41 results for Software Security
in Doria (National Library of Finland DSpace Services) - National Library of Finland, Finland
Abstract:
Electronic commerce and banking services have raised a question that is highly critical for business continuity: how these services can be protected against organized crime and various forms of exploitation.
Abstract:
The increase in computational power and the emergence of new computer technologies led to the popularity of local communications between personal trusted devices. In turn, this led to the emergence of security problems related to the user data utilized in such communications. One of the main aspects of data security assurance is the security of the software operating on mobile devices. The aim of this work was to analyze security threats to PeerHood, software intended for performing personal communications between mobile devices regardless of the underlying network technologies. To reach this goal, risk-based software security testing was performed. The results of the testing showed that the project has several security vulnerabilities, so PeerHood cannot be considered secure software. The analysis made in the work is the first step towards the further implementation of PeerHood security mechanisms, as well as towards taking security into account in the development process of this project.
Abstract:
The vast majority of our contemporary society owns a mobile phone, which has resulted in a dramatic rise in the number of networked computers in recent years. Security issues in the computers have followed the same trend and nearly everyone is now affected by such issues. How could the situation be improved? For software engineers, an obvious answer is to build computer software with security in mind. A problem with building software with security is how to define secure software or how to measure security. This thesis divides the problem into three research questions. First, how can we measure the security of software? Second, what types of tools are available for measuring security? And finally, what do these tools reveal about the security of software? Measuring tools of this kind are commonly called metrics. This thesis is focused on the perspective of software engineers in the software design phase. Focus on the design phase means that code level semantics or programming language specifics are not discussed in this work. Organizational policy, management issues or software development process are also out of the scope. The first two research problems were studied using a literature review while the third was studied using a case study research. The target of the case study was a Java based email server called Apache James, which had details from its changelog and security issues available and the source code was accessible. The research revealed that there is a consensus in the terminology on software security. Security verification activities are commonly divided into evaluation and assurance. The focus of this work was on assurance, which means to verify one’s own work. There are 34 metrics available for security measurements, of which five are evaluation metrics and 29 are assurance metrics. We found, however, that the general quality of these metrics was not good.
Only three metrics in the design category passed the inspection criteria and could be used in the case study. The metrics claim to give quantitative information on the security of the software, but in practice they were limited to evaluating different versions of the same software. Apart from being relative, the metrics were unable to detect security issues or point out problems in the design. Furthermore, interpreting the metrics’ results was difficult. In conclusion, the general state of the software security metrics leaves a lot to be desired. The metrics studied had both theoretical and practical issues, and are not suitable for daily engineering workflows. The metrics studied provided a basis for further research, since they pointed out areas where the security metrics needed improvement if verification of security from the design was desired.
Abstract:
Information security is one of the most important security matters for a company. Information security can be divided into eight areas: administrative security, personnel security, data security, operations security, physical security, hardware security, software security and telecommunications security. A company should take every area into account so that its information security is as good as possible. If any area is neglected, this is immediately reflected in the company's overall security. This work examines what a company should take into account for its information security to be in order. The purpose of the work is to survey what kind of information security expertise working life needs in the North Karelia region. The work focuses on companies' information security matters from the perspective of management and organization. The research part presents a survey of the state of information security in North Karelian companies. The study was carried out as a quantitative questionnaire survey. 32 companies from the North Karelia region responded to the study. The study shows that companies have paid most attention to software security and hardware security, whereas administrative security and personnel security in particular need improvement. A company's information security is only as good as its weakest link. For this reason it can be said that the state of companies' information security in North Karelia is not very good.
