Capturing security requirements for software systems

Directory of Open Access Journals (Sweden)

Hassan El-Hadary

2014-07-01

Full Text Available Security is often an afterthought during software development. Realizing security early, especially in the requirement phase, is important so that security problems can be tackled early enough before going further in the process and avoid rework. A more effective approach for security requirement engineering is needed to provide a more systematic way for eliciting adequate security requirements. This paper proposes a methodology for security requirement elicitation based on problem frames. The methodology aims at early integration of security with software development. The main goal of the methodology is to assist developers elicit adequate security requirements in a more systematic way during the requirement engineering process. A security catalog, based on the problem frames, is constructed in order to help identifying security requirements with the aid of previous security knowledge. Abuse frames are used to model threats while security problem frames are used to model security requirements. We have made use of evaluation criteria to evaluate the resulting security requirements concentrating on conflicts identification among requirements. We have shown that more complete security requirements can be elicited by such methodology in addition to the assistance offered to developers to elicit security requirements in a more systematic way.

Capturing security requirements for software systems

Science.gov (United States)

El-Hadary, Hassan; El-Kassas, Sherif

2014-01-01

Security is often an afterthought during software development. Realizing security early, especially in the requirement phase, is important so that security problems can be tackled early enough before going further in the process and avoid rework. A more effective approach for security requirement engineering is needed to provide a more systematic way for eliciting adequate security requirements. This paper proposes a methodology for security requirement elicitation based on problem frames. The methodology aims at early integration of security with software development. The main goal of the methodology is to assist developers elicit adequate security requirements in a more systematic way during the requirement engineering process. A security catalog, based on the problem frames, is constructed in order to help identifying security requirements with the aid of previous security knowledge. Abuse frames are used to model threats while security problem frames are used to model security requirements. We have made use of evaluation criteria to evaluate the resulting security requirements concentrating on conflicts identification among requirements. We have shown that more complete security requirements can be elicited by such methodology in addition to the assistance offered to developers to elicit security requirements in a more systematic way. PMID:25685514

COLLABORATIVE NETWORK SECURITY MANAGEMENT SYSTEM BASED ON ASSOCIATION MINING RULE

Directory of Open Access Journals (Sweden)

Nisha Mariam Varughese

2014-07-01

Full Text Available Security is one of the major challenges in open network. There are so many types of attacks which follow fixed patterns or frequently change their patterns. It is difficult to find the malicious attack which does not have any fixed patterns. The Distributed Denial of Service (DDoS attacks like Botnets are used to slow down the system performance. To address such problems Collaborative Network Security Management System (CNSMS is proposed along with the association mining rule. CNSMS system is consists of collaborative Unified Threat Management (UTM, cloud based security centre and traffic prober. The traffic prober captures the internet traffic and given to the collaborative UTM. Traffic is analysed by the Collaborative UTM, to determine whether it contains any malicious attack or not. If any security event occurs, it will reports to the cloud based security centre. The security centre generates security rules based on association mining rule and distributes to the network. The cloud based security centre is used to store the huge amount of tragic, their logs and the security rule generated. The feedback is evaluated and the invalid rules are eliminated to improve the system efficiency.

17 CFR 41.24 - Rule amendments to security futures products.

Science.gov (United States)

2010-04-01

... rule amendment relating to a security futures product if the registered derivatives transaction... 17 Commodity and Securities Exchanges 1 2010-04-01 2010-04-01 false Rule amendments to security futures products. 41.24 Section 41.24 Commodity and Securities Exchanges COMMODITY FUTURES TRADING...

Effective software-oriented cryptosystem in complex PC security software

Directory of Open Access Journals (Sweden)

A. Moldovyan

1995-02-01

Full Text Available To ensure high encryption rate and good data security, an organization of an encipherement program in the form of two modules was proposed. The first module is used for customizing the second one, the latter being the resident of the program, which maintains all application calls about encryption procedures. This approach is shown to be perspective for the elaboration of the cryptosystems with indefinite cryptalgorithm. Several typical software-oriented cryptoschemes are considered. The developed cryptomodules have high encipherement rate (2-10 Mbps for Intel 386 and secure high information protection level Organization of a new computer security software complex COBRA is considered. High enciphering rate and good data protection are provided by the resident cryptomodule using less than 1 kbyte of the main memory and working in dynamic encryption mode.

76 FR 65558 - Rescission of Social Security Ruling 97-2p

Science.gov (United States)

2011-10-21

...-800-325-0778, or visit our Internet site, Social Security Online, at http://www.socialsecurity.gov... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA 2007-0092] Rescission of Social Security Ruling 97-2p AGENCY: Social Security Administration. ACTION: Notice of rescission of Social Security Ruling...

Recent Developments in Low-Level Software Security

OpenAIRE

Agten , Pieter; Nikiforakis , Nick; Strackx , Raoul; Groef , Willem ,; Piessens , Frank

2012-01-01

Part 1: Keynotes; International audience; An important objective for low-level software security research is to develop techniques that make it harder to launch attacks that exploit implementation details of the system under attack. Baltopoulos and Gordon have summarized this as the principle of source-based reasoning for security: security properties of a software system should follow from review of the source code and its source-level semantics, and should not depend on details of the compi...

Security patterns in practice designing secure architectures using software patterns

CERN Document Server

Fernandez-Buglioni, Eduardo

2013-01-01

Learn to combine security theory and code to produce secure systems Security is clearly a crucial issue to consider during the design and implementation of any distributed software architecture. Security patterns are increasingly being used by developers who take security into serious consideration from the creation of their work. Written by the authority on security patterns, this unique book examines the structure and purpose of security patterns, illustrating their use with the help of detailed implementation advice, numerous code samples, and descriptions in UML. Provides

Technology safeguards needed as security rule audits loom.

Science.gov (United States)

Gersh, Deborah; Hoey, Laura G; McCrystal, Timothy M; Tolley, David C

2012-05-01

The Department of Health and Human Services will conduct security rule audits that will involve on-site visits and include: Compliance-focused interviews with key organizational leaders. Scrutiny of physical operations controls, especially regarding storage, maintenance, and use of protected health information. Assessment of organizational policies and procedures to ensure compliance with privacy and security rules. Identification of regulatory compliance areas of concern.

Addressing software security and mitigations in the life cycle

Science.gov (United States)

Gilliam, David; Powell, John; Haugh, Eric; Bishop, Matt

2004-01-01

Traditionally, security is viewed as an organizational and Information Technology (IT) systems function comprising of firewalls, intrusion detection systems (IDS), system security settings and patches to the operating system (OS) and applications running on it. Until recently, little thought has been given to the importance of security as a formal approach in the software life cycle. The Jet Propulsion Laboratory has approached the problem through the development of an integrated formal Software Security Assessment Instrument (SSAI) with six foci for the software life cycle.

Security Risks: Management and Mitigation in the Software Life Cycle

Science.gov (United States)

Gilliam, David P.

2004-01-01

A formal approach to managing and mitigating security risks in the software life cycle is requisite to developing software that has a higher degree of assurance that it is free of security defects which pose risk to the computing environment and the organization. Due to its criticality, security should be integrated as a formal approach in the software life cycle. Both a software security checklist and assessment tools should be incorporated into this life cycle process and integrated with a security risk assessment and mitigation tool. The current research at JPL addresses these areas through the development of a Sotfware Security Assessment Instrument (SSAI) and integrating it with a Defect Detection and Prevention (DDP) risk management tool.

Extending the agile development process to develop acceptably secure software

NARCIS (Netherlands)

Ben Othmane, L.; Angin, P.; Weffers, H.T.G.; Bhargava, B.

2013-01-01

The agile software development approach makes developing secure software challenging. Existing approaches for extending the agile development process, which enables incremental and iterative software development, fall short of providing a method for efficiently ensuring the security of the software

The HIPAA Security Rule: implications for biomedical devices.

Science.gov (United States)

2004-11-01

The HIPAA Security Rule, with which hospitals must become compliant by April 2005, is broad in scope. Some aspect of this rule will affect virtually every function and department within a healthcare organization. The functions and departments that deal with biomedical technologies face special challenges due to the great diversity of technologies, the variety of data maintained and transmitted, and the risks associated with compromises to data security--combined with the presence of older technology and the absence of integrated expertise. It is essential that hospitals recognize this challenge and initiate steps now to implement appropriate information security management.

17 CFR 240.17a-1 - Recordkeeping rule for national securities exchanges, national securities associations...

Science.gov (United States)

2010-04-01

... national securities exchanges, national securities associations, registered clearing agencies and the... Certain Stabilizing Activities § 240.17a-1 Recordkeeping rule for national securities exchanges, national...) Every national securities exchange, national securities association, registered clearing agency and the...

49 CFR 393.124 - What are the rules for securing concrete pipe?

Science.gov (United States)

2010-10-01

... 49 Transportation 5 2010-10-01 2010-10-01 false What are the rules for securing concrete pipe? 393... Specific Securement Requirements by Commodity Type § 393.124 What are the rules for securing concrete pipe? (a) Applicability. (1) The rules in this section apply to the transportation of concrete pipe on...

A rule-based software test data generator

Science.gov (United States)

Deason, William H.; Brown, David B.; Chang, Kai-Hsiung; Cross, James H., II

1991-01-01

Rule-based software test data generation is proposed as an alternative to either path/predicate analysis or random data generation. A prototype rule-based test data generator for Ada programs is constructed and compared to a random test data generator. Four Ada procedures are used in the comparison. Approximately 2000 rule-based test cases and 100,000 randomly generated test cases are automatically generated and executed. The success of the two methods is compared using standard coverage metrics. Simple statistical tests showing that even the primitive rule-based test data generation prototype is significantly better than random data generation are performed. This result demonstrates that rule-based test data generation is feasible and shows great promise in assisting test engineers, especially when the rule base is developed further.

Integrating semantic web and software agents : Exchanging RIF and BDI rules

NARCIS (Netherlands)

Gong, Y.; Overbeek, S.J.

2011-01-01

Software agents and rules are both used for creating flexibility. Exchanging rules between Semantic Web and agents can ensure consistency in rules and support easy updating and changing of rules. The Rule Interchange Format (RIF) is a new W3C recommendation Semantic Web standard for exchanging rules

Software Design Level Security Vulnerabilities

OpenAIRE

S. Rehman; K. Mustafa

2011-01-01

Several thousand software design vulnerabilities have been reported through established databases. But they need to be structured and classified to be optimally usable in the pursuit of minimal and effective mitigation mechanism. In order we developed a criterion set for a communicative description of the same to serve the purpose as a taxonomic description of security vulnerabilities, arising in the design phase of Software development lifecycle. This description is a part of an effort to id...

FAS: Using FPGA to Accelerate and Secure SDN Software Switches

Directory of Open Access Journals (Sweden)

Wenwen Fu

2018-01-01

Full Text Available Software-Defined Networking (SDN promises the vision of more flexible and manageable networks but requires certain level of programmability in the data plane to accommodate different forwarding abstractions. SDN software switches running on commodity multicore platforms are programmable and are with low deployment cost. However, the performance of SDN software switches is not satisfactory due to the complex forwarding operations on packets. Moreover, this may hinder the performance of real-time security on software switch. In this paper, we analyze the forwarding procedure and identify the performance bottleneck of SDN software switches. An FPGA-based mechanism for accelerating and securing SDN switches, named FAS (FPGA-Accelerated SDN software switch, is proposed to take advantage of the reconfigurability and high-performance advantages of FPGA. FAS improves the performance as well as the capacity against malicious traffic attacks of SDN software switches by offloading some functional modules. We validate FAS on an FPGA-based network processing platform. Experiment results demonstrate that the forwarding rate of FAS can be 44% higher than the original SDN software switch. In addition, FAS provides new opportunity to enhance the security of SDN software switches by allowing the deployment of bump-in-the-wire security modules (such as packet detectors and filters in FPGA.

Coordination and organization of security software process for power information application environment

Science.gov (United States)

Wang, Qiang

2017-09-01

As an important part of software engineering, the software process decides the success or failure of software product. The design and development feature of security software process is discussed, so is the necessity and the present significance of using such process. Coordinating the function software, the process for security software and its testing are deeply discussed. The process includes requirement analysis, design, coding, debug and testing, submission and maintenance. In each process, the paper proposed the subprocesses to support software security. As an example, the paper introduces the above process into the power information platform.

An Analysis of Open Source Security Software Products Downloads

Science.gov (United States)

Barta, Brian J.

2014-01-01

Despite the continued demand for open source security software, a gap in the identification of success factors related to the success of open source security software persists. There are no studies that accurately assess the extent of this persistent gap, particularly with respect to the strength of the relationships of open source software…

Software For Computer-Security Audits

Science.gov (United States)

Arndt, Kate; Lonsford, Emily

1994-01-01

Information relevant to potential breaches of security gathered efficiently. Automated Auditing Tools for VAX/VMS program includes following automated software tools performing noted tasks: Privileged ID Identification, program identifies users and their privileges to circumvent existing computer security measures; Critical File Protection, critical files not properly protected identified; Inactive ID Identification, identifications of users no longer in use found; Password Lifetime Review, maximum lifetimes of passwords of all identifications determined; and Password Length Review, minimum allowed length of passwords of all identifications determined. Written in DEC VAX DCL language.

SPCC- Software Elements for Security Partition Communication Controller

Science.gov (United States)

Herpel, H. J.; Willig, G.; Montano, G.; Tverdyshev, S.; Eckstein, K.; Schoen, M.

2016-08-01

Future satellite missions like Earth Observation, Telecommunication or any other kind are likely to be exposed to various threats aiming at exploiting vulnerabilities of the involved systems and communications. Moreover, the growing complexity of systems coupled with more ambitious types of operational scenarios imply increased security vulnerabilities in the future. In the paper we will describe an architecture and software elements to ensure high level of security on-board a spacecraft. First the threats to the Security Partition Communication Controller (SPCC) will be addressed including the identification of specific vulnerabilities to the SPCC. Furthermore, appropriate security objectives and security requirements are identified to be counter the identified threats. The security evaluation of the SPCC will be done in accordance to the Common Criteria (CC). The Software Elements for SPCC has been implemented on flight representative hardware which consists of two major elements: the I/O board and the SPCC board. The SPCC board provides the interfaces with ground while the I/O board interfaces with typical spacecraft equipment busses. Both boards are physically interconnected by a high speed spacewire (SpW) link.

Restrictions on Software for Personal and Professional Use

CERN Multimedia

2004-01-01

A growing number of computer security incidents detected at CERN are due to additional software installed for personal and professional use. As a consequence, the smooth operation of CERN is put at risk and often many hours are lost solving the problems. To reduce this security risk, installation and/or use of software on CERN's computing and network infrastructure needs to be restricted. Therefore: Do NOT install software for personal use Do NOT install 'free' or other software unless you have the expertise to configure and maintain it securely. Please comply to these rules to keep our computer systems safe. Further explanation of these restrictions is at http://cern.ch/security/software-restrictions Restricted software, known to cause security and/or network problems (e.g. KaZaA and other P2P/Peer-to-Peer file sharing applications, Skype P2P telephony software, ICQ, VNC, ...), is listed at: http://cern.ch/security/software-restrictions/list

Security Awareness in Software-Defined Multi-Domain 5G Networks

Directory of Open Access Journals (Sweden)

Jani Suomalainen

2018-03-01

Full Text Available Fifth generation (5G technologies will boost the capacity and ease the management of mobile networks. Emerging virtualization and softwarization technologies enable more flexible customization of network services and facilitate cooperation between different actors. However, solutions are needed to enable users, operators, and service providers to gain an up-to-date awareness of the security and trustworthiness of 5G systems. We describe a novel framework and enablers for security monitoring, inferencing, and trust measuring. The framework leverages software-defined networking and big data technologies to customize monitoring for different applications. We present an approach for sharing security measurements across administrative domains. We describe scenarios where the correlation of multi-domain information improves the accuracy of security measures with respect to two threats: end-user location tracking and Internet of things (IoT authentication storms. We explore the security characteristics of data flows in software networks dedicated to different applications with a mobile network testbed.

Security Vulnerability Profiles of NASA Mission Software: Empirical Analysis of Security Related Bug Reports

Science.gov (United States)

Goseva-Popstojanova, Katerina; Tyo, Jacob P.; Sizemore, Brian

2017-01-01

NASA develops, runs, and maintains software systems for which security is of vital importance. Therefore, it is becoming an imperative to develop secure systems and extend the current software assurance capabilities to cover information assurance and cybersecurity concerns of NASA missions. The results presented in this report are based on the information provided in the issue tracking systems of one ground mission and one flight mission. The extracted data were used to create three datasets: Ground mission IVV issues, Flight mission IVV issues, and Flight mission Developers issues. In each dataset, we identified the software bugs that are security related and classified them in specific security classes. This information was then used to create the security vulnerability profiles (i.e., to determine how, why, where, and when the security vulnerabilities were introduced) and explore the existence of common trends. The main findings of our work include:- Code related security issues dominated both the Ground and Flight mission IVV security issues, with 95 and 92, respectively. Therefore, enforcing secure coding practices and verification and validation focused on coding errors would be cost effective ways to improve mission's security. (Flight mission Developers issues dataset did not contain data in the Issue Category.)- In both the Ground and Flight mission IVV issues datasets, the majority of security issues (i.e., 91 and 85, respectively) were introduced in the Implementation phase. In most cases, the phase in which the issues were found was the same as the phase in which they were introduced. The most security related issues of the Flight mission Developers issues dataset were found during Code Implementation, Build Integration, and Build Verification; the data on the phase in which these issues were introduced were not available for this dataset.- The location of security related issues, as the location of software issues in general, followed the Pareto

Modelling mobility aspects of security policies

NARCIS (Netherlands)

Hartel, Pieter H.; van Eck, Pascal; Etalle, Sandro; Wieringa, Roelf J.; Barthe, G.; Burdy, L.; Huisman, Marieke; Lanet, J.-L.; Muntean, T.

Security policies are rules that constrain the behaviour of a system. Different, largely unrelated sets of rules typically govern the physical and logical worlds. However, increased hardware and software mobility forces us to consider those rules in an integrated fashion. We present SPIN models of

New fire and security rules change USA nuclear power plant emergency plans

International Nuclear Information System (INIS)

Garrou, A.L.

1978-01-01

New safety and security rules for nuclear power plants have resulted from the Energy Reorganisation Act and also from a review following the Browns Ferry fire. The content of the emergency plan which covers personnel, plant, site, as well as a general emergency, is outlined. New fire protection rules, the plan for security, local and state government assistance are also discussed, with a brief reference to the impact of the new rules on continuity of operations. (author)

Security in Computer Applications

CERN Multimedia

CERN. Geneva

2004-01-01

Computer security has been an increasing concern for IT professionals for a number of years, yet despite all the efforts, computer systems and networks remain highly vulnerable to attacks of different kinds. Design flaws and security bugs in the underlying software are among the main reasons for this. This lecture addresses the following question: how to create secure software? The lecture starts with a definition of computer security and an explanation of why it is so difficult to achieve. It then introduces the main security principles (like least-privilege, or defense-in-depth) and discusses security in different phases of the software development cycle. The emphasis is put on the implementation part: most common pitfalls and security bugs are listed, followed by advice on best practice for security development. The last part of the lecture covers some miscellaneous issues like the use of cryptography, rules for networking applications, and social engineering threats. This lecture was first given on Thursd...

77 FR 67724 - Rescission of Social Security Acquiescence Ruling 05-1(9)

Science.gov (United States)

2012-11-13

...-1213 or TTY 1-800-325-0778, or visit our Internet site, Social Security Online, at http://www... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2012-0058] Rescission of Social Security Acquiescence Ruling 05-1(9) AGENCY: Social Security Administration. [[Page 67725

Software for security event management: Development and utilization

Directory of Open Access Journals (Sweden)

Aleksandr V. Kuznetcov

2017-11-01

Full Text Available We address the challenge to the information security coming from the lack of algorithmic machinery for managing the security events. We start with a mathematical formulation of the problem for a tabular processor by introducing an appropriate target function. Details of corresponding algorithm can be found by following the provided links. We describe our original software module that implements the algorithm for determining the registered security events. The module is based on the tabular processor certified by the Russian Federal Service for Technical and Export Control. We present a control sample for testing the developed module. The sample has the dimension 30x20 and contains 14 choices for threshold values of security events number. The results of the tests comply with the specified boundary conditions and demonstrate a nonlinear dependence of the objective function on the number of registered security events, as well as a nonlinear dependence of the percentage of the detected security event on the total initial number of security events to be registered at the event source. The performance of the module specifically, the central processing unit usage is found acceptable (not exceeding 33%, which allows one to use the software for typical automated workplaces equipped with appropriate tabular processors. Our approach is universal with respect to the application areas.

Demographic-Based Perceptions of Adequacy of Software Security's Presence within Individual Phases of the Software Development Life Cycle

Science.gov (United States)

Kramer, Aleksey

2013-01-01

The topic of software security has become paramount in information technology (IT) related scholarly research. Researchers have addressed numerous software security topics touching on all phases of the Software Development Life Cycle (SDLC): requirements gathering phase, design phase, development phase, testing phase, and maintenance phase.…

Software Security Assurance: A State-of-Art Report (SAR)

Science.gov (United States)

2007-07-31

analysis of security management processes: includes organizational assessment, asset valuation , threat identification, vulnerability assessment...Available from: http://www.cigital.com/papers/download/bsi2-misuse.pdf 200 Meledath Damodaran , “Secure Software Development Using Use Cases and Misuse

Automatic Learning of Fine Operating Rules for Online Power System Security Control.

Science.gov (United States)

Sun, Hongbin; Zhao, Feng; Wang, Hao; Wang, Kang; Jiang, Weiyong; Guo, Qinglai; Zhang, Boming; Wehenkel, Louis

2016-08-01

Fine operating rules for security control and an automatic system for their online discovery were developed to adapt to the development of smart grids. The automatic system uses the real-time system state to determine critical flowgates, and then a continuation power flow-based security analysis is used to compute the initial transfer capability of critical flowgates. Next, the system applies the Monte Carlo simulations to expected short-term operating condition changes, feature selection, and a linear least squares fitting of the fine operating rules. The proposed system was validated both on an academic test system and on a provincial power system in China. The results indicated that the derived rules provide accuracy and good interpretability and are suitable for real-time power system security control. The use of high-performance computing systems enables these fine operating rules to be refreshed online every 15 min.

Software Development Initiatives to Identify and Mitigate Security Threats - Two Systematic Mapping Studies

Directory of Open Access Journals (Sweden)

Paulina Silva

2016-12-01

Full Text Available Software Security and development experts have addressed the problem of building secure software systems. There are several processes and initiatives to achieve secure software systems. However, most of these lack empirical evidence of its application and impact in building secure software systems. Two systematic mapping studies (SM have been conducted to cover the existent initiatives for identification and mitigation of security threats. The SMs created were executed in two steps, first in 2015 July, and complemented through a backward snowballing in 2016 July. Integrated results of these two SM studies show a total of 30 relevant sources were identified; 17 different initiatives covering threats identification and 14 covering the mitigation of threats were found. All the initiatives were associated to at least one activity of the Software Development Lifecycle (SDLC; while 6 showed signs of being applied in industrial settings, only 3 initiatives presented experimental evidence of its results through controlled experiments, some of the other selected studies presented case studies or proposals.

78 FR 5565 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under...

Science.gov (United States)

2013-01-25

... RIN 0945-AA03 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules... HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their... entities Total cost Notices of Privacy Practices.. 700,000 covered $55.9 million. entities. Breach...

Security Vulnerability Profiles of Mission Critical Software: Empirical Analysis of Security Related Bug Reports

Science.gov (United States)

Goseva-Popstojanova, Katerina; Tyo, Jacob

2017-01-01

While some prior research work exists on characteristics of software faults (i.e., bugs) and failures, very little work has been published on analysis of software applications vulnerabilities. This paper aims to contribute towards filling that gap by presenting an empirical investigation of application vulnerabilities. The results are based on data extracted from issue tracking systems of two NASA missions. These data were organized in three datasets: Ground mission IVV issues, Flight mission IVV issues, and Flight mission Developers issues. In each dataset, we identified security related software bugs and classified them in specific vulnerability classes. Then, we created the security vulnerability profiles, i.e., determined where and when the security vulnerabilities were introduced and what were the dominating vulnerabilities classes. Our main findings include: (1) In IVV issues datasets the majority of vulnerabilities were code related and were introduced in the Implementation phase. (2) For all datasets, around 90 of the vulnerabilities were located in two to four subsystems. (3) Out of 21 primary classes, five dominated: Exception Management, Memory Access, Other, Risky Values, and Unused Entities. Together, they contributed from 80 to 90 of vulnerabilities in each dataset.

A Novel Rules Based Approach for Estimating Software Birthmark

Science.gov (United States)

Binti Alias, Norma; Anwar, Sajid

2015-01-01

Software birthmark is a unique quality of software to detect software theft. Comparing birthmarks of software can tell us whether a program or software is a copy of another. Software theft and piracy are rapidly increasing problems of copying, stealing, and misusing the software without proper permission, as mentioned in the desired license agreement. The estimation of birthmark can play a key role in understanding the effectiveness of a birthmark. In this paper, a new technique is presented to evaluate and estimate software birthmark based on the two most sought-after properties of birthmarks, that is, credibility and resilience. For this purpose, the concept of soft computing such as probabilistic and fuzzy computing has been taken into account and fuzzy logic is used to estimate properties of birthmark. The proposed fuzzy rule based technique is validated through a case study and the results show that the technique is successful in assessing the specified properties of the birthmark, its resilience and credibility. This, in turn, shows how much effort will be required to detect the originality of the software based on its birthmark. PMID:25945363

Personal computer security: part 1. Firewalls, antivirus software, and Internet security suites.

Science.gov (United States)

Caruso, Ronald D

2003-01-01

Personal computer (PC) security in the era of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involves two interrelated elements: safeguarding the basic computer system itself and protecting the information it contains and transmits, including personal files. HIPAA regulations have toughened the requirements for securing patient information, requiring every radiologist with such data to take further precautions. Security starts with physically securing the computer. Account passwords and a password-protected screen saver should also be set up. A modern antivirus program can easily be installed and configured. File scanning and updating of virus definitions are simple processes that can largely be automated and should be performed at least weekly. A software firewall is also essential for protection from outside intrusion, and an inexpensive hardware firewall can provide yet another layer of protection. An Internet security suite yields additional safety. Regular updating of the security features of installed programs is important. Obtaining a moderate degree of PC safety and security is somewhat inconvenient but is necessary and well worth the effort. Copyright RSNA, 2003

Do you write secure code?

CERN Multimedia

Computer Security Team

2011-01-01

At CERN, we are excellent at producing software, such as complex analysis jobs, sophisticated control programs, extensive monitoring tools, interactive web applications, etc. This software is usually highly functional, and fulfils the needs and requirements as defined by its author. However, due to time constraints or unintentional ignorance, security aspects are often neglected. Subsequently, it was even more embarrassing for the author to find out that his code flawed and was used to break into CERN computers, web pages or to steal data…   Thus, if you have the pleasure or task of producing software applications, take some time before and familiarize yourself with good programming practices. They should not only prevent basic security flaws in your code, but also improve its readability, maintainability and efficiency. Basic rules for good programming, as well as essential books on proper software development, can be found in the section for software developers on our security we...

Integrating a flexible modeling framework (FMF) with the network security assessment instrument to reduce software security risk

Science.gov (United States)

Gilliam, D. P.; Powell, J. D.

2002-01-01

This paper presents a portion of an overall research project on the generation of the network security assessment instrument to aid developers in assessing and assuring the security of software in the development and maintenance lifecycles.

Extracting classification rules from an informatic security incidents repository by genetic programming

Directory of Open Access Journals (Sweden)

Carlos Javier Carvajal Montealegre

2015-04-01

Full Text Available This paper describes the data mining process to obtain classification rules over an information security incident data collection, explaining in detail the use of genetic programming as a mean to model the incidents behavior and representing such rules as decision trees. The described mining process includes several tasks, such as the GP (Genetic Programming approach evaluation, the individual's representation and the algorithm parameters tuning to upgrade the performance. The paper concludes with the result analysis and the description of the rules obtained, suggesting measures to avoid the occurrence of new informatics attacks. This paper is a part of the thesis work degree: Information Security Incident Analytics by Data Mining for Behavioral Modeling and Pattern Recognition (Carvajal, 2012.

77 FR 54646 - Social Security Acquiescence Ruling (AR) 12-1(8); Correction; Petersen v. Astrue, 633 F.3d 633...

Science.gov (United States)

2012-09-05

... II of the Social Security Act AGENCY: Social Security Administration. ACTION: Notice of Social Security Acquiescence Ruling; Correction. SUMMARY: The Social Security Administration published a document... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2012-0046] Social Security Acquiescence Ruling (AR...

Verifying Architectural Design Rules of the Flight Software Product Line

Science.gov (United States)

Ganesan, Dharmalingam; Lindvall, Mikael; Ackermann, Chris; McComas, David; Bartholomew, Maureen

2009-01-01

This paper presents experiences of verifying architectural design rules of the NASA Core Flight Software (CFS) product line implementation. The goal of the verification is to check whether the implementation is consistent with the CFS architectural rules derived from the developer's guide. The results indicate that consistency checking helps a) identifying architecturally significant deviations that were eluded during code reviews, b) clarifying the design rules to the team, and c) assessing the overall implementation quality. Furthermore, it helps connecting business goals to architectural principles, and to the implementation. This paper is the first step in the definition of a method for analyzing and evaluating product line implementations from an architecture-centric perspective.

The study on network security based on software engineering

Science.gov (United States)

Jia, Shande; Ao, Qian

2012-04-01

Developing a SP is a sensitive task because the SP itself can lead to security weaknesses if it is not conform to the security properties. Hence, appropriate techniques are necessary to overcome such problems. These techniques must accompany the policy throughout its deployment phases. The main contribution of this paper is then, the proposition of three of these activities: validation, test and multi-SP conflict management. Our techniques are inspired by the well established techniques of the software engineering for which we have found some similarities with the security domain.

Framework for Securing Mobile Software Agents

OpenAIRE

Mwakalinga, G Jeffy; Yngström, Louise

2006-01-01

Information systems are growing in size and complexity making it infeasible for human administrators to manage them. The aim of this work is to study ways of securing and using mobile software agents to deter attackers, protect information systems, detect intrusions, automatically respond to the intrusions and attacks, and to produce recovery services to systems after attacks. Current systems provide intrusion detection, prevention, protection, response, and recovery services but most of thes...

End-to-end Information Flow Security Model for Software-Defined Networks

Directory of Open Access Journals (Sweden)

D. Ju. Chaly

2015-01-01

Full Text Available Software-defined networks (SDN are a novel paradigm of networking which became an enabler technology for many modern applications such as network virtualization, policy-based access control and many others. Software can provide flexibility and fast-paced innovations in the networking; however, it has a complex nature. In this connection there is an increasing necessity of means for assuring its correctness and security. Abstract models for SDN can tackle these challenges. This paper addresses to confidentiality and some integrity properties of SDNs. These are critical properties for multi-tenant SDN environments, since the network management software must ensure that no confidential data of one tenant are leaked to other tenants in spite of using the same physical infrastructure. We define a notion of end-to-end security in context of software-defined networks and propose a semantic model where the reasoning is possible about confidentiality, and we can check that confidential information flows do not interfere with non-confidential ones. We show that the model can be extended in order to reason about networks with secure and insecure links which can arise, for example, in wireless environments.The article is published in the authors’ wording.

Software Assurance in Acquisition: Mitigating Risks to the Enterprise. A Reference Guide for Security-Enhanced Software Acquisition and Outsourcing

Science.gov (United States)

2009-02-01

Monitoring ISO /IEC 12207 2008(E) IEEE 1062 1998 PMBOK 3.0 Initiating Closing 3. Monitoring & Controlling 1. Planning 2. Executing Follow-on...software life cycles [ ISO /IEC 15026]. Software assurance is a key element of national security and homeland security. It is critical because dramatic...they are met. This may also include a plan for testing that SwA requirements are met. The [NDIA] and [ ISO /IEC 15026] provide details on structure and

Secure Coding for Safety I and C Systems on Nuclear Power Plants

International Nuclear Information System (INIS)

Kim, Y. M.; Park, H. S.; Kim, T. H.

2015-01-01

This paper addresses secure coding technologies which can reduce the software vulnerabilities and provides secure coding application guidelines for nuclear safety I and C systems. The use of digital equipment may improve their reliability and reduce maintenance costs. But, the design characteristics of nuclear I and C systems are becoming more complex and the possibility of cyber-attacks using software vulnerabilities has been increased. Software defects, bugs and logic flaws have been consistently the primary causes of software vulnerabilities which can introduce security vulnerabilities. In this study, we described a applying methods for secure coding which can reduce the software vulnerabilities. Software defects lists, countermeasures for each defect and coding rules can be applied properly depending on target system's condition. We expect that the results of this study can help developing the secure coding guidelines and significantly reducing or eliminating vulnerabilities in nuclear safety I and C software

Secure Coding for Safety I and C Systems on Nuclear Power Plants

Energy Technology Data Exchange (ETDEWEB)

Kim, Y. M.; Park, H. S. [Korea Institute of Nuclear Safety, Daejeon (Korea, Republic of); Kim, T. H. [Formal Works Inc., Seoul (Korea, Republic of)

2015-10-15

This paper addresses secure coding technologies which can reduce the software vulnerabilities and provides secure coding application guidelines for nuclear safety I and C systems. The use of digital equipment may improve their reliability and reduce maintenance costs. But, the design characteristics of nuclear I and C systems are becoming more complex and the possibility of cyber-attacks using software vulnerabilities has been increased. Software defects, bugs and logic flaws have been consistently the primary causes of software vulnerabilities which can introduce security vulnerabilities. In this study, we described a applying methods for secure coding which can reduce the software vulnerabilities. Software defects lists, countermeasures for each defect and coding rules can be applied properly depending on target system's condition. We expect that the results of this study can help developing the secure coding guidelines and significantly reducing or eliminating vulnerabilities in nuclear safety I and C software.

Software Implementation of a Secure Firmware Update Solution in an IOT Context

Directory of Open Access Journals (Sweden)

Lukas Kvarda

2016-01-01

Full Text Available The present paper is concerned with the secure delivery of firmware updates to Internet of Things (IoT devices. Additionally, it deals with the design of a safe and secure bootloader for a UHF RFID reader. A software implementation of a secure firmware update solution is performed. The results show there is space to integrate even more security features into existing devices.

