检索结果-内蒙古大学图书馆

IEEE Conference on Communications and Network Security (CNS)

作者： Kholoosi, M. Mehdi Babar, M. Ali Yilmaz, Cemal Univ Adelaide CREST Sch Comp Sci Adelaide SA Australia Cyber Secur Cooperat Res Ctr Adelaide SA Australia Sabanci Univ Fac Engn & Nat Sci TR-34956 Istanbul Turkiye

ISBN: (纸本)9798350339451

Timing attacks are considered one of the most damaging side-channel attacks. These attacks exploit timing fluctuations caused by certain operations to disclose confidential information to an attacker. For instance, in asymmetric encryption, operations such as multiplication and division can cause time-varying execution times that can be ill-treated to obtain an encryption key. Whilst several efforts have been devoted to exploring the various aspects of timing attacks, particularly in cryptography, little attention has been paid to empirically studying the timing attack-related vulnerabilities in non-cryptographic software. By inspecting these software vulnerabilities, this study aims to gain an evidence-based understanding of weaknesses in non-cryptographic software that may help timing attacks succeed. We used qualitative and quantitative research approaches to systematically study the timing attackrelated vulnerabilities reported in the National Vulnerability Database (NVD) from March 2003 to December 2022. Our analysis was focused on the modifications made to the code for patching the identified vulnerabilities. We found that a majority of the timing attack-related vulnerabilities were introduced due to not following known secure coding practices. The findings of this study are expected to help the software security community gain evidence-based information about the nature and causes of the vulnerabilities related to timing attacks.

关键词： secure coding software vulnerability timing attack constant time

来源：评论

学校读者我要写书评

暂无评论

VaultBox: Enhancing the Security and Effectiveness of Security Analytics 5th

VaultBox: Enhancing the Security and Effectiveness of Securi...

引用

5th International Conference on Science of Cyber Security (SciSec)

作者： Trivedi, Devharsh Triandopoulos, Nikos Stevens Inst Technol Hoboken NJ 07030 USA

ISBN: (纸本)9783031459320;9783031459337

Security tools like Firewalls, IDS, IPS, SIEM, EDR, and NDR effectively detect and block threats. However, these tools depend on the system, application, and event logs. Logs are the key ingredient for various purposes, including troubleshooting performance issues, satisfying compliance mandates, and monitoring and improving security. In addition, logs from multiple machines are collected and fed to the Security Information and Event Management (SIEM) system for further security analysis. Therefore, a SIEM system's efficiency and effectiveness depend heavily on the quality and quantity of logs provided. Unfortunately, logs are often targeted brutally and tampered with after a successful intrusion to cover the attack's traces. Thus it becomes critical to protect the confidentiality, integrity, availability, and authenticity of logs at rest or transit. This paper proposes a novel scheme to prevent logs from tampering, detect any tampering, and recuperate logs if lost or corrupt. Our scheme is forward-secure, replicated, randomized, and rate-less, aiming to help securely store and transmit logs to SIEM.

关键词： Security analytics Rateless encoding secure logging SIEM security LT codes secure coding

来源：评论

学校读者我要写书评

暂无评论

A Large-Scale Study on the Security Vulnerabilities of Cloud Deployments 1

引用

1st International Conference on Ubiquitous Security (UbiSec)

作者： Iosif, Andrei-Cristian Gasiba, Tiago Espinha Zhao, Tiange Lechner, Ulrike Pinto-Albuquerque, Maria Tech Univ Munich Munich Germany Siemens AG Munich Germany Univ Bundeswehr Munchen Neubiberg Germany Inst Univ Lisboa ISCTE IUL ISTAR Lisbon Portugal

ISBN: (数字)9789811904684

ISBN: (纸本)9789811904684;9789811904677

As cloud deployments are becoming ubiquitous, the rapid adoption of this new paradigm may potentially bring additional cyber security issues. It is crucial that practitioners and researchers pose questions about the current state of cloud deployment security. By better understanding existing vulnerabilities, progress towards a more secure cloud can be accelerated. This is of paramount importance especially with more and more critical infrastructures moving to the cloud, where the consequences of a security incident can be significantly broader. This study presents a data-centric approach to security research - by using three static code analysis tools and scraping the internet for publicly available codebases, a footprint of the current state of open-source infrastructure-as-code repositories can be achieved. Out of the scraped 44485 repository links, the study is concentrated on 8256 repositories from the same cloud provider, across which 292538 security violations have been collected. Our contributions consist of: understanding on existing security vulnerabilities of cloud deployments, contributing a list of Top Guidelines for practitioners to follow to securely deploy systems in the cloud, and providing the raw data for further studies.

关键词： Cloud Security Industry Critical infrastructures Awareness Infrastructure as Code Terraform secure coding

来源：评论

学校读者我要写书评

暂无评论

Can gamification help to teach Cybersecurity? 20

Can gamification help to teach Cybersecurity?

