Application Security Research Papers - Academia.edu (original) (raw)

• Top Papers
• Most Cited Papers
• Most Downloaded Papers
• Newest Papers
• People

Mobile malware has continued to grow at an alarming rate despite on-going mitigation efforts. This has been much more prevalent on Android due to being an open platform that is rapidly overtaking other competing platforms in the mobile... more

Mobile malware has continued to grow at an alarming rate despite on-going mitigation efforts. This has been much more prevalent on Android due to being an open platform that is rapidly overtaking other competing platforms in the mobile smart devices market. Recently, a new generation of Android malware families has emerged with advanced evasion capabilities which make them much more difficult to detect using conventional methods. This paper proposes and investigates a parallel machine learning based classification approach for early detection of Android malware. Using real malware samples and benign applications, a composite classification model is developed from parallel combination of heterogeneous classifiers. The empirical evaluation of the model under different combination schemes demonstrates its efficacy and potential to improve detection accuracy. More importantly, by utilizing several classifiers with diverse characteristics, their strengths can be harnessed not only for enhanced Android malware detection but also quicker white box analysis by means of the more interpretable constituent classifiers.

• • by
  • •
  • Machine Learning, Data Mining, Mobile Technology, Applications of Machine Learning

With humongous increase of patient data in hospitals and healthcare centres every day, there is tremendous need for hospitals to deploy their services and data to the cloud which will increase the efficiency and makes administration more... more

With humongous increase of patient data in hospitals and healthcare centres every day, there is tremendous need for hospitals to deploy their services and data to the cloud which will increase the efficiency and makes administration more balanced and steadier. While it is a sterling approach to deploy user data and services to the cloud, it is important for healthcare centres and hospitals to understand and be aware of the potential threats in the cloud environment. With the advancement of technology, hackers try to gain access into the cloud by exploiting vulnerabilities which are unpatched for a very long period. These exploitations lead to unauthorised access and control over user information which results in immediate havoc to the user privacy and long-term damage to the goodwill of the hospitals. Technical Issues such as Access Control, Identity Management, Authentication and Authorisation needs to be addressed with immediate alacrity to safeguard the CIA traits namely Confidentiality, Integrity and Availability of user data in the cloud. This paper will elucidate on what kind of security approaches and enhancements are necessary to be taken care to prevent unauthorised data access, financial and goodwill loss in the healthcare domain.

• • by International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) ijarcet
  • •
  • Compliance, Cloud Computing, Application Security, Cloud Forensics
• • by Dragan Pleskonjic
  • •
  • Information Security, Software Security, Software Development, Software Architecture

This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that... more

This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design flaws to compromise ASP.NET web applications. We describe practical and highly efficient attacks

• • by Thai Duong
  • •
  • Computer Science, Cryptography, Authentication, Application Security

Over the past decades, efforts to enhance software development life cycle (SDLC) practices have been shown to improve software quality, reliability, and fault-tolerance. More recently, similar strategies to improve the security of... more

Over the past decades, efforts to enhance software development life cycle (SDLC) practices have been shown to improve software quality, reliability, and fault-tolerance. More recently, similar strategies to improve the security of software in organizations such as Microsoft, Oracle, and Motorola have resulted in software products with less vulnerabilities and greater dependability, trustworthiness, and resilience. In its mission to improve the security of software used in America’s critical infrastructure and information systems, the Department of Homeland Security’s (DHS) Software Assurance Program has sponsored the creation of the book Enhancing the Development Life Cycle to Produce Secure Software, a source of practical information intended to help developers, integrators, and testers identify and systematically apply security and assurance principles, methodologies, and techniques to current SDLC practices, and thereby increase the security of the software that results. Unlike t...

• • by Karen Mercedes Goertzel
  • •
  • Software Security, Application Security, Software Assurance

Fraud incidences in electronic banking is in continous rise and if not kept in check can discourage people from embracing the electronic banking option. Nigeria has approximately 140 million active mobile subscribers and if this number... more

Fraud incidences in electronic banking is in continous rise and if not kept in check can discourage people from embracing the electronic banking option. Nigeria has approximately 140 million active mobile subscribers and if this number should embrace mobile banking, it will promote the Government's initiative for a cashless society. This research proposes a secured application based mobile banking model for Nigeria, that utilizes the recently introduced Bank Verification Number (BVN) policy of the Central Bank and that is based on a three level authentication mechanism: i. what the user knows (Bank Verification Number (BVN)), ii. what the user has (device's IMEI) iii. what the user is (user's fingerprints and finger vein multimodal biometric data). The dissertation proposes client server mutual authentication with the use of X.509 based Public Key Infrastructure (PKI). This proposal is demonstrated with Android application connected to a MySQL database via HTTPS and JSON Web Services implemented with PHP. The result of this work is a secured application based mobile banking model for Nigeria that will encourage more people to embrace mobile banking due to its increased level of security.