A coverage and slicing dependencies analysis for seeking software security defects.

Science.gov (United States)

He, Hui; Zhang, Dongyan; Liu, Min; Zhang, Weizhe; Gao, Dongmin

2014-01-01

Software security defects have a serious impact on the software quality and reliability. It is a major hidden danger for the operation of a system that a software system has some security flaws. When the scale of the software increases, its vulnerability has becoming much more difficult to find out. Once these vulnerabilities are exploited, it may lead to great loss. In this situation, the concept of Software Assurance is carried out by some experts. And the automated fault localization technique is a part of the research of Software Assurance. Currently, automated fault localization method includes coverage based fault localization (CBFL) and program slicing. Both of the methods have their own location advantages and defects. In this paper, we have put forward a new method, named Reverse Data Dependence Analysis Model, which integrates the two methods by analyzing the program structure. On this basis, we finally proposed a new automated fault localization method. This method not only is automation lossless but also changes the basic location unit into single sentence, which makes the location effect more accurate. Through several experiments, we proved that our method is more effective. Furthermore, we analyzed the effectiveness among these existing methods and different faults.

Interactive Synthesis of Code Level Security Rules

Science.gov (United States)

2017-04-01

Proceedings of the 9th ACM conference on Computer and communications security, pages 235–244. ACM, 2002. [19] J. Davis. Hacking of government computers...Inductive programming meets the real world. Communications of the ACM, 58(11):90–99, 2015. [24] S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and...Software Engineering, pages 462–473. ACM, 2015. [37] S. H. Muggleton, D. Lin, and A. Tamaddoni-Nezhad. Meta-interpretive learning of higher- order dyadic

Knowledge Base for an Intelligent System in order to Identify Security Requirements for Government Agencies Software Projects

Directory of Open Access Journals (Sweden)

Adán Beltrán G.

2016-01-01

Full Text Available It has been evidenced that one of the most common causes in the failure of software security is the lack of identification and specification of requirements for information security, it is an activity with an insufficient importance in the software development or software acquisition We propose the knowledge base of CIBERREQ. CIBERREQ is an intelligent knowledge-based system used for the identification and specification of security requirements in the software development cycle or in the software acquisition. CIBERREQ receives functional software requirements written in natural language and produces non-functional security requirements through a semi-automatic process of risk management. The knowledge base built is formed by an ontology developed collaboratively by experts in information security. In this process has been identified six types of assets: electronic data, physical data, hardware, software, person and service; as well as six types of risk: competitive disadvantage, loss of credibility, economic risks, strategic risks, operational risks and legal sanctions. In addition there are defined 95 vulnerabilities, 24 threats, 230 controls, and 515 associations between concepts. Additionally, automatic expansion was used with Wikipedia for the asset types Software and Hardware, obtaining 7125 and 5894 software and hardware subtypes respectively, achieving thereby an improvement of 10% in the identification of the information assets candidates, one of the most important phases of the proposed system.

Adaptive Conflict-Free Optimization of Rule Sets for Network Security Packet Filtering Devices

Directory of Open Access Journals (Sweden)

Andrea Baiocchi

2015-01-01

Full Text Available Packet filtering and processing rules management in firewalls and security gateways has become commonplace in increasingly complex networks. On one side there is a need to maintain the logic of high level policies, which requires administrators to implement and update a large amount of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other side, traffic adaptive optimization of large rule lists is useful for general purpose computers used as filtering devices, without specific designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic adaptive algorithm to find conflict-free optimized rule sets, by relying on information gathered with traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO development on the packet filtering devices. We demonstrate the benefit entailed by the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices.

Social Security Rulings on Federal Old-Age, Survivors, Disability, Health Insurance, Supplemental Security Income, and Black Lung Benefits. Cumulative Bulletin 1976.

Science.gov (United States)

Social Security Administration (DHEW), Washington, DC.

The purpose of this publication is to make available to the public official rulings relating to the Federal old-age, survivors, disability, health insurance, supplemental security income, and miners' benefit programs. The rulings contain precedential case decisions, statements of policy and interpretations of the law and regulations. Included is a…

Using Bayesian Networks and Decision Theory to Model Physical Security

National Research Council Canada - National Science Library

Roberts, Nancy

2003-01-01

.... Cameras, sensors and other components used along with the simple rules in the home automation software provide an environment where the lights, security and other appliances can be monitored and controlled...

Security Situation Assessment of All-Optical Network Based on Evidential Reasoning Rule

Directory of Open Access Journals (Sweden)

Zhong-Nan Zhao

2016-01-01

Full Text Available It is important to determine the security situations of the all-optical network (AON, which is more vulnerable to hacker attacks and faults than other networks in some cases. A new approach of the security situation assessment to the all-optical network is developed in this paper. In the new assessment approach, the evidential reasoning (ER rule is used to integrate various evidences of the security factors including the optical faults and the special attacks in the AON. Furthermore, a new quantification method of the security situation is also proposed. A case study of an all-optical network is conducted to demonstrate the effectiveness and the practicability of the new proposed approach.

Strengthening Software Authentication with the ROSE Software Suite

International Nuclear Information System (INIS)

White, G

2006-01-01

Many recent nonproliferation and arms control software projects include a software authentication regime. These include U.S. Government-sponsored projects both in the United States and in the Russian Federation (RF). This trend toward requiring software authentication is only accelerating. Demonstrating assurance that software performs as expected without hidden ''backdoors'' is crucial to a project's success. In this context, ''authentication'' is defined as determining that a software package performs only its intended purpose and performs said purpose correctly and reliably over the planned duration of an agreement. In addition to visual inspections by knowledgeable computer scientists, automated tools are needed to highlight suspicious code constructs, both to aid visual inspection and to guide program development. While many commercial tools are available for portions of the authentication task, they are proprietary and not extensible. An open-source, extensible tool can be customized to the unique needs of each project (projects can have both common and custom rules to detect flaws and security holes). Any such extensible tool has to be based on a complete language compiler. ROSE is precisely such a compiler infrastructure developed within the Department of Energy (DOE) and targeted at the optimization of scientific applications and user-defined libraries within large-scale applications (typically applications of a million lines of code). ROSE is a robust, source-to-source analysis and optimization infrastructure currently addressing large, million-line DOE applications in C and C++ (handling the full C, C99, C++ languages and with current collaborations to support Fortran90). We propose to extend ROSE to address a number of security-specific requirements, and apply it to software authentication for nonproliferation and arms control projects

Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice

Science.gov (United States)

Karasz, Hilary N.; Eiden, Amy; Bogan, Sharon

2013-01-01

Text messaging is a powerful communication tool for public health purposes, particularly because of the potential to customize messages to meet individuals’ needs. However, using text messaging to send personal health information requires analysis of laws addressing the protection of electronic health information. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is written with flexibility to account for changing technologies. In practice, however, the rule leads to uncertainty about how to make text messaging policy decisions. Text messaging to send health information can be implemented in a public health setting through 2 possible approaches: restructuring text messages to remove personal health information and retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule. PMID:23409902

The EU’s Cybercrime and Cyber-Security Rule-Making: Mapping the Internal and External Dimensions of EU Security

NARCIS (Netherlands)

Fahey, E.

2014-01-01

EU Security impacts significantly upon individuals and generates many questions of the rule of law, legal certainty and fundamental rights. These are not always central concerns for EU risk regulation, especially given that EU risk regulation has sought to draw close correlations between EU risk and

A taxonomy and discussion of software attack technologies

Science.gov (United States)

Banks, Sheila B.; Stytz, Martin R.

2005-03-01

Software is a complex thing. It is not an engineering artifact that springs forth from a design by simply following software coding rules; creativity and the human element are at the heart of the process. Software development is part science, part art, and part craft. Design, architecture, and coding are equally important activities and in each of these activities, errors may be introduced that lead to security vulnerabilities. Therefore, inevitably, errors enter into the code. Some of these errors are discovered during testing; however, some are not. The best way to find security errors, whether they are introduced as part of the architecture development effort or coding effort, is to automate the security testing process to the maximum extent possible and add this class of tools to the tools available, which aids in the compilation process, testing, test analysis, and software distribution. Recent technological advances, improvements in computer-generated forces (CGFs), and results in research in information assurance and software protection indicate that we can build a semi-intelligent software security testing tool. However, before we can undertake the security testing automation effort, we must understand the scope of the required testing, the security failures that need to be uncovered during testing, and the characteristics of the failures. Therefore, we undertook the research reported in the paper, which is the development of a taxonomy and a discussion of software attacks generated from the point of view of the security tester with the goal of using the taxonomy to guide the development of the knowledge base for the automated security testing tool. The representation for attacks and threat cases yielded by this research captures the strategies, tactics, and other considerations that come into play during the planning and execution of attacks upon application software. The paper is organized as follows. Section one contains an introduction to our research

Fault Tree Analysis for Safety/Security Verification in Aviation Software

Directory of Open Access Journals (Sweden)

Andrew J. Kornecki

2013-01-01

Full Text Available The Next Generation Air Traffic Management system (NextGen is a blueprint of the future National Airspace System. Supporting NextGen is a nation-wide Aviation Simulation Network (ASN, which allows integration of a variety of real-time simulations to facilitate development and validation of the NextGen software by simulating a wide range of operational scenarios. The ASN system is an environment, including both simulated and human-in-the-loop real-life components (pilots and air traffic controllers. Real Time Distributed Simulation (RTDS developed at Embry Riddle Aeronautical University, a suite of applications providing low and medium fidelity en-route simulation capabilities, is one of the simulations contributing to the ASN. To support the interconnectivity with the ASN, we designed and implemented a dedicated gateway acting as an intermediary, providing logic for two-way communication and transfer messages between RTDS and ASN and storage for the exchanged data. It has been necessary to develop and analyze safety/security requirements for the gateway software based on analysis of system assets, hazards, threats and attacks related to ultimate real-life future implementation. Due to the nature of the system, the focus was placed on communication security and the related safety of the impacted aircraft in the simulation scenario. To support development of safety/security requirements, a well-established fault tree analysis technique was used. This fault tree model-based analysis, supported by a commercial tool, was a foundation to propose mitigations assuring the gateway system safety and security. 

Understanding How the "Open" of Open Source Software (OSS) Will Improve Global Health Security.

Science.gov (United States)

Hahn, Erin; Blazes, David; Lewis, Sheri

2016-01-01

Improving global health security will require bold action in all corners of the world, particularly in developing settings, where poverty often contributes to an increase in emerging infectious diseases. In order to mitigate the impact of emerging pandemic threats, enhanced disease surveillance is needed to improve early detection and rapid response to outbreaks. However, the technology to facilitate this surveillance is often unattainable because of high costs, software and hardware maintenance needs, limited technical competence among public health officials, and internet connectivity challenges experienced in the field. One potential solution is to leverage open source software, a concept that is unfortunately often misunderstood. This article describes the principles and characteristics of open source software and how it may be applied to solve global health security challenges.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules.

Science.gov (United States)

2013-01-25

The Department of Health and Human Services (HHS or ``the Department'') is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (``the HITECH Act'' or ``the Act'') to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

An Analysis of Security and Privacy Issues in Smart Grid Software Architectures on Clouds

Energy Technology Data Exchange (ETDEWEB)

Simmhan, Yogesh; Kumbhare, Alok; Cao, Baohua; Prasanna, Viktor K.

2011-07-09

Power utilities globally are increasingly upgrading to Smart Grids that use bi-directional communication with the consumer to enable an information-driven approach to distributed energy management. Clouds offer features well suited for Smart Grid software platforms and applications, such as elastic resources and shared services. However, the security and privacy concerns inherent in an information rich Smart Grid environment are further exacerbated by their deployment on Clouds. Here, we present an analysis of security and privacy issues in a Smart Grids software architecture operating on different Cloud environments, in the form of a taxonomy. We use the Los Angeles Smart Grid Project that is underway in the largest U.S. municipal utility to drive this analysis that will benefit both Cloud practitioners targeting Smart Grid applications, and Cloud researchers investigating security and privacy.

Secure eHealth-Care Service on Self-Organizing Software Platform

Directory of Open Access Journals (Sweden)

Im Y. Jung

2014-01-01

Full Text Available There are several applications connected to IT health devices on the self-organizing software platform (SoSp that allow patients or elderly users to be cared for remotely by their family doctors under normal circumstances or during emergencies. An evaluation of the SoSp applied through PAAR watch/self-organizing software platform router was conducted targeting a simple user interface for aging users, without the existence of extrasettings based on patient movement. On the other hand, like normal medical records, the access to, and transmission of, health information via PAAR watch/self-organizing software platform requires privacy protection. This paper proposes a security framework for health information management of the SoSp. The proposed framework was designed to ensure easy detection of identification information for typical users. In addition, it provides powerful protection of the user’s health information.

78 FR 9987 - Social Security Ruling, SSR 13-1p; Titles II and XVI: Agency Processes for Addressing Allegations...

Science.gov (United States)

2013-02-12

... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2012-0071] Social Security Ruling, SSR 13-1p; Titles II and XVI: Agency Processes for Addressing Allegations of Unfairness, Prejudice, Partiality, Bias, Misconduct, or Discrimination by Administrative Law Judges (ALJs); Correction AGENCY: Social Security...

78 FR 22361 - Social Security Ruling, SSR 13-1p; Titles II and XVI: Agency Processes for Addressing Allegations...

Science.gov (United States)

2013-04-15

... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2012-0071] Social Security Ruling, SSR 13-1p; Titles II and XVI: Agency Processes for Addressing Allegations of Unfairness, Prejudice, Partiality, Bias, Misconduct, or Discrimination by Administrative Law Judges (ALJs); Correction AGENCY: Social Security...

78 FR 12130 - Social Security Ruling, SSR 13-3p; Appeal of an Initial Medical Disability Cessation...

Science.gov (United States)

2013-02-21

... determination. This Ruling also clarifies how this policy applies at the Appeals Council (AC) level when the AC.... Policy Interpretation Ruling Title II: Appeal of an Initial Medical Disability Cessation Determination or...; Appeal of an Initial Medical Disability Cessation Determination or Decision AGENCY: Social Security...

Rules of thumb to increase the software quality through testing

Science.gov (United States)

Buttu, M.; Bartolini, M.; Migoni, C.; Orlati, A.; Poppi, S.; Righini, S.

2016-07-01

The software maintenance typically requires 40-80% of the overall project costs, and this considerable variability mostly depends on the software internal quality: the more the software is designed and implemented to constantly welcome new changes, the lower will be the maintenance costs. The internal quality is typically enforced through testing, which in turn also affects the development and maintenance costs. This is the reason why testing methodologies have become a major concern for any company that builds - or is involved in building - software. Although there is no testing approach that suits all contexts, we infer some general guidelines learned during the Development of the Italian Single-dish COntrol System (DISCOS), which is a project aimed at producing the control software for the three INAF radio telescopes (the Medicina and Noto dishes, and the newly-built SRT). These guidelines concern both the development and the maintenance phases, and their ultimate goal is to maximize the DISCOS software quality through a Behavior-Driven Development (BDD) workflow beside a continuous delivery pipeline. We consider different topics and patterns; they involve the proper apportion of the tests (from end-to-end to low-level tests), the choice between hardware simulators and mockers, why and how to apply TDD and the dependency injection to increase the test coverage, the emerging technologies available for test isolation, bug fixing, how to protect the system from the external resources changes (firmware updating, hardware substitution, etc.) and, eventually, how to accomplish BDD starting from functional tests and going through integration and unit tests. We discuss pros and cons of each solution and point out the motivations of our choices either as a general rule or narrowed in the context of the DISCOS project.

Privacy and security of patient data in the pathology laboratory.

Science.gov (United States)

Cucoranu, Ioan C; Parwani, Anil V; West, Andrew J; Romero-Lauro, Gonzalo; Nauman, Kevin; Carter, Alexis B; Balis, Ulysses J; Tuthill, Mark J; Pantanowitz, Liron

2013-01-01

Data protection and security are critical components of routine pathology practice because laboratories are legally required to securely store and transmit electronic patient data. With increasing connectivity of information systems, laboratory work-stations, and instruments themselves to the Internet, the demand to continuously protect and secure laboratory information can become a daunting task. This review addresses informatics security issues in the pathology laboratory related to passwords, biometric devices, data encryption, internet security, virtual private networks, firewalls, anti-viral software, and emergency security situations, as well as the potential impact that newer technologies such as mobile devices have on the privacy and security of electronic protected health information (ePHI). In the United States, the Health Insurance Portability and Accountability Act (HIPAA) govern the privacy and protection of medical information and health records. The HIPAA security standards final rule mandate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Importantly, security failures often lead to privacy breaches, invoking the HIPAA privacy rule as well. Therefore, this review also highlights key aspects of HIPAA and its impact on the pathology laboratory in the United States.

Privacy and security of patient data in the pathology laboratory

Directory of Open Access Journals (Sweden)

Ioan C Cucoranu

2013-01-01

Full Text Available Data protection and security are critical components of routine pathology practice because laboratories are legally required to securely store and transmit electronic patient data. With increasing connectivity of information systems, laboratory work-stations, and instruments themselves to the Internet, the demand to continuously protect and secure laboratory information can become a daunting task. This review addresses informatics security issues in the pathology laboratory related to passwords, biometric devices, data encryption, internet security, virtual private networks, firewalls, anti-viral software, and emergency security situations, as well as the potential impact that newer technologies such as mobile devices have on the privacy and security of electronic protected health information (ePHI. In the United States, the Health Insurance Portability and Accountability Act (HIPAA govern the privacy and protection of medical information and health records. The HIPAA security standards final rule mandate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Importantly, security failures often lead to privacy breaches, invoking the HIPAA privacy rule as well. Therefore, this review also highlights key aspects of HIPAA and its impact on the pathology laboratory in the United States.

A Security Assessment Mechanism for Software-Defined Networking-Based Mobile Networks

Directory of Open Access Journals (Sweden)

Shibo Luo

2015-12-01

Full Text Available Software-Defined Networking-based Mobile Networks (SDN-MNs are considered the future of 5G mobile network architecture. With the evolving cyber-attack threat, security assessments need to be performed in the network management. Due to the distinctive features of SDN-MNs, such as their dynamic nature and complexity, traditional network security assessment methodologies cannot be applied directly to SDN-MNs, and a novel security assessment methodology is needed. In this paper, an effective security assessment mechanism based on attack graphs and an Analytic Hierarchy Process (AHP is proposed for SDN-MNs. Firstly, this paper discusses the security assessment problem of SDN-MNs and proposes a methodology using attack graphs and AHP. Secondly, to address the diversity and complexity of SDN-MNs, a novel attack graph definition and attack graph generation algorithm are proposed. In order to quantify security levels, the Node Minimal Effort (NME is defined to quantify attack cost and derive system security levels based on NME. Thirdly, to calculate the NME of an attack graph that takes the dynamic factors of SDN-MN into consideration, we use AHP integrated with the Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS as the methodology. Finally, we offer a case study to validate the proposed methodology. The case study and evaluation show the advantages of the proposed security assessment mechanism.

A Security Assessment Mechanism for Software-Defined Networking-Based Mobile Networks.

Science.gov (United States)

Luo, Shibo; Dong, Mianxiong; Ota, Kaoru; Wu, Jun; Li, Jianhua

2015-12-17

Software-Defined Networking-based Mobile Networks (SDN-MNs) are considered the future of 5G mobile network architecture. With the evolving cyber-attack threat, security assessments need to be performed in the network management. Due to the distinctive features of SDN-MNs, such as their dynamic nature and complexity, traditional network security assessment methodologies cannot be applied directly to SDN-MNs, and a novel security assessment methodology is needed. In this paper, an effective security assessment mechanism based on attack graphs and an Analytic Hierarchy Process (AHP) is proposed for SDN-MNs. Firstly, this paper discusses the security assessment problem of SDN-MNs and proposes a methodology using attack graphs and AHP. Secondly, to address the diversity and complexity of SDN-MNs, a novel attack graph definition and attack graph generation algorithm are proposed. In order to quantify security levels, the Node Minimal Effort (NME) is defined to quantify attack cost and derive system security levels based on NME. Thirdly, to calculate the NME of an attack graph that takes the dynamic factors of SDN-MN into consideration, we use AHP integrated with the Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) as the methodology. Finally, we offer a case study to validate the proposed methodology. The case study and evaluation show the advantages of the proposed security assessment mechanism.

The influence of human factor on security of software intended for educational purposes

Directory of Open Access Journals (Sweden)

Valeriy Valentinovich Gurov

2016-06-01

Full Text Available The report considers the construction and analysis of attack tree on the software tools intended for educational purposes. This takes into account different groups of attackers. The criterion of security for such tools is introduced.

Informatics in Radiology (infoRAD): personal computer security: part 2. Software Configuration and file protection.

Science.gov (United States)

Caruso, Ronald D

2004-01-01

Proper configuration of software security settings and proper file management are necessary and important elements of safe computer use. Unfortunately, the configuration of software security options is often not user friendly. Safe file management requires the use of several utilities, most of which are already installed on the computer or available as freeware. Among these file operations are setting passwords, defragmentation, deletion, wiping, removal of personal information, and encryption. For example, Digital Imaging and Communications in Medicine medical images need to be anonymized, or "scrubbed," to remove patient identifying information in the header section prior to their use in a public educational or research environment. The choices made with respect to computer security may affect the convenience of the computing process. Ultimately, the degree of inconvenience accepted will depend on the sensitivity of the files and communications to be protected and the tolerance of the user. Copyright RSNA, 2004

Controls Over Operating System and Security Software Supporting the Defense Finance and Accounting Service

National Research Council Canada - National Science Library

1993-01-01

... programs from one another. Security software provides access controls that restrict the use of computer resources to authorized individuals and limit those individuals to the computer resources required to perform their jobs...

77 FR 51842 - Social Security Acquiescence Ruling (AR) 12-X(8); Petersen v. Astrue, 633 F.3d 633 (8th Cir. 2011...

Science.gov (United States)

2012-08-27

..., 1-800-772-1213 or TTY 1-800-325-0778, or visit our Internet site, Social Security Online, at http... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2012-0046] Social Security Acquiescence Ruling (AR... Social Security Act AGENCY: Social Security Administration. ACTION: Notice of Social Security...

Secure it now or secure it later: the benefits of addressing cyber-security from the outset

Science.gov (United States)

Olama, Mohammed M.; Nutaro, James

2013-05-01

The majority of funding for research and development (R&D) in cyber-security is focused on the end of the software lifecycle where systems have been deployed or are nearing deployment. Recruiting of cyber-security personnel is similarly focused on end-of-life expertise. By emphasizing cyber-security at these late stages, security problems are found and corrected when it is most expensive to do so, thus increasing the cost of owning and operating complex software systems. Worse, expenditures on expensive security measures often mean less money for innovative developments. These unwanted increases in cost and potential slowing of innovation are unavoidable consequences of an approach to security that finds and remediate faults after software has been implemented. We argue that software security can be improved and the total cost of a software system can be substantially reduced by an appropriate allocation of resources to the early stages of a software project. By adopting a similar allocation of R&D funds to the early stages of the software lifecycle, we propose that the costs of cyber-security can be better controlled and, consequently, the positive effects of this R&D on industry will be much more pronounced.

17 CFR 249.1100 - Form MSD, application for registration as a municipal securities dealer pursuant to rule 15Ba2-1...

Science.gov (United States)

2010-04-01

... 17 Commodity and Securities Exchanges 3 2010-04-01 2010-04-01 false Form MSD, application for registration as a municipal securities dealer pursuant to rule 15Ba2-1 under the Securities Exchange Act of 1934 or amendment to such application. 249.1100 Section 249.1100 Commodity and Securities Exchanges SECURITIES AND EXCHANGE COMMISSION (CONTINUED...

An Embedded System for Safe, Secure and Reliable Execution of High Consequence Software

Energy Technology Data Exchange (ETDEWEB)

MCCOY,JAMES A.

2000-08-29

As more complex and functionally diverse requirements are placed on high consequence embedded applications, ensuring safe and secure operation requires an execution environment that is ultra reliable from a system viewpoint. In many cases the safety and security of the system depends upon the reliable cooperation between the hardware and the software to meet real-time system throughput requirements. The selection of a microprocessor and its associated development environment for an embedded application has the most far-reaching effects on the development and production of the system than any other element in the design. The effects of this choice ripple through the remainder of the hardware design and profoundly affect the entire software development process. While state-of-the-art software engineering principles indicate that an object oriented (OO) methodology provides a superior development environment, traditional programming languages available for microprocessors targeted for deeply embedded applications do not directly support OO techniques. Furthermore, the microprocessors themselves do not typically support nor do they enforce an OO environment. This paper describes a system level approach for the design of a microprocessor intended for use in deeply embedded high consequence applications that both supports and enforces an OO execution environment.

Supporting secure programming in web applications through interactive static analysis.

Science.gov (United States)

Zhu, Jun; Xie, Jing; Lipford, Heather Richter; Chu, Bill

2014-07-01

Many security incidents are caused by software developers' failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Controls Over Operating System and Security Software Supporting the Defense Finance and Accounting Service

National Research Council Canada - National Science Library

McKinney, Terry

1994-01-01

This is the final in a series of three audits of management controls over the operating systems and security software used by the information processing centers that support the Defense Finance and Accounting Centers (DFAS...

Business rules for creating process flexibility : Mapping RIF rules and BDI rules

NARCIS (Netherlands)

Gong, Y.; Overbeek, S.J.; Janssen, M.

2011-01-01

Business rules and software agents can be used for creating flexible business processes. The Rule Interchange Format (RIF) is a new W3C recommendation standard for exchanging rules among disparate systems. Yet, the impact that the introduction of RIF has on the design of flexible business processes

Methodological approaches based on business rules

Directory of Open Access Journals (Sweden)

Anca Ioana ANDREESCU

2008-01-01

Full Text Available Business rules and business processes are essential artifacts in defining the requirements of a software system. Business processes capture business behavior, while rules connect processes and thus control processes and business behavior. Traditionally, rules are scattered inside application code. This approach makes it very difficult to change rules and shorten the life cycle of the software system. Because rules change more quickly than the application itself, it is desirable to externalize the rules and move them outside the application. This paper analyzes and evaluates three well-known business rules approaches. It also outlines some critical factors that have to be taken into account in the decision to introduce business rules facilities in a software system. Based on the concept of explicit manipulation of business rules in a software system, the need for a general approach based on business rules is discussed.

A resilient and secure software platform and architecture for distributed spacecraft

Science.gov (United States)

Otte, William R.; Dubey, Abhishek; Karsai, Gabor

2014-06-01

A distributed spacecraft is a cluster of independent satellite modules flying in formation that communicate via ad-hoc wireless networks. This system in space is a cloud platform that facilitates sharing sensors and other computing and communication resources across multiple applications, potentially developed and maintained by different organizations. Effectively, such architecture can realize the functions of monolithic satellites at a reduced cost and with improved adaptivity and robustness. Openness of these architectures pose special challenges because the distributed software platform has to support applications from different security domains and organizations, and where information flows have to be carefully managed and compartmentalized. If the platform is used as a robust shared resource its management, configuration, and resilience becomes a challenge in itself. We have designed and prototyped a distributed software platform for such architectures. The core element of the platform is a new operating system whose services were designed to restrict access to the network and the file system, and to enforce resource management constraints for all non-privileged processes Mixed-criticality applications operating at different security labels are deployed and controlled by a privileged management process that is also pre-configuring all information flows. This paper describes the design and objective of this layer.

78 FR 8217 - Social Security Ruling, SSR 13-1p; Titles II and XVI: Agency Processes for Addressing Allegations...

Science.gov (United States)

2013-02-05

... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2012-0071] Social Security Ruling, SSR 13-1p; Titles II and XVI: Agency Processes for Addressing Allegations of Unfairness, Prejudice, Partiality, Bias... the third column, the fourth line under the ``Summary'' heading, change ``SSR-13-Xp'' to ``SSR-13-1p...

Machine Learning for Security

CERN Multimedia

CERN. Geneva

2015-01-01

Applied statistics, aka ‘Machine Learning’, offers a wealth of techniques for answering security questions. It’s a much hyped topic in the big data world, with many companies now providing machine learning as a service. This talk will demystify these techniques, explain the math, and demonstrate their application to security problems. The presentation will include how-to’s on classifying malware, looking into encrypted tunnels, and finding botnets in DNS data. About the speaker Josiah is a security researcher with HP TippingPoint DVLabs Research Group. He has over 15 years of professional software development experience. Josiah used to do AI, with work focused on graph theory, search, and deductive inference on large knowledge bases. As rules only get you so far, he moved from AI to using machine learning techniques identifying failure modes in email traffic. There followed digressions into clustered data storage and later integrated control systems. Current ...

Secure Web Developers Needed!

CERN Multimedia

Computer Security Team

2012-01-01

You’re about to launch a new website? Cool!! With today’s web programming languages like PHP, Java, Python or Perl, complex websites can be created, easily fulfilling all your use cases. But hold on. Did you ever think about how easily this can be abused? Attackers today are already using automatic tools which can quickly and easily find and exploit vulnerable web applications.   Web applications often suffer from security vulnerabilities, i.e. design flaws or programming bugs that remained undetected during the whole software development cycle. In production these vulnerabilities become security holes, providing an opportunity for exploitation, and can pose immense security risks (and there is no reason to believe that CERN is immune to this). The costs associated with eliminating these bugs could be loosely described by the "1:10:100 rule", i.e. the relative costs for fixing are 1:10:100 for fixing them in the programming:testing:production phases. Thus, the...

Advanced I and C system of security level for nuclear power station

International Nuclear Information System (INIS)

Liu Yanyang

2001-01-01

Advanced I and C system of security level using for PWR developed by Framatome and Schneider collective, SPINLINE3, are introduced. The technology is used to outside reactor nuclear measurement system in Qinshan II period. It's succeed benefits by Framatome and Schneider's more years development experience in nuclear power station digitallization security level I and C system field, which improve security and reliability of PWR, and, easy operation and maintains. SPINLINE3 based on digitallization and modularization technical proposal, and covered entireness reactor protect system and correlative control system. The paper also introduce CLARISSE (computer aided design aid) and SCADE (embedded software aid) for developing SPINLINE3. SPINLINE3 fills correlative IS and rule, based on software and hardware unit which certificate and launch into operation. After brief review of Framatome and Schneider's experience, the paper are introducing design guideline, application technology and how to fill demand of security level I and C system

78 FR 17066 - Indirect Stock Transfers and Coordination Rule Exceptions; Transfers of Stock or Securities in...

Science.gov (United States)

2013-03-19

... Indirect Stock Transfers and Coordination Rule Exceptions; Transfers of Stock or Securities in Outbound... issue of the Federal Register, the IRS and the Treasury Department are issuing temporary regulations... stock transfers for certain outbound asset reorganizations. The temporary regulations also modify the...

Supporting secure programming in web applications through interactive static analysis

Science.gov (United States)

Zhu, Jun; Xie, Jing; Lipford, Heather Richter; Chu, Bill

2013-01-01

Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases. PMID:25685513

Supporting secure programming in web applications through interactive static analysis

Directory of Open Access Journals (Sweden)

Jun Zhu

2014-07-01

Full Text Available Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Software Quality and Security in Teachers' and Students' Codes When Learning a New Programming Language

Directory of Open Access Journals (Sweden)

Arnon Hershkovitz

2015-09-01

Full Text Available In recent years, schools (as well as universities have added cyber security to their computer science curricula. This topic is still new for most of the current teachers, who would normally have a standard computer science background. Therefore the teachers are trained and then teaching their students what they have just learned. In order to explore differences in both populations’ learning, we compared measures of software quality and security between high-school teachers and students. We collected 109 source files, written in Python by 18 teachers and 31 students, and engineered 32 features, based on common standards for software quality (PEP 8 and security (derived from CERT Secure Coding Standards. We use a multi-view, data-driven approach, by (a using hierarchical clustering to bottom-up partition the population into groups based on their code-related features and (b building a decision tree model that predicts whether a student or a teacher wrote a given code (resulting with a LOOCV kappa of 0.751. Overall, our findings suggest that the teachers’ codes have a better quality than the students’ – with a sub-group of the teachers, mostly males, demonstrate better coding than their peers and the students – and that the students’ codes are slightly better secured than the teachers’ codes (although both populations show very low security levels. The findings imply that teachers might benefit from their prior knowledge and experience, but also emphasize the lack of continuous involvement of some of the teachers with code-writing. Therefore, findings shed light on computer science teachers as lifelong learners. Findings also highlight the difference between quality and security in today’s programming paradigms. Implications for these findings are discussed.

Vehicle security encryption based on unlicensed encryption

Science.gov (United States)

Huang, Haomin; Song, Jing; Xu, Zhijia; Ding, Xiaoke; Deng, Wei

2018-03-01

The current vehicle key is easy to be destroyed and damage, proposing the use of elliptical encryption algorithm is improving the reliability of vehicle security system. Based on the encryption rules of elliptic curve, the chip's framework and hardware structure are designed, then the chip calculation process simulation has been analyzed by software. The simulation has been achieved the expected target. Finally, some issues pointed out in the data calculation about the chip's storage control and other modules.

An Application of Alloy to Static Analysis for Secure Information Flow and Verification of Software Systems

National Research Council Canada - National Science Library

Shaffer, Alan B

2008-01-01

Within a multilevel secure (MLS) system, flaws in design and implementation can result in overt and covert channels, both of which may be exploited by malicious software to cause unauthorized information flows...

Security Policy and Developments in Central Asia : Security Documents Compared with Security Challenges

NARCIS (Netherlands)

Haas, de M.

2016-01-01

This article examines the security policy of the Central Asian (CA) states, by comparing theory (security documents) with practice (the actual security challenges). The lack of CA regional (security) cooperation and authoritarian rule puts political and economic stability at stake. The internal and

Using Bayesian Networks and Decision Theory to Model Physical Security

Science.gov (United States)

2003-02-01

Home automation technologies allow a person to monitor and control various activities within a home or office setting. Cameras, sensors and other...components used along with the simple rules in the home automation software provide an environment where the lights, security and other appliances can be...monitored and controlled. These home automation technologies, however, lack the power to reason under uncertain conditions and thus the system can

Modelling security and trust with Secure Tropos

NARCIS (Netherlands)

Giorgini, P.; Mouratidis, H.; Zannone, N.; Mouratidis, H.; Giorgini, P.

2006-01-01

Although the concepts of security and trust play an important issue in the development of information systems, they have been mainly neglected by software engineering methodologies. In this chapter we present an approach that considers security and trust throughout the software development process.