引用

20th International Conference on Information Technology Based Higher Education and Training (ITHET)

作者： Berisford, Christopher J. Blackburn, Leighton Ollett, Jennifer M. Tonner, Thomas B. Yuen, Chun San Hugh Walton, Ryan Olayinka, Olakunle Univ Sheffield Dept Comp Sci Sheffield England

ISBN: (纸本)9781665489089

Over the last decade, there has been an increase in the number of attacks on web applications. The proliferation of these attacks is partially a result of increased adoption of IT systems in organisations and the increasing role digital technologies play in our lives. The success of an attack relies upon the existence of vulnerabilities in the code base and there is consensus within literature that many of these vulnerabilities can be avoided through developers adopting secure code practices and standards which are often not formally taught. Whilst gamification has been shown to be an effective educational tool in fields such as health, education and security awareness, there is a scarcity of research regarding the application of gamification in the context of secure code practices. This paper evaluates the efficacy of a bespoke gamified application in creating awareness and fostering an understanding of the threats and secure coding practices. The application presented in this work focuses on JavaScript with the aim of reducing the number of vulnerabilities in web applications. The analysis is conducted using first and second-year undergraduate participants, who are viewed as the primary target for this software. As part of a participant study involving the application, it was found that gamification elements were effective in increasing user engagement. Initial findings suggest potential for the integration of secure-code gamification in traditional pedagogical methods, but further investigation is required to strengthen this claim.

关键词： gamification cybersecurity secure coding developers game-based learning

来源：评论

学校读者我要写书评

暂无评论

Evaluating Serious Slow Game Jams as a Mechanism for Co-Designing Serious Games to Improve Understanding of Cybersecurity

引用

Games: Research and Practice 2025年第1期3卷 1-30页

作者： Shenando Stals Lynne Baillie Jamie Iona Ferguson Daisy Abbott Manuel Maarek Ryan Shah Sandy Louchart Heriot-Watt University Edinburgh United Kingdom of Great Britain and Northern Ireland School of Simulation and Visualisation The Glasgow School of Art Glasgow United Kingdom of Great Britain and Northern Ireland

We present a first evaluation of a Serious Slow Game Jam (SSGJ) methodology as a mechanism for co-designing serious games in the application domain of cybersecurity to assess how the SSGJ contributed to improving the understanding of cybersecurity. To this end, we engaged 13 participants with no experience in cybersecurity in a multidisciplinary SSGJ involving domain-specific, pedagogical and game design knowledge and encouraged engagement in between scheduled days of the SSGJ. Findings show improved confidence of participants in their knowledge of cybersecurity (from 12.5% to 62.5%) after undertaking the SSGJ, with free-text answers specifically indicating an improved understanding in terms of vulnerabilities, attacks and defences for three-quarters of the participants. Also, confidence in knowledge of game design improved (12.5% to 75%), and the SSGJ successfully engaged participants in between scheduled days. Finally, a serious game is presented that was co-designed with participants during our SSGJ and produced as an output of the SSGJ methodology.

关键词： Serious slow game jam serious games evaluation workload motivation engagement cybersecurity secure coding secure code citizens

来源：评论

学校读者我要写书评

暂无评论

Scaffolded Live coding: A Hybrid Pedagogical Approach for Enhanced Teaching of coding Skills

Scaffolded Live Coding: A Hybrid Pedagogical Approach for En...

引用

IEEE Frontiers in Education Conference (FIE)

作者： Chattopadhyay, Ankur Ryan, Drew Pockrandt, James Northern Kentucky Univ Dept Comp Sci Highland Hts KY 41076 USA Univ Wisconsin Dept Comp Sci Green Bay WI USA

ISBN: (数字)9781665462440

ISBN: (纸本)9781665462440

This Full paper in the Innovative Practice Category describes a novel research study that is based upon an experimental scaffolding of live coding techniques used towards teaching a traditional face to face undergrad computer programming class. It discusses our hybrid pedagogical model, which comprises of a scaffolded collection of our class instructional methods that include fine blend of live coding-based teaching strategies, and traditional lectures. Our combination of live coding styles, as used in this study, consists of the standard live coding technique and our live secure coding demonstrations, which lead to a uniquely blended and integrated live coding approach for teaching coding along with software security concepts. To our knowledge, this is a new research study based upon a hybrid, integrated live coding approach that represents a scaffolding of distinct teaching styles, which combines coding instructions with teaching of secure coding components. We demonstrate an improvised teaching model that enhances the classical live coding pedagogy by adding the live secure coding components, which holistically represent a new variant in a traditional undergrad coding class, for an engaged and enhanced learning experience. Existing literature indicates that there is limited number of prior educational research studies on the usage of a hybrid, non-traditional live secure coding approach blended with the traditional live coding style. Thus, this paper discusses a fresh, nifty teaching strategy that involves new variants of the standard live coding instructional method and forms a hybrid pedagogical model for a more effective and relatable learning of coding skills. We discuss the results of our experimental study in the form of data obtained over a couple of semesters from an upper-level undergrad coding class through learning assessments and collected survey data on learner experiences. We have analyzed the overall gathered learner data to evaluate the performanc

关键词： hybrid teaching pedagogy model live hacking scaffolded live-coding secure coding

来源：评论

学校读者我要写书评

暂无评论

Web Cryptography API: Prevalence and Possible Developer Mistakes 22

Web Cryptography API: Prevalence and Possible Developer Mist...

