Similar literature
20 similar records found.
1.
This design is based on a file-format vulnerability analysis method for the Windows platform and uses fuzzing to carry out automated security testing of software. It proposes two methods for generating malformed files, one based on mutating file contents and one based on generating files from the file structure, and uses the disassembly engine libdasm to monitor the target program for exceptions. A fairly complete file-format fuzzing test system is implemented in C# and C; it can fuzz a target program and present the test results through a UI to testers and researchers.

2.
Security measures have been well established within the waterfall development life cycle model. However, more software projects are using the spiral development life cycle model, and software developers and project managers can easily forget to adapt security measures to it. The spiral model uses iterative steps that can create changes in each phase of the software development process. This challenges security to ensure the application has few flaws or vulnerabilities that could be exploited. Failure to impose the right security measures at each of these phases can open up vulnerabilities for hackers to exploit and prove costly in patching. This paper explores areas where security can be engaged within each iteration step of the spiral development model, so that security can continue to protect the software product as it becomes ready for deployment. The paper will help organizations realize where to deploy security measures to reduce vulnerabilities in the software application.

3.
The proliferation of information and communication technologies (ICTs) into all aspects of life poses unique ethical challenges as our modern societies become increasingly dependent on the flawless operation of these technologies. As we increasingly entrust our privacy, our well-being and our lives to an ever greater number of computers, we need to look more closely at the risks and ethical implications of these developments. By emphasising the vulnerability of software and the practice of professional software developers, we want to make clear the ethical aspects of producing potentially flawed software. This paper outlines some of the vulnerabilities associated with software systems and identifies a number of social and organisational factors affecting software developers and contributing to these vulnerabilities. Scott A. Snook's theory of practical drift is used as the basis for our analysis. We show that this theory, originally developed to explain the failure of a military organisation, can be used to understand how professional software developers "drift away" from procedures and processes designed to ensure quality and prevent software vulnerability. Based on interviews with software developers in two Norwegian companies, we identify two areas where social factors compel software developers to drift away from a global set of rules constituting software development processes and methods. Issues of pleasure and control and differences in mental models contribute to an uncoupling from established practices designed to guarantee the reliability of software and thus diminish its vulnerability.

4.
Emerging cloud applications are growing rapidly, and the need to identify and manage service requirements is highly important and critical at present. Software engineering and information systems have established techniques, methods and technology over two decades to help achieve cloud service requirements, design, development, and testing. However, due to a lack of understanding of software security vulnerabilities that should have been identified and managed during the requirements engineering phase, we have not been very successful in applying the software engineering, information management, and requirements management principles established over at least the past 25 years when developing secure software systems. Software security therefore cannot simply be added after a system has been built and delivered to customers, as is seen in today's software applications. This paper provides concise methods, techniques, and best-practice requirements engineering and management as an emerging cloud service (SSREMaaES) and also provides guidelines on software security as a service. It also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators, and illustrates our approach on a large cloud system, the Amazon EC2 service.

5.
Research on security issues of the IPv6 protocol   Total citations: 9 (self-citations: 0, citations by others: 9)
This paper comprehensively analyzes the intrinsic security features of the IPv6 protocol itself and the additional, external security features. On that basis it analyzes the security problems IPv6 may encounter, including security threats to internal data structures, security threats facing mobility, and the challenges IPv6 poses to existing security architectures. For each security problem, the source and characteristics of the problem are described in detail and technical solutions are proposed.

6.
This paper presents a systematic approach to developing a resilient software system that can be delivered as emerging services and analytics for resiliency. While using resiliency as a good example for enterprise cloud security, all resilient characteristics should be blended together to produce greater impact. A framework, the cloud computing adoption framework (CCAF), is presented in detail. CCAF has four major types of emerging services, and each is explained in detail with regard to its individual function and how each can be integrated. CCAF is an architectural framework that blends software resilience, service components and guidelines together and provides real case studies to produce greater impact for organizations adopting cloud computing and security. CCAF provides business alignment as well as agility, efficiency and integration for business competitive edge. In order to validate user requirements and system designs, a large-scale survey was conducted, with detailed analysis provided for each major question. We present our discussion and conclude that the use of the CCAF framework can illustrate software resilience and security improvement for enterprise security. The CCAF framework itself is validated as an emerging service for enterprise cloud computing, with analytics showing the survey analysis.

7.
CAE technology plays a pivotal role in manufacturing and the national economy and is a strategic technology for improving enterprise competitiveness and safeguarding national security. CAE software systems can improve the independent innovation capability of the equipment manufacturing industry, and high-end CAE software has long been subject to foreign export embargoes. Computer simulation will bring revolutionary change to engineering and scientific research in the 21st century. To safeguard China's independent innovation capability, integrated innovation competitiveness, and national security, this paper explores the feasibility of establishing an independent CAE industry and offers policy recommendations.

8.
With the arrival of the network era, computer networks have brought endless resources, but they also face increasingly serious network security threats, and the security and confidentiality of online information is a matter of vital importance. Network security measures should address all kinds of threats and vulnerabilities from all angles; only then can the confidentiality, integrity and availability of network information be ensured. This article focuses on the threats facing information on local area networks and on some strategies for security control and virus prevention.

9.
A new information security management model   Total citations: 3 (self-citations: 0, citations by others: 3)
Based on an analysis of existing information security management models, a new information security management model is proposed according to the information security requirements of organizations. Compared with existing models, it has the following advantages: by mapping the results of risk analysis and assessment into a flow of security requirements, security protection measures can be selected more rationally; through the exchange of information between the modules of the model, management departments at different levels can be organically combined; and by building an Agent-based intrusion detection system, weak points and security vulnerabilities in the information system can be discovered promptly.

