Measuring software security from the design of software

The vast majority of our contemporary society owns a mobile phone, which has resulted in a dramatic rise in the amount of networked computers in recent years. Security issues in the computers have followed the same trend and nearly everyone is now affected by such issues. How could the situation be improved? For software engineers, an obvious answer is to build computer software with security in mind. A problem with building software with security is how to define secure software or how to measure security. This thesis divides the problem into three research questions. First, how can we measure the security of software? Second, what types of tools are available for measuring security? And finally, what do these tools reveal about the security of software? Measuring tools of these kind are commonly called metrics. This thesis is focused on the perspective of software engineers in the software design phase. Focus on the design phase means that code level semantics or programming language specifics are not discussed in this work. Organizational policy, management issues or software development process are also out of the scope. The first two research problems were studied using a literature review while the third was studied using a case study research. The target of the case study was a Java based email server called Apache James, which had details from its changelog and security issues available and the source code was accessible. The research revealed that there is a consensus in the terminology on software security. Security verification activities are commonly divided into evaluation and assurance. The focus of this work was in assurance, which means to verify one’s own work. There are 34 metrics available for security measurements, of which five are evaluation metrics and 29 are assurance metrics. We found, however, that the general quality of these metrics was not good. Only three metrics in the design category passed the inspection criteria and could be used in the case study. The metrics claim to give quantitative information on the security of the software, but in practice they were limited to evaluating different versions of the same software. Apart from being relative, the metrics were unable to detect security issues or point out problems in the design. Furthermore, interpreting the metrics’ results was difficult. In conclusion, the general state of the software security metrics leaves a lot to be desired. The metrics studied had both theoretical and practical issues, and are not suitable for daily engineering workflows. The metrics studied provided a basis for further research, since they pointed out areas where the security metrics were necessary to improve whether verification of security from the design was desired.

Increased profitability and efficiency by improving the Meetings & Events Category S2P-process – Case Company

The purpose of this research was to examine the most optimal way to arrange meetings and events management and source to pay –process in a global company. The research is a qualitative multi-method case study and is a commission from a global company. The theoretical framework of this research structures around two approaches. First approach focus on a purchasing strategy and management that shows the current role of procure-ment and introduce different ways to organize purchasing functions. Second approach focus on purchasing process management and improvement methods. Annual spend analyze, external and internal interviews and internal survey were done to gain compre-hensive knowledge about the current state of operations and possible solutions. Gathered data were then combined to theoretical framework in order to create optimal solution for the case company. Based on the research a source to pay –process and global policy for meeting and event category was created. The solution includes all relevant matters that are needed in order to secure efficient and profitable operations. The results show that optimal way to arrange meetings and events structures around standardized source to pay –processes, central-ized procurement, preferred supplier and clearly defined roles and responsibilities be-tween different stakeholders.

Feasibility of replacing multiple ADSL connections with Multi-Dwelling Access

This final project was made for the Broadband/Implementation department of TeliaSonera Finland. The question to be examined is if the operator should replace multiple ADSL connections implemented over a leased line with Multi-Dwelling access based on an Ethernet/Optical Fibre access network. The project starts with describing the technology related to these access network solu-tions and presents the technology that is used in TeliaSonera Finland's access network. It continues from the technology to describe the problem with some of the ADSL implemen-tations of TeliaSonera. The problem is the implementations done over a leased line that can cost TeliaSonera over years as much as a possible investment to extend network when there is several lines leased to the same building. The project proposes a Multi-Dwelling access as a solution to this problem and defines the circumstances when to use it. After a satisfactory solution has found the project takes a view how implementation of the solution might alter the network and a new problem is found. When used commonly to replace need of ADSL implementation Multi-Dwelling access would significantly increase optical cable congestion near operators POP. As a final deed this project also proposes a technical change to existing way to implement multi-dwelling access with EPON technology.

ETYK III-vaihe (Tasavallan Presidentin esittämä Suomen puheenvuoro 31.7.1975 = Conference on Security and Co-operation in Europe = main speech of Finland delivered by President Urho Kekkonen July 31, 1975)

Puhe