引用

17th International Conference on Availability, Reliability and Security (ARES)

作者： Wichmann, Pascal Blochberger, Maximilian Federrath, Hannes Univ Hamburg Secur Distributed Syst Hamburg Germany

ISBN: (纸本)9781450396707

In this paper, we analyze mistakes that web developers can make when using the Web Cryptography API. We evaluate the impact of the uncovered mistakes and discuss how they can be prevented. Furthermore, we derive best practices from these mistakes to provide guidance to developers. To assess the relevance of the Web Cryptography API, we empirically evaluate how prevalently it is used by popular web applications on the Internet and in GitHub repositories, finding that only a small proportion of web applications use it. The most widely used operation by far is the generation of cryptographically secure random values, which was not possible in browser-based JavaScript prior to the Web Cryptography API.

关键词： Web Cryptography API cryptographic misuse web security developer mistakes secure coding best practices

来源：评论

学校读者我要写书评

暂无评论

Introducing secure coding in CS0, CS1, and CS2 (abstract only) 14

Introducing secure coding in CS0, CS1, and CS2 (abstract onl...

引用

Proceedings of the 45th ACM technical symposium on Computer science education

作者： Blair Taylor Siddharth Kaza Elizabeth Hawthorne Towson University Towson MD USA Union County College Cranford NJ USA

ISBN: (纸本)9781450326056

The CS 2013 curriculum includes Information Assurance and Security as a pervasive knowledge area. However, introducing security in lower level courses is challenging because of lack of appropriate teaching resources and training. This workshop will provide a well-tested strategy for introducing secure coding concepts in CS0, CS1, and CS2. We will introduce attendees to secure coding through hands-on exercises, and provide self-contained, lab-based modules designed to be injected into CS0-CS2 with minimal impact on the course (***/securityinjections). Participants will be encouraged to bring in their own syllabus and labs to modify to include secure coding concepts. The first 15 participants will be reimbursed for the workshop cost on attendance. Laptop recommended.

关键词： security injections secure coding CS1 CS2 CS0

来源：评论

学校读者我要写书评

暂无评论

Motivating secure coding practices in a freshman-level programming course 14

Motivating secure coding practices in a freshman-level progr...

引用

Proceedings of the 2014 Information Security Curriculum Development Conference

作者： Bryson R. Payne Aaron R. Walker University of North Georgia Dahlonega GA

ISBN: (纸本)9781450330497

secure application development is becoming even more critical as the impact of insecure code becomes deeper and more pervasive in our personal and professional lives. The approach described in this paper seeks to motivate computer science students to write secure code almost from the very beginning by focusing on concrete examples of common software vulnerabilities in the second freshman-level programming course. Sample exercises and assignments are given as examples that can be reused in similar courses. While long-term data collection is still ongoing, initial results are promising enough that the method is presented here in detail to support university faculty interested in incorporating lessons and real-world examples in secure app development in their programming courses at any level.

关键词： security-aware programming application security secure coding secure application development

来源：评论

学校读者我要写书评

暂无评论

Raising Security Awareness of Cloud Deployments using Infrastructure as Code through CyberSecurity Challenges 21

Raising Security Awareness of Cloud Deployments using Infras...

引用

16th International Conference on Availability, Reliability and Security (ARES)

作者： Gasiba, Tiago Espinha Andrei-Cristian, Iosif Lechner, Ulrike Pinto-Albuquerque, Maria Siemens AG T RDA CST SEL DE Munich Germany Tech Univ Munich Munich Germany Univ Bundeswehr Munchen Neubiberg Germany Inst Univ Lisboa ISCTE IUL ISTAR Lisbon Portugal

ISBN: (纸本)9781450390514

Improper deployment of software can have serious consequences, ranging from simple downtime to permanent data loss and data breaches. Infrastructure as Code tools serve to streamline delivery by promising consistency and speed, by abstracting away from the underlying actions. However, this simplicity may distract from architectural or configuration faults, potentially compromising the secure development lifecycle. One way to address this issue involves awareness training. Sifu is a platform that provides education on security through serious games, developed in the industry, for the industry. The presented work extends the Sifu platform with challenges addressing Terraform-aided cloud deployment on Amazon Web Services. This paper proposes an evaluation pipeline behind the challenges, and provides details of the vulnerability detection and feedback mechanisms, as well as a novel technique for detecting undesired differences between a given architecture and a target result. Furthermore, this paper quantifies the challenges' perceived usefulness and impact, by evaluating the challenges among a total of twelve participants. Our preliminary results show that the challenges are suitable for education and the industry, with potential usage in internal training. A key finding is that, although the participants understand the importance of secure coding, their answers indicate that universities leave them unprepared in this area. Finally, our results are compared with related industry works, to extract and provide good practices and advice for practitioners.

关键词： secure coding DevSecOps Awareness Training Serious Games CyberSecurity Challenges Infrastructure as Code

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：