• • by Faisal A Garba and +1
  • •
  • Information Security, Mobile Banking, Application Security

As a freely downloadable reference document, “Security in the Software Life Cycle: Making Application Development Processes – and Software Produced by Them – More Secure” presents key issues in the security of software and its development... more

As a freely downloadable reference document, “Security in the Software Life Cycle: Making Application Development Processes – and Software Produced by Them – More Secure” presents key issues in the security of software and its development processes. It introduces a number of process improvement models, risk management and development methodologies, and sound practices and supporting tools that have been reported to help reduce the vulnerabilities and exploitable defects in software and diminish the possibility that malicious logic and trap doors may be surreptitiously introduced during its development. No single practice, process, or methodology offers the universal silver bullet for software security. “Security in the Software Life Cycle” has been compiled as a reference document with practical guidance intended to tie it together and inform software practitioners of a number of practices and methodologies from which they can evaluate and selectively adopt to reshape their development processes to increase not only the security but also the quality and reliability of their software applications, services, and systems, both in development and deployment.

• • by Karen Mercedes Goertzel
  • •
  • Software Security, Application Security, Software Assurance
• • by Victor Niga
  • •
  • Application Security

—Android is becoming ubiquitous and currently has the largest share of the mobile OS market with billions of application downloads from the official app market. It has also become the platform most targeted by mobile malware that are... more

—Android is becoming ubiquitous and currently has the largest share of the mobile OS market with billions of application downloads from the official app market. It has also become the platform most targeted by mobile malware that are becoming more sophisticated to evade state-of-the-art detection approaches. Many Android malware families employ obfuscation techniques in order to avoid detection and this may defeat static analysis based approaches. Dynamic analysis on the other hand may be used to overcome this limitation. Hence in this paper we propose DynaLog, a dynamic analysis based framework for characterizing Android applications. The framework provides the capability to analyse the behaviour of applications based on an extensive number of dynamic features. It provides an automated platform for mass analysis and characterization of apps that is useful for quickly identifying and isolating malicious applications. The DynaLog framework leverages existing open source tools to extract and log high level behaviours, API calls, and critical events that can be used to explore the characteristics of an application, thus providing an extensible dynamic analysis platform for detecting Android malware. DynaLog is evaluated using real malware samples and clean applications demonstrating its capabilities for effective analysis and detection of malicious applications.

• • by Suleiman Y Yerima and +1
  • •
  • Network Security, Malware Analysis, Malware, Application Security

Application SecurityApplication SecurityApplication SecurityApplication SecurityApplication SecurityApplication SecurityApplication SecurityApplication SecurityApplication Security

• • by Deka Mario
  • •
  • Application Security

The web-based applications are getting popular due to the ease of development and access that enables users to use them without any limitation of time and place. However the web environment faces variety of risks, particularly to those... more

The web-based applications are getting popular due to the ease of development and access that enables users to use them without any limitation of time and place. However the web environment faces variety of risks, particularly to those that exploit applications and systems vulnerabilities. Unfortunately, most of web developers only focus their attentions to the application functionality and user interface. This study develops a framework to measure the level of web developers awareness to security. We also apply the framework to measure the security awareness level of web developers in Indonesia. Our survey results show that their security awareness are in the medium level, thus some aspects need to be improved

• • by Achmad Nizar
  • •
  • Information Security, Innovation statistics, Security, Learning

Internet advertising is one of the most popular online business models. JavaScript-based advertisements (ads) are often directly embedded in a web publisher's page to display ads relevant to users (eg, by checking the user's... more

Internet advertising is one of the most popular online business models. JavaScript-based advertisements (ads) are often directly embedded in a web publisher's page to display ads relevant to users (eg, by checking the user's browser environment and page content). However, as third-party code, the ads pose a significant threat to user privacy. Worse, malicious ads can exploit browser vulnerabilities to compromise users' machines and install malware. To protect users from these threats, we propose AdSentry, a ...