Abstract:
This Master's thesis studies ways to brand and vary S60 software dynamically and at run time. S60 is a development platform used by several phone manufacturers, whose phones are in turn used by numerous operators. Operators want their phones, or some of the phone's applications, to stand out from competitors through their own brand, so there must be means for branding either the whole phone or selected applications. Some applications may need to change the brand in use according to the resources they use, such as a network server. It must also be possible to share variation data between different applications or parts of applications. The thesis presents the Symbian operating system and the S60 development environment, and discusses the challenges that Symbian's security practices pose for sharing variation data between applications. Existing variation methods are studied as a possible basis for the work. The thesis includes a presentation of a project in which a dynamic branding implementation was developed for an S60 application, which also makes it possible to share variation data with other applications.
Abstract:
This thesis presents a study of information protection methods in local and group networks. The study includes an analysis of modern cryptographic systems, Internet/Intranet programming tools and methods for distributing access rights. Based on the study, a prototype of software for protecting HTML files was developed. The software development process included the design of the requirements, the system and the protection components, and testing of the prototype. After the software was implemented, a user manual was written. The software prototype protects information throughout the use of an HTML file and can be used in different companies after minor extensions.
Abstract:
Today cloud computing is the next stage in the development of the information-oriented society in the field of information technologies. Great attention is paid to cloud computing in general, but the lack of scientific consideration of its components leads to the problem that not all aspects are well examined. This thesis is an attempt to consider Platform as a Service (a technology of providing a development environment through the Internet) from divergent angles. Technical characteristics, costs, time, estimation of effectiveness, risks, strategies that can be applied, the migration process, advantages and disadvantages and the future of the approach are examined to get the overall picture of cloud platforms. During the work a literature study was used to examine Platform as a Service, characteristics of existing cloud platforms were explored and a model of a typical software development company was developed to create a scenario of migration to cloud technologies. The research showed that besides all virtues in reducing costs and time, cloud platforms have some significant obstacles to adoption. Privacy, security and insufficient legislation prevent the concept from becoming widespread.
Abstract:
Object-oriented programming is a widely adopted paradigm for desktop software development. This paradigm partitions software into separate entities, objects, which consist of data and related procedures used to modify and inspect it. The paradigm has evolved during the last few decades to emphasize decoupling between object implementations, via means such as explicit interface inheritance and event-based implicit invocation. Inter-process communication (IPC) technologies allow applications to interact with each other. This enables making software distributed across multiple processes, resulting in a modular architecture with benefits in resource sharing, robustness, code reuse and security. The support for object-oriented programming concepts varies between IPC systems. This thesis is focused on the D-Bus system, which has recently gained a lot of users, but is still scantily researched. D-Bus has support for asynchronous remote procedure calls with return values and a content-based publish/subscribe event delivery mechanism. In this thesis, several patterns for method invocation in D-Bus and similar systems are compared. The patterns that simulate synchronous local calls are shown to be dangerous. Later, we present a state-caching proxy construct, which avoids the complexity of properly asynchronous calls for object inspection. The proxy and certain supplementary constructs are presented conceptually as generic object-oriented design patterns. The effect of these patterns on non-functional qualities of software, such as complexity, performance and power consumption, is reasoned about based on the properties of the D-Bus system. The use of the patterns reduces complexity, but maintains the other qualities at a good level. Finally, we present currently existing means of specifying D-Bus object interfaces for the purposes of code and documentation generation.
The interface description language used by the Telepathy modular IM/VoIP framework is found to be a useful extension of the basic D-Bus introspection format.