A Proven Methodology for Developing Secure Software and Applying It to Ground Systems

Science.gov (United States)

Bailey, Brandon

2016-01-01

Part Two expands upon Part One in an attempt to translate the methodology for ground system personnel. The goal is to build upon the methodology presented in Part One by showing examples and details on how to implement the methodology. Section 1: Ground Systems Overview; Section 2: Secure Software Development; Section 3: Defense in Depth for Ground Systems; Section 4: What Now?

Methodological approaches based on business rules

OpenAIRE

Anca Ioana ANDREESCU; Adina UTA

2008-01-01

Business rules and business processes are essential artifacts in defining the requirements of a software system. Business processes capture business behavior, while rules connect processes and thus control processes and business behavior. Traditionally, rules are scattered inside application code. This approach makes it very difficult to change rules and shorten the life cycle of the software system. Because rules change more quickly than the application itself, it is desirable to externalize...

Security in software-defined wireless sensor networks: threats, challenges and potential solutions

CSIR Research Space (South Africa)

Pritchard, SW

2017-07-01

Full Text Available have focused on low resource cryptography methods to secure the network [27] - [29], [33]. Cryptography methods are separated into symmetric cryptography and asymmetric cryptography. While symmetric cryptography solutions are preferred due to low... implementation cost and efficiency [5], they present many problems when managing large networks and attempts to improve this cryptography for WSNs [11] have resulted in the cost of resources. Symmetric cryptography is also difficult to implement in software...

Automated Source Code Analysis to Identify and Remove Software Security Vulnerabilities: Case Studies on Java Programs

OpenAIRE

Natarajan Meghanathan

2013-01-01

The high-level contribution of this paper is to illustrate the development of generic solution strategies to remove software security vulnerabilities that could be identified using automated tools for source code analysis on software programs (developed in Java). We use the Source Code Analyzer and Audit Workbench automated tools, developed by HP Fortify Inc., for our testing purposes. We present case studies involving a file writer program embedded with features for password validation, and ...

Time Synchronization Prototype, Server Upgrade Procedure Support and Remote Software Development

Science.gov (United States)

Sanders, Shania R.

2014-01-01

Networks are roadways of communication that connect devices. Like all roadways, there are rules and regulations that govern whatever (information in this case) travels along them. One type of rule that is commonly used is called a protocol. More specifically, a protocol is a standard that specifies how data should be transmitted over a network. The project outlined in this document seeks to implement one protocol in particular, Precision Time Protocol, within the Kennedy Ground Control Subsystem network at Kennedy Space Center. This document also summarizes work completed for server upgrades, remote software developer training and how all three assignments demonstrated the importance of accountability and security.

Hybrid Security Policies

Directory of Open Access Journals (Sweden)

Radu CONSTANTINESCU

2006-01-01

Full Text Available Policy is defined as the rules and regulations set by the organization. They are laid down by management in compliance with industry regulations, law and internal decisions. Policies are mandatory. Security policies rules how the information is protected against security vulnerabilities and they are the basis for security awareness, training and vital for security audits. Policies are focused on desired results. The means of achieving the goals are defined on controls, standards and procedures.

New security measures are proposed for N-plants: Insider Rule package is issued by NRC

International Nuclear Information System (INIS)

Anon.

1984-01-01

New rules proposed by the Nuclear Regulatory Commission (NRC) will require background investigations and psychological assessments of new job candidates and continual monitoring of the behavior of all power plant workers with access to sensitive areas. Licensees will have to submit an ''access authorization'' program for approval describing how they will conduct these security activities. The employee checks will go back five years to examine credit, educational, and criminal histories. Implementation of the rules could involve the Edison Electric Institute as an intermediary to funnel criminal checks from the Justice Department and FBI. The NRC is also considering a clarification of areas designated as ''vital'' because current designations may be too strict

Quantitative Analysis of the Security of Software-Defined Network Controller Using Threat/Effort Model

Directory of Open Access Journals (Sweden)

Zehui Wu

2017-01-01

Full Text Available SDN-based controller, which is responsible for the configuration and management of the network, is the core of Software-Defined Networks. Current methods, which focus on the secure mechanism, use qualitative analysis to estimate the security of controllers, leading to inaccurate results frequently. In this paper, we employ a quantitative approach to overcome the above shortage. Under the analysis of the controller threat model we give the formal model results of the APIs, the protocol interfaces, and the data items of controller and further provide our Threat/Effort quantitative calculation model. With the help of Threat/Effort model, we are able to compare not only the security of different versions of the same kind controller but also different kinds of controllers and provide a basis for controller selection and secure development. We evaluated our approach in four widely used SDN-based controllers which are POX, OpenDaylight, Floodlight, and Ryu. The test, which shows the similarity outcomes with the traditional qualitative analysis, demonstrates that with our approach we are able to get the specific security values of different controllers and presents more accurate results.

Proactive Security Testing and Fuzzing

Science.gov (United States)

Takanen, Ari

Software is bound to have security critical flaws, and no testing or code auditing can ensure that software is flaw-less. But software security testing requirements have improved radically during the past years, largely due to criticism from security conscious consumers and Enterprise customers. Whereas in the past, security flaws were taken for granted (and patches were quietly and humbly installed), they now are probably one of the most common reasons why people switch vendors or software providers. The maintenance costs from security updates often add to become one of the biggest cost items to large Enterprise users. Fortunately test automation techniques have also improved. Techniques like model-based testing (MBT) enable efficient generation of security tests that reach good confidence levels in discovering zero-day mistakes in software. This technique is called fuzzing.

Key on demand (KoD) for software-defined optical networks secured by quantum key distribution (QKD).

Science.gov (United States)

Cao, Yuan; Zhao, Yongli; Colman-Meixner, Carlos; Yu, Xiaosong; Zhang, Jie

2017-10-30

Software-defined optical networking (SDON) will become the next generation optical network architecture. However, the optical layer and control layer of SDON are vulnerable to cyberattacks. While, data encryption is an effective method to minimize the negative effects of cyberattacks, secure key interchange is its major challenge which can be addressed by the quantum key distribution (QKD) technique. Hence, in this paper we discuss the integration of QKD with WDM optical networks to secure the SDON architecture by introducing a novel key on demand (KoD) scheme which is enabled by a novel routing, wavelength and key assignment (RWKA) algorithm. The QKD over SDON with KoD model follows two steps to provide security: i) quantum key pools (QKPs) construction for securing the control channels (CChs) and data channels (DChs); ii) the KoD scheme uses RWKA algorithm to allocate and update secret keys for different security requirements. To test our model, we define a security probability index which measures the security gain in CChs and DChs. Simulation results indicate that the security performance of CChs and DChs can be enhanced by provisioning sufficient secret keys in QKPs and performing key-updating considering potential cyberattacks. Also, KoD is beneficial to achieve a positive balance between security requirements and key resource usage.

Software To Secure Distributed Propulsion Simulations

Science.gov (United States)

Blaser, Tammy M.

2003-01-01

Distributed-object computing systems are presented with many security threats, including network eavesdropping, message tampering, and communications middleware masquerading. NASA Glenn Research Center, and its industry partners, has taken an active role in mitigating the security threats associated with developing and operating their proprietary aerospace propulsion simulations. In particular, they are developing a collaborative Common Object Request Broker Architecture (CORBA) Security (CORBASec) test bed to secure their distributed aerospace propulsion simulations. Glenn has been working with its aerospace propulsion industry partners to deploy the Numerical Propulsion System Simulation (NPSS) object-based technology. NPSS is a program focused on reducing the cost and time in developing aerospace propulsion engines

Security requirements engineering : the SI* modeling language and the Secure Tropos methodology

NARCIS (Netherlands)

Massacci, F.; Mylopoulos, J.; Zannone, N.; Ras, Z.W.; Tsay, L.-S.

2010-01-01

Security Requirements Engineering is an emerging field which lies at the crossroads of Security and Software Engineering. Much research has focused on this field in recent years, spurred by the realization that security must be dealt with in the earliest phases of the software development process as

What is Security? A perspective on achieving security

Energy Technology Data Exchange (ETDEWEB)

Atencio, Julian J.

2014-05-05

This presentation provides a perspective on achieving security in an organization. It touches upon security as a mindset, ability to adhere to rules, cultivating awareness of the reason for a security mindset, the quality of a security program, willingness to admit fault or acknowledge failure, peer review in security, science as a model that can be applied to the security profession, the security vision, security partnering, staleness in the security program, security responsibilities, and achievement of success over time despite the impossibility of perfection.

78 FR 66318 - Securities Investor Protection Corporation

Science.gov (United States)

2013-11-05

...] Securities Investor Protection Corporation AGENCY: Securities and Exchange Commission. ACTION: Proposed rule. SUMMARY: The Securities Investor Protection Corporation (``SIPC'') filed a proposed rule change with the... satisfaction of customer claims for standardized options under the Securities Investor Protection Act of 1970...

Automating risk analysis of software design models.

Science.gov (United States)

Frydman, Maxime; Ruiz, Guifré; Heymann, Elisa; César, Eduardo; Miller, Barton P

2014-01-01

The growth of the internet and networked systems has exposed software to an increased amount of security threats. One of the responses from software developers to these threats is the introduction of security activities in the software development lifecycle. This paper describes an approach to reduce the need for costly human expertise to perform risk analysis in software, which is common in secure development methodologies, by automating threat modeling. Reducing the dependency on security experts aims at reducing the cost of secure development by allowing non-security-aware developers to apply secure development with little to no additional cost, making secure development more accessible. To automate threat modeling two data structures are introduced, identification trees and mitigation trees, to identify threats in software designs and advise mitigation techniques, while taking into account specification requirements and cost concerns. These are the components of our model for automated threat modeling, AutSEC. We validated AutSEC by implementing it in a tool based on data flow diagrams, from the Microsoft security development methodology, and applying it to VOMS, a grid middleware component, to evaluate our model's performance.

Information Security Controls against Cross-Site Request Forgery Attacks on Software Applications of Automated Systems

Science.gov (United States)

Barabanov, A. V.; Markov, A. S.; Tsirlov, V. L.

2018-05-01

This paper presents statistical results and their consolidation, which were received in the study into security of various web-application against cross-site request forgery attacks. Some of the results were received in the study carried out within the framework of certification for compliance with information security requirements. The paper provides the results of consolidating information about the attack and protection measures, which are currently used by the developers of web-applications. It specifies results of the study, which demonstrate various distribution types: distribution of identified vulnerabilities as per the developer type (Russian and foreign), distribution of the security measures used in web-applications, distribution of the identified vulnerabilities as per the programming languages, data on the number of security measures that are used in the studied web-applications. The results of the study show that in most cases the developers of web-applications do not pay due attention to protection against cross-site request forgery attacks. The authors give recommendations to the developers that are planning to undergo a certification process for their software applications.

A Security Approach in System Development Life Cycle

OpenAIRE

P.Mahizharuvi; Dr.Alagarsamy

2011-01-01

Many software organizations today are confronted with challenge of building secure software systems. Traditional software engineering principles place little emphasis on security. These principles tend to tread security as one of a long list of quality factors that are expected from all professionally developed software. As software systems of today have a wide reach, security has become a more important factor than ever in the history of software engineering can no longer be treated as Separ...

Security Requirements Management in Software Product Line Engineering

Science.gov (United States)

Mellado, Daniel; Fernández-Medina, Eduardo; Piattini, Mario

Security requirements engineering is both a central task and a critical success factor in product line development due to the complexity and extensive nature of product lines. However, most of the current product line practices in requirements engineering do not adequately address security requirements engineering. Therefore, in this chapter we will propose a security requirements engineering process (SREPPLine) driven by security standards and based on a security requirements decision model along with a security variability model to manage the variability of the artefacts related to security requirements. The aim of this approach is to deal with security requirements from the early stages of the product line development in a systematic way, in order to facilitate conformance with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.

Computer Security: the security marathon

CERN Multimedia

Computer Security Team

2014-01-01

If you believe that “security” is a sprint, that a quick hack is invulnerable, that quick bug fixing is sufficient, that plugging security measures on top of existing structures is good, that once you are secure your life will be easy... then let me convince you otherwise.   An excellent example of this is when the summer students join us at CERN. As the summer period is short, software projects must be accomplished quickly, like a sprint. Rush, rush! But often, this sprint ends with aching muscles. Regularly, these summer students approach us to have their project or web server made visible to the Internet. Regularly, quick security reviews of those web servers diagnose severe underperformance with regards to security: the web applications are flawed or use insecure protocols; the employed software tools, databases or web frameworks are sub-optimal and not adequately chosen for that project; the operating system is non-standard and has never been brought up-to-date; and ...

Signing and security of Hue software

NARCIS (Netherlands)

Anastasov, I.

2017-01-01

Developing software for the Hue devices poses plenty of challenges among the engineers at Philips Lighting. These challenges arise at each stage of the Software Development Life-Cycle (SDLC). Improvement of it is of immense importance to the Philips Lighting. This report describes a project which

Idioms-based Business Rule Extraction

NARCIS (Netherlands)

R Smit (Rob)

2011-01-01

htmlabstractThis thesis studies the extraction of embedded business rules, using the idioms of the used framework to identify them. Embedded business rules exist as source code in the software system and knowledge about them may get lost. Extraction of those business rules could make them accessible

Dynamic Rule Encryption for Mobile Payment

Directory of Open Access Journals (Sweden)

Emir Husni

2017-01-01

Full Text Available The trend of financial transactions by using a mobile phone or mobile payment increases. By using the mobile payment service, users can save money on mobile phone (handset and separate from the pulse. For protecting users, mobile payment service providers must complete the mobile payment service with the transaction security. One way to provide transaction security is to utilize a secure mobile payment application. This research provides a safety feature used for an Android-based mobile payment application. This security feature is making encryption rules dynamically named Dynamic Rule Encryption (DRE. DRE has the ability to protect data by means of encrypting data with dynamic rules, and DRE also has a token function for an authentication. DRE token raised with dynamic time-based rules. Here, the time is used as a reference with the order of the day in the year (day of the year. The processes of the DRE’s encryption, decryption, and the DRE’s functionality as the token are discussed in this paper. Here, the Hamming distance metric is employed for having maximum differences between plaintext and ciphertext.

Computer Security: Introduction to information and computer security (1/4)

CERN Multimedia

CERN. Geneva

2012-01-01

Sebastian Lopienski is CERN's Deputy Computer Security Officer. He works on security strategy and policies; offers internal consultancy and audit services; develops and maintains security tools for vulnerability assessment and intrusion detection; provides training and awareness raising; and does incident investigation and response. During his work at CERN since 2001, Sebastian has had various assignments, including designing and developing software to manage and support services hosted in the CERN Computer Centre; providing Central CVS Service for software projects at CERN; and development of applications for accelerator controls in Java. He graduated from the University of Warsaw (MSc in Computer Science) in 2002, and earned an MBA degree at the Enterprise Administration Institute in Aix-en-Provence and Haute Ecole de Gestion in Geneva in 2010. His professional interests include software and network security, distributed systems, and Web and mobile technologies. With the prevalence of modern information te...

Improving the Security and Performance of the BaBar Detector Controls System

International Nuclear Information System (INIS)

Kotturi, Karen D.

2003-01-01

It starts out innocently enough--users want to monitor Online data and so run their own copies of the detector control GUIs in their offices and at home. But over time, the number of processes making requests for values to display on GUIs, webpages and stripcharts can grow, and affect the performance of an Input/Output Controller (IOC) such that it is unable to respond to requests from requests critical to data-taking. At worst, an IOC can hang, its CPU having been allocated 100% to responding to network requests. For the BaBar Online Detector Control System, we were able to eliminate this problem and make great gains in security by moving all of the IOCs to a non-routed, virtual LAN and by enlisting a workstation with two network interface cards to act as the interface between the virtual LAN and the public BaBar network. On the interface machine, we run the Experimental Physics Industrial Control System (EPICS) Channel Access (CA) gateway software (originating from Advanced Photon Source). This software accepts as inputs, all the channels which are loaded into the EPICS databases on all the IOCs. It polls them to update its copy of the values. It answers requests from applications by sending them the currently cached value. We adopted the requirement that data-taking would be independent of the gateway, so that, in the event of a gateway failure, data-taking would be uninterrupted. In this way, we avoided introducing any new risk elements to data-taking. Security rules already in use by the IOC were propagated to the gateway's own security rules and the security of the IOCs themselves was improved by removing them from the public BaBar network

Coping with Security in Programming

OpenAIRE

Frank Schindler

2006-01-01

This article deals with importance of security issues in computer programming.Secure software can only be designed with security as a primary goal. To achieve that wewould have to redesign our computer systems with security in our mind including entirecomputer environment, e.g. hardware, programming languages and, of course, operatingsystems. In software development process the quality of resulting computer code should bethe most important aspect during the whole program development process. ...

A sharable cloud-based pancreaticoduodenectomy collaborative database for physicians: emphasis on security and clinical rule supporting.

Science.gov (United States)

Yu, Hwan-Jeu; Lai, Hong-Shiee; Chen, Kuo-Hsin; Chou, Hsien-Cheng; Wu, Jin-Ming; Dorjgochoo, Sarangerel; Mendjargal, Adilsaikhan; Altangerel, Erdenebaatar; Tien, Yu-Wen; Hsueh, Chih-Wen; Lai, Feipei

2013-08-01

Pancreaticoduodenectomy (PD) is a major operation with high complication rate. Thereafter, patients may develop morbidity because of the complex reconstruction and loss of pancreatic parenchyma. A well-designed database is very important to address both the short-term and long-term outcomes after PD. The objective of this research was to build an international PD database implemented with security and clinical rule supporting functions, which made the data-sharing easier and improve the accuracy of data. The proposed system is a cloud-based application. To fulfill its requirements, the system comprises four subsystems: a data management subsystem, a clinical rule supporting subsystem, a short message notification subsystem, and an information security subsystem. After completing the surgery, the physicians input the data retrospectively, which are analyzed to study factors associated with post-PD common complications (delayed gastric emptying and pancreatic fistula) to validate the clinical value of this system. Currently, this database contains data from nearly 500 subjects. Five medical centers in Taiwan and two cancer centers in Mongolia are participating in this study. A data mining model of the decision tree analysis showed that elderly patients (>76 years) with pylorus-preserving PD (PPPD) have higher proportion of delayed gastric emptying. About the pancreatic fistula, the data mining model of the decision tree analysis revealed that cases with non-pancreaticogastrostomy (PG) reconstruction - body mass index (BMI)>29.65 or PG reconstruction - BMI>23.7 - non-classic PD have higher proportion of pancreatic fistula after PD. The proposed system allows medical staff to collect and store clinical data in a cloud, sharing the data with other physicians in a secure manner to achieve collaboration in research. Copyright © 2013 Elsevier Ireland Ltd. All rights reserved.

Improving Intrusion Detection System Based on Snort Rules for Network Probe Attacks Detection with Association Rules Technique of Data Mining

Directory of Open Access Journals (Sweden)

Nattawat Khamphakdee

2015-07-01

Full Text Available The intrusion detection system (IDS is an important network security tool for securing computer and network systems. It is able to detect and monitor network traffic data. Snort IDS is an open-source network security tool. It can search and match rules with network traffic data in order to detect attacks, and generate an alert. However, the Snort IDS  can detect only known attacks. Therefore, we have proposed a procedure for improving Snort IDS rules, based on the association rules data mining technique for detection of network probe attacks.  We employed the MIT-DARPA 1999 data set for the experimental evaluation. Since behavior pattern traffic data are both normal and abnormal, the abnormal behavior data is detected by way of the Snort IDS. The experimental results showed that the proposed Snort IDS rules, based on data mining detection of network probe attacks, proved more efficient than the original Snort IDS rules, as well as icmp.rules and icmp-info.rules of Snort IDS.  The suitable parameters for the proposed Snort IDS rules are defined as follows: Min_sup set to 10%, and Min_conf set to 100%, and through the application of eight variable attributes. As more suitable parameters are applied, higher accuracy is achieved.

Software licenses: Stay honest!

CERN Multimedia

Computer Security Team

2012-01-01

Do you recall our article about copyright violation in the last issue of the CERN Bulletin, “Music, videos and the risk for CERN”? Now let’s be more precise. “Violating copyright” not only means the illegal download of music and videos, it also applies to software packages and applications.   Users must respect proprietary rights in compliance with the CERN Computing Rules (OC5). Not having legitimately obtained a program or the required licenses to run that software is not a minor offense. It violates CERN rules and puts the Organization at risk! Vendors deserve credit and compensation. Therefore, make sure that you have the right to use their software. In other words, you have bought the software via legitimate channels and use a valid and honestly obtained license. This also applies to “Shareware” and software under open licenses, which might also come with a cost. Usually, only “Freeware” is complete...

CERN Technical Training: new courses on computer security

CERN Multimedia

HR Department

2009-01-01

Two new trainings are available at CERN concerning computer security. • How to create secure software? The "Developing secure software" course (3.5 hours) is designed for software programmers, both for regular software and Web applications. It covers main aspects of security in different phases of the software development lifecycle. The last, optional hour discusses security issues of Web application developers. This course, although not hands-on, is interactive and full of real-life examples. The first session of this course will take place, in English, on 21 April in the CERN Technical Training Centre. More sessions will be scheduled in 2009. • How to safely navigate and send mails? The "Secure e-mail and Web browsing" course is an entry-level 1.5-hour course designed to show how to detect and avoid typical security pitfalls encountered when e-mailing and browsing the Web. It is designed for non-technical users of Internet Explorer and Outlook. The first sessions ...

CERN Technical Training: new courses on computer security

CERN Multimedia

HR Department

2009-01-01

Two new trainings are available at CERN concerning computer security. • How to create secure software? The "Developing secure software" course (3.5 hours) is designed for software programmers, both for regular software and Web applications. It covers main aspects of security in different phases of the software development lifecycle. The last, optional hour discusses security issues of Web application developers. This course, although not hands-on, is interactive and full of real-life examples. The first session of this course will take place, in English, on 21 April in the CERN Technical Training Centre. More sessions will be scheduled in 2009. • How to safely navigate and send mails? The "Secure e-mail and Web browsing" course is an entry-level 1.5-hour course designed to show how to detect and avoid typical security pitfalls encountered when e-mailing and browsing the Web. It is designed for non-technical users of Internet Explorer and Outlook. The first sessions o...

CERN Technical Training: new courses on computer security

CERN Multimedia

HR Department

2009-01-01

Two new trainings are available at CERN concerning computer security. • How to create secure software? The "Developing secure software" course (3.5 hours) is designed for software programmers, both for regular software and Web applications. It covers main aspects of security in different phases of the software development lifecycle. The last, optional hour discusses security issues of Web application developers. This course, although not hands-on, is interactive and full of real-life examples. The first session of this course will take place, in English, on 21 April in the CERN Technical Training Center. More sessions will be scheduled in 2009. • How to safely navigate and send mails? The "Secure e-mail and Web browsing" course is an entry-level 1.5-hour training aimed to show how to detect and avoid typical security pitfalls encountered when e-mailing and browsing the Web. It is designed for non-technical users of Internet Explorer and Outlook. The first sessions o...

Security: a Killer App for SDN?

Science.gov (United States)

2014-10-01

Software Defined Networking ( SDN ) has been developed...the possible opportunities that result. 15. SUBJECT TERMS Software Defined Network , SDN , Network Routing, Security 16. SECURITY CLASSIFICATION OF...highwayman.com Highwayman Associates Ltd. Ross Anderson Ross.Anderson@cl.cam.ac.uk University of Cambridge ABSTRACT Software Defined Networking ( SDN ) has

Access control, security, and trust a logical approach

CERN Document Server

Chin, Shiu-Kai

2010-01-01

Access Control, Security, Trust, and Logic Deconstructing Access Control Decisions A Logical Approach to Access Control PRELIMINARIES A Language for Access ControlSets and Relations Syntax SemanticsReasoning about Access Control Logical RulesFormal Proofs and Theorems Soundness of Logical RulesBasic Concepts Reference Monitors Access Control Mechanisms: Tickets and Lists Authentication Security PoliciesConfidentiality, Integrity, and Availability Discretionary Security Policies Mandatory Security Policies Military Security Policies Commercial PoliciesDISTRIBUTED ACCESS CONTROL Digital Authenti

78 FR 48076 - Facility Security Clearance and Safeguarding of National Security Information and Restricted Data

Science.gov (United States)

2013-08-07

...-2011-0268] RIN 3150-AJ07 Facility Security Clearance and Safeguarding of National Security Information..., Classified National Security Information. The rule would allow licensees flexibility in determining the means... licensee security education and training programs and enhances the protection of classified information...

Exploration of SWRL Rule Bases through Visualization, Paraphrasing, and Categorization of Rules

Science.gov (United States)

Hassanpour, Saeed; O'Connor, Martin J.; Das, Amar K.

Rule bases are increasingly being used as repositories of knowledge content on the Semantic Web. As the size and complexity of these rule bases increases, developers and end users need methods of rule abstraction to facilitate rule management. In this paper, we describe a rule abstraction method for Semantic Web Rule Language (SWRL) rules that is based on lexical analysis and a set of heuristics. Our method results in a tree data structure that we exploit in creating techniques to visualize, paraphrase, and categorize SWRL rules. We evaluate our approach by applying it to several biomedical ontologies that contain SWRL rules, and show how the results reveal rule patterns within the rule base. We have implemented our method as a plug-in tool for Protégé-OWL, the most widely used ontology modeling software for the Semantic Web. Our tool can allow users to rapidly explore content and patterns in SWRL rule bases, enabling their acquisition and management.

Crispen's Five Antivirus Rules.

Science.gov (United States)

Crispen, Patrick Douglas

2000-01-01

Explains five rules to protect computers from viruses. Highlights include commercial antivirus software programs and the need to upgrade them periodically (every year to 18 months); updating virus definitions at least weekly; scanning attached files from email with antivirus software before opening them; Microsoft Word macro protection; and the…

Improving cloud network security using tree-rule firewall

NARCIS (Netherlands)

He, Xiangjian; Chomsiri, Thawatchai; Nanda, Priyadarsi; Tan, Zhiyuan

This study proposes a new model of firewall called the ‘Tree-Rule Firewall’, which offers various benefits and is applicable for large networks such as ‘cloud’ networks. The recently available firewalls (i.e., Listed-Rule firewalls) have their limitations in performing the tasks and are inapplicable

Workflow-Based Software Development Environment

Science.gov (United States)

Izygon, Michel E.

2013-01-01

The Software Developer's Assistant (SDA) helps software teams more efficiently and accurately conduct or execute software processes associated with NASA mission-critical software. SDA is a process enactment platform that guides software teams through project-specific standards, processes, and procedures. Software projects are decomposed into all of their required process steps or tasks, and each task is assigned to project personnel. SDA orchestrates the performance of work required to complete all process tasks in the correct sequence. The software then notifies team members when they may begin work on their assigned tasks and provides the tools, instructions, reference materials, and supportive artifacts that allow users to compliantly perform the work. A combination of technology components captures and enacts any software process use to support the software lifecycle. It creates an adaptive workflow environment that can be modified as needed. SDA achieves software process automation through a Business Process Management (BPM) approach to managing the software lifecycle for mission-critical projects. It contains five main parts: TieFlow (workflow engine), Business Rules (rules to alter process flow), Common Repository (storage for project artifacts, versions, history, schedules, etc.), SOA (interface to allow internal, GFE, or COTS tools integration), and the Web Portal Interface (collaborative web environment

Farmland Tenure Security in China: Influencing Factors of Actual and Perceived Farmland Tenure Security

Science.gov (United States)

Ren, Guangcheng; Zhu, Xueqin; Heerink, Nico; van Ierland, Ekko; Feng, Shuyi

2017-04-01

Tenure security plays an important role in farm households' investment, land renting and other decisions. Recent literature distinguishes between actual farmland tenure security (i.e. farm households' actual control of farmland) and perceived farmland tenure security (i.e. farm households' subjective understanding of their farmland tenure situation and expectation regarding government enforcement and equality of the law). However little is known on what factors influence the actual and perceived farmland tenure security in rural China. Theoretically, actual farmland tenure security is related to village self-governance as a major informal governance rule in rural China. Both economic efficiency and equity considerations are likely to play a role in the distribution of land and its tenure security. Household perceptions of farmland tenure security depend not only on the actual farmland tenure security in a village, but may also be affected by households' investment in and ability of changing social rules. Our study examines what factors contribute to differences in actual and perceived farmland tenure security between different villages and farm households in different regions of China. Applying probit models to the data collected from 1,485 households in 124 villages in Jiangsu, Jiangxi, Liaoning and Chongqing, we find that development of farmland rental market and degree of self-governance of a village have positive impacts, and development of labour market has a negative effect on actual farmland tenure security. Household perceptions of tenure security depend not only on actual farmland tenure security and on households' investment in and ability of changing social rules, but also on risk preferences of households. This finding has interesting policy implications for future land reforms in rural China.

Security and trust requirements engineering

NARCIS (Netherlands)

Giorgini, P.; Massacci, F.; Zannone, N.; Aldini, A.; Gorrieri, R.; Martinelli, F.

2005-01-01

Integrating security concerns throughout the whole software development process is one of today’s challenges in software and requirements engineering research. A challenge that so far has proved difficult to meet. The major difficulty is that providing security does not only require to solve

17 CFR 240.19g2-1 - Enforcement of compliance by national securities exchanges and registered securities associations...

Science.gov (United States)

2010-04-01

... national securities exchanges and registered securities associations with the Act and rules and regulations... Enforcement of compliance by national securities exchanges and registered securities associations with the Act... associated with its members, a national securities exchange or registered securities association is not...

10 CFR 2.905 - Access to restricted data and national security information for parties; security clearances.

Science.gov (United States)

2010-01-01

... information for parties; security clearances. 2.905 Section 2.905 Energy NUCLEAR REGULATORY COMMISSION RULES... to Adjudicatory Proceedings Involving Restricted Data and/or National Security Information § 2.905 Access to restricted data and national security information for parties; security clearances. (a) Access...

An ethernet/IP security review with intrusion detection applications

International Nuclear Information System (INIS)

Laughter, S. A.; Williams, R. D.

2006-01-01

Supervisory Control and Data Acquisition (SCADA) and automation networks, used throughout utility and manufacturing applications, have their own specific set of operational and security requirements when compared to corporate networks. The modern climate of heightened national security and awareness of terrorist threats has made the security of these systems of prime concern. There is a need to understand the vulnerabilities of these systems and how to monitor and protect them. Ethernet/IP is a member of a family of protocols based on the Control and Information Protocol (CIP). Ethernet/IP allows automation systems to be utilized on and integrated with traditional TCP/IP networks, facilitating integration of these networks with corporate systems and even the Internet. A review of the CIP protocol and the additions Ethernet/IP makes to it has been done to reveal the kind of attacks made possible through the protocol. A set of rules for the SNORT Intrusion Detection software is developed based on the results of the security review. These can be used to monitor, and possibly actively protect, a SCADA or automation network that utilizes Ethernet/IP in its infrastructure. (authors)

STUDY CONTESTING TAX RULES ON SOCIAL SECURITY CONTRIBUTIONS BY TAXPAYERS FROM ROMANIA

Directory of Open Access Journals (Sweden)

Adrian Doru BÎGIOI

2015-07-01

Full Text Available The management bodies of companies must know and correctly apply tax law. There are, however, the practical situations, when, although they want to respect this, taxpayers are penalized by the tax authorities, because it did not comply with tax obligations. There are many factors that can determine this, among which: circumvent tax rules in order to avoid paying taxes and incorrect application of law. In this study was approached the second factor, namely: analysis of the most common situations in which both taxpayers as well fiscal authorities erroneously apply tax law. To achieve these results, was developed a study regarding the determination degree of contesting the tax rules, in area of social security contributions. Data subject research was extracted in the database officially published by competent insitutions tax. The research was conducted for the period January 1, 2004 and until February 28, 2015. In terms of research methodology, were used both quantitative methods and qualitative methods. Finally, data were centralized by type of articles, they are sorted according to the extent of contestation obtained. The final conclusion is that imprecise definition of the terms tax is one of the main causes which determines incorrect application of tax law. The results can be used especially by the subjects of tax legal relationship, to avoid situations the tax law is applied incorrectly, aspects that may lead to negative situations, both companies and the state institutions.

78 FR 48037 - Facility Security Clearance and Safeguarding of National Security Information and Restricted Data

Science.gov (United States)

2013-08-07

... Clearance and Safeguarding of National Security Information and Restricted Data AGENCY: Nuclear Regulatory... the objectives of Executive Order 13526, Classified National Security Information. The rule allows... signed Executive Order 13526, Classified National Security Information, which was published in the...

The laws of software process a new model for the production and management of software

CERN Document Server

Armour, Phillip G

2003-01-01

The Nature of Software and The Laws of Software ProcessA Brief History of KnowledgeThe Characteristics of Knowledge Storage MediaThe Nature of Software DevelopmentThe Laws of Software Process and the Five Orders of IgnoranceThe Laws of Software ProcessThe First Law of Software ProcessThe Corollary to the First Law of Software ProcessThe Reflexive Creation of Systems and ProcessesThe Lemma of Eternal LatenessThe Second Law of Software ProcessThe Rule of Process BifurcationThe Dual Hypotheses of Knowledge DiscoveryArmour's Observation on Software ProcessThe Third Law of Software Process (also kn

Cyber security best practices for the nuclear industry

International Nuclear Information System (INIS)

Badr, I.

