CyberSPL: A Framework for the Verification of Cybersecurity Policy Compliance of System Configurations Using Software Product Lines

Varela-Vaca, Ángel Jesús; Gasca, Rafael M.; Ceballos, Rafael; Gómez-López, María Teresa; Torres, Pedro Bernáldez

doi:10.3390/app9245364

Cited by 18 publications

(11 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Currently, monitoring and process mining techniques are new trends in order to detect whether certain security requirements are fulfilled by analyzing event logs [1,6]. The work in [52] enables the generation of security configuration workflows, whereas [50] provides a framework to design product lines to verify security policies in accordance to a set of available configurations. Nevertheless, these works only consider the activitycentric perspective and overlook the artifact-centric perspective in most cases.…”

Section: Related Workmentioning

confidence: 99%

Reasoning on the usage control security policies over data artifact business process models

et al. 2022

View full text Add to dashboard Cite

The inclusion of security aspects in organizations is a crucial aspect to ensure compliance with both internal and external regulations. Business process models are a well-known mechanism to describe and automate the activities of the organizations, which should include security policies to ensure the correct performance of the daily activities. Frequently, these security policies involve complex data which cannot be represented using the standard Business Process Model Notation (BPMN). In this paper, we propose the enrichment of the BPMN with a UML class diagram to describe the data model, that is also combined with security policies defined using the UCONABC framework annotated within the business process model. The integration of the business process model, the data model, and the security policies provides a context where more complex reasoning can be applied about the satisfiability of the security policies in accordance with the business process and data models. To do so, we transform the original models, including security policies, into the BAUML framework (an artifact-centric approach to business process modelling). Once this is done, it is possible to ensure that there are no inherent errors in the model (verification) and that it fulfils the business requirements (validation), thus ensuring that the business process and the security policies are compatible and that they are aligned with the business security requirements.

show abstract

Section: Related Workmentioning

confidence: 99%

Reasoning on the usage control security policies over data artifact business process models

et al. 2022

View full text Add to dashboard Cite

show abstract

“…However, giving permissions can be extremely dangerous, especially from a privacy perspective, as an attacker may access private data and may run an information leakage attack. The problem of correctly configuring systems so to protect the user privacy is a very challenging task in general and has been widely studied also in other contexts, e.g., to correctly configure TLS/SSL connections in mobile applications [118], or to configure products and systems in the software industry [119]. In this section, we will illustrate the available apps that adopt balanced permissions that meet the privacy requirements.…”

Section: Save-privacy Applicationsmentioning

confidence: 99%

Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions

Wahsheh

Luccio

2020

Information

View full text Add to dashboard Cite

The widespread use of smartphones is boosting the market take-up of dedicated applications and among them, barcode scanning applications. Several barcodes scanners are available but show security and privacy weaknesses. In this paper, we provide a comprehensive security and privacy analysis of 100 barcode scanner applications. According to our analysis, there are some apps that provide security services including checking URLs and adopting cryptographic solutions, and other apps that guarantee user privacy by supporting least privilege permission lists. However, there are also apps that deceive the users by providing security and privacy protections that are weaker than what is claimed. We analyzed 100 barcode scanner applications and we categorized them based on the real security features they provide, or on their popularity. From the analysis, we extracted a set of recommendations that developers should follow in order to build usable, secure and privacy-friendly barcode scanning applications. Based on them, we also implemented BarSec Droid, a proof of concept Android application for barcode scanning. We then conducted a user experience test on our app and we compared it with DroidLa, the most popular/secure QR code reader app. The results show that our app has nice features, such as ease of use, provides security trust, is effective and efficient.

show abstract

“…Most of the approaches in the literature make a transformation from the FMs to a formalisation, for instance, Constraint Satisfaction Problems (CSPs) or Constraint Optimisation Problems (COPs) [14]. In this work, the tools used to automated the analysis are FaMa and CyberSPL [9,39], both based on the Constraint Programming paradigm.…”

Section: Definition 2 Feature Model Let F M Be a Feature Model Which ...mentioning

confidence: 99%

Definition and Verification of Security Configurations of Cyber-Physical Systems

et al. 2020

Self Cite

View full text Add to dashboard Cite

The proliferation of Cyber-Physical Systems (CPSs) is raising serious security challenges. These are complex systems, integrating physical elements into automated networked systems, often containing a variety of devices, such as sensors and actuators, and requiring complex management and data storage. This makes the construction of secure CPSs a challenge, requiring not only an adequate specification of security requirements and needs related to the business domain but also an adaptation and concretion of these requirements to define a security configuration of the CPS where all its components are related. Derived from the complexity of the CPS, their configurations can be incorrect according to the requirements, and must be verified. In this paper, we propose a grammar for specifying business domain security requirements based on the CPS components. This will allow the definition of security requirements that, through a defined security feature model, will result in a configuration of services and security properties of the CPS, whose correctness can be verified. For this last stage, we have created a catalogue of feature models supported by a tool that allows the automatic verification of security configurations. To illustrate the results, the proposal has been applied to automated verification of requirements in a hydroponic system scenario.

show abstract

CyberSPL: A Framework for the Verification of Cybersecurity Policy Compliance of System Configurations Using Software Product Lines

Cited by 18 publications

References 47 publications

Reasoning on the usage control security policies over data artifact business process models

Reasoning on the usage control security policies over data artifact business process models

Security and Privacy of QR Code Applications: A Comprehensive Study, General Guidelines and Solutions

Definition and Verification of Security Configurations of Cyber-Physical Systems

Contact Info

Product

Resources

About