• • by Minh Anh Tran
  • •
  • Computer Science, Application Security, Business Model, Web Pages

One of the hottest and most discussed topics by people involved in the security testing field is this: Should security testing be based on automatic or manual methods? However, what is the truth about using these tools to detect... more

One of the hottest and most discussed topics by people involved in the security testing field is this: Should security testing be based on automatic or manual methods? However, what is the truth about using these tools to detect vulnerabilities in systems, networks or applications? Can these tools help an organization obtain good security results; can they identify weaknesses in order to put in place the required measures/defences to prevent real attacks by potential intruders? Moreover, are these automated efforts enough to accomplish the objective of detecting real vulnerabilities? In this article, we will cover some aspects of web application security testing, and we will see how manual testing could be an essential element, working alongside automated testing procedures to reduce false-positives, leading to defining real vulnerabilities better, which will ultimately lead to a significant impact on the overall security of the organization in question.

• • by Christian Navarrete
  • •
  • Software Security, Network Security, Risk and Vulnerability, Information Security Auditing
• • by Ilham Zico
  • •
  • Security, Application Security, Intelijen

The security risks associated with software and its development processes have been recognized for 40 years or more. But only in the past quarter century have efforts to understand and address the root causes of system security... more

The security risks associated with software and its development processes have been recognized for 40 years or more. But only in the past quarter century have efforts to understand and address the root causes of system security vulnerabilities evolved and coalesced into systematic efforts to improve software security assurance across government and leading industry sectors. Along with these programs have arisen efforts to reshape the software engineering profes- sion, and to establish a robust software security technology and services industry.
This article provides a capsule history of the most significant of the software assurance efforts of the past 25 years, organized by the main problems they have striven—and continue to strive—to correct. At the end of the article, a number of more extensive, detailed software assurance landscapes are recommended to the reader, to complement and elaborate upon the information presented here.

• • by Karen Mercedes Goertzel
  • •
  • Software Engineering, Software Security, Application Security, Software Assurance

Abstract: Trust is an indispensable part of the computing environment, the validity of any transaction or information depends heavily on the authenticity of the information source. In this context, many mechanisms for ensuring the... more

Abstract: Trust is an indispensable part of the computing environment, the validity of any transaction or information depends heavily on the authenticity of the information source. In this context, many mechanisms for ensuring the authenticity of the information source were developed, including password verification and biometrics. But as the attacks are directed towards the computing platform and the applications running on the computer, all these initial security mechanisms are not sufficient. It is essential to ensure before making a secure transaction that the system is in a good state (or say some authorized state) and maintains its integrity throughout the execution time. The emergence of the Trusted Platform Module (TPM) has added to the security feature of a computer. Mechanisms are in place which guarantee system integrity but very little is known about the state of the applications running on them. We propose a system which notifies the user if the integrity of an applicat...

• • by renu mary daniel
  • •
  • Trust, Application Security, Sealing, Integrity Measurement

Abstrak—Jumlah pencurian data perusahaan meningkat dari tahun ke tahun. Hal ini dikarenakan kurangnya kesadaran pihak perusahaan akan pentingnya suatu sistem keamanan yang efisien dan unik. Pihak perusahaan mengira bahwa hanya dengan... more

Abstrak—Jumlah pencurian data perusahaan meningkat dari tahun ke tahun. Hal ini dikarenakan kurangnya kesadaran pihak perusahaan akan pentingnya suatu sistem keamanan yang efisien dan unik. Pihak perusahaan mengira bahwa hanya dengan password, data tersebut sudah sangat aman. Pada penelitian ini, dibuat suatu skema keamanan data, yakni V.S.N Hardware Key dengan algoritma kriptografi RSA. Volume Serial Number yang terdapat di dalam suatu hardware yang berbentuk bilangan hexadecimal diambil dengan fungsi API GetVolumeInformation dan diubah menjadi bilangan decimal yang kemudian digunakan sebagai otentifikasi dalam pengaksesan sebuah aplikasi. RSA merupakan salah satu algoritma kriptografi asimetris yang menggunakan sepasang kunci, yaitu kunci publik dan kunci privat. Panjang kunci dapat diatur, dimana semakin panjang bit pembentukan kunci maka semakin sukar untuk dipecahkan karena sulitnya memfaktorkan dua bilangan yang sangat besar. Aplikasi yang dirancang dalam mendukung V.S.N Hardware Key dengan algoritma kriptografi RSA telah diuji dengan melibatkan data-data confidential perusahaan, dan terbukti ampuh dalam membuat para intruder gagal melakukan pencurian data penting perusahaan termasuk penggandaan ilegal. Secara umum V.S.N Hardware Key dengan algoritma kriptografi RSA digunakan sebagai skema penyempurna pengamanan data perusahaan yang secara umum berbentuk aplikasi sistem informasi. Kata kunci: V.S.N hardware key, volume serial number, get volume information, keamanan data, RSA