2012-01-01

When deploying software based systems, such as, digital instrumentation and controls for the nuclear industry, it is vital to include cyber security assessment as part of architecture and development process. When integrating and delivering software-intensive systems for the nuclear industry, engineering teams should make use of a secure, requirements driven, software development life cycle, ensuring security compliance and optimum return on investment. Reliability protections, data loss prevention, and privacy enforcement provide a strong case for installing strict cyber security policies. (authors)

Cyber security best practices for the nuclear industry

Energy Technology Data Exchange (ETDEWEB)

Badr, I. [Rational IBM Software Group, IBM Corporation, Evanston, IL 60201 (United States)

2012-07-01

When deploying software based systems, such as, digital instrumentation and controls for the nuclear industry, it is vital to include cyber security assessment as part of architecture and development process. When integrating and delivering software-intensive systems for the nuclear industry, engineering teams should make use of a secure, requirements driven, software development life cycle, ensuring security compliance and optimum return on investment. Reliability protections, data loss prevention, and privacy enforcement provide a strong case for installing strict cyber security policies. (authors)

Software vulnerability: Definition, modelling, and practical evaluation for E-mail: transfer software

International Nuclear Information System (INIS)

Kimura, Mitsuhiro

2006-01-01

This paper proposes a method of assessing software vulnerability quantitatively. By expanding the concept of the IPO (input-program-output) model, we first define the software vulnerability and construct a stochastic model. Then we evaluate the software vulnerability of the sendmail system by analyzing the actual security-hole data, which were collected from its release note. Also we show the relationship between the estimated software reliability and vulnerability of the analyzed system

Tier 1 and Tier 3 eAdjudication Business Rule Validation

Science.gov (United States)

2018-04-01

correct rejections. • Research ways to safely approve more cases through eAdjudication. PERSEREC has established a business rule test environment that can... WORK UNIT NUMBER: 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Defense Personnel and Security Research Center Office of People Analytics 400...interagency working group of personnel security and suitability experts on business rule development for T3 and T3R. The results of rule development and

CERN’s Computing rules updated to include policy for control systems

CERN Multimedia

IT Department

2008-01-01

The use of CERN’s computing facilities is governed by rules defined in Operational Circular No. 5 and its subsidiary rules of use. These rules are available from the web site http://cern.ch/ComputingRules. Please note that the subsidiary rules for Internet/Network use have been updated to include a requirement that control systems comply with the CNIC(Computing and Network Infrastructure for Control) Security Policy. The security policy for control systems, which was approved earlier this year, can be accessed at https://edms.cern.ch/document/584092 IT Department

Business Management Software Axolon ERP

OpenAIRE

Axolon ERP Solution

2018-01-01

Axolon ERP a Business Management Software www.axolonerp.com by Micromind is a comprehensive business management software solution for businesses. We deliver Business Management Software Dubai in UAE, GCC Countries and products also include ERP Software Dubai. HR & Payroll, Inventory Software, Project Management, Software Development, Solutions and Services in Dubai, UAE for small and medium sized Enterprises (SME) in the middle east with a easy-to-use, secure and efficient business management...

78 FR 46309 - Rules of Administrative Finality

Science.gov (United States)

2013-07-31

...-772-1213 or TTY 1-800-325-0778, or visit our Internet site, Social Security Online, at http://www... SOCIAL SECURITY ADMINISTRATION 20 CFR Parts 404 and 416 [Docket No. SSA 2013-0011] Rules of Administrative Finality AGENCY: Social Security Administration (SSA) ACTION: Notice and request for comments...

Assuring Software Reliability

Science.gov (United States)

2014-08-01

technologies and processes to achieve a required level of confidence that software systems and services function in the intended manner. 1.3 Security Example...that took three high-voltage lines out of service and a software fail- ure (a race condition3) that disabled the computing service that notified the... service had failed. Instead of analyzing the details of the alarm server failure, the reviewers asked why the following software assurance claim had

New HIPAA rules: a guide for radiology providers.

Science.gov (United States)

Dresevic, Adrienne; Mikel, Clinton

2013-01-01

The Office for Civil Rights issued its long awaited final regulations modifying the HIPAA privacy, security, enforcement, and breach notification rules--the HIPAA Megarule. The new HIPAA rules will require revisions to Notice of Privacy Practices, changes to business associate agreements, revisions to HIPAA privacy and security policies and procedures, and an overall assessment of HIPAA compliance. The HIPAA Megarule formalizes the HITECH Act requirements, and makes it clear that the OCRs ramp up of HIPAA enforcement is not merely a passing trend. The new rules underscore that both covered entities and business associates must reassess and strengthen HIPAA compliance.

EMI Security Architecture

CERN Document Server

White, J.; Schuller, B.; Qiang, W.; Groep, D.; Koeroo, O.; Salle, M.; Sustr, Z.; Kouril, D.; Millar, P.; Benedyczak, K.; Ceccanti, A.; Leinen, S.; Tschopp, V.; Fuhrmann, P.; Heyman, E.; Konstantinov, A.

2013-01-01

This document describes the various architectures of the three middlewares that comprise the EMI software stack. It also outlines the common efforts in the security area that allow interoperability between these middlewares. The assessment of the EMI Security presented in this document was performed internally by members of the Security Area of the EMI project.

78 FR 29624 - Rules on Determining Hearing Appearances

Science.gov (United States)

2013-05-21

... site, Social Security Online, at http://www.socialsecurity.gov . SUPPLEMENTARY INFORMATION: Background... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA 2007-0044] 20 CFR Parts 404, 405, and 416 RIN 0960-AH40 Rules on Determining Hearing Appearances AGENCY: Social Security Administration. ACTION: Final...

Statistics of software vulnerability detection in certification testing

Science.gov (United States)

Barabanov, A. V.; Markov, A. S.; Tsirlov, V. L.

2018-05-01

The paper discusses practical aspects of introduction of the methods to detect software vulnerability in the day-to-day activities of the accredited testing laboratory. It presents the approval results of the vulnerability detection methods as part of the study of the open source software and the software that is a test object of the certification tests under information security requirements, including software for communication networks. Results of the study showing the allocation of identified vulnerabilities by types of attacks, country of origin, programming languages used in the development, methods for detecting vulnerability, etc. are given. The experience of foreign information security certification systems related to the detection of certified software vulnerabilities is analyzed. The main conclusion based on the study is the need to implement practices for developing secure software in the development life cycle processes. The conclusions and recommendations for the testing laboratories on the implementation of the vulnerability analysis methods are laid down.

78 FR 76986 - Children's Online Privacy Protection Rule

Science.gov (United States)

2013-12-20

... FEDERAL TRADE COMMISSION 16 CFR Part 312 RIN 3084-AB20 Children's Online Privacy Protection Rule... published final rule amendments to the Children's Online Privacy Protection Rule on January 17, 2013 to update the requirements set forth in the notice, parental consent, confidentiality and security, and safe...

Third-Party Software's Trust Quagmire.

Science.gov (United States)

Voas, J; Hurlburt, G

2015-12-01

Current software development has trended toward the idea of integrating independent software sub-functions to create more complete software systems. Software sub-functions are often not homegrown - instead they are developed by unknown 3 rd party organizations and reside in software marketplaces owned or controlled by others. Such software sub-functions carry plausible concern in terms of quality, origins, functionality, security, interoperability, to name a few. This article surveys key technical difficulties in confidently building systems from acquired software sub-functions by calling out the principle software supply chain actors.

International Liability Issues for Software Quality

National Research Council Canada - National Science Library

Mead, Nancy

2003-01-01

This report focuses on international law related to cybercrime, international information security standards, and software liability issues as they relate to information security for critical infrastructure applications...

Protecting the Privacy and Security of Your Health Information

Science.gov (United States)

... can be used and shared with others. The Security Rule sets rules for how your health information must be kept secure with administrative, technical, and physical safeguards. You may have additional protections and health information rights under your State's laws. ...

The architecture of a reliable software monitoring system for embedded software systems

International Nuclear Information System (INIS)

Munson, J.; Krings, A.; Hiromoto, R.

2006-01-01

We develop the notion of a measurement-based methodology for embedded software systems to ensure properties of reliability, survivability and security, not only under benign faults but under malicious and hazardous conditions as well. The driving force is the need to develop a dynamic run-time monitoring system for use in these embedded mission critical systems. These systems must run reliably, must be secure and they must fail gracefully. That is, they must continue operating in the face of the departures from their nominal operating scenarios, the failure of one or more system components due to normal hardware and software faults, as well as malicious acts. To insure the integrity of embedded software systems, the activity of these systems must be monitored as they operate. For each of these systems, it is possible to establish a very succinct representation of nominal system activity. Furthermore, it is possible to detect departures from the nominal operating scenario in a timely fashion. Such departure may be due to various circumstances, e.g., an assault from an outside agent, thus forcing the system to operate in an off-nominal environment for which it was neither tested nor certified, or a hardware/software component that has ceased to operate in a nominal fashion. A well-designed system will have the property of graceful degradation. It must continue to run even though some of the functionality may have been lost. This involves the intelligent re-mapping of system functions. Those functions that are impacted by the failure of a system component must be identified and isolated. Thus, a system must be designed so that its basic operations may be re-mapped onto system components still operational. That is, the mission objectives of the software must be reassessed in terms of the current operational capabilities of the software system. By integrating the mechanisms to support observation and detection directly into the design methodology, we propose to shift

Contractor Software Charges

National Research Council Canada - National Science Library

Granetto, Paul

1994-01-01

.... Examples of computer software costs that contractors charge through indirect rates are material management systems, security systems, labor accounting systems, and computer-aided design and manufacturing...

Ensuring system security through formal software evaluation

Energy Technology Data Exchange (ETDEWEB)

Howell, J A; Fuyat, C [Los Alamos National Lab., NM (United States); Elvy, M [Marble Associates, Boston, MA (United States)

1992-01-01

With the increasing use of computer systems and networks to process safeguards information in nuclear facilities, the issue of system and data integrity is receiving worldwide attention. Among the many considerations are validation that the software performs as intended and that the information is adequately protected. Such validations are often requested of the Safeguards Systems Group of the Los Alamos National Laboratory. This paper describes our methodology for performing these software evaluations.

FS-OpenSecurity: A Taxonomic Modeling of Security Threats in SDN for Future Sustainable Computing

Directory of Open Access Journals (Sweden)

Yunsick Sung

2016-09-01

Full Text Available Software Defined Networking (SDN has brought many changes in terms of the interaction processes between systems and humans. It has become the key enabler of software defined architecture, which allows enterprises to build a highly agile Information Technology (IT infrastructure. For Future Sustainability Computing (FSC, SDN needs to deliver on many information technology commitments—more automation, simplified design, increased agility, policy-based management, and network management bond to more liberal IT workflow systems. To address the sustainability problems, SDN needs to provide greater collaboration and tighter integration with networks, servers, and security teams that will have an impact on how enterprises design, plan, deploy and manage networks. In this paper, we propose FS-OpenSecurity, which is a new and pragmatic security architecture model. It consists of two novel methodologies, Software Defined Orchestrator (SDO and SQUEAK, which offer a robust and secure architecture. The secure architecture is required for protection from diverse threats. Usually, security administrators need to handle each threat individually. However, handling threats automatically by adapting to the threat landscape is a critical demand. Therefore, the architecture must handle defensive processes automatically that are collaboratively based on intelligent external and internal information.

75 FR 20401 - Self-Regulatory Organizations; NYSE Amex LLC; Notice of Filing of Proposed Rule Change, and...

Science.gov (United States)

2010-04-19

.... Proposed NYSE Amex Equities Rule 510 (Derivative Securities Products) The Exchange also proposes some... derivative securities products,'' as defined in Rule 19b-4(e) under the Act and traded pursuant to Rule 19b-4.../or approved by the Commission for the generic trading of derivative securities products based on...

THE TECHNIQUE OF ANALYSIS OF SOFTWARE OF ON-BOARD COMPUTERS OF AIR VESSEL TO ABSENCE OF UNDECLARED CAPABILITIES BY SIGNATURE-HEURISTIC WAY

Directory of Open Access Journals (Sweden)

Viktor Ivanovich Petrov

2017-01-01

Full Text Available The article considers the issues of civil aviation aircraft onboard computers data safety. Infor- mation security undeclared capabilities stand for technical equipment or software possibilities, which are not mentioned in the documentation. Documentation and tests content requirements are imposed during the software certification. Documentation requirements include documents composition and content of control (specification, description and program code, the source code. Test requirements include: static analysis of program codes (including the compliance of the sources with their loading modules monitoring; dynamic analysis of source code (including implementation of routes monitor- ing. Currently, there are no complex measures for checking onboard computer software. There are no rules and regulations that can allow controlling foreign production aircraft software, and the actual receiving of software is difficult. Consequently, the author suggests developing the basics of aviation rules and regulations, which allow to analyze the programs of CA aircraft onboard computers. If there are no software source codes the two approaches of code analysis are used: a structural static and dy- namic analysis of the source code; signature-heuristic analysis of potentially dangerous operations. Static analysis determines the behavior of the program by reading the program code (without running the program which is represented in the assembler language - disassembly listing. Program tracing is performed by the dynamic analysis. The analysis of aircraft software ability to detect undeclared capa- bilities using the interactive disassembler was considered in this article.

Keystone Business Models for Network Security Processors

OpenAIRE

Arthur Low; Steven Muegge

2013-01-01

Network security processors are critical components of high-performance systems built for cybersecurity. Development of a network security processor requires multi-domain experience in semiconductors and complex software security applications, and multiple iterations of both software and hardware implementations. Limited by the business models in use today, such an arduous task can be undertaken only by large incumbent companies and government organizations. Neither the “fabless semiconductor...

78 FR 69286 - Facility Security Clearance and Safeguarding of National Security Information and Restricted Data

Science.gov (United States)

2013-11-19

... Clearance and Safeguarding of National Security Information and Restricted Data AGENCY: Nuclear Regulatory... Executive Order 13526, Classified National Security Information. In addition, this direct final rule allowed... licensees (or their designees) to conduct classified [[Page 69287

17 CFR 200.67 - Power to adopt rules.

Science.gov (United States)

2010-04-01

... 17 Commodity and Securities Exchanges 2 2010-04-01 2010-04-01 false Power to adopt rules. 200.67... AND ETHICS; AND INFORMATION AND REQUESTS Canons of Ethics § 200.67 Power to adopt rules. In exercising... by the Congress imposes the obligation upon the members to adopt rules necessary to effectuate the...

Towards a New Paradigm of Software Development: an Ambassador Driven Process in Distributed Software Companies

Science.gov (United States)

Kumlander, Deniss

The globalization of companies operations and competitor between software vendors demand improving quality of delivered software and decreasing the overall cost. The same in fact introduce a lot of problem into software development process as produce distributed organization breaking the co-location rule of modern software development methodologies. Here we propose a reformulation of the ambassador position increasing its productivity in order to bridge communication and workflow gap by managing the entire communication process rather than concentrating purely on the communication result.

Open source IPSEC software in manned and unmanned space missions

Science.gov (United States)

Edwards, Jacob

Network security is a major topic of research because cyber attackers pose a threat to national security. Securing ground-space communications for NASA missions is important because attackers could endanger mission success and human lives. This thesis describes how an open source IPsec software package was used to create a secure and reliable channel for ground-space communications. A cost efficient, reproducible hardware testbed was also created to simulate ground-space communications. The testbed enables simulation of low-bandwidth and high latency communications links to experiment how the open source IPsec software reacts to these network constraints. Test cases were built that allowed for validation of the testbed and the open source IPsec software. The test cases also simulate using an IPsec connection from mission control ground routers to points of interest in outer space. Tested open source IPsec software did not meet all the requirements. Software changes were suggested to meet requirements.

Additional Security Considerations for Grid Management

Science.gov (United States)

Eidson, Thomas M.

2003-01-01

The use of Grid computing environments is growing in popularity. A Grid computing environment is primarily a wide area network that encompasses multiple local area networks, where some of the local area networks are managed by different organizations. A Grid computing environment also includes common interfaces for distributed computing software so that the heterogeneous set of machines that make up the Grid can be used more easily. The other key feature of a Grid is that the distributed computing software includes appropriate security technology. The focus of most Grid software is on the security involved with application execution, file transfers, and other remote computing procedures. However, there are other important security issues related to the management of a Grid and the users who use that Grid. This note discusses these additional security issues and makes several suggestions as how they can be managed.

Model-based security testing

OpenAIRE

Schieferdecker, Ina; Großmann, Jürgen; Schneider, Martin

2012-01-01

Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques are available for many years, there has been little approaches that allow for specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security...

76 FR 46668 - Business Conduct Standards for Security-Based Swap Dealers and Major Security-Based Swap...

Science.gov (United States)

2011-08-03

... SECURITIES AND EXCHANGE COMMISSION 17 CFR Part 240 [Release No. 34-64766; File No. S7-25-11] RIN 3235-AL10 Business Conduct Standards for Security-Based Swap Dealers and Major Security-Based Swap Participants Correction In proposed rule document number 2011-16758, appearing on pages 42396-42455 in the...

Collaboration rules.

Science.gov (United States)

Evans, Philip; Wolf, Bob

2005-01-01

Corporate leaders seeking to boost growth, learning, and innovation may find the answer in a surprising place: the Linux open-source software community. Linux is developed by an essentially volunteer, self-organizing community of thousands of programmers. Most leaders would sell their grandmothers for workforces that collaborate as efficiently, frictionlessly, and creatively as the self-styled Linux hackers. But Linux is software, and software is hardly a model for mainstream business. The authors have, nonetheless, found surprising parallels between the anarchistic, caffeinated, hirsute world of Linux hackers and the disciplined, tea-sipping, clean-cut world of Toyota engineering. Specifically, Toyota and Linux operate by rules that blend the self-organizing advantages of markets with the low transaction costs of hierarchies. In place of markets' cash and contracts and hierarchies' authority are rules about how individuals and groups work together (with rigorous discipline); how they communicate (widely and with granularity); and how leaders guide them toward a common goal (through example). Those rules, augmented by simple communication technologies and a lack of legal barriers to sharing information, create rich common knowledge, the ability to organize teams modularly, extraordinary motivation, and high levels of trust, which radically lowers transaction costs. Low transaction costs, in turn, make it profitable for organizations to perform more and smaller transactions--and so increase the pace and flexibility typical of high-performance organizations. Once the system achieves critical mass, it feeds on itself. The larger the system, the more broadly shared the knowledge, language, and work style. The greater individuals' reputational capital, the louder the applause and the stronger the motivation. The success of Linux is evidence of the power of that virtuous circle. Toyota's success is evidence that it is also powerful in conventional companies.

Lecture 3: Web Application Security

CERN Multimedia

CERN. Geneva

2013-01-01

Computer security has been an increasing concern for IT professionals for a number of years, yet despite all the efforts, computer systems and networks remain highly vulnerable to attacks of different kinds. Design flaws and security bugs in the underlying software are among the main reasons for this. This lecture focuses on security aspects of Web application development. Various vulnerabilities typical to web applications (such as Cross-site scripting, SQL injection, cross-site request forgery etc.) are introduced and discussed. Sebastian Lopienski is CERN’s deputy Computer Security Officer. He works on security strategy and policies; offers internal consultancy and audit services; develops and maintains security tools for vulnerability assessment and intrusion detection; provides training and awareness raising; and does incident investigation and response. During his work at CERN since 2001, Sebastian has had various assignments, including designing and developing software to manage and support servic...

Software engineering

CERN Document Server

Thorin, Marc

1985-01-01

Software Engineering describes the conceptual bases as well as the main methods and rules on computer programming. This book presents software engineering as a coherent and logically built synthesis and makes it possible to properly carry out an application of small or medium difficulty that can later be developed and adapted to more complex cases. This text is comprised of six chapters and begins by introducing the reader to the fundamental notions of entities, actions, and programming. The next two chapters elaborate on the concepts of information and consistency domains and show that a proc

An Empirical Study of Security Issues Posted in Open Source Projects

DEFF Research Database (Denmark)

Zahedi, Mansooreh; Ali Babar, Muhammad; Treude, Christoph

2018-01-01

When developers gain thorough understanding and knowledge of software security, they can produce more secure software. This study aims at empirically identifying and understanding the security issues posted on a random sample of GitHub repositories. We tried to understand the presence of security...

Computer Security: Mac security – nothing for old versions

CERN Multimedia

Stefan Lueders, Computer Security Team

2016-01-01

A fundamental pillar of computer security is the regular maintenance of your code, operating system and application software – or, in computer lingo: patching, patching, patching.   Only software which is up-to-date should be free from any known vulnerabilities and thus provide you with a basic level of computer security. Neglecting regular updates is putting your computer at risk – and consequently your account, your password, your data, your photos, your videos and your money. Therefore, prompt and automatic patching is paramount. But the Microsofts, Googles and Apples of this world do not always help… Software vendors handle their update policy in different ways. While Android is a disaster – not because of Google, but due to the slow adaptation of many smartphone vendors (see “Android’s Armageddon”) – Microsoft provides updates for their Windows 7, Windows 8 and Windows 10 operating systems through their &ldq...

An Examination of an Information Security Framework Implementation Based on Agile Values to Achieve Health Insurance Portability and Accountability Act Security Rule Compliance in an Academic Medical Center: The Thomas Jefferson University Case Study

Science.gov (United States)

Reis, David W.

2012-01-01

Agile project management is most often examined in relation to software development, while information security frameworks are often examined with respect to certain risk management capabilities rather than in terms of successful implementation approaches. This dissertation extended the study of both Agile project management and information…

Computer Security: improve software, avoid blunder

CERN Multimedia

Computer Security Team

2014-01-01

Recently, a severe vulnerability has been made public about how Apple devices are wrongly handling encryption. This vulnerability rendered SSL/TLS protection useless, and permitted attackers checking out a wireless network to capture or modify data in encrypted sessions.   In other words, all confidential data like passwords, banking information, etc. could have been siphoned off by a targeted attack. While Apple has been quick in providing adequate security patches for iOS devices and Macs, it is an excellent example of how small mistakes can lead to big security holes. Here is the corresponding code from Apple’s Open Source repository. Can you spot the issue? 1 static OSStatus 2 SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) 3 { 4              OSStatus &nb...

Software Defined Cyberinfrastructure

Energy Technology Data Exchange (ETDEWEB)

Foster, Ian; Blaiszik, Ben; Chard, Kyle; Chard, Ryan

2017-07-17

Within and across thousands of science labs, researchers and students struggle to manage data produced in experiments, simulations, and analyses. Largely manual research data lifecycle management processes mean that much time is wasted, research results are often irreproducible, and data sharing and reuse remain rare. In response, we propose a new approach to data lifecycle management in which researchers are empowered to define the actions to be performed at individual storage systems when data are created or modified: actions such as analysis, transformation, copying, and publication. We term this approach software-defined cyberinfrastructure because users can implement powerful data management policies by deploying rules to local storage systems, much as software-defined networking allows users to configure networks by deploying rules to switches.We argue that this approach can enable a new class of responsive distributed storage infrastructure that will accelerate research innovation by allowing any researcher to associate data workflows with data sources, whether local or remote, for such purposes as data ingest, characterization, indexing, and sharing. We report on early experiments with this approach in the context of experimental science, in which a simple if-trigger-then-action (IFTA) notation is used to define rules.

Software Piracy in Research: A Moral Analysis.

Science.gov (United States)

Santillanes, Gary; Felder, Ryan Marshall

2015-08-01

Researchers in virtually every discipline rely on sophisticated proprietary software for their work. However, some researchers are unable to afford the licenses and instead procure the software illegally. We discuss the prohibition of software piracy by intellectual property laws, and argue that the moral basis for the copyright law offers the possibility of cases where software piracy may be morally justified. The ethics codes that scientific institutions abide by are informed by a rule-consequentialist logic: by preserving personal rights to authored works, people able to do so will be incentivized to create. By showing that the law has this rule-consequentialist grounding, we suggest that scientists who blindly adopt their institutional ethics codes will commit themselves to accepting that software piracy could be morally justified, in some cases. We hope that this conclusion will spark debate over important tensions between ethics codes, copyright law, and the underlying moral basis for these regulations. We conclude by offering practical solutions (other than piracy) for researchers.

76 FR 81359 - National Security Personnel System

Science.gov (United States)

2011-12-28

... Security Personnel System AGENCY: Department of Defense; Office of Personnel Management. ACTION: Final rule... concerning the National Security Personnel System (NSPS). Section 1113 of the National Defense Authorization... National Security Personnel System (NSPS) in regulations jointly prescribed by DOD and OPM (Office of...

Software Assurance: Five Essential Considerations for Acquisition Officials

National Research Council Canada - National Science Library

Polydys, Mary L; Wisseman, Stan

2007-01-01

.... A recent Chief Information Office (CIO) Executive Council poll indicated that the top two most important attributes of software are reliable software that functions as promised and software free from security vulnerabilities and malicious code...

78 FR 69168 - Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving Proposed...

Science.gov (United States)

2013-11-18

... approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule... SECURITIES AND EXCHANGE COMMISSION [Release No. 34-70848; File No. SR-NSCC-2013-10] Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving Proposed Rule Change To...

SecureCore Software Architecture: Trusted Path Application (TPA) Requirements

National Research Council Canada - National Science Library

Clark, Paul C; Irvine, Cynthia E; Levin, Timothy E; Nguyen, Thuy D; Vidas, Timothy M

2007-01-01

.... The purpose of the SecureCore research project is to investigate fundamental architectural features required for the trusted operation of mobile computing devices so the security is built-in, transparent and flexible...

75 FR 742 - Temporary Rule Regarding Principal Trades With Certain Advisory Clients

Science.gov (United States)

2010-01-06

... SECURITIES AND EXCHANGE COMMISSION 17 CFR Part 275 [Release No. IA-2965A; File No. S7-23-07] RIN 3235-AJ96 Temporary Rule Regarding Principal Trades With Certain Advisory Clients AGENCY: Securities... transactions with certain of their advisory clients. As adopted, the only change to the rule was the expiration...

Software Defined Networking Demands on Software Technologies

DEFF Research Database (Denmark)

Galinac Grbac, T.; Caba, Cosmin Marius; Soler, José

2015-01-01

Software Defined Networking (SDN) is a networking approach based on a centralized control plane architecture with standardised interfaces between control and data planes. SDN enables fast configuration and reconfiguration of the network to enhance resource utilization and service performances....... This new approach enables a more dynamic and flexible network, which may adapt to user needs and application requirements. To this end, systemized solutions must be implemented in network software, aiming to provide secure network services that meet the required service performance levels. In this paper......, we review this new approach to networking from an architectural point of view, and identify and discuss some critical quality issues that require new developments in software technologies. These issues we discuss along with use case scenarios. Here in this paper we aim to identify challenges...

Software and the future of programming languages.

Science.gov (United States)

Aho, Alfred V

2004-02-27

Although software is the key enabler of the global information infrastructure, the amount and extent of software in use in the world today are not widely understood, nor are the programming languages and paradigms that have been used to create the software. The vast size of the embedded base of existing software and the increasing costs of software maintenance, poor security, and limited functionality are posing significant challenges for the software R&D community.

Cyber/Physical Security Vulnerability Assessment Integration

International Nuclear Information System (INIS)

MacDonald, Douglas G.; Key, Brad; Clements, Samuel L.; Hutton, William J.; Craig, Philip A.; Patrick, Scott W.; Crawford, Cary E.

2011-01-01

This internally funded Laboratory-Directed R and D project by the Pacific Northwest National Laboratory, in conjunction with QinetiQ North America, is intended to identify and properly assess areas of overlap (and interaction) in the vulnerability assessment process between cyber security and physical protection. Existing vulnerability analysis (VA) processes and software tools exist, and these are heavily utilized in the determination of predicted vulnerability within the physical and cyber security domains. These determinations are normally performed independently of one another, and only interact on a superficial level. Both physical and cyber security subject matter experts have come to realize that though the various interactive elements exist, they are not currently quantified in most periodic security assessments. This endeavor aims to evaluate both physical and cyber VA techniques and provide a strategic approach to integrate the interdependent relationships of each into a single VA capability. This effort will also transform the existing suite of software currently utilized in the physical protection world to more accurately quantify the risk associated with a blended attack scenario. Performance databases will be created to support the characterization of the cyber security elements, and roll them into prototype software tools. This new methodology and software capability will enable analysts to better identify and assess the overall risk during a vulnerability analysis.

Governing the Rule-Making of Organic Agriculture

DEFF Research Database (Denmark)

Linneberg, Mai Skjøtt

of Denmark and Sweden. Although the cases illustrate two modes of governance: in the former, rule-making is formally internalized in the State and in the latter, in a private-interest organization, a similar set of stakeholders participate in the actual rule-making processes. The analysis provides...... an interesting avenue into understanding the relationship between local and supranational rule-makers, and how local rule-makers may act to secure local circumstances and demands from supranational legislators concurrently. Moreover, the analysis offers suggestions as to possible consequences of striving...

76 FR 40296 - Declassification of National Security Information

Science.gov (United States)

2011-07-08

... Declassification of National Security Information AGENCY: National Archives and Records Administration. ACTION... classified national security information in records transferred to NARA's legal custody. The rule incorporates changes resulting from issuance of Executive Order 13526, Classified National Security Information...

Foundations for Security Aware Software Development Education

National Research Council Canada - National Science Library

McDonald, Jeffrey T

2005-01-01

.... In this paper, we show how rigorous coding techniques should be woven into the fabric of computer science curriculum and ultimately should be distinguished from requirements-driven security techniques...

Academic Training Lecture Regular Programme: Computer Security - Introduction to information and computer security (1/4)

CERN Multimedia

2012-01-01

Computer Security: Introduction to information and computer security (1/4), by Sebastian Lopienski (CERN).   Monday, 21 May, 2012 from 11:00 to 12:00 (Europe/Zurich) at CERN ( 31-3-004 - IT Auditorium ) Sebastian Lopienski is CERN's Deputy Computer Security Officer. He works on security strategy and policies; offers internal consultancy and audit services; develops and maintains security tools for vulnerability assessment and intrusion detection; provides training and awareness raising; and does incident investigation and response. During his work at CERN since 2001, Sebastian has had various assignments, including designing and developing software to manage and support services hosted in the CERN Computer Centre; providing Central CVS Service for software projects at CERN; and development of applications for accelerator controls in Java. He graduated from the University of Warsaw (MSc in Computer Science) in 2002, and earned an MBA degree at the Enterprise Administration Institute in Ai...

Application Security in the ISO27001 Environment

CERN Document Server

Vinod, Vasudevan; Firosh, Ummer

2008-01-01

Application Security in the ISO27001 Environment demonstrates how to secure software applications within a best practice ISO/IEC 27001 environment and supports implementation of the PCI DSS Payment Application Security Standard.

Agile IT Security Implementation Methodology

CERN Document Server

Laskowski, Jeff

2011-01-01

The book is a tutorial that goes from basic to professional level for Agile IT security. It begins by assuming little knowledge of agile security. Readers should hold a good knowledge of security methods and agile development. The book is targeted at IT security managers, directors, and architects. It is useful for anyone responsible for the deployment of IT security countermeasures. Security people with a strong knowledge of agile software development will find this book to be a good review of agile concepts.

Aspect-oriented security hardening of UML design models

CERN Document Server

Mouheb, Djedjiga; Pourzandi, Makan; Wang, Lingyu; Nouh, Mariam; Ziarati, Raha; Alhadidi, Dima; Talhi, Chamseddine; Lima, Vitor

2015-01-01

This book comprehensively presents a novel approach to the systematic security hardening of software design models expressed in the standard UML language. It combines model-driven engineering and the aspect-oriented paradigm to integrate security practices into the early phases of the software development process. To this end, a UML profile has been developed for the specification of security hardening aspects on UML diagrams. In addition, a weaving framework, with the underlying theoretical foundations, has been designed for the systematic injection of security aspects into UML models. The

A security model for saas in cloud computing

International Nuclear Information System (INIS)

Abbas, R.; Farooq, A.

2016-01-01

Cloud computing is a type of computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications. It has many service modes like Software as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS). In SaaS model, service providers install and activate the applications in cloud and cloud customers access the software from cloud. So, the user does not have the need to purchase and install a particular software on his/her machine. While using SaaS model, there are multiple security issues and problems like Data security, Data breaches, Network security, Authentication and authorization, Data integrity, Availability, Web application security and Backup which are faced by users. Many researchers minimize these security problems by putting in hard work. A large work has been done to resolve these problems but there are a lot of issues that persist and need to overcome. In this research work, we have developed a security model that improves the security of data according to the desire of the End-user. The proposed model for different data security options can be helpful to increase the data security through which trade-off between functionalities can be optimized for private and public data. (author)

Automating Software Development Process using Fuzzy Logic

NARCIS (Netherlands)

Marcelloni, Francesco; Aksit, Mehmet; Damiani, Ernesto; Jain, Lakhmi C.; Madravio, Mauro

2004-01-01

In this chapter, we aim to highlight how fuzzy logic can be a valid expressive tool to manage the software development process. We characterize a software development method in terms of two major components: artifact types and methodological rules. Classes, attributes, operations, and inheritance

Medicare and Social Security: fraud and abuse; civil money penalties for misuse of certain terms, symbols and emblems--HHS. Final rule.

Science.gov (United States)

1991-08-28

This final rule implements section 428(a) of Public Law 100-360 which authorizes the imposition of civil money penalties for the use--in advertising, solicitations or other communications--of certain words, letters, symbols or emblems associated with the Department of Health and Human Services' Social Security and Medicare programs in a manner that the user knows, or should know, would convey a false impression that (1) the communicated item was approved, endorsed or authorized by the Department or its programs, or (2) the responsible person or organization has some connection with, or authorization from, the Department or these programs. This rulemaking is designed to assist in protecting citizens from misrepresentations concerning the services offered and programs administered by the Social Security Administration and the Health Care Financing Administration.

77 FR 39554 - Self-Regulatory Organizations; NYSE Arca, Inc.; Order Granting Approval of Proposed Rule Change...

Science.gov (United States)

2012-07-03

... later date at a fixed price. The Fund may not (i) with respect to 75% of its total assets, purchase... security. The Fund will not purchase illiquid securities, including Rule 144A securities and loan... 204A-1 under the Advisers Act relating to codes of ethics. This Rule requires investment advisers to...

77 FR 56681 - Order Granting Limited Exemptions From Exchange Act Rule 10b-17 and Rules 101 and 102 of...

Science.gov (United States)

2012-09-13

... created series of the Company. The Fund will invest in stocks consisting of the component securities of... Regulation M Generally, Rule 101 of Regulation M is an anti-manipulation rule that, subject to certain... exemption are directed to the anti-fraud and anti-manipulation provisions of the Exchange Act, particularly...

Aligning Requirements-Driven Software Processes with IT Governance

OpenAIRE

Nguyen Huynh Anh, Vu; Kolp, Manuel; Heng, Samedi; Wautelet, Yves

2017-01-01

Requirements Engineering is closely intertwined with Information Technology (IT) Governance. Aligning IT Governance principles with Requirements-Driven Software Processes allows them to propose governance and management rules for software development to cope with stakeholders’ requirements and expectations. Typically, the goal of IT Governance in software engineering is to ensure that the results of a software organization business processes meet the strategic requirements of the organization...

Computer Security: How to succeed in software deployment

CERN Multimedia

Computer Security Team

2014-01-01

The summer student period has ended and we would like to congratulate all those who successfully accomplished their project! In particular, well done to those who managed to develop and deploy sophisticated web applications in the short summer season. Unfortunately, not all web applications made the final cut, moved into production and became visible on the Internet. We had to reject some... let me explain why.   Making a web application visible on the Internet requires an opening in the CERN outer perimeter firewall. Such a request is usually made through the CERN WebReq web interface. As standard procedure, the CERN Computer Security team reviews every request and performs a security assessment. This is where you, your supervisee and the Computer Security team all start to get frustrated. Many summer students delivered awesome web applications with great new functions and a good “look and feel” following precise use cases, using modern web technologies, dashboards, integr...