10.
Managed security monitoring systems   Total citations: 1 (self-citations: 0, citations by others: 1)
This paper analyzes the advantages and shortcomings of current managed security monitoring (MSM) systems and proposes applying machine learning to MSM systems in order to improve analysis efficiency and overcome the existing social-engineering security problems. An MSM system is a large-scale, integrated security service system combined with human analysis that arose to overcome the deficiencies of any single security technology. Through real-time monitoring of security events in customer networks, and relying on system security analysts and a security knowledge base, it provides accurate judgement of, and immediate response to, network intrusions.

11.
In view of the current urgent state of network security, this paper points out the deficiencies of traditional firewalls, applies multilevel security policies to network access control, proposes an Internet firewall built on multilevel security ideas, and carries out its design and implementation.

12.
Fair exchange protocols differ from traditional security protocols, so the design principles for fair exchange protocols also differ from those for traditional security protocols, and some elements must be reconsidered according to the characteristics of fair exchange protocols. Based on these characteristics, this paper gives four additional design principles specific to fair exchange protocols and uses attacks as examples to illustrate their importance. Combined with the design principles of traditional security protocols, these principles allow the various errors and vulnerabilities that may arise in a fair exchange protocol to be considered from the very start of the design, thereby greatly improving the quality of protocol design.

13.
Information systems are applied ever more widely, and software, regarded as the soul of information systems, plays an increasingly important role in finance, the military, transportation, infrastructure and other fields; software security has become an important factor bearing on the stable development of the national economy, social stability and national security. This paper analyzes the current state of software security research in China and abroad, examines the main scientific problems of software security analysis and China's current key needs, and proposes that, in building the security assurance capability of information systems, the orientation should be strengthening software security analysis capability, the goal should be raising the level of software security analysis, and dynamic software analysis should be the key technical means; fundamental research on software security analysis methods should be strengthened, and a professional workforce for information system security analysis and assurance should be built, to provide technical support for safeguarding China's information system security and cyberspace sovereignty.

14.
In this article we establish three claims: (1) when the target software is proprietary, in the absence of other overriding ethical considerations, the identification of a vulnerability and the development, sale, and purchase of non-zero-day exploits are ethically justified; (2) when the target software is Free/Libre/Open Source, the buying and selling of vulnerabilities can be ethically justified only in a very narrow situation, while the sale and purchase of non-zero-day exploits is ethically justified absent any other overriding information; and (3) democratic governments should promote legislation that either incentivizes corporate in-house vulnerability identification and mitigation programs or requires firms to more fully absorb the societal costs of insecure software.

15.
For campus websites, the key to information security is understanding where the website's risks lie. Using risk assessment to identify possible risks and threats, and applying targeted protection to the problems it exposes, is the only way to ensure that a campus website serves teachers and students stably and efficiently. By explaining the significance, methods and security solutions of campus website risk assessment, this article aims to raise the risk-prevention awareness of campus website administrators and improve the overall level of network security.

16.
Source code auditing means finding and correcting security vulnerabilities in software source code during the coding phase, and lexical analysis is an important technique in source code auditing. This paper analyzes the implementation process of lexical analysis in detail, improves the dangerous-function database, optimizes the feature analysis method, in particular successfully applies Bayesian theory to lexical analysis, and develops a lexical analysis tool, SSCAN. Test results show that SSCAN has higher completeness and accuracy than the mainstream lexical analysis tools Flawfinder and RATS.

17.
Security flaws in the SSL protocol and their improvements   Total citations: 11 (self-citations: 0, citations by others: 11)
This paper discusses the security flaws of, and attack methods against, the SSL (and TLS) protocols used to protect communication data on the Internet, and analyzes the improvements made over the course of the protocols' development.

18.
On the basis of clarifying the meaning of big data security, this paper analyzes the elements of enterprise big data security, applies the SHEL model with reference to the standard Information Security Technology: Big Data Security Management Guide (GB/T 37973-2019), and establishes an evaluation framework covering the basic security, management security and application security of big data. The resulting "three-in-one" enterprise big data security evaluation index system comprises 3 main dimensions, 8 basic aspects and 24 observed indicators, with indicator weights determined by the Delphi method. It provides a technical approach to evaluating enterprise big data security and a reference for related research in the field of big data security.

19.
This paper presents an approach enabling economic modelling of information security risk management in contemporary businesses and other organizations. In a world of permanent cyber attacks on ICT systems, risk management is becoming a crucial task for minimizing the potential risks that can endanger their operation. Preventing the heavy losses that may occur due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and the purchase of data protection systems. As the potential risks rise, investment in security services and data protection is growing and is becoming a serious economic issue for many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. It introduces methods for identifying the assets, the threats and the vulnerabilities of ICT systems and proposes a procedure that enables selection of the optimal investment in the necessary security technology based on quantification of the values of the protected systems. The possibility of using the approach for external insurance based on the quantified risk analysis is also presented.

20.
Security policies for digital library systems   Total citations: 1 (self-citations: 0, citations by others: 1)
Wu Yanping (吴艳苹), 《科技创业月刊》, 2007, 20(4): 189-190, 193
Addressing the factors that affect the security of digital library systems, this paper proposes a series of policies for the security of digital library system applications, seeking to provide stronger security guarantees for their use. Security policies for digital library systems are given from six aspects: network security, information security, software security, management security, secure backup, and the security of users' personal data.