• • by Andy Victor
  • •
  • Computer Security, Application Security
• • by Pierre-yves Strub
  • •
  • Cryptography, Wireless networks, Authentication, Application Security

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data... more

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web
Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to
pool together sanitized website vulnerability data and to gain a better understanding about the
web application vulnerability landscape. We ascertain which classes of attacks are the most
prevalent regardless of the methodology used to identify them. Industry statistics such as those
compiled by Mitre CVE project provide valuable insight into the types of vulnerabilities discovered
in open source and commercial applications, this project tries to be the equivalent for custom web
applications.
The main Project goals are:
 Identify the prevalence and probability of different vulnerability classes
 Compare testing methodologies against what types of vulnerabilities they are likely to
identify

• • by Sergey Gordeychik
  • •
  • Application Security, Web Application Security
• • by Dragan Pleskonjic
  • •
  • Information Security, Software Security, Network Security, Computer Networks

ABSTRACT The Security services within applications have received recent attention. It has been suggested that this may be the only way to increase overall information system assurance in an era where ICT governance and compliance have... more

ABSTRACT The Security services within applications have received recent attention. It has been suggested that this may be the only way to increase overall information system assurance in an era where ICT governance and compliance have taken on new force and the use of commodity level ICT products for critical information systems continues. While it has been argued that an application can be no more secure than its underlying computer sub-systems, security at the application layer was always envisaged as playing a major role, e.g. in the “Open Systems Interconnection (OSI)” security model. At a time when “end-user” programming is being advocated, the needs and parameters of security education and training are rapidly changing, and increased threats from global Internet connection are rapidly rising, there is a need to reconsider security schemes at the application level. This paper examines current trends in application design, development, deployment and management and evaluates these against known system vulnerabilities and threats.

• • by William Caelli
  • •
  • Application Security, System Security, Security Model, Information System
• • by Minh Tran
  • •
  • Application Security, Business Model, Web Pages, Performance Measure

Over the past decades, efforts to enhance software development life cycle (SDLC) practices have been shown to improve software quality, reliability, and fault-tolerance. More recently, similar strategies to improve the security of... more

Over the past decades, efforts to enhance software development life cycle (SDLC) practices have been shown to improve software quality, reliability, and fault-tolerance. More recently, similar strategies to improve the security of software in organizations such as Microsoft, Oracle, and Motorola have resulted in software products with less vulnerabilities and greater dependability, trustworthiness, and resilience. In its mission to improve the security of software used in America’s critical infrastructure and information systems, the Department of Homeland Security’s (DHS) Software Assurance Program has sponsored the creation of the book Enhancing the Development Life Cycle to Produce Secure Software, a source of practical information intended to help developers, integrators, and testers identify and systematically apply security and assurance principles, methodologies, and techniques to current SDLC practices, and thereby increase the security of the software that results. Unlike the numerous other books on secure software development, Enhancing the Development Life Cycle does not espouse any specific methodology, process model, or development philosophy. Instead it explains the essentials of what makes software secure, and takes an unbiased look at the numerous security principles and secure development methodologies, practices, techniques, and tools that developers are finding effective for developing secure software – information that readers can leverage in defining their own SDLC security-enhancement strategies.

• • by Karen Mercedes Goertzel
  • •
  • Software Security, Application Security, Software Assurance
• • by Dragan Pleskonjic
  • •
  • Information Security, Software Security, Database Security, Application Security

DevSecOps is a more than just getting security testing integrated into a pipeline and using the results to influence flow. Real success with DevSecOps comes when you are able to identify and measure critical aspects of your risks as well... more

DevSecOps is a more than just getting security testing integrated into a pipeline and using the results to influence flow. Real success with DevSecOps comes when you are able to identify and measure critical aspects of your risks as well as your security controls and functions. It means that you have governance that enables and encourages the right behaviors – not just inhibits bad ones and you have an audit function that can measure this success. It also means you are able to incorporate and include security related information from all parts of the SDLC – including threat, design, testing and at runtime. Many places have achieved higher degrees of automation and education within their DevSecOps initiatives, however this needs to be an improving and continuous cycle. Taking it to the next level involves intensify these efforts with accurate threat analysis, secure design, measuring, governance and audit. Join us as we share insights on how organizations are moving beyond DevSecOps and more towards real Continuous Security.