33 CFR 83.36 - Signals to attract attention (Rule 36).

Science.gov (United States)

2010-07-01

... 33 Navigation and Navigable Waters 1 2010-07-01 2010-07-01 false Signals to attract attention... SECURITY INLAND NAVIGATION RULES RULES Sound and Light Signals § 83.36 Signals to attract attention (Rule 36). If necessary to attract the attention of another vessel, any vessel may make light or sound...

The use of crypto-analysis techniques for securing internet ...

African Journals Online (AJOL)

... recommended to be combined with other techniques, such as client-side software, data transaction protocols, web server software, and the network server operating system involved in handling e-commerce, for securing internet transaction. This recommendation will invariable ensure that internet transaction is secured.

Query translation for XPath-based security views

NARCIS (Netherlands)

Vercammen, R.; Hidders, A.J.H.; Paredaens, J.; Grust, T.; Hopfner, H.; Illarramendi, A.

2006-01-01

Since XML is used as a storage format in an increasing number of applications, security has become an important issue in XML databases. One aspect of security is restricting access to data by certain users. This can, for example, be achieved by means of access rules or XML security views, which

75 FR 57384 - Rescission of Rules Pertaining to the Payment of Bounties for Information Leading to the Recovery...

Science.gov (United States)

2010-09-21

.... SUPPLEMENTARY INFORMATION: The Insider Trading and Securities Fraud Enforcement Act of 1988 authorized the... SECURITIES AND EXCHANGE COMMISSION 17 CFR Part 201 [Release No. 34-62921] Rescission of Rules... Trading AGENCY: Securities and Exchange Commission. ACTION: Final rule. SUMMARY: The Dodd-Frank Wall...

Enhancing Parliamentary Oversight for Effective Security Sector ...

African Journals Online (AJOL)

2015-06-09

Jun 9, 2015 ... transition from violent conflict or prolonged authoritarian rule. .... State whose primary interest was to secure his regime and prevent ... June 12, 1993 presidential elections triggered the emergence of violent non-state security.

A code inspection process for security reviews

Science.gov (United States)

Garzoglio, Gabriele

2010-04-01

In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.

A code inspection process for security reviews

International Nuclear Information System (INIS)

Garzoglio, Gabriele

2010-01-01

In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.

A code inspection process for security reviews

Energy Technology Data Exchange (ETDEWEB)

Garzoglio, Gabriele; /Fermilab

2009-05-01

In recent years, it has become more and more evident that software threat communities are taking an increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice. The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact. This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks. This paper describes the inspection process and lessons learned on applying it to Grid middleware.

Privatising Security

Directory of Open Access Journals (Sweden)

Irina Mindova-Docheva

2016-06-01

Full Text Available The article proposes an analysis of the different approaches towards employing the international legal framework in the regulation and oversight of private military and security companies’ operation in armed conflicts and in peace time security systems. It proposes a partnership-based approach for public and private actors aiming at creating and sharing common values under the principles of solidarity, protection of human rights and rule of law. A focus of further research should be the process of shaping those common values.

33 CFR 89.27 - Waters upon which Inland Rule 24(i) applies.

Science.gov (United States)

2010-07-01

... 33 Navigation and Navigable Waters 1 2010-07-01 2010-07-01 false Waters upon which Inland Rule 24(i) applies. 89.27 Section 89.27 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY INLAND NAVIGATION RULES INLAND NAVIGATION RULES: IMPLEMENTING RULES Waters Upon Which Certain...

Securing collaborative environments

Energy Technology Data Exchange (ETDEWEB)

Agarwal, Deborah [Lawrence Berkeley National Lab. (LBNL), Berkeley, CA (United States); Jackson, Keith [Lawrence Berkeley National Lab. (LBNL), Berkeley, CA (United States); Thompson, Mary [Lawrence Berkeley National Lab. (LBNL), Berkeley, CA (United States)

2002-05-16

The diverse set of organizations and software components involved in a typical collaboratory make providing a seamless security solution difficult. In addition, the users need support for a broad range of frequency and locations for access to the collaboratory. A collaboratory security solution needs to be robust enough to ensure that valid participants are not denied access because of its failure. There are many tools that can be applied to the task of securing collaborative environments and these include public key infrastructure, secure sockets layer, Kerberos, virtual and real private networks, grid security infrastructure, and username/password. A combination of these mechanisms can provide effective secure collaboration capabilities. In this paper, we discuss the requirements of typical collaboratories and some proposals for applying various security mechanisms to collaborative environments.

Foundations for Security Aware Software Development Education

National Research Council Canada - National Science Library

McDonald, Jeffrey T

2005-01-01

Software vulnerability is part and parcel of modern information systems. Even though eliminating all vulnerability is not possible, reducing exploitable code can be accomplished long term by laying the right programming foundations...

Development of Watch Schedule Using Rules Approach

Science.gov (United States)

Jurkevicius, Darius; Vasilecas, Olegas

The software for schedule creation and optimization solves a difficult, important and practical problem. The proposed solution is an online employee portal where administrator users can create and manage watch schedules and employee requests. Each employee can login with his/her own account and see his/her assignments, manage requests, etc. Employees set as administrators can perform the employee scheduling online, manage requests, etc. This scheduling software allows users not only to see the initial and optimized watch schedule in a simple and understandable form, but also to create special rules and criteria and input their business. The system using rules automatically will generate watch schedule.

Computer security

CERN Document Server

Gollmann, Dieter

2011-01-01

A completely up-to-date resource on computer security Assuming no previous experience in the field of computer security, this must-have book walks you through the many essential aspects of this vast topic, from the newest advances in software and technology to the most recent information on Web applications security. This new edition includes sections on Windows NT, CORBA, and Java and discusses cross-site scripting and JavaScript hacking as well as SQL injection. Serving as a helpful introduction, this self-study guide is a wonderful starting point for examining the variety of competing sec

Security Bingo

CERN Multimedia

Computer Security Team

2011-01-01

Want to check your security awareness and win one of three marvellous books on computer security? Just print out this page, mark which of the 25 good practices below you already follow, and send the sheet back to us by 31 October 2011 at either Computer.Security@cern.ch or P.O. Box G19710.   Winners[1] must show that they fulfil at least five good practices in a continuous vertical, horizontal or diagonal row. For details on CERN Computer Security, please consult http://cern.ch/security. I personally…   …am concerned about computer security. …run my computer with an anti-virus software and up-to-date signature files. …lock my computer screen whenever I leave my office. …have chosen a reasonably complex password. …have restricted access to all my files and data. …am aware of the security risks and threats to CERN’s computing facilities. &hell...

76 FR 60939 - Metal Fatigue Analysis Performed by Computer Software

Science.gov (United States)

2011-09-30

... Software AGENCY: Nuclear Regulatory Commission. ACTION: Regulatory issue summary; request for comment... computer software package, WESTEMS TM , to demonstrate compliance with Section III, ``Rules for... Software Addressees All holders of, and applicants for, a power reactor operating license or construction...

28 CFR 501.2 - National security cases.

Science.gov (United States)

2010-07-01

... 28 Judicial Administration 2 2010-07-01 2010-07-01 false National security cases. 501.2 Section... ADMINISTRATION SCOPE OF RULES § 501.2 National security cases. (a) Upon direction of the Attorney General, the... unauthorized disclosure of such information would pose a threat to the national security and that there is a...

Social Security and Part-Time Employment.

Science.gov (United States)

Euzeby, Alain

1988-01-01

Discusses rules governing social security and their implications for part-time employees in various countries. Topics include (1) methods of financing social security, (2) benefits, (3) measures concerning the unemployed, (4) a floor for employers' contributions, (5) graduated contribution rates, and (6) financial incentives. (CH)

Army Secure Operating System: Information Security for Real Time Systems

National Research Council Canada - National Science Library

Anderson, Eric

1984-01-01

The Army Secure Operating System (ASOS) project, under the management of the U.S. Army CECOM organization, will provide real time systems software necessary for fielding modern Battlefield Automation Systems...

Approach to design neural cryptography: a generalized architecture and a heuristic rule.

Science.gov (United States)

Mu, Nankun; Liao, Xiaofeng; Huang, Tingwen

2013-06-01

Neural cryptography, a type of public key exchange protocol, is widely considered as an effective method for sharing a common secret key between two neural networks on public channels. How to design neural cryptography remains a great challenge. In this paper, in order to provide an approach to solve this challenge, a generalized network architecture and a significant heuristic rule are designed. The proposed generic framework is named as tree state classification machine (TSCM), which extends and unifies the existing structures, i.e., tree parity machine (TPM) and tree committee machine (TCM). Furthermore, we carefully study and find that the heuristic rule can improve the security of TSCM-based neural cryptography. Therefore, TSCM and the heuristic rule can guide us to designing a great deal of effective neural cryptography candidates, in which it is possible to achieve the more secure instances. Significantly, in the light of TSCM and the heuristic rule, we further expound that our designed neural cryptography outperforms TPM (the most secure model at present) on security. Finally, a series of numerical simulation experiments are provided to verify validity and applicability of our results.

Evaluation and selection of security products for authentication of computer software

Science.gov (United States)

Roenigk, Mark W.

2000-04-01

Software Piracy is estimated to cost software companies over eleven billion dollars per year in lost revenue worldwide. Over fifty three percent of all intellectual property in the form of software is pirated on a global basis. Software piracy has a dramatic effect on the employment figures for the information industry as well. In the US alone, over 130,000 jobs are lost annually as a result of software piracy.

31 CFR 356.32 - What tax rules apply?

Science.gov (United States)

2010-07-01

... political subdivision of a State, except for State estate or inheritance taxes and other exceptions as... 31 Money and Finance: Treasury 2 2010-07-01 2010-07-01 false What tax rules apply? 356.32 Section...) Miscellaneous Provisions § 356.32 What tax rules apply? (a) General. Securities issued under this part are...

Food security governance in Latin America

NARCIS (Netherlands)

Pérez-Escamilla, Rafael; Shamah-Levy, Teresa; Candel, Jeroen

2017-01-01

In spite of major advances in recent decades, food insecurity continues to be a pressing concern to policymakers across the world. Food security governance (FSG) relates to the formal and informal rules and processes through which interests are articulated, and decisions relevant to food security

Cloud Security: Issues and Research Directions

Science.gov (United States)

2014-11-18

4. Cloud Computing Security: What Changes with Software - Defined Networking ? Maur´ıcio Tsugawa, Andr´ea Matsunaga, and Jos´e A. B. Fortes 5...machine’s memory from an untrusted or malicious hypervisor. In Chapter 4, Tsugawa et al. discuss the security issues introduced when Software - Defined ... Networking ( SDN ) is deployed within and across clouds. Chapters 5-9 are focused on the protection of data stored in the cloud. In Chapter 5, Wang et

Implementation of computer security at nuclear facilities in Germany

Energy Technology Data Exchange (ETDEWEB)

Lochthofen, Andre; Sommer, Dagmar [Gesellschaft fuer Anlagen- und Reaktorsicherheit mbH (GRS), Koeln (Germany)

2013-07-01

In recent years, electrical and I and C components in nuclear power plants (NPPs) were replaced by software-based components. Due to the increased number of software-based systems also the threat of malevolent interferences and cyber-attacks on NPPs has increased. In order to maintain nuclear security, conventional physical protection measures and protection measures in the field of computer security have to be implemented. Therefore, the existing security management process of the NPPs has to be expanded to computer security aspects. In this paper, we give an overview of computer security requirements for German NPPs. Furthermore, some examples for the implementation of computer security projects based on a GRS-best-practice-approach are shown. (orig.)

Implementation of computer security at nuclear facilities in Germany

International Nuclear Information System (INIS)

Lochthofen, Andre; Sommer, Dagmar

2013-01-01

In recent years, electrical and I and C components in nuclear power plants (NPPs) were replaced by software-based components. Due to the increased number of software-based systems also the threat of malevolent interferences and cyber-attacks on NPPs has increased. In order to maintain nuclear security, conventional physical protection measures and protection measures in the field of computer security have to be implemented. Therefore, the existing security management process of the NPPs has to be expanded to computer security aspects. In this paper, we give an overview of computer security requirements for German NPPs. Furthermore, some examples for the implementation of computer security projects based on a GRS-best-practice-approach are shown. (orig.)

17 CFR 240.19c-3 - Governing off-board trading by members of national securities exchanges.

Science.gov (United States)

2010-04-01

... members of national securities exchanges. 240.19c-3 Section 240.19c-3 Commodity and Securities Exchanges... Members § 240.19c-3 Governing off-board trading by members of national securities exchanges. The rules of each national securities exchange shall provide as follows: (a) No rule, stated policy or practice of...

REVEAL - A tool for rule driven analysis of safety critical software

International Nuclear Information System (INIS)

Miedl, H.; Kersken, M.

1998-01-01

As the determination of ultrahigh reliability figures for safety critical software is hardly possible, national and international guidelines and standards give mainly requirements for the qualitative evaluation of software. An analysis whether all these requirements are fulfilled is time and effort consuming and prone to errors, if performed manually by analysts, and should instead be dedicated to tools as far as possible. There are many ''general-purpose'' software analysis tools, both static and dynamic, which help analyzing the source code. However, they are not designed to assess the adherence to specific requirements of guidelines and standards in the nuclear field. Against the background of the development of I and C systems in the nuclear field which are based on digital techniques and implemented in high level language, it is essential that the assessor or licenser has a tool with which he can automatically and uniformly qualify as many aspects as possible of the high level language software. For this purpose the software analysis tool REVEAL has been developed at ISTec and the Halden Reactor Project. (author)

Survey of Cyber Security Methods for the Nuclear Power Plants

Energy Technology Data Exchange (ETDEWEB)

Choi, Yoo Rark; Lee, Jae Cheol; Choi, Young Soo; Hong, Seok Boong [Korea Atomic Energy Research Institute, Daejeon (Korea, Republic of)

2009-10-15

Cyber security includes the method of protecting information, computer programs, and other computer system assets. Hardware security, which is the security of computer assets and capital equipment, refers to computer location, access control, fire protection, and storage procedures. Such measures as badges, electronic identification keys, alarm systems, and physical barriers at entries are used for this purpose. Software security entails the protection of software assets such as Application Programs, the Operating System, and the Data Base Management System and stored information. Special user numbers and passwords are typically used to prevent unauthorized access to software and data. In addition to security for hardware and software, good internal control also requires that measures be taken to prevent loss or accidental destruction of data. Cyber attacks create substantial threats to large enterprises, including federal systems and digital I and C of a NPP (Nuclear Power Plant) is one of them. The cyber security policy for the digital I and C network of the NPP has been established for years by KINS, but its scope is very broad and conceptual. We will propose a cyber security method based on cryptography and authentication that is developed for the digital I and C network of the NPP.

Survey of Cyber Security Methods for the Nuclear Power Plants

International Nuclear Information System (INIS)

Choi, Yoo Rark; Lee, Jae Cheol; Choi, Young Soo; Hong, Seok Boong

2009-01-01

Cyber security includes the method of protecting information, computer programs, and other computer system assets. Hardware security, which is the security of computer assets and capital equipment, refers to computer location, access control, fire protection, and storage procedures. Such measures as badges, electronic identification keys, alarm systems, and physical barriers at entries are used for this purpose. Software security entails the protection of software assets such as Application Programs, the Operating System, and the Data Base Management System and stored information. Special user numbers and passwords are typically used to prevent unauthorized access to software and data. In addition to security for hardware and software, good internal control also requires that measures be taken to prevent loss or accidental destruction of data. Cyber attacks create substantial threats to large enterprises, including federal systems and digital I and C of a NPP (Nuclear Power Plant) is one of them. The cyber security policy for the digital I and C network of the NPP has been established for years by KINS, but its scope is very broad and conceptual. We will propose a cyber security method based on cryptography and authentication that is developed for the digital I and C network of the NPP

Security controls in a Cullinet database environment

International Nuclear Information System (INIS)

Thompson, R.E.

1988-01-01

Security controls using Cullinet's Integrated Data Management System (IDMS) are examined. IDMS software integrity problems, with emphasis on security package interfaces, are disclosed. Solutions applied at Sandia Laboratories Engineering Information Management computing facilty are presented. An overall IDMS computer security philosophy is reviewed

Applicable Law on Demobilized and Dematerialized Securities

Directory of Open Access Journals (Sweden)

Wael Saghir

2017-09-01

Full Text Available In this paper Wael Saghir examines the priority in the business and financial worlds for companies to pursue reduced transaction costs, creating a trend towards demobilization or dematerialization of securities. His paper explains the nature of securities and the governing laws needed to resolve problems of conflict of law rules related to securities.

76 FR 70350 - West Oahu Offshore Security Zone

Science.gov (United States)

2011-11-14

... DEPARTMENT OF HOMELAND SECURITY Coast Guard 33 CFR Part 165 [Docket No. USCG-2011-1048] RIN 1625-AA87 West Oahu Offshore Security Zone AGENCY: Coast Guard, DHS. ACTION: Temporary final rule. SUMMARY: The Coast Guard is establishing a temporary security zone on the navigable waters of Oahu's western...

Rule Systems for Runtime Verification: A Short Tutorial

Science.gov (United States)

Barringer, Howard; Havelund, Klaus; Rydeheard, David; Groce, Alex

In this tutorial, we introduce two rule-based systems for on and off-line trace analysis, RuleR and LogScope. RuleR is a conditional rule-based system, which has a simple and easily implemented algorithm for effective runtime verification, and into which one can compile a wide range of temporal logics and other specification formalisms used for runtime verification. Specifications can be parameterized with data, or even with specifications, allowing for temporal logic combinators to be defined. We outline a number of simple syntactic extensions of core RuleR that can lead to further conciseness of specification but still enabling easy and efficient implementation. RuleR is implemented in Java and we will demonstrate its ease of use in monitoring Java programs. LogScope is a derivation of RuleR adding a simple very user-friendly temporal logic. It was developed in Python, specifically for supporting testing of spacecraft flight software for NASA’s next 2011 Mars mission MSL (Mars Science Laboratory). The system has been applied by test engineers to analysis of log files generated by running the flight software. Detailed logging is already part of the system design approach, and hence there is no added instrumentation overhead caused by this approach. While post-mortem log analysis prevents the autonomous reaction to problems possible with traditional runtime verification, it provides a powerful tool for test automation. A new system is being developed that integrates features from both RuleR and LogScope.

CrossTalk: The Journal of Defense Software Engineering. Volume 19, Number 9

Science.gov (United States)

2006-09-01

activities to ISO /IEC 15288 system life cycle and ISO /IEC 12207 software life cycle processes. • Microsoft Security Development Lifecycle (SDL) [18, 19...Standardization/International Electrotechnical Commission ( ISO / IEC) Standard 15026 System and Software Assurance, which adds securi- ty assurance...Software ProcessSM (TSPSM Secure) [21]. The CMM and ISO /IEC process models are defined at a higher level of abstraction than SDL and CLASP, which

Rules-based analysis with JBoss Drools: adding intelligence to automation

International Nuclear Information System (INIS)

Ley, E. de; Jacobs, D.

2012-01-01

Rule engines are specialized software systems for applying conditional actions (if/then rules) on data. They are also known as 'production rule systems'. Rules engines are less-known as software technology than the traditional procedural, object-oriented, scripting or dynamic development languages. This is a pity, as their usage may offer an important enrichment to a development toolbox. JBoss Drools is an open-source rules engine that can easily be embedded in any Java application. Through an integration in our Passerelle process automation suite, we have been able to provide advanced solutions for intelligent process automation, complex event processing, system monitoring and alarming, automated repair etc. This platform has been proven for many years as an automated diagnosis and repair engine for Belgium's largest telecom provider, and it is being piloted at Synchrotron Soleil for device monitoring and alarming. After an introduction to rules engines in general and JBoss Drools in particular, we will present its integration in a solution platform, some important principles and a practical use case. (authors)

Host based internet protocol (IP) packet analysis to enhance network security

International Nuclear Information System (INIS)

Ahmad, T.; Ahmad, S.Z.; Yasin, M.M.

2007-01-01

Data communication in a computer network environment is facing serious security threats from numerous sources such as viruses, worms, Zombies etc. These threats can be broadly characterized as internal or external security threats. Internal threats are mainly attributed to sneaker-nets, utility modems and unauthorized users, which can be minimized by skillful network administration, password management and optimum usage policy definition. The external threats need more serious attention as these attacks are mostly coming from public networks such as Internet. Frequency and complexity of such attacks is much higher as compared to internal attacks. This paper presents a host based network layer screening of external and internal IP packets for logging, analyzing and real-time detection of possible IP spoofing and Denial of Service attacks. This work can also be used in tuning security rules definition for gateway firewalls. Software has been developed which intercepts IP traffic and analyses it with respect to integrity and origin of I P packet. The received IP packets are parsed and analyzed for possible signs of intrusion. The results show that by watching and categorizing composition of various transport protocol such as TCP, UDP, ICMP and others along with verifying the origin of received IP packet can help in devising real-time firewall rule and blocking possible external attack. This is highly desirable for fighting against zero day attacks and can result in a better Mean Time between Failures (MTBF) to increase the survivability of computer network. Used in a right context, packet screening and filtering can be a useful tool for provision of reliable and stable network services. (author)

Software development an open source approach

CERN Document Server

Tucker, Allen; de Silva, Chamindra

2011-01-01

Overview and Motivation Software Free and Open Source Software (FOSS)Two Case Studies Working with a Project Team Key FOSS Activities Client-Oriented vs. Community-Oriented Projects Working on a Client-Oriented Project Joining a Community-Oriented Project Using Project Tools Collaboration Tools Code Management Tools Run-Time System ConstraintsSoftware Architecture Architectural Patterns Layers, Cohesion, and Coupling Security Concurrency, Race Conditions, and DeadlocksWorking with Code Bad Smells and Metrics Refactoring Testing Debugging Extending the Software for a New ProjectDeveloping the D

Security measures required for HIPAA privacy.

Science.gov (United States)

Amatayakul, M

2000-01-01

HIPAA security requirements include administrative, physical, and technical services and mechanisms to safeguard confidentiality, availability, and integrity of health information. Security measures, however, must be implemented in the context of an organization's privacy policies. Because HIPAA's proposed privacy rules are flexible and scalable to account for the nature of each organization's business, size, and resources, each organization will be determining its own privacy policies within the context of the HIPAA requirements and its security capabilities. Security measures cannot be implemented in a vacuum.

Security Support in Continuous Deployment Pipeline

DEFF Research Database (Denmark)

Ullah, Faheem; Raft, Adam Johannes; Shahin, Mojtaba

2017-01-01

Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP...... penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections....

Secure Handshake in Wi-Fi Connection (A Secure and Enhanced Communication Protocol)

OpenAIRE

Ranbir Sinha; Nishant Behar; Devendra Singh

2012-01-01

This paper presents a concept of enhancing the security in wireless communication. A Computer Network is an interconnected group of autonomous computing nodes, which use a well-defined, mutually agreed set of rules and conventions known as protocols, interact with one-another meaningfully and allow resource sharing preferably in a predictable and controllable manner. Communication has a major impact on today’s business. It is desired to communicate data with high security. These days wireless...

Clean architecture a craftsman's guide to software structure and design

CERN Document Server

Martin, Robert C

2018-01-01

By applying universal rules of software architecture, you can dramatically improve developer productivity throughout the life of any software system. Now, building upon the success of his best-selling books Clean Code and The Clean Coder, legendary software craftsman Robert C. Martin (“Uncle Bob”) reveals those rules and helps you apply them. Martin’s Clean Architecture doesn’t merely present options. Drawing on over a half-century of experience in software environments of every imaginable type, Martin tells you what choices to make and why they are critical to your success. As you’ve come to expect from Uncle Bob, this book is packed with direct, no-nonsense solutions for the real challenges you’ll face—the ones that will make or break your projects. Learn what software architects need to achieve—and core disciplines and practices for achieving it Master essential software design principles for addressing function, component separation, and data management See how programming...

Advances in software development for intelligent interfaces for alarm and emergency management consoles

International Nuclear Information System (INIS)

Moseley, M.R.; Olson, C.E.

1986-01-01

Recent advances in technology allow features like voice synthesis, voice and speech recognition, image understanding, and intelligent data base management to be incorporated in computer driven alarm and emergency management information systems. New software development environments make it possible to do rapid prototyping of custom applications. Three examples using these technologies are discussed. (1) Maximum use is made of high-speed graphics and voice synthesis to implement a state-of-the-art alarm processing and display system with features that make the operator-machine interface efficient and accurate. Although very functional, this system is not portable or flexible; the software would have to be substantially rewritten for other applications. (2) An application generator which has the capability of ''building'' a specific alarm processing and display application in a matter of a few hours, using the site definition developed in the security planning phase to produce the custom application. This package is based on a standardized choice of hardware, within which it is capable of building a system to order, automatically constructing graphics, data tables, alarm prioritization rules, and interfaces to peripherals. (3) A software tool, the User Interface Management System (UIMS), is described which permits rapid prototyping of human-machine interfaces for a variety of applications including emergency management, alarm display and process information display. The object-oriented software of the UIMS achieves rapid prototyping of a new interface by standardizing to a class library of software objects instead of hardware objects

Open Source Software Success Model for Iran: End-User Satisfaction Viewpoint

Directory of Open Access Journals (Sweden)

Ali Niknafs

2012-03-01

Full Text Available The open source software development is notable option for software companies. Recent years, many advantages of this software type are cause of move to that in Iran. National security and international restrictions problems and also software and services costs and more other problems intensified importance of use of this software. Users and their viewpoints are the critical success factor in the software plans. But there is not an appropriate model for open source software case in Iran. This research tried to develop a measuring open source software success model for Iran. By use of data gathered from open source users and online survey the model was tested. The results showed that components by positive effect on open source success were user satisfaction, open source community services quality, open source quality, copyright and security.

75 FR 14227 - Self-Regulatory Organizations; The NASDAQ Stock Market LLC; Order Approving Proposed Rule Change...

Science.gov (United States)

2010-03-24

... Commission has considered the proposed rule's impact on efficiency, competition, and capital formation. See... its rules governing NOM, the Securities Industry and Financial Markets Association (``SIFMA... security.''). See also Newton v. Merrill, Lynch, Pierce, Fenner & Smith, Inc., 135 F.3d 266, at 271, 274...

Security Testing Handbook for Banking Applications

CERN Document Server

Doraiswamy, Arvind; Kapoor, Nilesh

2009-01-01

Security Testing Handbook for Banking Applications is a specialised guide to testing a wide range of banking applications. The book is intended as a companion to security professionals, software developers and QA professionals who work with banking applications.

Producing and supporting sharable software

International Nuclear Information System (INIS)

Johnstad, H.; Nicholls, J.

1987-02-01

A survey is reported that addressed the question of shareable software for the High Energy Physics community. Statistics are compiled for the responses of 54 people attending a conference on the subject of shareable software to a questionnaire which addressed the usefulness of shareable software, preference of programming language, and source management tools. The results are found to reflect a continued need for shareable software in the High Energy Physics community and that this effort be performed in coordination. A strong mandate is also claimed for large facilities to support the community with software and that these facilities should act as distribution points. Considerable interest is expressed in languages other than FORTRAN, and the desire for standards or rules in programming is expressed. A need is identified for source management tools

Software tool for data mining and its applications

Science.gov (United States)

Yang, Jie; Ye, Chenzhou; Chen, Nianyi

2002-03-01

A software tool for data mining is introduced, which integrates pattern recognition (PCA, Fisher, clustering, hyperenvelop, regression), artificial intelligence (knowledge representation, decision trees), statistical learning (rough set, support vector machine), computational intelligence (neural network, genetic algorithm, fuzzy systems). It consists of nine function models: pattern recognition, decision trees, association rule, fuzzy rule, neural network, genetic algorithm, Hyper Envelop, support vector machine, visualization. The principle and knowledge representation of some function models of data mining are described. The software tool of data mining is realized by Visual C++ under Windows 2000. Nonmonotony in data mining is dealt with by concept hierarchy and layered mining. The software tool of data mining has satisfactorily applied in the prediction of regularities of the formation of ternary intermetallic compounds in alloy systems, and diagnosis of brain glioma.

Analyses Of Two End-User Software Vulnerability Exposure Metrics

Energy Technology Data Exchange (ETDEWEB)

Jason L. Wright; Miles McQueen; Lawrence Wellman

2012-08-01

The risk due to software vulnerabilities will not be completely resolved in the near future. Instead, putting reliable vulnerability measures into the hands of end-users so that informed decisions can be made regarding the relative security exposure incurred by choosing one software package over another is of importance. To that end, we propose two new security metrics, average active vulnerabilities (AAV) and vulnerability free days (VFD). These metrics capture both the speed with which new vulnerabilities are reported to vendors and the rate at which software vendors fix them. We then examine how the metrics are computed using currently available datasets and demonstrate their estimation in a simulation experiment using four different browsers as a case study. Finally, we discuss how the metrics may be used by the various stakeholders of software and to software usage decisions.

THE EXPERIENCE OF COMPARISON OF STATIC SECURITY CODE ANALYZERS

Directory of Open Access Journals (Sweden)

Alexey Markov

2015-09-01

Full Text Available This work presents a methodological approach to comparison of static security code analyzers. It substantiates the comparison of the static analyzers as to efficiency and functionality indicators, which are stipulated in the international regulatory documents. The test data for assessment of static analyzers efficiency is represented by synthetic sets of open-source software, which contain vulnerabilities. We substantiated certain criteria for quality assessment of the static security code analyzers subject to standards NIST SP 500-268 and SATEC. We carried out experiments that allowed us to assess a number of the Russian proprietary software tools and open-source tools. We came to the conclusion that it is of paramount importance to develop Russian regulatory framework for testing software security (firstly, for controlling undocumented features and evaluating the quality of static security code analyzers.

CBP Customs Rulings Online Search System (CROSS)

Data.gov (United States)

Department of Homeland Security — CROSS is a searchable database of CBP rulings that can be retrieved based on simple or complex search characteristics using keywords and Boolean operators. CROSS has...

Achieving Security Assurance with Assertion-based Application Construction

Directory of Open Access Journals (Sweden)

Carlos E. Rubio-Medrano

2015-12-01

Full Text Available Modern software applications are commonly built by leveraging pre-fabricated modules, e.g. application programming interfaces (APIs, which are essential to implement the desired functionalities of software applications, helping reduce the overall development costs and time. When APIs deal with security-related functionality, it is critical to ensure they comply with their design requirements since otherwise unexpected flaws and vulnerabilities may consequently occur. Often, such APIs may lack sufficient specification details, or may implement a semantically-different version of a desired security model to enforce, thus possibly complicating the runtime enforcement of security properties and making it harder to minimize the existence of serious vulnerabilities. This paper proposes a novel approach to address such a critical challenge by leveraging the notion of software assertions. We focus on security requirements in role-based access control models and show how proper verification at the source-code level can be performed with our proposed approach as well as with automated state-of-the-art assertion-based techniques.

A Novel Algorithm for Flow-Rule Placement in SDN Switches

DEFF Research Database (Denmark)

Kentis, Angelos Mimidis; Pilimon, Artur; Soler, José

2018-01-01

power consumption and high silicon footprint. To counter this limitation, some commercial switches offer both, hardware and software flow table implementations, termed hybrid flow table architecture in this paper. The software-based tables are stored in non-TCAM memory modules, which offer higher...... flow rule should be placed in a hardware (expensive) or a software (cheap) table. The placement decisions are based on a number of criteria with the goal to increase the utilization of the software-based table, without introducing performance degradation in the network in terms of significant delay......The forwarding rules, used by the legacy and SDN network devices to perform routing/forwarding decisions, are generally stored in Ternary Content Addressable Memory (TCAM) modules, which offer constant look-up times, but have limited capacity, due to their high capital and operational costs, high...

77 FR 76854 - Temporary Rule Regarding Principal Trades With Certain Advisory Clients

Science.gov (United States)

2012-12-31

... 3235-AL28 Temporary Rule Regarding Principal Trades With Certain Advisory Clients AGENCY: Securities... transactions with certain of their advisory clients. The amendment extends the date on which rule 206(3)- 3T... releases used RIN 3235-AJ96. (See Temporary Rule Regarding Principal Trades with Certain Advisory Clients...

Trade and investment rules for energy

Energy Technology Data Exchange (ETDEWEB)

NONE

2009-09-15

Rules that govern energy trade is an issue that has generated increasing concern everywhere, from the standpoint of both the security of supply for consumers and security of demand for suppliers. This concern reflects the importance of rules that comprehensively address the needs from supply and demand point of view and integrate the international fabric of energy trade. The GATT and the WTO Agreement define trans-border movement of energy but leave many aspects unclear, particularly as efforts accelerate to control carbon emissions. This timely report by a WEC Task Force of experts with legal standing in the energy business identifies the most pressing issues relating to energy trade and suggests actions and measures which, if implemented, would provide clarity and answer many questions. More importantly, these measures would strengthen the WTO and coming rounds of negotiations.

How to Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods

National Research Council Canada - National Science Library

Mead, Nancy R

2007-01-01

The Security Quality Requirements Engineering (SQUARE) method, developed at the Carnegie Mellon Software Engineering Institute, provides a systematic way to identify security requirements in a software development project...

Building an intelligence-led security program

CERN Document Server

Liska, Allan

2014-01-01

As recently as five years ago, securing a network meant putting in a firewall, intrusion detection system, and installing antivirus software on the desktop. Unfortunately, attackers have grown more nimble and effective, meaning that traditional security programs are no longer effective. Today's effective cyber security programs take these best practices and overlay them with intelligence. Adding cyber threat intelligence can help security teams uncover events not detected by traditional security platforms and correlate seemingly disparate events across the network. Properly-implemented inte

Security Research on Engineering Database System

Institute of Scientific and Technical Information of China (English)

无

2002-01-01

Engine engineering database system is an oriented C AD applied database management system that has the capability managing distributed data. The paper discusses the security issue of the engine engineering database management system (EDBMS). Through studying and analyzing the database security, to draw a series of securi ty rules, which reach B1, level security standard. Which includes discretionary access control (DAC), mandatory access control (MAC) and audit. The EDBMS implem ents functions of DAC, ...

