developers using the same Web application framework. Evaluation demonstrated that this method can detect various types of Web application vulnerabilities.


Author(s):  
Eduardo B. Fernandez ◽  
Krishnakumar R. Nair ◽  
Maria M. Larrondo-Petrie ◽  
Yan Xu

2020 ◽  
Vol 2020 ◽  
pp. 1-16
Author(s):  
Suzan Almutairi ◽  
Saoucene Mahfoudh ◽  
Sultan Almutairi ◽  
Jalal S. Alowibdi

Botnets are one of the most dangerous cyber-security issues. A botnet infects unprotected machines and keeps track of the communication with the command and control server to send and receive malicious commands. The attacker uses a botnet to initiate dangerous attacks such as DDoS, phishing, data stealing, and spamming. The size of a botnet is usually very large, and millions of infected hosts may belong to it. In this paper, we addressed the problem of botnet detection based on network flow records and activities in the host. Thus, we propose a general technique capable of detecting new botnets in an early phase. Our technique is implemented on both sides: host side and network side. The botnet communication traffic we are interested in includes HTTP, P2P, IRC, and DNS using IP fluxing. The HANABot algorithm is proposed to preprocess and extract features to distinguish botnet behavior from legitimate behavior. We evaluate our solution using a collection of real datasets (malicious and legitimate). Our experiment shows a high level of accuracy and a low false positive rate. Furthermore, a comparison with some existing approaches is given, focusing on specific features and performance. The proposed technique outperforms some of the presented approaches in terms of accurately detecting botnet flow records within NetFlow traces.


Author(s):  
Michael Lescisin ◽  
Qusay H. Mahmoud

This article discusses the development of secure software by means of dynamic analysis tools. A secure software-based system should have security checks and balances integrated throughout its entire development lifecycle, including its deployment phase. Therefore, this article covers both using software security tools for testing code in development and monitoring code in deployment to ensure that it is operating securely. The security issues discussed in this article are split into two categories: memory safety issues and input validation issues. Memory safety issues concern problems of unauthorized memory access such as buffer overflows, stack overflows, use-after-free, double-free, memory leaks, etc. Although not strictly a memory safety issue, concurrency issues, such as data races, are treated as memory safety issues in this article. Input validation issues concern problems where untrusted input is directly passed to handlers which are designed to handle both data and commands. Examples of this include path traversal, SQL injection, command injection, JavaScript/HTML injection, etc. As a result of this significant difference between these two types of security vulnerabilities, two sets of tools are evaluated, with one set focusing on memory safety issues and the other on input validation issues. This article explores the benefits and limitations of current software dynamic analysis tools by evaluating them against both the authors’ test cases and the OWASP Benchmark for Security Automation, and proposes solutions for implementing secure software applications.
