Threat modeling a factory environment using Microsoft Security Development Lifecycle methodology

The number of security violations is increasing and a security breach could have irreversible impacts to business. There are several ways to improve organization security, but some of them may be difficult to comprehend. This thesis demystifies threat modeling as part of secure system development. Threat modeling enables developers to reveal previously undetected security issues from computer systems. It offers a structured approach for organizations to find and address threats against vulnerabilities. When implemented correctly threat modeling will reduce the amount of defects and malicious attempts against the target environment. In this thesis Microsoft Security Development Lifecycle (SDL) is introduced as an effective methodology for reducing defects in the target system. SDL is traditionally meant to be used in software development, principles can be however partially adapted to IT-infrastructure development. Microsoft threat modeling methodology is an important part of SDL and it is utilized in this thesis to find threats from the Acme Corporation’s factory environment. Acme Corporation is used as a pseudonym for a company providing high-technology consumer electronics. Target for threat modeling is the IT-infrastructure of factory’s manufacturing execution system. Microsoft threat modeling methodology utilizes STRIDE –mnemonic and data flow diagrams to find threats. Threat modeling in this thesis returned results that were important for the organization. Acme Corporation now has more comprehensive understanding concerning IT-infrastructure of the manufacturing execution system. On top of vulnerability related results threat modeling provided coherent views of the target system. Subject matter experts from different areas can now agree upon functions and dependencies of the target system. Threat modeling was recognized as a useful activity for improving security.

Improving productivity by developing knowledge management practices for a consulting company

The objective of the research was to identify knowledge conversion states in consultancy sales and delivery processes for the company’s one business unit, to know where to store certain types of information and knowledge, and to create best practices for the company’s knowledge management activities in the selected business processes. The used research methodology was action research. The current business processes were analyzed by interviewing people involved in them. The results were documented and catego- rized, and based on them the target states of the processes were developed. Knowledge man- agement activities were integrated to the business processes. The main findings of the research were that roles and responsibilities in the processes were not clear to people, information systems did not fully support individuals and time was wasted searching for information and knowledge. There were also many variations of how the processes actually realized, which affected the overall quality of the process. The conclusions of the research were that knowledge management activities should be high- lighted in businesses where knowledge workers are the main assets of the company. Knowledge management practices can be supported by company culture, leadership and in- formation systems. However, one main factor is each individual’s willingness to share knowledge. By integrating knowledge management activities to business processes and hav- ing information systems supporting knowledge management, individual productivity can be improved.

Practices of Inclusion and Exclusion in Premodern Culture

In Practices of Inclusion and Exclusion in Premodern Culture a group of Finnish cultural historians discuss the meanings of cultural belonging, experiences and practices of construing boundaries between cultures and their others. What were the motives behind these constructions of differences in Premodern cultures? Why and through what kind of practices were differences created in specific cultural contexts? This book deals with Premodern people having multiple ways of construing their relationship to others, simultaneously being active agents in their own lives. Practices of Inclusion and Exclusion in Premodern Culture is suitable for course book for Master's Degree studies of history.

Finland's security in a changing Europe : a historical perspective

Finnish Defence Studies is published under the auspices of the National Defence College, and the contributions reflect the fields of research and teaching of the College. Finnish Defence Studies will occasionally feature documentation on Finnish Security Policy. Views expressed are those of the authors and do not necessarily imply endorsement by the National Defence College.

Measuring software security from the design of software

The vast majority of our contemporary society owns a mobile phone, which has resulted in a dramatic rise in the amount of networked computers in recent years. Security issues in the computers have followed the same trend and nearly everyone is now affected by such issues. How could the situation be improved? For software engineers, an obvious answer is to build computer software with security in mind. A problem with building software with security is how to define secure software or how to measure security. This thesis divides the problem into three research questions. First, how can we measure the security of software? Second, what types of tools are available for measuring security? And finally, what do these tools reveal about the security of software? Measuring tools of these kind are commonly called metrics. This thesis is focused on the perspective of software engineers in the software design phase. Focus on the design phase means that code level semantics or programming language specifics are not discussed in this work. Organizational policy, management issues or software development process are also out of the scope. The first two research problems were studied using a literature review while the third was studied using a case study research. The target of the case study was a Java based email server called Apache James, which had details from its changelog and security issues available and the source code was accessible. The research revealed that there is a consensus in the terminology on software security. Security verification activities are commonly divided into evaluation and assurance. The focus of this work was in assurance, which means to verify one’s own work. There are 34 metrics available for security measurements, of which five are evaluation metrics and 29 are assurance metrics. We found, however, that the general quality of these metrics was not good. Only three metrics in the design category passed the inspection criteria and could be used in the case study. The metrics claim to give quantitative information on the security of the software, but in practice they were limited to evaluating different versions of the same software. Apart from being relative, the metrics were unable to detect security issues or point out problems in the design. Furthermore, interpreting the metrics’ results was difficult. In conclusion, the general state of the software security metrics leaves a lot to be desired. The metrics studied had both theoretical and practical issues, and are not suitable for daily engineering workflows. The metrics studied provided a basis for further research, since they pointed out areas where the security metrics were necessary to improve whether verification of security from the design was desired.