Predicting Vulnerability Risks Using Software Characteristics

Science.gov (United States)

Roumani, Yaman

2012-01-01

Software vulnerabilities have been regarded as one of the key reasons for computer security breaches that have resulted in billions of dollars in losses per year (Telang and Wattal 2005). With the growth of the software industry and the Internet, the number of vulnerability attacks and the ease with which an attack can be made have increased. From…

Elements of social security

DEFF Research Database (Denmark)

Hansen, Hans

Elements of Social Security is a comparative study of important elements of the social security systems in Denmark (DK), Sweden (S), Finland (FIN), Austria (A), Germany (D), the Netherlands (NL), Great Britain (GB) and Canada (CAN). It should be emphasized that Germany is the former West Germany...... (Alte Länder). This is the 9th and last edition of the publication,covering income levels and rules for social security and personal taxation for 1999. Basis for the projections to 1999 income levels is the 1998 data (in some cases 1999 data)for OECD's Taxing Wages as reported by national experts....

Bureaucracy, Safety and Software: a Potentially Lethal Cocktail

Science.gov (United States)

Hatton, Les

This position paper identifies a potential problem with the evolution of software controlled safety critical systems. It observes that the rapid growth of bureaucracy in society quickly spills over into rules for behaviour. Whether the need for the rules comes first or there is simple anticipation of the need for a rule by a bureaucrat is unclear in many cases. Many such rules lead to draconian restrictions and often make the existing situation worse due to the presence of unintended consequences as will be shown with a number of examples.

Managing Cisco network security

CERN Document Server

Knipp, Eric

2002-01-01

An in-depth knowledge of how to configure Cisco IP network security is a MUST for anyone working in today''s internetworked world"There''s no question that attacks on enterprise networks are increasing in frequency and sophistication..."-Mike Fuhrman, Cisco Systems Manager, Security ConsultingManaging Cisco Network Security, Second Edition offers updated and revised information covering many of Cisco''s security products that provide protection from threats, detection of network security incidents, measurement of vulnerability and policy compliance and management of security policy across an extended organization. These are the tools that network administrators have to mount defenses against threats. Chapters also cover the improved functionality and ease of the Cisco Secure Policy Manger software used by thousands of small-to-midsized businesses and a special section on the Cisco Aironet Wireless Security Solutions.Security from a real-world perspectiveKey coverage of the new technologies offered by the Cisc...

14 CFR 99.7 - Special security instructions.

Science.gov (United States)

2010-01-01

... 14 Aeronautics and Space 2 2010-01-01 2010-01-01 false Special security instructions. 99.7 Section 99.7 Aeronautics and Space FEDERAL AVIATION ADMINISTRATION, DEPARTMENT OF TRANSPORTATION (CONTINUED) AIR TRAFFIC AND GENERAL OPERATING RULES SECURITY CONTROL OF AIR TRAFFIC General § 99.7 Special...

Modeling reliability measurement of interface on information system: Towards the forensic of rules

Science.gov (United States)

Nasution, M. K. M.; Sitompul, Darwin; Harahap, Marwan

2018-02-01

Today almost all machines depend on the software. As a software and hardware system depends also on the rules that are the procedures for its use. If the procedure or program can be reliably characterized by involving the concept of graph, logic, and probability, then regulatory strength can also be measured accordingly. Therefore, this paper initiates an enumeration model to measure the reliability of interfaces based on the case of information systems supported by the rules of use by the relevant agencies. An enumeration model is obtained based on software reliability calculation.

Secure Multiparty AES

Science.gov (United States)

Damgård, Ivan; Keller, Marcel

We propose several variants of a secure multiparty computation protocol for AES encryption. The best variant requires 2200 + {{400}over{255}} expected elementary operations in expected 70 + {{20}over{255}} rounds to encrypt one 128-bit block with a 128-bit key. We implemented the variants using VIFF, a software framework for implementing secure multiparty computation (MPC). Tests with three players (passive security against at most one corrupted player) in a local network showed that one block can be encrypted in 2 seconds. We also argue that this result could be improved by an optimized implementation.

Software test and validation of wireless sensor nodes used in nuclear power plant

International Nuclear Information System (INIS)

Deng Changjian; Chen Dongyi; Zhang Heng

2015-01-01

The software test and validation of wireless sensor nodes is one of the key approaches to improve or guarantee the reliability of wireless network application in nuclear power plants (NPPs). At first, to validate the software test, some concepts are defined quantitatively, for example the robustness of software, the reliability of software, and the security of software. Then the development tools and simulators of discrete event drive operating system are compared, in order to present robustness, reliability and security of software test approach based on input-output function. Some simple preliminary test results are given to show that different development software can obtain almost same measurement and communication results although the software of special application may be different than normal application. (author)

The Management and Security Expert (MASE)

Science.gov (United States)

Miller, Mark D.; Barr, Stanley J.; Gryphon, Coranth D.; Keegan, Jeff; Kniker, Catherine A.; Krolak, Patrick D.

1991-01-01

The Management and Security Expert (MASE) is a distributed expert system that monitors the operating systems and applications of a network. It is capable of gleaning the information provided by the different operating systems in order to optimize hardware and software performance; recognize potential hardware and/or software failure, and either repair the problem before it becomes an emergency, or notify the systems manager of the problem; and monitor applications and known security holes for indications of an intruder or virus. MASE can eradicate much of the guess work of system management.

19 CFR 177.7 - Situations in which no ruling will be issued.

Science.gov (United States)

2010-04-01

....7 Section 177.7 Customs Duties U.S. CUSTOMS AND BORDER PROTECTION, DEPARTMENT OF HOMELAND SECURITY... for a ruling which fails to comply with the provisions of this part. Moreover, no ruling letter will... litigation in the United States Court of International Trade. No ruling letter will be issued with respect to...

Simulation of Attacks for Security in Wireless Sensor Network.

Science.gov (United States)

Diaz, Alvaro; Sanchez, Pablo

2016-11-18

The increasing complexity and low-power constraints of current Wireless Sensor Networks (WSN) require efficient methodologies for network simulation and embedded software performance analysis of nodes. In addition, security is also a very important feature that has to be addressed in most WSNs, since they may work with sensitive data and operate in hostile unattended environments. In this paper, a methodology for security analysis of Wireless Sensor Networks is presented. The methodology allows designing attack-aware embedded software/firmware or attack countermeasures to provide security in WSNs. The proposed methodology includes attacker modeling and attack simulation with performance analysis (node's software execution time and power consumption estimation). After an analysis of different WSN attack types, an attacker model is proposed. This model defines three different types of attackers that can emulate most WSN attacks. In addition, this paper presents a virtual platform that is able to model the node hardware, embedded software and basic wireless channel features. This virtual simulation analyzes the embedded software behavior and node power consumption while it takes into account the network deployment and topology. Additionally, this simulator integrates the previously mentioned attacker model. Thus, the impact of attacks on power consumption and software behavior/execution-time can be analyzed. This provides developers with essential information about the effects that one or multiple attacks could have on the network, helping them to develop more secure WSN systems. This WSN attack simulator is an essential element of the attack-aware embedded software development methodology that is also introduced in this work.

Simulation of Attacks for Security in Wireless Sensor Network

Science.gov (United States)

Diaz, Alvaro; Sanchez, Pablo

2016-01-01

The increasing complexity and low-power constraints of current Wireless Sensor Networks (WSN) require efficient methodologies for network simulation and embedded software performance analysis of nodes. In addition, security is also a very important feature that has to be addressed in most WSNs, since they may work with sensitive data and operate in hostile unattended environments. In this paper, a methodology for security analysis of Wireless Sensor Networks is presented. The methodology allows designing attack-aware embedded software/firmware or attack countermeasures to provide security in WSNs. The proposed methodology includes attacker modeling and attack simulation with performance analysis (node’s software execution time and power consumption estimation). After an analysis of different WSN attack types, an attacker model is proposed. This model defines three different types of attackers that can emulate most WSN attacks. In addition, this paper presents a virtual platform that is able to model the node hardware, embedded software and basic wireless channel features. This virtual simulation analyzes the embedded software behavior and node power consumption while it takes into account the network deployment and topology. Additionally, this simulator integrates the previously mentioned attacker model. Thus, the impact of attacks on power consumption and software behavior/execution-time can be analyzed. This provides developers with essential information about the effects that one or multiple attacks could have on the network, helping them to develop more secure WSN systems. This WSN attack simulator is an essential element of the attack-aware embedded software development methodology that is also introduced in this work. PMID:27869710

75 FR 62900 - Self-Regulatory Organizations; International Securities Exchange, LLC; Notice of Filing and...

Science.gov (United States)

2010-10-13

...-Regulatory Organizations; International Securities Exchange, LLC; Notice of Filing and Immediate Effectiveness of Proposed Rule Change Relating to a Market Maker Incentive Plan for Foreign Currency Options... Rule 19b-4 thereunder,\\2\\ notice is hereby given that on October 4, 2010, International Securities...

77 FR 32704 - Self-Regulatory Organizations; Municipal Securities Rulemaking Board; Order Granting Approval of...

Science.gov (United States)

2012-06-01

... securities owned or under management by the institutional customer. The MSRB stated that FINRA Rule 2111....19b-4. \\3\\ The implementation date for Financial Industry Regulatory Authority (``FINRA'') Rule 2111... General Counsel, Securities Industry and Financial Markets Association, dated May 4, 2012 (``SIFMA Letter...

17 CFR 200.80c - Appendix C-Rules and miscellaneous publications available from the Government Printing Office.

Science.gov (United States)

2010-04-01

... Securities Exchanges SECURITIES AND EXCHANGE COMMISSION ORGANIZATION; CONDUCT AND ETHICS; AND INFORMATION AND... Commission in pamphlet form. All SEC public rules and regulations, including its Rules of Practice, are contained in title 17 of the Code of Federal Regulations, which also is available for purchase from the...

Software Formal Inspections Guidebook

Science.gov (United States)

1993-01-01

The Software Formal Inspections Guidebook is designed to support the inspection process of software developed by and for NASA. This document provides information on how to implement a recommended and proven method for conducting formal inspections of NASA software. This Guidebook is a companion document to NASA Standard 2202-93, Software Formal Inspections Standard, approved April 1993, which provides the rules, procedures, and specific requirements for conducting software formal inspections. Application of the Formal Inspections Standard is optional to NASA program or project management. In cases where program or project management decide to use the formal inspections method, this Guidebook provides additional information on how to establish and implement the process. The goal of the formal inspections process as documented in the above-mentioned Standard and this Guidebook is to provide a framework and model for an inspection process that will enable the detection and elimination of defects as early as possible in the software life cycle. An ancillary aspect of the formal inspection process incorporates the collection and analysis of inspection data to effect continual improvement in the inspection process and the quality of the software subjected to the process.

International and European Security Law

Directory of Open Access Journals (Sweden)

Jonathan Herbach

2012-02-01

Full Text Available Security law, or more comprehensively conflict and security law, on the international level represents the intersection of three distinct but interrelated fields: international humanitarian law (the law of armed conflict, jus in bello, the law of collective security (most identified with the United Nations (UN system, jus ad bellum and arms control law (including non-proliferation. Security in this sense is multifaceted - interest security, military security and, as is often referred to in the context of the EU, human security. As such, the law covers a wide range of specific topics with respect to conflict, encompassing the use of force, including choice of weapons and fighting techniques, extending to the rules applicable in peacekeeping and peace enforcement, and yet also dictating obligations outside the context of conflict, such as safeguarding and securing dual-use materials (those with both peaceful and military applications to prevent malicious use.

Computer Security: The dilemma of fractal defence

CERN Multimedia

Stefan Lueders, Computer Security Team

2015-01-01

Aren’t mathematical fractals just beautiful? The Mandelbrot set and the Julia set, the Sierpinski gasket, the Menger sponge, the Koch curve (see here)… Based on very simple mathematical rules, they quickly develop into a mosaic of facets slightly different from each other. More and more features appear the closer you zoom into a fractal and expose similar but not identical features of the overall picture.   Computer security is like these fractals, only much less pretty: simple at first glance, but increasingly complex and complicated when you look more closely at the details. The deeper you dig, the more and more possibilities open up for malicious people as the attack surface grows, just like that of “Koch’s snowflakes”, where the border length grows exponentially. Consequently, the defensive perimeter also increases when we follow the bits and bytes layer by layer from their processing in the CPU, trickling up the software stack thro...

Whitelisting and the Rule of Law

DEFF Research Database (Denmark)

Leander, Anna

2016-01-01

Leander’s chapter argues that whitelists in commercial security are establishing and consolidating a rule of law marked by managerialism. It closely describes the significance of the mundane, seemingly innocuous whitelists. Whitelists have proliferated as part of governance through Codes of Condu...

Trends in software testing

CERN Document Server

Mohanty, J; Balakrishnan, Arunkumar

2017-01-01

This book is focused on the advancements in the field of software testing and the innovative practices that the industry is adopting. Considering the widely varied nature of software testing, the book addresses contemporary aspects that are important for both academia and industry. There are dedicated chapters on seamless high-efficiency frameworks, automation on regression testing, software by search, and system evolution management. There are a host of mathematical models that are promising for software quality improvement by model-based testing. There are three chapters addressing this concern. Students and researchers in particular will find these chapters useful for their mathematical strength and rigor. Other topics covered include uncertainty in testing, software security testing, testing as a service, test technical debt (or test debt), disruption caused by digital advancement (social media, cloud computing, mobile application and data analytics), and challenges and benefits of outsourcing. The book w...

76 FR 67238 - Self-Regulatory Organizations; BATS Exchange, Inc.; Order Approving Proposed Rule Change by BATS...

Science.gov (United States)

2011-10-31

... SECURITIES AND EXCHANGE COMMISSION [Release No. 34-65619, File No. SR-BATS-2011-032] Self-Regulatory Organizations; BATS Exchange, Inc.; Order Approving Proposed Rule Change by BATS Exchange, Inc. To Adopt Rules Applicable to Auctions Conducted by the Exchange for Exchange-Listed Securities October 25, 2011. I. Introduction On August 22, 2011,...

An Accurate FFPA-PSR Estimator Algorithm and Tool for Software Effort Estimation

Directory of Open Access Journals (Sweden)

Senthil Kumar Murugesan

2015-01-01

Full Text Available Software companies are now keen to provide secure software with respect to accuracy and reliability of their products especially related to the software effort estimation. Therefore, there is a need to develop a hybrid tool which provides all the necessary features. This paper attempts to propose a hybrid estimator algorithm and model which incorporates quality metrics, reliability factor, and the security factor with a fuzzy-based function point analysis. Initially, this method utilizes a fuzzy-based estimate to control the uncertainty in the software size with the help of a triangular fuzzy set at the early development stage. Secondly, the function point analysis is extended by the security and reliability factors in the calculation. Finally, the performance metrics are added with the effort estimation for accuracy. The experimentation is done with different project data sets on the hybrid tool, and the results are compared with the existing models. It shows that the proposed method not only improves the accuracy but also increases the reliability, as well as the security, of the product.

KaZaA and similar Peer-to-Peer (P2P) file-sharing applications

CERN Multimedia

2003-01-01

Personal use of Peer-to-Peer (P2P) file sharing applications is NOT permitted at CERN. A non-exhaustive list of such applications, popular for exchanging music, videos, software etc, is: KaZaA, Napster, Gnutella, Edonkey2000, Napigator, Limewire, Bearshare, WinMX, Aimster, Morpheus, BitTorrent, ... You are reminded that use of CERN's Computing Facilities is governed by CERN's Computing Rules (Operational Circular No 5). They require that all users of CERN's Computing Facilities respect copyright, license and confidentiality agreements for data of any form (software, music, videos, etc). Sanctions are applicable in case of non-respect of the Computing Rules. Further details on restrictions for P2P applications are at: http://cern.ch/security/file-sharing CERN's Computing Rules are at: http://cern.ch/ComputingRules Denise Heagerty, CERN Computer Security Officer, Computer.Security@cern.ch

77 FR 43407 - Self-Regulatory Organizations; The Options Clearing Corporation; Order Approving Proposed Rule...

Science.gov (United States)

2012-07-24

...-Laws and Rules to security futures on index-linked securities such as exchange-traded notes, which are currently traded on OneChicago, LLC. Index-linked securities are non-convertible debt of a major financial... futures contracts, one or more physical commodities, currencies or debt securities, or a combination of...

17 CFR 270.17f-1 - Custody of securities with members of national securities exchanges.

Science.gov (United States)

2010-04-01

... upon physical inspection thereof and upon examination of the books of the custodian. The physical... a member of a national securities exchange of any obligation under existing law or under the rules...

Secure system design and trustable computing

CERN Document Server

Potkonjak, Miodrag

2016-01-01

This book provides the foundations for understanding hardware security and trust, which have become major concerns for national security over the past decade.  Coverage includes issues related to security and trust in a variety of electronic devices and systems related to the security of hardware, firmware and software, spanning system applications, online transactions, and networking services.  This serves as an invaluable reference to the state-of-the-art research that is of critical significance to the security of, and trust in, modern society’s microelectronic-supported infrastructures.

77 FR 37722 - Self-Regulatory Organizations; International Securities Exchange, LLC; Notice of Filing and...

Science.gov (United States)

2012-06-22

... Organizations; International Securities Exchange, LLC; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Eliminate the Rules and Fees Related to the Second Market June 18, 2012. Pursuant to...\\ notice is hereby given that on June 6, 2012, the International Securities Exchange, LLC (the ``Exchange...

Implementation Support of Security Design Patterns Using Test Templates

Directory of Open Access Journals (Sweden)

Masatoshi Yoshizawa

2016-06-01

Full Text Available Security patterns are intended to support software developers as the patterns encapsulate security expert knowledge. However, these patterns may be inappropriately applied because most developers are not security experts, leading to threats and vulnerabilities. Here we propose a support method for security design patterns in the implementation phase of software development. Our method creates a test template from a security design pattern, consisting of an “aspect test template” to observe the internal processing and a “test case template”. Providing design information creates a test from the test template with a tool. Because our test template is reusable, it can easily perform a test to validate a security design pattern. In an experiment involving four students majoring in information sciences, we confirm that our method can realize an effective test, verify pattern applications, and support pattern implementation.

Integrated Solution Modeling Software: A New Paradigm on Information Security Review

OpenAIRE

Susanto, Heru; Almunawar, Mohammad Nabil; Tuan, Yong Chee; Aksoy, Mehmet Sabih; Syam, Wahyudin P

2012-01-01

Actually Information security becomes a very important part for the organization's intangible assets, so level of confidence and stakeholder trusted are performance indicator as successes organization. Since information security has a very important role in supporting the activities of the organization, we need a standard or benchmark which regulates governance over information security. The main objective of this paper is to implement a novel practical approach framework to the development o...

Bigdata Driven Cloud Security: A Survey

Science.gov (United States)

Raja, K.; Hanifa, Sabibullah Mohamed

2017-08-01

Cloud Computing (CC) is a fast-growing technology to perform massive-scale and complex computing. It eliminates the need to maintain expensive computing hardware, dedicated space, and software. Recently, it has been observed that massive growth in the scale of data or big data generated through cloud computing. CC consists of a front-end, includes the users’ computers and software required to access the cloud network, and back-end consists of various computers, servers and database systems that create the cloud. In SaaS (Software as-a-Service - end users to utilize outsourced software), PaaS (Platform as-a-Service-platform is provided) and IaaS (Infrastructure as-a-Service-physical environment is outsourced), and DaaS (Database as-a-Service-data can be housed within a cloud), where leading / traditional cloud ecosystem delivers the cloud services become a powerful and popular architecture. Many challenges and issues are in security or threats, most vital barrier for cloud computing environment. The main barrier to the adoption of CC in health care relates to Data security. When placing and transmitting data using public networks, cyber attacks in any form are anticipated in CC. Hence, cloud service users need to understand the risk of data breaches and adoption of service delivery model during deployment. This survey deeply covers the CC security issues (covering Data Security in Health care) so as to researchers can develop the robust security application models using Big Data (BD) on CC (can be created / deployed easily). Since, BD evaluation is driven by fast-growing cloud-based applications developed using virtualized technologies. In this purview, MapReduce [12] is a good example of big data processing in a cloud environment, and a model for Cloud providers.

Accuracy Test of Software Architecture Compliance Checking Tools : Test Instruction

NARCIS (Netherlands)

Prof.dr. S. Brinkkemper; Dr. Leo Pruijt; C. Köppe; J.M.E.M. van der Werf

2015-01-01

Author supplied: "Abstract Software Architecture Compliance Checking (SACC) is an approach to verify conformance of implemented program code to high-level models of architectural design. Static SACC focuses on the modular software architecture and on the existence of rule violating dependencies

Software essentials design and construction

CERN Document Server

Dingle, Adair

2014-01-01

About the Cover: Although capacity may be a problem for a doghouse, other requirements are usually minimal. Unlike skyscrapers, doghouses are simple units. They do not require plumbing, electricity, fire alarms, elevators, or ventilation systems, and they do not need to be built to code or pass inspections. The range of complexity in software design is similar. Given available software tools and libraries-many of which are free-hobbyists can build small or short-lived computer apps. Yet, design for software longevity, security, and efficiency can be intricate-as is the design of large-scale sy

High Assurance Models for Secure Systems

Science.gov (United States)

Almohri, Hussain M. J.

2013-01-01

Despite the recent advances in systems and network security, attacks on large enterprise networks consistently impose serious challenges to maintaining data privacy and software service integrity. We identify two main problems that contribute to increasing the security risk in a networked environment: (i) vulnerable servers, workstations, and…

Cyber Security: Rule of Use Internet Safely?

OpenAIRE

-, Maskun

2013-01-01

International Journal Cyber security plays on important role to guarantee and protect people who use internet in their daily life. Some cases take place around the world that people get inconvenience condition when they access and use internet. Misuse of internet becomes a current issue which some cases take place including a university. Advantages of using internet in the university of course assist the student to get some information in internet. However, they have to be protected in ord...

Securing the Application Layer in eCommerce

OpenAIRE

Bala Musa S; Norita Md Norwawi; Mohd Hasan Selamat

2012-01-01

As e-commerce transaction is evolving, security is becoming a paramount issue since a great deal of credit cards, fund transfer, web shopping and public retirements are involved. Therefore, an appropriate development process is necessary for such security critical application. Also, handling security issues at early stage of software development is paramount to avoiding vulnerabilities from scaling through production environment unnoticed. This paper proposes a comprehensive security requirem...

78 FR 21046 - Amendment to Rule Filing Requirements for Dually-Registered Clearing Agencies

Science.gov (United States)

2013-04-09

... clearing operations of a Registered Clearing Agency and are not linked to securities clearing operations...: (A) does not adversely affect the safeguarding of securities or funds in the custody or control of...)(ii) to designate proposed rule changes concerning the agency's security futures operations as taking...

DIRAC distributed secure framework

International Nuclear Information System (INIS)

Casajus, A; Graciani, R

2010-01-01

DIRAC, the LHCb community Grid solution, provides access to a vast amount of computing and storage resources to a large number of users. In DIRAC users are organized in groups with different needs and permissions. In order to ensure that only allowed users can access the resources and to enforce that there are no abuses, security is mandatory. All DIRAC services and clients use secure connections that are authenticated using certificates and grid proxies. Once a client has been authenticated, authorization rules are applied to the requested action based on the presented credentials. These authorization rules and the list of users and groups are centrally managed in the DIRAC Configuration Service. Users submit jobs to DIRAC using their local credentials. From then on, DIRAC has to interact with different Grid services on behalf of this user. DIRAC has a proxy management service where users upload short-lived proxies to be used when DIRAC needs to act on behalf of them. Long duration proxies are uploaded by users to a MyProxy service, and DIRAC retrieves new short delegated proxies when necessary. This contribution discusses the details of the implementation of this security infrastructure in DIRAC.

Rule-based topology system for spatial databases to validate complex geographic datasets

Science.gov (United States)

Martinez-Llario, J.; Coll, E.; Núñez-Andrés, M.; Femenia-Ribera, C.

2017-06-01

A rule-based topology software system providing a highly flexible and fast procedure to enforce integrity in spatial relationships among datasets is presented. This improved topology rule system is built over the spatial extension Jaspa. Both projects are open source, freely available software developed by the corresponding author of this paper. Currently, there is no spatial DBMS that implements a rule-based topology engine (considering that the topology rules are designed and performed in the spatial backend). If the topology rules are applied in the frontend (as in many GIS desktop programs), ArcGIS is the most advanced solution. The system presented in this paper has several major advantages over the ArcGIS approach: it can be extended with new topology rules, it has a much wider set of rules, and it can mix feature attributes with topology rules as filters. In addition, the topology rule system can work with various DBMSs, including PostgreSQL, H2 or Oracle, and the logic is performed in the spatial backend. The proposed topology system allows users to check the complex spatial relationships among features (from one or several spatial layers) that require some complex cartographic datasets, such as the data specifications proposed by INSPIRE in Europe and the Land Administration Domain Model (LADM) for Cadastral data.

Privacy-Preserving Detection of Inter-Domain SDN Rules Overlaps

KAUST Repository

Dethise, Arnaud

2017-08-24

SDN approaches to inter-domain routing promise better traffic engineering, enhanced security, and higher automation. Yet, naïve deployment of SDN on the Internet is dangerous as the control-plane expressiveness of BGP is significantly more limited than the data-plane expressiveness of SDN, which allows fine-grained rules to deflect traffic from BGP\\'s default routes. This mismatch may lead to incorrect forwarding behaviors such as forwarding loops and blackholes, ultimately hindering SDN deployment at the inter-domain level. In this work, we make a first step towards verifying the correctness of inter-domain forwarding state with a focus on loop freedom while keeping private the SDN rules, as they comprise confidential routing information. To this end, we design a simple yet powerful primitive that allows two networks to verify whether their SDN rules overlap, i.e., the set of packets matched by these rules is non-empty, without leaking any information about the SDN rules. We propose an efficient implementation of this primitive by using recent advancements in Secure Multi-Party Computation and we then leverage it as the main building block for designing a system that detects Internet-wide forwarding loops among any set of SDN-enabled Internet eXchange Points.

77 FR 11385 - Security Considerations for Lavatory Oxygen Systems

Science.gov (United States)

2012-02-27

... considerations for lavatory oxygen systems (77 FR 12550). The interim final rule addresses a security... and taken to restore the oxygen system with a design that would consider the security risk. Boeing... [Docket No. FAA-2011-0186; Amdt. Nos. 21-94, 25-133, 121-354, 129-50; SFAR 111] RIN 2120-AJ92 Security...

On the Use of Software Metrics as a Predictor of Software Security Problems

Science.gov (United States)

2013-01-01

models to determine if additional metrics are required to increase the accuracy of the model: non-security SCSA warnings, code churn and size, the...vulnerabilities reported by testing and those found in the field. Summary of Most Important Results We evaluated our model on three commercial telecommunications

Macroeconomic Implications of Changes in Social Security Rules

Directory of Open Access Journals (Sweden)

Bilal Bagis

2017-02-01

Full Text Available The Turkish social insurance system has been feverishly debated for years, particularly through its burden on the economy. The most recent reform is an attempt to neutralize the deterioration within the social security system and its effects on the economy. After the recent reform, ‘the way that retirement benefits are calculated’ is changed unfavorably for workers and the minimum age for retirement is increased. In particular, for an agent with 25 years of social security tax payments, the replacement rate is down from 65 percent to 50 percent. On the other hand, retirement age is up from 60 to 65. The aim of this paper is to investigate the macroeconomic effects of these changes using an OLG model. The author’s findings indicate that labor supply, output and capital stock increase when changes above are applied to the benchmark economy calibrated to the Turkish economy data in 2005. A critical change with the current reform is that the marginal benefit of working has become uniform over ages. In a simulation exercise, the marginal retirement benefit in the benchmark economy is changed to be uniform over ages while keeping the size of social security system unchanged. As a result, the benefit of retiring at a later period increases. However, uniform distribution of the marginal benefits itself decreases both the capital stock and output of the economy. Increasing the retirement age, on the other hand, has positive effects on the economy since agents obtain retirement benefits for fewer years and at an older age. Age increase has substantial positive effects on the labor supply, the capital stock, and the output.

RIGHTS, RULES, AND DEMOCRACY

Directory of Open Access Journals (Sweden)

Richard S. Kay, University of Connecticut-School of Law, Estados Unidos

2012-11-01

Full Text Available Abstract: Democracy require protection of certain fundamental rights, but can we expect courts to follow rules? There seems little escape from the proposition that substantive constitutional review by an unelected judiciary is a presumptive abridgement of democratic decision-making. Once we have accepted the proposition that there exist human rights that ought to be protected, this should hardly surprise us. No one thinks courts are perfect translators of the rules invoked before them on every occasion. But it is equally clear that rules sometimes do decide cases. In modern legal systems the relative roles of courts and legislators with respect to the rules of the system is a commonplace. Legislatures make rules. Courts apply them in particular disputes. When we are talking about human rights, however, that assumption must be clarified in at least one way. The defense of the practice of constitutional review in this article assumes courts can and do enforce rules. This article also makes clear what is the meaning of “following rules”. Preference for judicial over legislative interpretation of rights, therefore, seems to hang on the question of whether or not judges are capable of subordinating their own judgment to that incorporated in the rules by their makers. This article maintains that, in general, entrenched constitutional rules (and not just constitutional courts can and do constrain public conduct and protect human rights. The article concludes that the value judgments will depend on our estimate of the benefits we derive from the process of representative self-government. Against those benefits we will have to measure the importance we place on being able to live our lives with the security created by a regime of human rights protected by the rule of law. Keywords: Democracy. Human Rights. Rules. Judicial Review.

Design and development of a prototypical software for semi-automatic generation of test methodologies and security checklists for IT vulnerability assessment in small- and medium-sized enterprises (SME)

Science.gov (United States)

Möller, Thomas; Bellin, Knut; Creutzburg, Reiner

2015-03-01

The aim of this paper is to show the recent progress in the design and prototypical development of a software suite Copra Breeder* for semi-automatic generation of test methodologies and security checklists for IT vulnerability assessment in small and medium-sized enterprises.

Software quality assurance plans for safety-critical software

International Nuclear Information System (INIS)

Liddle, P.

2006-01-01

Application software is defined as safety-critical if a fault in the software could prevent the system components from performing their nuclear-safety functions. Therefore, for nuclear-safety systems, the AREVA TELEPERM R XS (TXS) system is classified 1E, as defined in the Inst. of Electrical and Electronics Engineers (IEEE) Std 603-1998. The application software is classified as Software Integrity Level (SIL)-4, as defined in IEEE Std 7-4.3.2-2003. The AREVA NP Inc. Software Program Manual (SPM) describes the measures taken to ensure that the TELEPERM XS application software attains a level of quality commensurate with its importance to safety. The manual also describes how TELEPERM XS correctly performs the required safety functions and conforms to established technical and documentation requirements, conventions, rules, and standards. The program manual covers the requirements definition, detailed design, integration, and test phases for the TELEPERM XS application software, and supporting software created by AREVA NP Inc. The SPM is required for all safety-related TELEPERM XS system applications. The program comprises several basic plans and practices: 1. A Software Quality-Assurance Plan (SQAP) that describes the processes necessary to ensure that the software attains a level of quality commensurate with its importance to safety function. 2. A Software Safety Plan (SSP) that identifies the process to reasonably ensure that safety-critical software performs as intended during all abnormal conditions and events, and does not introduce any new hazards that could jeopardize the health and safety of the public. 3. A Software Verification and Validation (V and V) Plan that describes the method of ensuring the software is in accordance with the requirements. 4. A Software Configuration Management Plan (SCMP) that describes the method of maintaining the software in an identifiable state at all times. 5. A Software Operations and Maintenance Plan (SO and MP) that

Security of M-Commerce transactions

Directory of Open Access Journals (Sweden)

Ion IVAN

2013-07-01

Full Text Available In this material electronic market are defined. How they are structured. Security in E-Commerce applications is very important both at the administrative level and from the user perspective. The new trend in the field is the M-commerce that involves making purchases through mobile devices. And for M-commerce transactions the security is a very important thing. Here's how to analyze the security of M-commerce transactions and ways to increase security for these transactions taking into account the organization of M-Commerce applications, software used, hardware used and other important issues in the development of these applications.

Computer Security: Computer security threats, vulnerabilities and attacks (3/4)

CERN Document Server

CERN. Geneva

2012-01-01

Antonio Perez Perez works in the Computer Security Team doing software development, sysadmin tasks and operations. He is also involved on grid security and does 1st line security support at CERN on ROTA. With the prevalence of modern information technologies and its increasing integration into our daily live, digital systems become more and more playground for evil people. While in the past, attacks were driven by fame& kudos, nowadays money is the motivating factor. Just the recent months have shown several successful attacks against e.g. Sony, PBS, UNESCO, RSAsecurity, Citibank, and others. Credit card information of hundreds of thousands of people got exposed. Affected companies not only lost their assets and data, also their reputation has suffered. Thus, proper computer security measures are essential. Without question, security must even more become an inherent ingredient when developing, deploying, and operating applications, web sites, and computing services. These lectures shall give an ove...

CMS software deployment on OSG

International Nuclear Information System (INIS)

Kim, B; Avery, P; Thomas, M; Wuerthwein, F

2008-01-01

A set of software deployment tools has been developed for the installation, verification, and removal of a CMS software release. The tools that are mainly targeted for the deployment on the OSG have the features of instant release deployment, corrective resubmission of the initial installation job, and an independent web-based deployment portal with Grid security infrastructure login mechanism. We have been deploying over 500 installations and found the tools are reliable and adaptable to cope with problems with changes in the Grid computing environment and the software releases. We present the design of the tools, statistics that we gathered during the operation of the tools, and our experience with the CMS software deployment on the OSG Grid computing environment

CMS software deployment on OSG

Energy Technology Data Exchange (ETDEWEB)

Kim, B; Avery, P [University of Florida, Gainesville, FL 32611 (United States); Thomas, M [California Institute of Technology, Pasadena, CA 91125 (United States); Wuerthwein, F [University of California at San Diego, La Jolla, CA 92093 (United States)], E-mail: bockjoo@phys.ufl.edu, E-mail: thomas@hep.caltech.edu, E-mail: avery@phys.ufl.edu, E-mail: fkw@fnal.gov

2008-07-15

A set of software deployment tools has been developed for the installation, verification, and removal of a CMS software release. The tools that are mainly targeted for the deployment on the OSG have the features of instant release deployment, corrective resubmission of the initial installation job, and an independent web-based deployment portal with Grid security infrastructure login mechanism. We have been deploying over 500 installations and found the tools are reliable and adaptable to cope with problems with changes in the Grid computing environment and the software releases. We present the design of the tools, statistics that we gathered during the operation of the tools, and our experience with the CMS software deployment on the OSG Grid computing environment.

