Security Threat Identification and Testing

Carbone, Roberto; Compagna, Luca; Panichella, Annibale; Ponta, Serena Elisa

doi:10.1109/icst.2015.7102630

Cited by 7 publications

(5 citation statements)

References 11 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, we plan to cover participants who forget to include relevant security headers and are supported by appropriately configured monitors in this delicate task. Finally, we would like to further engineer Bulwark to make it easier to use for people who have no experience with ProVerif, e.g., by including support for a graphical notation which is compiled into ProVerif processes, similarly to the approach in [10].…”

Section: Discussionmentioning

confidence: 99%

Bulwark: Holistic and Verified Security Monitoring of Web Protocols

Veronese,

Calzavara,

Compagna

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Modern web applications often rely on third-party services to provide their functionality to users. The secure integration of these services is a non-trivial task, as shown by the large number of attacks against Single Sign On and Cashier-as-a-Service protocols. In this paper we present Bulwark, a new automatic tool which generates formally verified security monitors from applied pi-calculus specifications of web protocols. The security monitors generated by Bulwark offer holistic protection, since they can be readily deployed both at the client side and at the server side, thus ensuring full visibility of the attack surface against web protocols. We evaluate the effectiveness of Bulwark by testing it against a pool of vulnerable web applications that use the OAuth 2.0 protocol or integrate the PayPal payment system.

show abstract

Section: Discussionmentioning

confidence: 99%

Bulwark: Holistic and Verified Security Monitoring of Web Protocols

Veronese,

Calzavara,

Compagna

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Therefore, it is essential that organizations identify as early as possible the risks that arise from improper access right management and find solutions to avoid them from occurring [64]. The article [65] described that collaboration across domains, devices, and service composition is becoming increasingly common in business applications. In addition to its isolated systems, security should focus on the general application scheme, comprising interaction between its units, devices, and services.…”

Section: Threat Identificationmentioning

confidence: 99%

“…In addition to its isolated systems, security should focus on the general application scheme, comprising interaction between its units, devices, and services. Security Threat Identification and testing is a toolkit that [65] introduce to assist development teams with security testing of their underdevelopment applications with the aim of identifying delicate security logical errors that may go hidden by using existing industrial technology [65].…”

Section: Threat Identificationmentioning

confidence: 99%

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Hillier¹,

Karroubi²

2022

Preprint

View full text Add to dashboard Cite

The threat hunting lifecycle is a complex atmosphere that requires special attention from professionals to maintain security. This paper is a collection of recent work that gives a holistic view of the threat hunting ecosystem, identifies challenges, and discusses the future with the integration of artificial intelligence (AI). We specifically establish a life cycle and ecosystem for privacy-threat hunting in addition to identifying the related challenges. We also discovered how critical the use of AI is in threat hunting. This work paves the way for future work in this area as it provides the foundational knowledge to make meaningful advancements for threat hunting.

show abstract

“…The analysis of satisfaction also requires the identification of user tasks as the user feedback may be referring to a particular task [4]. Security analysis highly relies on the identification and description of potential threats [9]. The analysis of possible threats on user tasks requires precise and exhaustive description of user tasks [7].…”

Section: Generic Requirements For Engineering Authentication Mechanis...mentioning

confidence: 99%

Models-Based Analysis of Both User and Attacker Tasks: Application to EEVEHAC

Nikula

Martinie

Palanque

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The design and development of security mechanisms, such as authentication, requires analysis techniques that take into account usability along with security. Although techniques that are grounded in the security domain target the identification and mitigation of possible threats, user centered design approaches have been proposed in order to also take into account the user's perspective and needs. Approaches dealing with both usability and security focus on the extent to which the user can perform the authentication tasks, as well as on the possible types of attacks that may occur and the potential threats on user tasks. However, to some extent, attacker can be considered as user of the system (even if undesirable), and the analysis of attacker tasks provides useful information for the design and development of an authentication mechanism. We propose a models-based approach to analyse both user and attacker tasks. The modeling of attacker tasks enables to go deeper when analysing the threats on an authentication mechanism and the trade-offs between usability and security. We present the results of the application of this models-based approach to the EEVEHAC security mechanism, which enables the setup of a secure communication channel for users of shared public computers.

show abstract

Security Threat Identification and Testing

Cited by 7 publications

References 11 publications

Bulwark: Holistic and Verified Security Monitoring of Web Protocols

Bulwark: Holistic and Verified Security Monitoring of Web Protocols

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Models-Based Analysis of Both User and Attacker Tasks: Application to EEVEHAC

Contact Info

Product

Resources

About