• • by Dragan Pleskonjic
  • •
  • Software Engineering, Software Security, Agile Software Process Improvement, Software Development

Book Details: Book Title:IT Application Security & Control ISBN-13: 978-3-659-93713-2 ISBN-10: 3659937134 EAN: 9783659937132 Book language: English By (author) : Dileep Keshava Narayana Number of pages: 52 Published on: 2018-09-17... more

Book Details:
Book Title:IT Application Security & Control
ISBN-13: 978-3-659-93713-2
ISBN-10: 3659937134
EAN: 9783659937132
Book language: English
By (author) : Dileep Keshava Narayana
Number of pages: 52
Published on: 2018-09-17
Publisher: LAP Lambert Academic Publishing
Category: Informatics, IT

• • by Dileep Keshava Narayana
  • •
  • Application Security, IT Governance, IT Security

Abstrak Jumlah pencurian data perusahaan meningkat dari tahun ke tahun. Hal ini dikarenakan kurangnya kesadaran pihak perusahaan akan pentingnya suatu sistem keamanan yang efisien dan unik. Pihak perusahaan mengira bahwa hanya dengan... more

Abstrak Jumlah pencurian data perusahaan meningkat dari tahun ke tahun. Hal ini dikarenakan kurangnya kesadaran pihak perusahaan akan pentingnya suatu sistem keamanan yang efisien dan unik. Pihak perusahaan mengira bahwa hanya dengan password, data tersebut sudah sangat aman.Pada penelitian ini, dibuat suatu skema keamanan data, yakni VSN Hardware Key.Volume Serial Number yang terdapat di dalam suatu hardware yang berbentuk bilangan hexadecimal diambil dengan fungsi API GetVolumeInformationdan diubah menjadi bilangan decimal yang kemudian digunakan sebagai otentifikasi dalam pengaksesan sebuah aplikasi.Aplikasi yang dirancang dalam mendukung VSN Hardware Key telah diuji dengan melibatkan data data confidential perusahaan, dan terbukti ampuh dalam membuat para intruder gagal melakukan pencurian data penting perusahaan termasuk penggandaan ilegal.Secara umum VSN Hardware Key digunakan sebagai skema penyempurna pengamanan data perusahaan yang secara umum berbentuk aplikasi sistem informasi. Kata kunci:vsn hardware key, volume serial number, get volume information, keamanan data.

• • by Andy Victor
  • •
  • Computer Security, Application Security

Internet advertising is one of the most popular online business models. JavaScript-based advertisements (ads) are often directly embedded in a web publisher's page to display ads relevant to users (eg, by checking the user's... more

Internet advertising is one of the most popular online business models. JavaScript-based advertisements (ads) are often directly embedded in a web publisher's page to display ads relevant to users (eg, by checking the user's browser environment and page content). However, as third-party code, the ads pose a significant threat to user privacy. Worse, malicious ads can exploit browser vulnerabilities to compromise users' machines and install malware. To protect users from these threats, we propose AdSentry, a ...

• • by Minh Tran
  • •
  • Application Security, Business Model, Web Pages, Performance Measure

Mobile devices have been playing vital roles in modern dayeducation delivery as students can access or download learning materials on their smartphones and tablets, they can also install educational apps and study anytime, anywhere. The... more

Mobile devices have been playing vital roles in modern dayeducation delivery as students can access or download learning materials on their smartphones and tablets, they can also install educational apps and study anytime, anywhere. The need to provide adequate security forportable devices being used for learning cannot be underestimated. In this paper, we present a mobile security enhancement app, designed and developedfor Android smart mobile devices in order to promote security awareness among students. The app can alsoidentify major and the most significant security weaknesses, scan or check for vulnerabilities in m-learning devices and report any security threat.

• • by International Journal on Integrating Technology in Education ( IJITE )
  • •
  • Mobile Learning, Mobile Technology, Application Security
• • by ehud gudes
  • •
  • Information Systems, Application Security, Web Security, Security Policy

The deficient of a good authentication protocol in a ubiquitous application environment has made it a good target for adversaries. As a result, all the devices which are participating in such environment are said to be exposed to attacks... more

The deficient of a good authentication protocol in a ubiquitous application environment has made it a good target for adversaries. As a result, all the devices which are participating in such environment are said to be exposed to attacks such as identity impostor, man-in-the-middle attacks and also unauthorized attacks. Thus, this has created skeptical among the users and has resulted them of keeping their distance from such applications. For this reason, in this paper, we are proposing a new authentication protocol to be used in such environment. Unlike other authentication protocols which can be adopted to be used in such environment, our proposed protocol could avoid a single point of failures, implements trust level in granting access and also promotes decentralization. It is hoped that the proposed authentication protocol can reduce or eliminate the problems mentioned.

• • by SDIWC Organization
  • •
  • Computer Science, Information Technology, Ubiquitous Computing, Application Security