Methods and Software for Building Bibliographic Data Bases.

Science.gov (United States)

Daehn, Ralph M.

1985-01-01

This in-depth look at database management systems (DBMS) for microcomputers covers data entry, information retrieval, security, DBMS software and design, and downloading of literature search results. The advantages of in-house systems versus online search vendors are discussed, and specifications of three software packages and 14 sources are…

Directed Security Policies: A Stateful Network Implementation

Directory of Open Access Journals (Sweden)

Cornelius Diekmann

2014-05-01

Full Text Available Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.

Asset Identification for Security Risk Assessment in Web Applications

OpenAIRE

Hisham M. Haddad; Brunil D. Romero

2009-01-01

As software applications become more complex they require more security, allowing them to reach an appropriate level of quality to manage information, and therefore achieving business objectives. Web applications represent one segment of software industry where security risk assessment is essential. Web engineering must address new challenges to provide new techniques and tools that guarantee high quality application development. This work focuses asset identification, the initial step in sec...

Moving towards Cloud Security

Directory of Open Access Journals (Sweden)

Edit Szilvia Rubóczki

2015-01-01

Full Text Available Cloud computing hosts and delivers many different services via Internet. There are a lot of reasons why people opt for using cloud resources. Cloud development is increasing fast while a lot of related services drop behind, for example the mass awareness of cloud security. However the new generation upload videos and pictures without reason to a cloud storage, but only few know about data privacy, data management and the proprietary of stored data in the cloud. In an enterprise environment the users have to know the rule of cloud usage, however they have little knowledge about traditional IT security. It is important to measure the level of their knowledge, and evolve the training system to develop the security awareness. The article proves the importance of suggesting new metrics and algorithms for measuring security awareness of corporate users and employees to include the requirements of emerging cloud security.

Incorporating lab experience into computer security courses

NARCIS (Netherlands)

Ben Othmane, L.; Bhuse, V.; Lilien, L.T.

2013-01-01

We describe our experience with teaching computer security labs at two different universities. We report on the hardware and software lab setups, summarize lab assignments, present the challenges encountered, and discuss the lessons learned. We agree with and emphasize the viewpoint that security

Remote software upload techniques in future vehicles and their performance analysis

Science.gov (United States)

Hossain, Irina

Updating software in vehicle Electronic Control Units (ECUs) will become a mandatory requirement for a variety of reasons, for examples, to update/fix functionality of an existing system, add new functionality, remove software bugs and to cope up with ITS infrastructure. Software modules of advanced vehicles can be updated using Remote Software Upload (RSU) technique. The RSU employs infrastructure-based wireless communication technique where the software supplier sends the software to the targeted vehicle via a roadside Base Station (BS). However, security is critically important in RSU to avoid any disasters due to malfunctions of the vehicle or to protect the proprietary algorithms from hackers, competitors or people with malicious intent. In this thesis, a mechanism of secure software upload in advanced vehicles is presented which employs mutual authentication of the software provider and the vehicle using a pre-shared authentication key before sending the software. The software packets are sent encrypted with a secret key along with the Message Digest (MD). In order to increase the security level, it is proposed the vehicle to receive more than one copy of the software along with the MD in each copy. The vehicle will install the new software only when it receives more than one identical copies of the software. In order to validate the proposition, analytical expressions of average number of packet transmissions for successful software update is determined. Different cases are investigated depending on the vehicle's buffer size and verification methods. The analytical and simulation results show that it is sufficient to send two copies of the software to the vehicle to thwart any security attack while uploading the software. The above mentioned unicast method for RSU is suitable when software needs to be uploaded to a single vehicle. Since multicasting is the most efficient method of group communication, updating software in an ECU of a large number of vehicles

Recommendations and best practices for cloud enterprise security

OpenAIRE

Ramachandran, M; Chang, V

2015-01-01

© 2014 IEEE. Enterprise security is essential to achieve global information security in business and organizations. Enterprise Cloud computing is a new paradigm for that enterprise where businesses need to be secured. Enterprise Cloud computing has established its businesses and software as a service paradigm is increasing its demand for more services. However, this new trend needs to be more systematic with respect to Enterprise Cloud security. Enterprise Cloud security is the key factor in ...

TOWARD HIGHLY SECURE AND AUTONOMIC COMPUTING SYSTEMS: A HIERARCHICAL APPROACH

Energy Technology Data Exchange (ETDEWEB)

Lee, Hsien-Hsin S

2010-05-11

The overall objective of this research project is to develop novel architectural techniques as well as system software to achieve a highly secure and intrusion-tolerant computing system. Such system will be autonomous, self-adapting, introspective, with self-healing capability under the circumstances of improper operations, abnormal workloads, and malicious attacks. The scope of this research includes: (1) System-wide, unified introspection techniques for autonomic systems, (2) Secure information-flow microarchitecture, (3) Memory-centric security architecture, (4) Authentication control and its implication to security, (5) Digital right management, (5) Microarchitectural denial-of-service attacks on shared resources. During the period of the project, we developed several architectural techniques and system software for achieving a robust, secure, and reliable computing system toward our goal.

A Taxonomy for Enhancing Usability, Flexibility, and Security of User Authentication

Directory of Open Access Journals (Sweden)

Susan Gottschlich

2017-12-01

Full Text Available Two technology trends – a move toward software defined capabilities and toward networked devices – support both unprecedented innovations and requirements for security. A fundamental aspect of security is user authentication, which allows devices and software applications to establish their user’s identity and identity is in turn used to establish which of its capabilities the user is authorized to access. While multiple authentication steps, known as multifactor authentication, are being used more widely throughout the military, government, businesses, and consumer sectors, the selection and implementation of which authentication factors to require is typically defined by security policy. Security policy is in turn typically established by a security organization that may have no formal metrics or means to guide its selection of authentication factors. This paper will present a taxonomy for describing authentication factors including important attributes that characterize authentication robustness to aid in the selection of factors that are consistent with the user’s mission. One particular authentication factor that I have developed will be discussed in the context of this taxonomy to motivate the need to broaden current definitions and security policies. The ultimate goal of this paper is to inspire the development of standards for authentication technologies to both support mission aware authentication innovation and to inform decision making about security policies concerning user authentication and authorization. Further, this paper aims to demonstrate that such an approach will fundamentally enhance both security and usability of increasingly networked, software-defined devices, equipment and software applications.

46 CFR 11.1101 - Purpose of rules.

Science.gov (United States)

2010-10-01

... passenger ships as defined in § 10.1103. ... 46 Shipping 1 2010-10-01 2010-10-01 false Purpose of rules. 11.1101 Section 11.1101 Shipping COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MERCHANT MARINE OFFICERS AND SEAMEN REQUIREMENTS FOR OFFICER...

Data-Driven Security-Constrained OPF

DEFF Research Database (Denmark)

Thams, Florian; Halilbasic, Lejla; Pinson, Pierre

2017-01-01

considerations, while being less conservative than current approaches. Our approach can be scalable for large systems, accounts explicitly for power system security, and enables the electricity market to identify a cost-efficient dispatch avoiding redispatching actions. We demonstrate the performance of our......In this paper we unify electricity market operations with power system security considerations. Using data-driven techniques, we address both small signal stability and steady-state security, derive tractable decision rules in the form of line flow limits, and incorporate the resulting constraints...... in market clearing algorithms. Our goal is to minimize redispatching actions, and instead allow the market to determine the most cost-efficient dispatch while considering all security constraints. To maintain tractability of our approach we perform our security assessment offline, examining large datasets...

75 FR 75207 - Regulation SBSR-Reporting and Dissemination of Security-Based Swap Information

Science.gov (United States)

2010-12-02

... Dissemination of Security-Based Swap Information; Proposed Rule #0;#0;Federal Register / Vol. 75 , No. 231... Dissemination of Security-Based Swap Information AGENCY: Securities and Exchange Commission. ACTION: Proposed... SBSR--Reporting and Dissemination of Security-Based Swap Information (``Regulation SBSR'') under the...

Decree n.06-488 /P-RM of 23 november 2006 determining the rules related to the protection against ionizing radiation, safety and security of ionizing radiation sources

International Nuclear Information System (INIS)

2006-01-01

This decree determine the r(ules of protection of workers, public, patients and environment against the risks of ionizing radiation. The scope of these rules is defined as well as the definitions of some terms and concepts used in the field such as raioelement, radiopactive waste, dose, level of intervention, etc. The responsability for Malian Agency for radioprotection and for different stakeholders are clarified and those of workers as well. The condition of declaration, obtaining authorization and exemption are set. Instructions related to radioprotection, safety and security ofn ionizing radiation are stated regarding occupational, madical and public exposure and in case of emergency. instructions related to inventory and inspec tion are also defined

Agile Software Development in the Department of Defense Environment

Science.gov (United States)

2017-03-31

traditional project/program life cycle (i.e., waterfall ). In the traditional model , security requirements are not evaluated until development is...2015), which may better facilitate adoption of Agile software development in the DoD. Several models are provided for software-dominant and software...the DoD has historically used a traditional, waterfall approach for acquiring systems and services), and oversight requirements that are

75 FR 51863 - Self-Regulatory Organizations; NYSE Arca, Inc.; Order Approving Proposed Rule Change Relating to...

Science.gov (United States)

2010-08-23

... securities defined in Section 2 of NYSE Arca Equities Rule 8, collectively, ``Derivative Securities Products... Derivative Securities Products) each shall have a minimum market value of at least $75 million. The Exchange... provides, among other things, that (i) the component stocks (excluding Derivative Securities Products...

Open Source Software Projects Needing Security Investments

Science.gov (United States)

2015-06-19

modtls, BouncyCastle, gpg, otr, axolotl. 7. Static analyzers: Clang, Frama-C. 8. Nginx. 9. OpenVPN . It was noted that the funding model may be similar...to OpenSSL, where consulting funds the company. It was also noted that OpenVPN needs to correctly use OpenSSL in order to be secure, so focusing on...Dovecot 4. Other high-impact network services: OpenSSH, OpenVPN , BIND, ISC DHCP, University of Delaware NTPD 5. Core infrastructure data parsers

75 FR 28831 - Self-Regulatory Organizations; New York Stock Exchange LLC; Notice of Filing of a Proposed Rule...

Science.gov (United States)

2010-05-24

... second by comparing each last consolidated sale price of a security (``Trigger Trade'') during the...-Regulatory Organizations; New York Stock Exchange LLC; Notice of Filing of a Proposed Rule Change Adding Rule 80C To Provide for a Trading Pause for Individual Securities When the Price Moves 10 Percent or More...

RED: A Java-MySQL Software for Identifying and Visualizing RNA Editing Sites Using Rule-Based and Statistical Filters.

Directory of Open Access Journals (Sweden)

Yongmei Sun

Full Text Available RNA editing is one of the post- or co-transcriptional processes that can lead to amino acid substitutions in protein sequences, alternative pre-mRNA splicing, and changes in gene expression levels. Although several methods have been suggested to identify RNA editing sites, there remains challenges to be addressed in distinguishing true RNA editing sites from its counterparts on genome and technical artifacts. In addition, there lacks a software framework to identify and visualize potential RNA editing sites. Here, we presented a software - 'RED' (RNA Editing sites Detector - for the identification of RNA editing sites by integrating multiple rule-based and statistical filters. The potential RNA editing sites can be visualized at the genome and the site levels by graphical user interface (GUI. To improve performance, we used MySQL database management system (DBMS for high-throughput data storage and query. We demonstrated the validity and utility of RED by identifying the presence and absence of C→U RNA-editing sites experimentally validated, in comparison with REDItools, a command line tool to perform high-throughput investigation of RNA editing. In an analysis of a sample data-set with 28 experimentally validated C→U RNA editing sites, RED had sensitivity and specificity of 0.64 and 0.5. In comparison, REDItools had a better sensitivity (0.75 but similar specificity (0.5. RED is an easy-to-use, platform-independent Java-based software, and can be applied to RNA-seq data without or with DNA sequencing data. The package is freely available under the GPLv3 license at http://github.com/REDetector/RED or https://sourceforge.net/projects/redetector.

RED: A Java-MySQL Software for Identifying and Visualizing RNA Editing Sites Using Rule-Based and Statistical Filters.

Science.gov (United States)

Sun, Yongmei; Li, Xing; Wu, Di; Pan, Qi; Ji, Yuefeng; Ren, Hong; Ding, Keyue

2016-01-01

RNA editing is one of the post- or co-transcriptional processes that can lead to amino acid substitutions in protein sequences, alternative pre-mRNA splicing, and changes in gene expression levels. Although several methods have been suggested to identify RNA editing sites, there remains challenges to be addressed in distinguishing true RNA editing sites from its counterparts on genome and technical artifacts. In addition, there lacks a software framework to identify and visualize potential RNA editing sites. Here, we presented a software - 'RED' (RNA Editing sites Detector) - for the identification of RNA editing sites by integrating multiple rule-based and statistical filters. The potential RNA editing sites can be visualized at the genome and the site levels by graphical user interface (GUI). To improve performance, we used MySQL database management system (DBMS) for high-throughput data storage and query. We demonstrated the validity and utility of RED by identifying the presence and absence of C→U RNA-editing sites experimentally validated, in comparison with REDItools, a command line tool to perform high-throughput investigation of RNA editing. In an analysis of a sample data-set with 28 experimentally validated C→U RNA editing sites, RED had sensitivity and specificity of 0.64 and 0.5. In comparison, REDItools had a better sensitivity (0.75) but similar specificity (0.5). RED is an easy-to-use, platform-independent Java-based software, and can be applied to RNA-seq data without or with DNA sequencing data. The package is freely available under the GPLv3 license at http://github.com/REDetector/RED or https://sourceforge.net/projects/redetector.

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security and HIPAA Compliance: Part II.

Science.gov (United States)

Watzlaf, Valerie J M; Moeini, Sohrab; Matusow, Laura; Firouzan, Patti

2011-01-01

In a previous publication the authors developed a privacy and security checklist to evaluate Voice over Internet Protocol (VoIP) videoconferencing software used between patients and therapists to provide telerehabilitation (TR) therapy. In this paper, the privacy and security checklist that was previously developed is used to perform a risk analysis of the top ten VoIP videoconferencing software to determine if their policies provide answers to the privacy and security checklist. Sixty percent of the companies claimed they do not listen into video-therapy calls unless maintenance is needed. Only 50% of the companies assessed use some form of encryption, and some did not specify what type of encryption was used. Seventy percent of the companies assessed did not specify any form of auditing on their servers. Statistically significant differences across company websites were found for sharing information outside of the country (p=0.010), encryption (p=0.006), and security evaluation (p=0.005). Healthcare providers considering use of VoIP software for TR services may consider using this privacy and security checklist before deciding to incorporate a VoIP software system for TR. Other videoconferencing software that is specific for TR with strong encryption, good access controls, and hardware that meets privacy and security standards should be considered for use with TR.

ADTool: Security Analysis with Attack-Defense Trees

NARCIS (Netherlands)

Kordy, Barbara; Kordy, P.T.; Mauw, Sjouke; Schweitzer, Patrick; Joshi, Kaustubh; Siegle, Markus; Stoelinga, Mariëlle Ida Antoinette; d' Argenio, P.R.

ADTool is free, open source software assisting graphical modeling and quantitative analysis of security, using attack–defense trees. The main features of ADTool are easy creation, efficient editing, and automated bottom-up evaluation of security-relevant measures. The tool also supports the usage of

Gaming the system. Dodging the rules, ruling the dodgers.

Science.gov (United States)

Morreim, E H

1991-03-01

Although traditional obligations of fidelity require physicians to deliver quality care to their patients, including to utilize costly technologies, physicians are steadily losing their accustomed control over the necessary resources. The "economic agents" who own the medical and monetary resources of care now impose a wide array of rules and restrictions in order to contain their costs of operation. However, physicians can still control resources indirectly through "gaming the system," employing tactics such as "fudging" that exploit resource rules' ambiguity and flexibility to bypass the rules while ostensibly honoring them. Physicians may be especially inclined to game the system where resource rules seriously underserve patients' needs, where economic agents seem to be "gaming the patient," with needless obstacles to care, or where others, such as hospitals or even physicians themselves, may be denied needed reimbursements. Though tempting, gaming is morally and medically hazardous. It can harm patients and society, offend honesty, and violate basic principles of contractual and distributive justice. It is also, in fact, usually unnecessary in securing needed resources for patients. More fundamentally, we must reconsider what physicians owe their patients. They owe what is theirs to give: their competence, care and loyalty. In light of medicine's changing economics, two new duties emerge: economic advising, whereby physicians explicitly discuss the economic as well as medical aspects of each treatment option; and economic advocacy, whereby physicians intercede actively on their patients' behalf with the economic agents who control the resources.

Security. Review Software for Advanced CHOICE. CHOICE (Challenging Options in Career Education).

Science.gov (United States)

Pitts, Ilse M.; And Others

CHOICE Security is an Apple computer game activity designed to help secondary migrant students memorize their social security numbers and reinforce job and role information presented in "Career Notes, First Applications." The learner may choose from four time options and whether to have the social security number visible on the screen or…

17 CFR 270.22e-2 - Pricing of redemption requests in accordance with Rule 22c-1.

Science.gov (United States)

2010-04-01

... 17 Commodity and Securities Exchanges 3 2010-04-01 2010-04-01 false Pricing of redemption requests in accordance with Rule 22c-1. 270.22e-2 Section 270.22e-2 Commodity and Securities Exchanges....22e-2 Pricing of redemption requests in accordance with Rule 22c-1. An investment company shall not be...

17 CFR 230.100 - Definitions of terms used in the rules and regulations.

Science.gov (United States)

2010-04-01

... express reference to the Act or to the rules and regulations or to a portion thereof defines such term for... 17 Commodity and Securities Exchanges 2 2010-04-01 2010-04-01 false Definitions of terms used in... terms used in the rules and regulations. (a) As used in the rules and regulations prescribed in this...

Biometric Feature Script for Information Security

Directory of Open Access Journals (Sweden)

N. E. Gunko

2010-03-01

Full Text Available Special studies related to the development of rules for making decisions on the psychological characteristics of the offender in his manuscript handwriting with the goal of ensuring information security.

2016 International Conference on Software Process Improvement

CERN Document Server

Muñoz, Mirna; Rocha, Álvaro; Feliu, Tomas; Peña, Adriana

2017-01-01

This book offers a selection of papers from the 2016 International Conference on Software Process Improvement (CIMPS’16), held between the 12th and 14th of October 2016 in Aguascalientes, Aguascalientes, México. The CIMPS’16 is a global forum for researchers and practitioners to present and discuss the most recent innovations, trends, results, experiences and concerns in the different aspects of software engineering with a focus on, but not limited to, software processes, security in information and communication technology, and big data. The main topics covered include: organizational models, standards and methodologies, knowledge management, software systems, applications and tools, information and communication technologies and processes in non-software domains (mining, automotive, aerospace, business, health care, manufacturing, etc.) with a clear focus on software process challenges.

Radioactive Waste SECURITY

International Nuclear Information System (INIS)

Brodowski, R.; Drapalik, M.; Gepp, C.; Gufler, K.; Sholly, S.

2010-01-01

The purpose of this work is to investigate the safety requirements for a radioactive waste repository, the fundamental problems involved and the legislative rules and arrangements for doing so. As the title already makes clear, the focus of this work is on aspects that can be assigned to the security sector - ie the security against the influence of third parties - and are to be distinguished from safety measures for the improvement of the technical safety aspects. In this context, mention is made of events such as human intrusion into guarded facilities, whereas e.g. a geological analysis on seismic safety is not discussed. For a variety of reasons, the consideration of security nuclear waste repositories in public discussions is increasingly taking a back seat, as ia. Terrorist threats can be considered as negligible risk or well calculable. Depending on the type of storage, different security aspects still have to be considered. (roessner)

Software defined wireless sensor networks security challenges

CSIR Research Space (South Africa)

Kgogo, T

2017-09-01

Full Text Available party development [28]. Moreover, there is a new attack that fingerprints SDN network and launches more efficient resource consumption attacks like DDoS. In general, SDN security vulnerabilities comes from the absence of integration with existing... resilience in NOX that uses its component organization. Moreover, a Primary-Backup method was introduced to enhanve the resilience of the SDN. “SDN-based DDoS blocking scheme” [38] DoS/DDoS attack specifically on the controller DDoS Blocking...

Industry Software Trustworthiness Criterion Research Based on Business Trustworthiness

Science.gov (United States)

Zhang, Jin; Liu, Jun-fei; Jiao, Hai-xing; Shen, Yi; Liu, Shu-yuan

To industry software Trustworthiness problem, an idea aiming to business to construct industry software trustworthiness criterion is proposed. Based on the triangle model of "trustworthy grade definition-trustworthy evidence model-trustworthy evaluating", the idea of business trustworthiness is incarnated from different aspects of trustworthy triangle model for special industry software, power producing management system (PPMS). Business trustworthiness is the center in the constructed industry trustworthy software criterion. Fusing the international standard and industry rules, the constructed trustworthy criterion strengthens the maneuverability and reliability. Quantitive evaluating method makes the evaluating results be intuitionistic and comparable.

Accuracy Test of Software Architecture Compliance Checking Tools – Test Instruction

NARCIS (Netherlands)

Pruijt, Leo; van der Werf, J.M.E.M.|info:eu-repo/dai/nl/36950674X; Brinkkemper., Sjaak|info:eu-repo/dai/nl/07500707X

2015-01-01

Software Architecture Compliance Checking (SACC) is an approach to verify conformance of implemented program code to high-level models of architectural design. Static SACC focuses on the modular software architecture and on the existence of rule violating dependencies between modules. Accurate tool

77 FR 5073 - Self-Regulatory Organizations; NASDAQ OMX PHLX LLC; Notice of Filing of Proposed Rule Change...

Science.gov (United States)

2012-02-01

... Trading of PHLX FOREX Options\\TM\\ January 26, 2012. Pursuant to Section 19(b)(1) of the Securities... new Phlx Rules 1000C (Applicability of Rule 1000C Series-- PHLX FOREX Options\\TM\\) \\3\\; Rule 1001C (Definitions--PHLX FOREX Options); Rule 1002C (Series of PHLX FOREX Options Open for Trading); Rule 1003C...

Rapidly Deployable Security System Final Report CRADA No. TC-2030-01

Energy Technology Data Exchange (ETDEWEB)

Kohlhepp, V. [Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States); Whiteman, B. [Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States); McKibben, M. T. [Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States)

2017-09-28

The ultimate objective of the LEADER and LLNL strategic partnership was to develop and commercialize_a security-based system product and platform for the use in protecting the substantial physical and economic assets of the government and commerce of the United States. The primary goal of this project was to integrate video surveillance hardware developed by LLNL with a security software backbone developed by LEADER. Upon completion of the project, a prototype hardware/software security system that is highly scalable was to be demonstrated.

Green Secure Processors: Towards Power-Efficient Secure Processor Design

Science.gov (United States)

Chhabra, Siddhartha; Solihin, Yan

With the increasing wealth of digital information stored on computer systems today, security issues have become increasingly important. In addition to attacks targeting the software stack of a system, hardware attacks have become equally likely. Researchers have proposed Secure Processor Architectures which utilize hardware mechanisms for memory encryption and integrity verification to protect the confidentiality and integrity of data and computation, even from sophisticated hardware attacks. While there have been many works addressing performance and other system level issues in secure processor design, power issues have largely been ignored. In this paper, we first analyze the sources of power (energy) increase in different secure processor architectures. We then present a power analysis of various secure processor architectures in terms of their increase in power consumption over a base system with no protection and then provide recommendations for designs that offer the best balance between performance and power without compromising security. We extend our study to the embedded domain as well. We also outline the design of a novel hybrid cryptographic engine that can be used to minimize the power consumption for a secure processor. We believe that if secure processors are to be adopted in future systems (general purpose or embedded), it is critically important that power issues are considered in addition to performance and other system level issues. To the best of our knowledge, this is the first work to examine the power implications of providing hardware mechanisms for security.

Threat modeling designing for security

CERN Document Server

Shostack, Adam

2014-01-01

Adam Shostack is responsible for security development lifecycle threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. Now, he is sharing his considerable expertise into this unique book. With pages of specific actionable advice, he details how to build better security into the design of systems, software, or services from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies. Systems secur

77 FR 59030 - Self-Regulatory Organizations; BATS Exchange, Inc.; Order Granting Approval of Proposed Rule...

Science.gov (United States)

2012-09-25

... (collectively, ``Derivative Securities Products'') \\5\\ when applying the quantitative generic listing criteria... or other Derivative Securities Products. \\4\\ The Exchange notes that NYSE Arca uses the term...\\ Rule 14.11 includes criteria for derivative securities that may be listed or traded on the Exchange...

On the Road to Holistic Decision Making in Adaptive Security

Directory of Open Access Journals (Sweden)

Mahsa Emami-Taba

2013-08-01

Full Text Available Security is a critical concern in today's software systems. Besides the interconnectivity and dynamic nature of network systems, the increasing complexity in modern software systems amplifies the complexity of IT security. This fact leaves attackers one step ahead in exploiting vulnerabilities and introducing new cyberattacks. The demand for new methodologies in addressing cybersecurity is emphasized by both private and national corporations. A practical solution to dynamically manage the high complexity of IT security is adaptive security, which facilitates analysis of the system's behaviour and hence the prevention of malicious attacks in complex systems. Systems that feature adaptive security detect and mitigate security threats at runtime with little or no administrator involvement. In these systems, decisions at runtime are balanced according to quality and performance goals. This article describes the necessity of holistic decision making in such systems and paves the road to future research.

New Brunswick electricity market rules : summary

International Nuclear Information System (INIS)

2004-02-01

The electricity market rules for New Brunswick were reviewed with particular reference to two broad classifications. The first classification is based on the roles and responsibilities of the system operator (SO) in facilitating the Bilateral Contract market, as well as the role of market participants in participating in the Bilateral Contract market. The second classification is based on the roles and responsibilities of each of the SO, market participants and transmitters in maintaining the reliability of the integrated electricity system and ensuring a secure supply of electricity for consumers in New Brunswick. The market rules consist of 10 chapters entitled: (1) introduction to the market rules and administrative rules of general application, (2) market participation and the use of the SO-controlled grid, (3) market administration, (4) technical and connection requirements, testing and commissioning, (5) system reliability, (6) operational requirements, (7) settlement, (8) connection of new or modified facilities, (9) transmission system planning, investment and operation, and (10) definitions and interpretation

Applications for cyber security - System and application monitoring

International Nuclear Information System (INIS)

Marron, J. E.

2006-01-01

Standard network security measures are adequate for defense against external attacks. However, many experts agree that the greater threat is from internal sources. Insiders with malicious intentions can change controller instructions, change alarm thresholds, and issue commands to equipment which can damage equipment and compromise control system integrity. In addition to strict physical security the state of the system must be continually monitored. System and application monitoring goes beyond the capabilities of network security appliances. It will include active processes, operating system services, files, network adapters and IP addresses. The generation of alarms is a crucial feature of system and application monitoring. The alarms should be integrated to avoid the burden on operators of checking multiple locations for security violations. Tools for system and application monitoring include commercial software, free software, and ad-hoc tools that can be easily created. System and application monitoring is part of a 'defense-in-depth' approach to a control network security plan. Layered security measures prevent an individual security measure failure from being exploited into a successful security breach. Alarming of individual failures is essential for rapid isolation and correction of single failures. System and application monitoring is the innermost layer of this defense strategy. (authors)

UN Security Council Practice and Regional Arrangements: Procedure, Legitimacy and International Justice

DEFF Research Database (Denmark)

Cullen, Miriam

2015-01-01

When the United Nations Security Council first met in January 1946, it was unable to reach agreement on rules of procedure to govern its operation. Instead, “provisional” rules were adopted in anticipation of further negotiation at a later date. The same provisional rules govern the Council’s work...... today, but provide only the skeletal framework of its contemporary practice. From the early 1990s, the Council increasingly implemented informal working methods to expedite its decision-making. This paper will critically examine the tension between the procedural practice of the Security Council...... to act ‘in conformity with the principles of justice and international law’ as stipulated in the very first provision of the United Nations Charter. Scholarship to date has largely ignored the procedural context of Security Council decisions, notwithstanding it provides the very structure within which...

17 CFR 240.3a55-4 - Exclusion from definition of narrow-based security index for indexes composed of debt securities.

Science.gov (United States)

2010-04-01

... respective rules promulgated thereunder, that is a note, bond, debenture, or evidence of indebtedness; (ii) None of the securities of an issuer included in the index is an equity security, as defined in section... its outstanding common equity held by non-affiliates of $71 million or more; (C) The issuer of the...

Comparative analysis of business rules and business process modeling languages

Directory of Open Access Journals (Sweden)

Audrius Rima

2013-03-01

Full Text Available During developing an information system is important to create clear models and choose suitable modeling languages. The article analyzes the SRML, SBVR, PRR, SWRL, OCL rules specifying language and UML, DFD, CPN, EPC and IDEF3 BPMN business process modeling language. The article presents business rules and business process modeling languages theoretical comparison. The article according to selected modeling aspects of the comparison between different business process modeling languages ​​and business rules representation languages sets. Also, it is selected the best fit of language set for three layer framework for business rule based software modeling.

SC²: Secure Communication over Smart Cards

DEFF Research Database (Denmark)

Dragoni, Nicola; Lostal, Eduardo; Papini, Davide

2012-01-01

The Security-by-Contract (S×C) framework has recently been proposed to support software evolution in open multi-application smart cards. The key idea lies in the notion of contract, a specification of the security behavior of an application that must be compliant with the security policy of the c...

Mobile Connectivity and Security Issues for Cloud Informatic Systems

OpenAIRE

Cosmin Cătălin Olteanu

2015-01-01

The main purpose of the paper is to illustrate the importance of new software tools that can be used with mobile devices to make them more secure for the use of day to day business software. Many companies are using mobile applications to access some components to ERP’s or CRM’s remotely. Even the new come, cloud Informatic Systems are using more remote devices than ever. This is why we need to secure somehow these mobile applications.

Biometric Secured Result Processing Software For Nigerian Tertiary Institutions

Directory of Open Access Journals (Sweden)

Oladipo Oluwasegun

2015-08-01

Full Text Available Abstract One of the challenges facing result processing in Nigerian tertiary institutions is the problem of insecurity. Untraceable changes are made to students result and this result to various disasters such as innocent people losing their jobs since their innocence cannot be proven. Biometric based systems operate on behavioral and physiological biometric data to identify a person and grant required access to a user. Physiological characteristics such as fingerprint remains unchanged throughout an individuals life time and thus it can serve as a viable means of identifying and authenticating users who are to access a system. In this study fingerprint biometric based result processing software is developed to ensure that users are well authenticated and are made to see only what they are pre-configured to see and work with. The fingerprint authentication system was developed using visual basic.net. Staff fingerprints were enrolled into the system to form a biometric template which the system validates against at every login attempt on the result processing software. The digital personal one touch ID sdk and other libraries were used in developing the authentication system. The result processing software also ensures that all write transactions to the database are confirmed and identified by forcing another biometric authentication at the point of making a write request to the web server and associated database. This ensures that the exact person initiating the transaction was the same user who logged in to the application. The users identified at login and various confirmation milestones set for write transactions are logged into a table for future reference and audit trail. Conclusively the developed system has helped to eradicate the problem of user impersonation by ensuring only authorized users are made to access the software and in-turn participate in result processing activities.

Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software

National Research Council Canada - National Science Library

2007-01-01

The Defense Science Board (DSB) Task Force on Mission Impact of Foreign Influence on DoD Software examined areas in software security, security architecture, and risk mitigation and received briefings from industry, academia...

76 FR 59803 - Children's Online Privacy Protection Rule

Science.gov (United States)

2011-09-27

... next COPPA Rule review was originally set for 2017. On April 5, 2010, the Commission published a...); and United States v. Bonzi Software, Inc., No. CV-04-1048 (C.D. Cal., filed Feb. 14, 2004) (desktop...

Automated Security Testing of Web Widget Interactions

NARCIS (Netherlands)

Bezemer, C.P.; Mesbah, A.; Van Deursen, A.

2009-01-01

This paper is a pre-print of: Cor-Paul Bezemer, Ali Mesbah, and Arie van Deursen. Automated Security Testing of Web Widget Interactions. In Proceedings of the 7th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

Secure Enclaves: An Isolation-centric Approach for Creating Secure High Performance Computing Environments

Energy Technology Data Exchange (ETDEWEB)

Aderholdt, Ferrol [Tennessee Technological Univ., Cookeville, TN (United States); Caldwell, Blake A. [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States); Hicks, Susan Elaine [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States); Koch, Scott M. [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States); Naughton, III, Thomas J. [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States); Pelfrey, Daniel S. [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States); Pogge, James R [Tennessee Technological Univ., Cookeville, TN (United States); Scott, Stephen L [Tennessee Technological Univ., Cookeville, TN (United States); Shipman, Galen M. [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States); Sorrillo, Lawrence [Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)

2017-01-01

High performance computing environments are often used for a wide variety of workloads ranging from simulation, data transformation and analysis, and complex workflows to name just a few. These systems may process data at various security levels but in so doing are often enclaved at the highest security posture. This approach places significant restrictions on the users of the system even when processing data at a lower security level and exposes data at higher levels of confidentiality to a much broader population than otherwise necessary. The traditional approach of isolation, while effective in establishing security enclaves poses significant challenges for the use of shared infrastructure in HPC environments. This report details current state-of-the-art in virtualization, reconfigurable network enclaving via Software Defined Networking (SDN), and storage architectures and bridging techniques for creating secure enclaves in HPC environments.