Abstract:
Presentation at Open Repositories 2014, Helsinki, Finland, June 9-13, 2014
Abstract:
The purpose of this study was to find out how a software company can successfully expand business to the Danish software market through a distribution channel. The study was commissioned by a Finnish software company and it was conducted using a qualitative research method by analyzing the external and internal business environment, and interviewing Danish ICT organizations and M-Files personnel. The interviews were semi-structured and were designed to collect comprehensive information on the existing ICT and software market in Denmark. The research used three external and internal analysis frameworks: PEST analysis (market level), Porter's Five Forces analysis (industry level competition) and SWOT analysis (company level). Distribution channel theory was the basis for understanding why and what kind of distribution channels the case company uses, and what kind of channels companies in the target market use. Channel strategy and design were integrated into the industry level analysis. The empirical findings revealed that Denmark has a very business-friendly ICT environment. Several organizations have ranked Denmark's information and communication technology as the best in the world. Denmark’s ICT and software market is relatively small compared to many other countries in Europe. The Danish software market is centralized. The largest software clusters are in the largest cities: Copenhagen, Aarhus, Odense and Aalborg. From these clusters, software companies can most likely find suitable resellers. The following growing trends are clearly seen in the software market: mobile and wireless applications, outsourcing, security solutions, cloud computing, social business solutions and e-business solutions. When expanding software business to the Danish market, it is important to take these trends into account. In Denmark distribution channels vary depending on the product or service. For many, a natural distribution channel is a local partner or the internet.
In the public sector solutions are purchased through a public procurement process. In the private sector the buying process is more straightforward. Danish companies buy software from reliable suppliers. This means that they usually buy software directly from big software vendors or local partners. Some customers prefer to use professional consulting companies. These consulting companies can strongly influence the selection of the supplier and products, and in this light, consulting companies can be important partners for software companies. Even though the competition is fierce in ECM and DMS solutions, the Danish market offers opportunities for foreign companies. Penetrating the Danish market through a reseller channel requires advanced solutions and objective selection criteria for channel partners. Based on the findings, Danish companies are interested in advanced and efficient software solutions. Interest in M-Files solutions was clearly seen and the company has an excellent opportunity to expand business to the Danish market through a reseller channel. Since the research explored the Danish ICT and software market, the results of the study may also offer valuable information to other software companies which are expanding their business to the Danish market.
Abstract:
Software is a key component in many of our devices and products that we use every day. Most customers demand not only that their devices should function as expected but also that the software should be of high quality, reliable, fault tolerant, efficient, etc. In short, it is not enough that a calculator gives the correct result of a calculation, we want the result instantly, in the right form, with minimal use of battery, etc. One of the key aspects for succeeding in today's industry is delivering high quality. In most software development projects, high-quality software is achieved by rigorous testing and good quality assurance practices. However, today, customers are asking for these high quality software products at an ever-increasing pace. This leaves the companies with less time for development. Software testing is an expensive activity, because it requires much manual work. Testing, debugging, and verification are estimated to consume 50 to 75 per cent of the total development cost of complex software projects. Further, the most expensive software defects are those which have to be fixed after the product is released. One of the main challenges in software development is reducing the associated cost and time of software testing without sacrificing the quality of the developed software. It is often not enough to only demonstrate that a piece of software is functioning correctly. Usually, many other aspects of the software, such as performance, security, scalability, usability, etc., need also to be verified. Testing these aspects of the software is traditionally referred to as nonfunctional testing. One of the major challenges with non-functional testing is that it is usually carried out at the end of the software development process when most of the functionality is implemented. This is due to the fact that non-functional aspects, such as performance or security, apply to the software as a whole. In this thesis, we study the use of model-based testing. 
We present approaches to automatically generate tests from behavioral models for solving some of these challenges. We show that model-based testing is not only applicable to functional testing but also to non-functional testing. In its simplest form, performance testing is performed by executing multiple test sequences at once while observing the software in terms of responsiveness and stability, rather than the output. The main contribution of the thesis is a coherent model-based testing approach for testing functional and performance related issues in software systems. We show how we go from system models, expressed in the Unified Modeling Language, to test cases and back to models again. The system requirements are traced throughout the entire testing process. Requirements traceability facilitates finding faults in the design and implementation of the software. In the research field of model-based testing, many newly proposed approaches suffer from poor tool support or the lack of it. Therefore, the second contribution of this thesis is proper tool support for the proposed approach that is integrated with leading industry tools. We offer independent tools, tools that are integrated with other industry leading tools, and complete tool-chains when necessary. Many model-based testing approaches proposed by the research community suffer from poor empirical validation in an industrial context. In order to demonstrate the applicability of our proposed approach, we apply our research to several systems, including industrial ones.