Software bots -The next frontier for shared services and functional excellence

NARCIS (Netherlands)

Suri, Vipin K.; Elia, Marianne; van Hillegersberg, Jos

2017-01-01

A Software Bot is a fundamental element of Robotics Process Automation (RPA). RPA can be deployed to automate repeatable, mundane, rules-based work-flowed process tasks across multiple functions in an organization, including Shared Services. While RPA holds high promise, using Software Bots for

I6-FPS: Automating the ICMPv6 Filtering Rules

Directory of Open Access Journals (Sweden)

Wan Ali Wan Nor Ashiqin

2018-01-01

Full Text Available Enterprises are required to utilize Internet Control Message Protocol version 6 (ICMPv6 when IPv6 is deployed. In IPv4, Internet Control Message Protocol (ICMP is aggressively filtered by a network administrator while in IPv6, ICMPv6 messages cannot be aggressively filtered due to the function of ICMPv6 message. ICMPv6 security risks increase when ICMPv6 threats and vulnerabilities are exploited. Thus, it is very crucial for enterprises to address the issues. In practice, network researchers must review several resources to identify ICMPv6 related attacks occurring due to the exploitation of ICMPv6 vulnerabilities. Overlooking any of these issues will jeopardize the security of ICMPv6. While conducting the attack scenarios testing, IPv6-Filtering Prototype System (I6-FPS was developed to overcome the deficiency and limited filtering tools that supported IPv6 filtering rules (ip6table. I6-FPS is used to automate and simplify the writing of ip6table and it was developed using PHP5 and Shell script languages. This research revealed that I6-FPS is significant in the initial phase of securing IPv6 deployment as well as focusing on the ICMPv6 filtering rules. The I6-FPS has the potential to be enhanced and developed over time by including more functions to that system in generating specific filtering ip6table rules.

An updated look at document security: from initiation to storage or shredder.

Science.gov (United States)

McConnell, Charles R

2014-01-01

In these days of close attention to security of information handled electronically, there is often a tendency to overlook the security of hard-copy documents. Document security can involve many areas of business, but the health care department manager's concerns are primarily for patient records and employee documentation. Document security is closely related to growing concerns for individual privacy; guidelines are furnished for protecting employee privacy by separating retention practices for business information from personal information. Sensitive documentation requires rules and procedures for processing, retaining, accessing, storing, and eventually destroying. Also, documents that are missing or incomplete at times present unique problems for the organization. The department manager is provided with some simple rules for safeguarding employee and patient documentation.

Application Security Automation

Science.gov (United States)

Malaika, Majid A.

2011-01-01

With today's high demand for online applications and services running on the Internet, software has become a vital component in our lives. With every revolutionary technology comes challenges unique to its characteristics; for online applications, security is one huge concern and challenge. Currently, there are several schemes that address…

76 FR 2737 - Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving Proposed...

Science.gov (United States)

2011-01-14

... SECURITIES AND EXCHANGE COMMISSION [Release No. 34-63668; File No. SR-NSCC-2010-09] Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving Proposed Rule Change... Facility January 6, 2011. I. Introduction On August 30, 2010, the National Securities Clearing Corporation...

In-camera automation of photographic composition rules.

Science.gov (United States)

Banerjee, Serene; Evans, Brian L

2007-07-01

At the time of image acquisition, professional photographers apply many rules of thumb to improve the composition of their photographs. This paper develops a joint optical-digital processing framework for automating composition rules during image acquisition for photographs with one main subject. Within the framework, we automate three photographic composition rules: repositioning the main subject, making the main subject more prominent, and making objects that merge with the main subject less prominent. The idea is to provide to the user alternate pictures obtained by applying photographic composition rules in addition to the original picture taken by the user. The proposed algorithms do not depend on prior knowledge of the indoor/outdoor setting or scene content. The proposed algorithms are also designed to be amenable to software implementation on fixed-point programmable digital signal processors available in digital still cameras.

Model-Based Security Testing

Directory of Open Access Journals (Sweden)

Ina Schieferdecker

2012-02-01

Full Text Available Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques are available for many years, there has been little approaches that allow for specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security testing (MBST is a relatively new field and especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes e.g. security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2-project DIAMONDS.

Closing gaps between open software and public data in a hackathon setting: User-centered software prototyping.

Science.gov (United States)

Busby, Ben; Lesko, Matthew; Federer, Lisa

2016-01-01

In genomics, bioinformatics and other areas of data science, gaps exist between extant public datasets and the open-source software tools built by the community to analyze similar data types.  The purpose of biological data science hackathons is to assemble groups of genomics or bioinformatics professionals and software developers to rapidly prototype software to address these gaps.  The only two rules for the NCBI-assisted hackathons run so far are that 1) data either must be housed in public data repositories or be deposited to such repositories shortly after the hackathon's conclusion, and 2) all software comprising the final pipeline must be open-source or open-use.  Proposed topics, as well as suggested tools and approaches, are distributed to participants at the beginning of each hackathon and refined during the event.  Software, scripts, and pipelines are developed and published on GitHub, a web service providing publicly available, free-usage tiers for collaborative software development. The code resulting from each hackathon is published at https://github.com/NCBI-Hackathons/ with separate directories or repositories for each team.

Governance characteristics and the market reaction to the SEC’s proxy access rule

NARCIS (Netherlands)

Akyol, A.; Lim, B.; Verwijmeren, P.

2012-01-01

We examine the wealth effects of the Security and Exchange Commission's (SEC) recent proxy access rule to facilitate director nominations by shareholders. We focus on how a firm's governance characteristics affect the market reaction to the rule. We find more negative announcement effects for firms

76 FR 57787 - Self-Regulatory Organizations; EDGA Exchange, Inc.; Notice of Filing of Proposed Rule Change...

Science.gov (United States)

2011-09-16

... securities product (``UTP Derivative Security'') that derives its value from one or more currencies or..., proposed EDGA Rule 14.1(c)(5)(A) provides that a Restricted Market Maker in a UTP Derivative Security on... Reference Asset of that UTP Derivative Security, or any derivative instrument based on a Reference Asset of...

Hybrid architecture for building secure sensor networks

Science.gov (United States)

Owens, Ken R., Jr.; Watkins, Steve E.

2012-04-01

Sensor networks have various communication and security architectural concerns. Three approaches are defined to address these concerns for sensor networks. The first area is the utilization of new computing architectures that leverage embedded virtualization software on the sensor. Deploying a small, embedded virtualization operating system on the sensor nodes that is designed to communicate to low-cost cloud computing infrastructure in the network is the foundation to delivering low-cost, secure sensor networks. The second area focuses on securing the sensor. Sensor security components include developing an identification scheme, and leveraging authentication algorithms and protocols that address security assurance within the physical, communication network, and application layers. This function will primarily be accomplished through encrypting the communication channel and integrating sensor network firewall and intrusion detection/prevention components to the sensor network architecture. Hence, sensor networks will be able to maintain high levels of security. The third area addresses the real-time and high priority nature of the data that sensor networks collect. This function requires that a quality-of-service (QoS) definition and algorithm be developed for delivering the right data at the right time. A hybrid architecture is proposed that combines software and hardware features to handle network traffic with diverse QoS requirements.

Claims Procedure for Plans Providing Disability Benefits. Final rule.

Science.gov (United States)

2016-12-19

This document contains a final regulation revising the claims procedure regulations under the Employee Retirement Income Security Act of 1974 (ERISA) for employee benefit plans providing disability benefits. The final rule revises and strengthens the current rules primarily by adopting certain procedural protections and safeguards for disability benefit claims that are currently applicable to claims for group health benefits pursuant to the Affordable Care Act. This rule affects plan administrators and participants and beneficiaries of plans providing disability benefits, and others who assist in the provision of these benefits, such as third-party benefits administrators and other service providers.

76 FR 15216 - Security Zones; Cruise Ships, Port of San Diego, CA

Science.gov (United States)

2011-03-21

... Executive Order 13045, Protection of Children from Environmental Health Risks and Safety Risks. This rule is not an economically significant rule and does not create an environmental risk to health or risk to...-AA87 Security Zones; Cruise Ships, Port of San Diego, CA AGENCY: Coast Guard, DHS. ACTION: Final rule...

Mobile Connectivity and Security Issues for Cloud Informatic Systems

Directory of Open Access Journals (Sweden)

Cosmin Cătălin Olteanu

2015-05-01

Full Text Available The main purpose of the paper is to illustrate the importance of new software tools that can be used with mobile devices to make them more secure for the use of day to day business software. Many companies are using mobile applications to access some components to ERP’s or CRM’s remotely. Even the new come, cloud Informatic Systems are using more remote devices than ever. This is why we need to secure somehow these mobile applications.

78 FR 44729 - Disqualification of Felons and Other “Bad Actors” From Rule 506 Offerings

Science.gov (United States)

2013-07-24

... administrative sanctions for, securities fraud or other violations of specified laws. Rule 506 in its current... Vol. 78 Wednesday, No. 142 July 24, 2013 Part IV Securities and Exchange Commission 17 CFR Parts...

New Mandatory Computer Security Course

CERN Multimedia

CERN Bulletin

2010-01-01

Just like any other organization, CERN is permanently under attack - even right now. Consequently it's important to be vigilant about security risks, protecting CERN's reputation - and your work. The availability, integrity and confidentiality of CERN's computing services and the unhindered operation of its accelerators and experiments come down to the combined efforts of the CERN Security Team and you. In order to remain par with the attack trends, the Security Team regularly reminds CERN users about the computer security risks, and about the rules for using CERN’s computing facilities. Since 2007, newcomers have to follow a dedicated basic computer security course informing them about the “Do’s” and “Dont’s” when using CERNs computing facilities. This course has recently been redesigned. It is now mandatory for all CERN members (users and staff) owning a CERN computer account and must be followed once every three years. Members who...

Network systems security analysis

Science.gov (United States)

Yilmaz, Ä.°smail

2015-05-01

Network Systems Security Analysis has utmost importance in today's world. Many companies, like banks which give priority to data management, test their own data security systems with "Penetration Tests" by time to time. In this context, companies must also test their own network/server systems and take precautions, as the data security draws attention. Based on this idea, the study cyber-attacks are researched throughoutly and Penetration Test technics are examined. With these information on, classification is made for the cyber-attacks and later network systems' security is tested systematically. After the testing period, all data is reported and filed for future reference. Consequently, it is found out that human beings are the weakest circle of the chain and simple mistakes may unintentionally cause huge problems. Thus, it is clear that some precautions must be taken to avoid such threats like updating the security software.

Security model for picture archiving and communication systems.

Science.gov (United States)

Harding, D B; Gac, R J; Reynolds, C T; Romlein, J; Chacko, A K

2000-05-01

The modern information revolution has facilitated a metamorphosis of health care delivery wrought with the challenges of securing patient sensitive data. To accommodate this reality, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). While final guidance has not fully been resolved at this time, it is up to the health care community to develop and implement comprehensive security strategies founded on procedural, hardware and software solutions in preparation for future controls. The Virtual Radiology Environment (VRE) Project, a landmark US Army picture archiving and communications system (PACS) implemented across 10 geographically dispersed medical facilities, has addressed that challenge by planning for the secure transmission of medical images and reports over their local (LAN) and wide area network (WAN) infrastructure. Their model, which is transferable to general PACS implementations, encompasses a strategy of application risk and dataflow identification, data auditing, security policy definition, and procedural controls. When combined with hardware and software solutions that are both non-performance limiting and scalable, the comprehensive approach will not only sufficiently address the current security requirements, but also accommodate the natural evolution of the enterprise security model.

Computer-Aided Sensor Development Focused on Security Issues.

Science.gov (United States)

Bialas, Andrzej

2016-05-26

The paper examines intelligent sensor and sensor system development according to the Common Criteria methodology, which is the basic security assurance methodology for IT products and systems. The paper presents how the development process can be supported by software tools, design patterns and knowledge engineering. The automation of this process brings cost-, quality-, and time-related advantages, because the most difficult and most laborious activities are software-supported and the design reusability is growing. The paper includes a short introduction to the Common Criteria methodology and its sensor-related applications. In the experimental section the computer-supported and patterns-based IT security development process is presented using the example of an intelligent methane detection sensor. This process is supported by an ontology-based tool for security modeling and analyses. The verified and justified models are transferred straight to the security target specification representing security requirements for the IT product. The novelty of the paper is to provide a patterns-based and computer-aided methodology for the sensors development with a view to achieving their IT security assurance. The paper summarizes the validation experiment focused on this methodology adapted for the sensors system development, and presents directions of future research.

Cyber Security in Digital I and C Implementation

Energy Technology Data Exchange (ETDEWEB)

Chow, Ivan; Hsu, Allen; Kim, Jong Min; Luo, William [Doosan HF Controls, Texas (United States)

2011-08-15

During the Nuclear Regulatory Commission (NRC) audit process of Doosan HF Control HFC-6000 safety system 2009, cyber security assessment was a major audit process. The result of the assessment was favorably satisfied. As preventing digital I and C systems from being hijacked by malicious software a major goal for the NRC, audit process of actual digital I and C implementations such as the HFC-6000 safety system which provides already strong cyber security measures is mutually beneficial to both the NRC and the vendor: NRC can enhance their set of cyber security assessments and vendors such as Doosan HFC can also augment their cyber security measures. The NRC Safety Evaluation Report (SER) for the HFC-6000 system was released in April 2011 qualifying the system to be used as safety systems in US nuclear power plants. This paper provides the summary of the cyber security assessment of the complete software life cycle of HFC-6000 Safety System. Lessons learned in each life cycle phase are provided. In addition, alternate measures or recommendations for enhancing the cyber security in each life cycle phase are also described.

Cyber Security in Digital I and C Implementation

International Nuclear Information System (INIS)

Chow, Ivan; Hsu, Allen; Kim, Jong Min; Luo, William

2011-01-01

During the Nuclear Regulatory Commission (NRC) audit process of Doosan HF Control HFC-6000 safety system 2009, cyber security assessment was a major audit process. The result of the assessment was favorably satisfied. As preventing digital I and C systems from being hijacked by malicious software a major goal for the NRC, audit process of actual digital I and C implementations such as the HFC-6000 safety system which provides already strong cyber security measures is mutually beneficial to both the NRC and the vendor: NRC can enhance their set of cyber security assessments and vendors such as Doosan HFC can also augment their cyber security measures. The NRC Safety Evaluation Report (SER) for the HFC-6000 system was released in April 2011 qualifying the system to be used as safety systems in US nuclear power plants. This paper provides the summary of the cyber security assessment of the complete software life cycle of HFC-6000 Safety System. Lessons learned in each life cycle phase are provided. In addition, alternate measures or recommendations for enhancing the cyber security in each life cycle phase are also described

Secure wireless embedded systems via component-based design

DEFF Research Database (Denmark)

Hjorth, T.; Torbensen, R.

2010-01-01

This paper introduces the method secure-by-design as a way of constructing wireless embedded systems using component-based modeling frameworks. This facilitates design of secure applications through verified, reusable software. Following this method we propose a security framework with a secure c......, with full support for confidentiality, authentication, and integrity using keypairs. The approach has been demonstrated in a multi-platform home automation prototype that can remotely unlock a door using a PDA over the Internet....

Secure electronic commerce communication system based on CA

Science.gov (United States)

Chen, Deyun; Zhang, Junfeng; Pei, Shujun

2001-07-01

In this paper, we introduce the situation of electronic commercial security, then we analyze the working process and security for SSL protocol. At last, we propose a secure electronic commerce communication system based on CA. The system provide secure services such as encryption, integer, peer authentication and non-repudiation for application layer communication software of browser clients' and web server. The system can implement automatic allocation and united management of key through setting up the CA in the network.

A Practice of Secure Development and Operational Environment Plan

International Nuclear Information System (INIS)

Park, Jaekwan; Seo, Sangmun; Suh, Yongsukl; Park, Cheol

2017-01-01

This paper suggests a practice of plan for SDOE establishment in a nuclear I and C. First, it is necessary to perform a requirements analysis to define key regulatory issues and determine the target systems. The analysis includes a survey to find out the applicable measures credited internationally. Based on the analysis results, this paper proposes an implementation plan including a process harmonizing security activities with legacy software activities and applicable technical, operational, and management measures for target systems. Recently, nuclear I and C has been faced with two security issues, cyber security (CS) and secure development and operational environment (SDOE). Unlike cyber security, few studies on planning SDOE have been presented. This paper suggests a plan for establishing an SDOE in a nuclear I and C. This paper defines three key considerations to comply with the regulatory position of RG. 1.152(R3) and proposes a process harmonizing the security activities with legacy software activities. In addition, this paper proposes technical, operational, and management measures applicable for SDOE.

Automated generation of lattice QCD Feynman rules

Energy Technology Data Exchange (ETDEWEB)

Hart, A.; Mueller, E.H. [Edinburgh Univ. (United Kingdom). SUPA School of Physics and Astronomy; von Hippel, G.M. [Deutsches Elektronen-Synchrotron (DESY), Zeuthen (Germany); Horgan, R.R. [Cambridge Univ. (United Kingdom). DAMTP, CMS

2009-04-15

The derivation of the Feynman rules for lattice perturbation theory from actions and operators is complicated, especially for highly improved actions such as HISQ. This task is, however, both important and particularly suitable for automation. We describe a suite of software to generate and evaluate Feynman rules for a wide range of lattice field theories with gluons and (relativistic and/or heavy) quarks. Our programs are capable of dealing with actions as complicated as (m)NRQCD and HISQ. Automated differentiation methods are used to calculate also the derivatives of Feynman diagrams. (orig.)

Automated generation of lattice QCD Feynman rules

International Nuclear Information System (INIS)

Hart, A.; Mueller, E.H.; Horgan, R.R.

2009-04-01

The derivation of the Feynman rules for lattice perturbation theory from actions and operators is complicated, especially for highly improved actions such as HISQ. This task is, however, both important and particularly suitable for automation. We describe a suite of software to generate and evaluate Feynman rules for a wide range of lattice field theories with gluons and (relativistic and/or heavy) quarks. Our programs are capable of dealing with actions as complicated as (m)NRQCD and HISQ. Automated differentiation methods are used to calculate also the derivatives of Feynman diagrams. (orig.)

Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor

Energy Technology Data Exchange (ETDEWEB)

Ondrej Linda; Todd Vollmer; Jason Wright; Milos Manic

2011-04-01

Resiliency and security in critical infrastructure control systems in the modern world of cyber terrorism constitute a relevant concern. Developing a network security system specifically tailored to the requirements of such critical assets is of a primary importance. This paper proposes a novel learning algorithm for anomaly based network security cyber sensor together with its hardware implementation. The presented learning algorithm constructs a fuzzy logic rule based model of normal network behavior. Individual fuzzy rules are extracted directly from the stream of incoming packets using an online clustering algorithm. This learning algorithm was specifically developed to comply with the constrained computational requirements of low-cost embedded network security cyber sensors. The performance of the system was evaluated on a set of network data recorded from an experimental test-bed mimicking the environment of a critical infrastructure control system.

Materials for the information security education

International Nuclear Information System (INIS)

Yashiro, Shigeo; Aoki, Kazuhisa; Sato, Tomohiko; Tanji, Kazuhiro

2014-01-01

With the rapid progress of the utilization of Information Technology (IT), IT infrastructure (network environment and information system) became crucial as a lifeline for promoting business. At the same time, changes in the circumstances surrounding the IT infrastructure globalize the threat of cyber attacks and increase the risk of the information security such as unlawful access to an information system, viral infection, an alteration of a website, disclosure of subtlety information, destruction of an information system and so on. Information security measure is an important issue in Japan Atomic Energy Agency (JAEA). In order to protect the information property of JAEA from the threat, Center for Computational Science and e-Systems (CCSE) has been taking triadic measures for information security: (1) to lay down a set of information security rules, (2) to introduce security equipments to backbone network and (3) to provide information security education. This report is a summary of the contents of the information security education by e-learning. (author)

Analysis of Intel IA-64 Processor Support for Secure Systems

National Research Council Canada - National Science Library

Unalmis, Bugra

2001-01-01

.... Systems could be constructed for which serious security threats would be eliminated. This thesis explores the Intel IA-64 processor's hardware support and its relationship to software for building a secure system...

17 CFR 250.52 - Exemption of issue and sale of certain securities.

Science.gov (United States)

2010-04-01

... 17 Commodity and Securities Exchanges 3 2010-04-01 2010-04-01 false Exemption of issue and sale of... sale of any security, of which it is the issuer if: (1) The issue and sale of the security are solely.... 79f(a)) and related rules with respect to the issue and sale of any security of which it is the issuer...

Automated support for experience-based software management

Science.gov (United States)

Valett, Jon D.

1992-01-01

To effectively manage a software development project, the software manager must have access to key information concerning a project's status. This information includes not only data relating to the project of interest, but also, the experience of past development efforts within the environment. This paper describes the concepts and functionality of a software management tool designed to provide this information. This tool, called the Software Management Environment (SME), enables the software manager to compare an ongoing development effort with previous efforts and with models of the 'typical' project within the environment, to predict future project status, to analyze a project's strengths and weaknesses, and to assess the project's quality. In order to provide these functions the tool utilizes a vast corporate memory that includes a data base of software metrics, a set of models and relationships that describe the software development environment, and a set of rules that capture other knowledge and experience of software managers within the environment. Integrating these major concepts into one software management tool, the SME is a model of the type of management tool needed for all software development organizations.

10 CFR 2.911 - Admissibility of restricted data or other national security information.

Science.gov (United States)

2010-01-01

... security information. 2.911 Section 2.911 Energy NUCLEAR REGULATORY COMMISSION RULES OF PRACTICE FOR... Proceedings Involving Restricted Data and/or National Security Information § 2.911 Admissibility of restricted data or other national security information. A presiding officer shall not receive any Restricted Data...

Developing a software for removable partial denture design: Part II: Introduction of RPD graph software

Directory of Open Access Journals (Sweden)

Nejatidanesh F

2007-06-01

Full Text Available Background and Aim: Designing removable partial dentures is one of the most important phases of prosthetic treatments. Computer can be used to facilitate and increase accuracy of removable partial denture design. The aim of this study was to develop a software for removable partial denture design.Materials and Methods: A questionnaire (discussed in part I and major textbooks, were used to determine the design rules.  The software (RPD Graph was developed using Visual C++ and Maryam program. The RPD Graph can determine the classification of partial edentulous arch. With defining the missing teeth and providing data about prognosis and conditions of abutment teeth, the removable partial design will be developed by RPD Graph. This software is a knowledge-based system which has specific characteristics. It can be used as an educational tool for teaching RPD design and as a clinical tool for supporting clinician's decision. In addition it can be developed to more complete softwares.

76 FR 70207 - Self-Regulatory Organizations; Municipal Securities Rulemaking Board; Order Granting Approval of...

Science.gov (United States)

2011-11-10

... Change Regarding Professional Qualifications and Information Concerning Associated Persons November 3... proposed rule change consisting of amendments to Rule G-3, on professional qualifications, and Rule G-7, on.... Underwriting, trading or sales of municipal securities; 2. Financial advisory or consultant services for...

LHCb: DIRAC Secure Distributed Platform

CERN Multimedia

Casajus, A

2009-01-01

DIRAC, the LHCb community grid solution, provides access to a vast amount of computing and storage resources to a large number of users. In DIRAC users are organized in groups with different needs and permissions. In order to ensure that only allowed users can access the resources and to enforce that there are no abuses, security is mandatory. All DIRAC services and clients use secure connections that are authenticated using certificates and grid proxies. Once a client has been authenticated, authorization rules are applied to the requested action based on the presented credentials. These authorization rules and the list of users and groups are centrally managed in the DIRAC Configuration Service. Users submit jobs to DIRAC using their local credentials. From then on, DIRAC has to interact with different Grid services on behalf of this user. DIRAC has a proxy management service where users upload short-lived proxies to be used when DIRAC needs to act on behalf of them. Long duration proxies are uploaded by us...

An Interoperability Framework and Capability Profiling for Manufacturing Software

Science.gov (United States)

Matsuda, M.; Arai, E.; Nakano, N.; Wakai, H.; Takeda, H.; Takata, M.; Sasaki, H.

ISO/TC184/SC5/WG4 is working on ISO16100: Manufacturing software capability profiling for interoperability. This paper reports on a manufacturing software interoperability framework and a capability profiling methodology which were proposed and developed through this international standardization activity. Within the context of manufacturing application, a manufacturing software unit is considered to be capable of performing a specific set of function defined by a manufacturing software system architecture. A manufacturing software interoperability framework consists of a set of elements and rules for describing the capability of software units to support the requirements of a manufacturing application. The capability profiling methodology makes use of the domain-specific attributes and methods associated with each specific software unit to describe capability profiles in terms of unit name, manufacturing functions, and other needed class properties. In this methodology, manufacturing software requirements are expressed in terns of software unit capability profiles.

33 CFR 89.25 - Waters upon which Inland Rules 9(a)(ii), 14(d), and 15(b) apply.

Science.gov (United States)

2010-07-01

... 33 Navigation and Navigable Waters 1 2010-07-01 2010-07-01 false Waters upon which Inland Rules 9(a)(ii), 14(d), and 15(b) apply. 89.25 Section 89.25 Navigation and Navigable Waters COAST GUARD, DEPARTMENT OF HOMELAND SECURITY INLAND NAVIGATION RULES INLAND NAVIGATION RULES: IMPLEMENTING RULES Waters...

32 CFR 318.15 - Rules of conduct

Science.gov (United States)

2010-07-01

... DEFENSE THREAT REDUCTION AGENCY PRIVACY PROGRAM § 318.15 Rules of conduct (a) DTRA personnel shall: (1... of records, to which they have access or are using incident to the conduct of official business, shall be protected so that the security and confidentiality of the information shall be preserved. (2...

A control system verifier using automated reasoning software

International Nuclear Information System (INIS)

Smith, D.E.; Seeman, S.E.

1985-08-01

An on-line, automated reasoning software system for verifying the actions of other software or human control systems has been developed. It was demonstrated by verifying the actions of an automated procedure generation system. The verifier uses an interactive theorem prover as its inference engine with the rules included as logical axioms. Operation of the verifier is generally transparent except when the verifier disagrees with the actions of the monitored software. Testing with an automated procedure generation system demonstrates the successful application of automated reasoning software for verification of logical actions in a diverse, redundant manner. A higher degree of confidence may be placed in the verified actions of the combined system

A Container-based Trusted Multi-level Security Mechanism

Directory of Open Access Journals (Sweden)

Li Xiao-Yong

2017-01-01

Full Text Available Multi-level security mechanism has been widely applied in the military, government, defense and other domains in which information is required to be divided by security-level. Through this type of security mechanism, users at different security levels are provided with information at corresponding security levels. Traditional multi-level security mechanism which depends on the safety of operating system finally proved to be not practical. We propose a container-based trusted multi-level security mechanism in this paper to improve the applicability of the multi-level mechanism. It guarantees multi-level security of the system through a set of multi-level security policy rules and trusted techniques. The technical feasibility and application scenarios are also discussed. The ease of realization, strong practical significance and low cost of our method will largely expand the application of multi-level security mechanism in real life.

Open source software migration: Best practices

CSIR Research Space (South Africa)

Molefe, Onkgopotse M

2010-09-01

Full Text Available Open source software (OSS) has gained prominence worldwide, largely due to cost savings and security considerations. This has caused a change in the IT sector and has led to the migration of desktops from proprietary to OSS. The problem...

Sandia National Laboratories Advanced Simulation and Computing (ASC) software quality plan : ASC software quality engineering practices Version 3.0.

Energy Technology Data Exchange (ETDEWEB)

Turgeon, Jennifer L.; Minana, Molly A.; Hackney, Patricia; Pilch, Martin M.

2009-01-01

The purpose of the Sandia National Laboratories (SNL) Advanced Simulation and Computing (ASC) Software Quality Plan is to clearly identify the practices that are the basis for continually improving the quality of ASC software products. Quality is defined in the US Department of Energy/National Nuclear Security Agency (DOE/NNSA) Quality Criteria, Revision 10 (QC-1) as 'conformance to customer requirements and expectations'. This quality plan defines the SNL ASC Program software quality engineering (SQE) practices and provides a mapping of these practices to the SNL Corporate Process Requirement (CPR) 001.3.6; 'Corporate Software Engineering Excellence'. This plan also identifies ASC management's and the software project teams responsibilities in implementing the software quality practices and in assessing progress towards achieving their software quality goals. This SNL ASC Software Quality Plan establishes the signatories commitments to improving software products by applying cost-effective SQE practices. This plan enumerates the SQE practices that comprise the development of SNL ASC's software products and explains the project teams opportunities for tailoring and implementing the practices.

Introduction and user's information for the fixed site physical protection upgrade rule guidance compendium

International Nuclear Information System (INIS)

Evans, L.J. Jr.; Allen, T.

1980-06-01

Licensees at fixed sites who possess, use, process, or handle strategic special nuclear material are required to design a physical security system to protect this material. This report suggests an orderly process for using guidance, with special emphasis on two regulatory guides and two NUREG series documents that comprise a compendium, to aid in the design of a physical security system that meets the requirements of the final Physical Protection Upgrade Rule. The rule was published November 28, 1979 (44 FR 68184), and became effective March 25, 1980

Software defined networking firewall for industry 4.0 manufacturing systems

Directory of Open Access Journals (Sweden)

Akihiro Tsuchiya

2018-04-01

Full Text Available Purpose: In order to leverage automation control data, Industry 4.0 manufacturing systems require industrial devices to be connected to the network. Potentially, this can increase the risk of cyberattacks, which can compromise connected industrial devices to acquire production data or gain control over the production process. Search engines such as Sentient Hyper-Optimized Data Access Network (SHODAN can be perverted by attackers to acquire network information that can be later used for intrusion. To prevent this, cybersecurity standards propose network architectures divided into several networks segments based on system functionalities. In this architecture, Firewalls limit the exposure of industrial control devices in order to minimize security risks. This paper presents a novel Software Defined Networking (SDN Firewall that automatically applies this standard architecture without compromising network flexibility.   Design/methodology/approach: The proposed SDN Firewall changes filtering rules in order to implement the different network segments according to application level access control policies. The Firewall applies two filtering techniques described in this paper: temporal filtering and spatial filtering, so that only applications in a white list can connect to industrial control devices. Network administrators need only to configure this application-oriented white lists to comply with security standards for ICS. This simplifies to a great extent network management tasks. Authors have developed a prototype implementation based on the OPC UA Standard and conducted security tests in order to test the viability of the proposal. Findings: Network segmentation and segregation are effective counter-measures against network scanning attacks. The proposed SDN Firewall effectively configures a flat network into virtual LAN segments according to security standard guidelines. Research limitations/implications: The prototype implementation still

Network Security: What Non-Technical Administrators Must Know

Science.gov (United States)

Council, Chip

2005-01-01

Now it is increasingly critical that community college leaders become involved in network security and partner with their directors of information technology (IT). Network security involves more than just virus protection software and firewalls. It involves vigilance and requires top executive support. Leaders can help their IT directors to…

Reminder: Mandatory Computer Security Course

CERN Multimedia

IT Department

2011-01-01

Just like any other organization, CERN is permanently under attack – even right now. Consequently it's important to be vigilant about security risks, protecting CERN's reputation - and your work. The availability, integrity and confidentiality of CERN's computing services and the unhindered operation of its accelerators and experiments come down to the combined efforts of the CERN Security Team and you. In order to remain par with the attack trends, the Security Team regularly reminds CERN users about the computer security risks, and about the rules for using CERN’s computing facilities. Therefore, a new dedicated basic computer security course has been designed informing you about the “Do’s” and “Dont’s” when using CERN's computing facilities. This course is mandatory for all person owning a CERN computer account and must be followed once every three years. Users who have never done the course, or whose course needs to be renewe...

Security bingo for administrators

CERN Multimedia

Computer Security Team

2011-01-01

Have you ever thought about the security of your service(s) or system(s)? Show us and win one of three marvellous books on computer security! Just print out this page, mark which of the 25 good practices below you already follow, and send the sheet back to us at Computer.Security@cern.ch or P.O. Box G19710, by November 14th 2011.   Winners[1] must show us that they follow at least five good practices in a continuous horizontal row, vertical column or diagonal. For details on CERN Computer Security, please consult http://cern.ch/security. My service or system…   …is following a software development life-cycle. …is patched in an automatic and timely fashion. …runs a tightened local ingress/egress firewall. …uses CERN Single-Sign-On (SSO). …has physical access protections in place. …runs all processes / services / applications with least privileges. …has ...

Security Components of Globalization

Directory of Open Access Journals (Sweden)

Florin Iftode

2015-05-01

Full Text Available The objective of this paper is our intention to present what are the main connections between globalization and international security. In terms of global security we can perceive the globalization as a process by which global state is represented by the UN, with a single world system, represented by major security organizations and with global effects. We will present from the beginning the main theoretical aspects that define the phenomenon of globalization, and then our contribution in assessing the implications of this phenomenon on the regional and global security. The results of our research are materialized in the last part of the paper. They emphasize the personal assessments on how the phenomenon of globalization has direct effect on global security. When talking about government, we think of norms, rules and decisionmaking procedures in the management of international life. The value that we add to the new scientific interpretation of the definition of globalization is represented, primarily, by the valuable bibliographic used resources and the original approach on the concept that refers to the links between globalization and security. This article may be, at any time, a starting point in an interesting research direction in the field of global security.

European union mission for the rule of law in Kosovo

Directory of Open Access Journals (Sweden)

Dr.Sc. Bejtush Gashi

2011-12-01

Full Text Available Here we have studied the international circumstances that have affected the deployment of the EULEX Mission in Kosovo. The EULEX mission is the European Union Mission for the Rule of Law in Kosovo. Its main goal is to advise, assist and support the Kosovo authorities in issues of the rule of law, especially in the field of police, judiciary and customs performance. Also this mission has the responsibility to develop and further strengthen the independent multi-ethnic justice system in Kosovo, by ensuring that the rule of law institutions are not politically influenced and that they meet the known international standards and best European practices. This mission was foreseen to be deployed to Kosovo, based on the Ahtissari Comprehensive Status Proposal for Kosovo, but due to its non-approval by the UN Security Council, its full implementation was delayed until December 2008. EULEX acts within the framework of Resolution 1244 of the UN Security Council and under a single chain of command in Brussels. EULEX officials have supported Kosovo Police, the Judiciary system and Kosovo Customs, through MMA actions for achieving objectives and goals that are foreseen by the program strategy of EULEX. But in terms of efficiency, EULEX has only achieved modest results. In the northern part of Kosovo, EULEX has failed, as a result of its ambivalent mandate and incoherence of EU Foreign and Security Policy.

Using simplex method in verifying software safety

Directory of Open Access Journals (Sweden)

Vujošević-Janičić Milena

2009-01-01

Full Text Available In this paper we have discussed the application of the Simplex method in checking software safety - the application in automated detection of buffer overflows in C programs. This problem is important because buffer overflows are suitable targets for hackers' security attacks and sources of serious program misbehavior. We have also described our implementation, including a system for generating software correctness conditions and a Simplex based theorem prover that resolves these conditions.

Fruit-80: A Secure Ultra-Lightweight Stream Cipher for Constrained Environments

Directory of Open Access Journals (Sweden)