Abstract:
The number of security violations is increasing and a security breach could have irreversible impacts on business. There are several ways to improve organization security, but some of them may be difficult to comprehend. This thesis demystifies threat modeling as part of secure system development. Threat modeling enables developers to reveal previously undetected security issues in computer systems. It offers a structured approach for organizations to find and address threats against vulnerabilities. When implemented correctly, threat modeling will reduce the number of defects and malicious attempts against the target environment. In this thesis Microsoft Security Development Lifecycle (SDL) is introduced as an effective methodology for reducing defects in the target system. SDL is traditionally meant to be used in software development; its principles can, however, be partially adapted to IT-infrastructure development. Microsoft threat modeling methodology is an important part of SDL and it is utilized in this thesis to find threats in the Acme Corporation’s factory environment. Acme Corporation is used as a pseudonym for a company providing high-technology consumer electronics. The target for threat modeling is the IT-infrastructure of the factory’s manufacturing execution system. Microsoft threat modeling methodology utilizes the STRIDE mnemonic and data flow diagrams to find threats. Threat modeling in this thesis returned results that were important for the organization. Acme Corporation now has a more comprehensive understanding of the IT-infrastructure of the manufacturing execution system. On top of vulnerability related results, threat modeling provided coherent views of the target system. Subject matter experts from different areas can now agree upon functions and dependencies of the target system. Threat modeling was recognized as a useful activity for improving security.
Abstract:
Sustainability in software systems is still a new practice that most software developers and companies are trying to incorporate into their software development lifecycle, and it has been largely discussed in academia. Sustainability is a complex concept viewed from economic, environmental and social dimensions, with several definitions proposed, which sometimes makes the concept of sustainability very fuzzy and difficult to apply and assess in software systems. This has hindered the adoption of sustainability in the software industry. Little research explores sustainability as a quality property of software products and services to answer questions such as: How to quantify sustainability as a quality construct in the same way as other quality attributes such as security, usability and reliability? How can it be applied to software systems? What are the measures and measurement scale of sustainability? The goal of this research is to investigate the definitions, perceptions and measurement of sustainability from the quality perspective. Grounded in the general theory of software measurement, the aim is to develop a method that decomposes sustainability into factors, criteria and metrics. The result is a method to quantify and assess the sustainability of software systems while incorporating management and user concerns. Conclusion: The method will empower companies to easily adopt sustainability while facilitating its integration into the software development process and tools. It will also help companies to measure the sustainability of their software products from economic, environmental, social, individual and technological dimensions.
Abstract:
This engineering thesis investigated possibilities to improve the features and information security of the Tapiola Group's General Meeting System (Yhtiökokousjärjestelmä) software. The system is used to register the shareholders attending the general meetings of the Tapiola Group's insurance companies and to count their votes. Based on the study, the system was specified and designed, resulting in functional and technical specification documentation that serves as the basis for implementing the new General Meeting System. The work was done for the Tapiola Group, commissioned by Tieto-Tapiola Oy. At the beginning of the work, different options for implementing the system's software and database architecture were studied, and specification and design proceeded on that basis. Based on the study, the Java SE architecture was chosen for implementing the application and an SQL Server database as the system's data store. The chosen solutions were selected for their good information security and single sign-on features. The functional specification document goes through the requirements set for the system and describes its functions, business class model, user interface and printouts. It also addresses the system's operating environment, external database interfaces, user authentication and information security, and goes through its operation from the users' point of view. The technical specification document was created on the basis of the functional specification document. It describes the system's environment and its software and database architecture at a general level. In addition, the system architecture is covered in more detail, and the modules and functions are described precisely enough that the whole system can be implemented on their basis. The work resulted in comprehensive functional and technical specification documentation covering all the elements needed to implement the system, at a level of detail that allows implementation to begin.