Reasons for lacking web security : An investigation into the knowledge of web developers

Sundqvist, Jonathan

January 2018

Context: With the constantly increasing activity in the internet and its giant rise over the last 18 years, it’s become increasingly important to investigate common problems in web security Objectives: This thesis is made up of a literature study and a survey. It investigates what the common problems in web security are. It also investigates what the average web developer knows, what they think about the state of web security and what they would change. Method: A survey was developed to get information about people’s education levels, previous experience with web security and security breaches. As well as to get their opinions about web security and to find out what they would change. Results: Based on the literature study and survey the thesis finds out what the common problems in web security are as well as what the average web developer knows, think about web security and want to change. Conclusions: The state of web security in 2018 is not at the level that one might expect, there are several common problems created due to lack of knowledge and the consensus of the people is the same, that the state of web security is sub-par and not to their general satisfaction.

web security

vulnerabilities

lacking security

investigation

Software Engineering

Programvaruteknik

Stop the Bleeding, Heal the Wound: The Role of Fertilizer Subsidies in Food Security, Zomba District, Malawi / Role of Fertilizer Subsidies in Food Security, Zomba District, Malawi

Javdani, Marie S.

09 1900

xiv, 126 p. : ill., map. A print copy of this thesis is available through the UO Libraries. Search the library catalog for the location and call number. / The government of Malawi is being lauded internationally for having ostensibly eliminated hunger within its borders through a subsidy that makes available chemical fertilizers to smallholder farmers. Development scholarship and policy have recently turned toward promoting a "new" Green Revolution in Africa for the establishment of food security and the advancement of economic development. Many view the increased use of chemical fertilizer in Malawian agriculture and the resultant rise in maize yieldsdescribed by such publications as the New York Times as the "Malawi Mirac1e"-as evidence that the prescribed NGR is indeed a recipe for success. This thesis places the subsidy in its historical and theoretical framework and discusses the extent to which production-end strategies accomplish the goals of food security. Also discussed are nonproduction measures that are essential to creating a reliable and accessible food system. / Committee in Charge: Peter A. Walker, Chair; Derrick L. Hindery

Agriculture -- Malawi

Food security -- Africa

Food security -- Malawi

Malawi

Fast track land reform programmes and household food security : case of Mutare district (Zimbabwe)

Mudefi, Rwadzisai Abraham

11 1900

The research attempted to demystify the Zimbabwean land reform that was spear headed by war veterans’ in Zimbabwe. This research investigated the impact of the Fast Track Land Reform Programme (FTLRP) in 2000 on Household Food Security. It was generally assumed that the programme did not improve Household Food Security. To verify that assertion the research used questionnaires in a survey research design. The questionnaires were administered to 322 household heads that had been selected by the random stratified sampling method in Mutare District. The results established that Household Food Security in Mutare District improved after the implementation of the FTLRP. The national grain storage however was depleted because the new farmers reduced the production levels set by the former white farmers. The research therefore recommends an orderly and sustainable transition of Land Reform in future programmes to enhance national grain reserves. This also further improves the Household Food Security.

Land reform

Food security

Land reform programmes

Household food security

Federated authentication using the Cloud (Cloud Aura)

Al Abdulwahid, Abdulwahid Abdullah

January 2017

Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorised user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. Traditionally deployed in a point-of-entry mode (although a number of implementations also provide for re-authentication), the intrusive nature of the control is a significant inhibitor. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This thesis reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art and identifying the open problems to be tackled and available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between the need for high security whilst maximising user satisfaction. This is followed by a comprehensive literature survey and critical analysis of the existing research domain on continuous and transparent multibiometric authentication. It is evident that most of the undertaken studies and proposed solutions thus far endure one or more shortcomings; for instance, an inability to balance the trade-off between security and usability, confinement to specific devices, lack or negligence of evaluating users’ acceptance and privacy measures, and insufficiency or absence of real tested datasets. It concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilised in a universal manner. Accordingly, it is paramount to have a high level of performance, scalability, and interoperability amongst existing and future systems, services and devices. A survey of 302 digital device users was undertaken and reveals that despite the widespread interest in more security, there is a quite low number of respondents using or maintaining the available security measures. However, it is apparent that users do not avoid applying the concept of authentication security but avoid the inconvenience of its current common techniques (biometrics are having growing practical interest). The respondents’ perceptions towards Trusted Third-Party (TTP) enable utilising biometrics for a novel authentication solution managed by a TTP working on multiple devices to access multiple services. However, it must be developed and implemented considerately. A series of experimental feasibility analysis studies disclose that even though prior Transparent Authentication Systems (TAS) models performed relatively well in practice on real live user data, an enhanced model utilising multibiometric fusion outweighs them in terms of the security and transparency of the system within a device. It is also empirically established that a centralised federated authentication approach using the Cloud would help towards constructing a better user profile encompassing multibiometrics and soft biometric information from their multiple devices and thus improving the security and convenience of the technique beyond those of unimodal, the Non-Intrusive and Continuous Authentication (NICA), and the Weighted Majority Voting Fusion (WMVF) and what a single device can do by itself. Furthermore, it reduces the intrusive authentication requests by 62%-74% (of the total assumed intrusive requests without operating this model) in the worst cases. As such, the thesis proposes a novel authentication architecture, which is capable of operating in a transparent, continuous and convenient manner whilst functioning across a range of digital devices – bearing in mind it is desirable to work on differing hardware configurations, operating systems, processing capabilities and network connectivity but they are yet to be validated. The approach, entitled Cloud Aura, can achieve high levels of transparency thereby being less dependent on secret-knowledge or any other intrusive login and leveraging the available devices capabilities without requiring any external sensors. Cloud Aura incorporates a variety of biometrics from different types, i.e. physiological, behavioural, and soft biometrics and deploys an on-going identity confidence level based upon them, which is subsequently reflected on the user privileges and mapped to the risk level associated to them, resulting in relevant reaction(s). While in use, it functions with minimal processing overhead thereby reducing the time required for the authentication decision. Ultimately, a functional proof of concept prototype is developed showing that Cloud Aura is feasible and would have the provisions of effective security and user convenience.

005.8

The United States container security initiative and European Union container seaport competition

Zhang, Xufan

January 2018

The increasing volume of container trade poses formidable security challenges. As a result of terrorist attacks, a variety of compulsory and voluntary security measures have been introduced to enhance and secure maritime container trade. The United States (US) Container Security Initiative (CSI) was claimed to impose serious problems in European Union (EU) ports, and in particular it was claimed to affect EU container port competitiveness due to compliance cost and operational inefficiency. This research aimed to analyse the impact of the CSI on EU container seaport competition. Following an abductive approach, a conceptual model was developed based on the literature review. This directed the design of a Delphi study, which was used to test the opinions of academic, industrial and administrative experts. The Delphi results showed the necessity of implementing maritime security measures integrated into the entire supply chain. The negativity effects of additional costs and operational obstructions are insignificant compared to the overall benefits from a secure supply chain. The CSI is a successful and appropriate maritime security measure. With regard to its effects on the EU container seaport competition, the CSI has not distorted port competition and small ports have not lost market share. It helps the member ports to create new revenue streams and attract more container traffic, hence enhancing their competitiveness. Moreover, it facilitates global trade by reducing total transit time. A model which contains four factors was built to interpret the results of the Delphi research. This model helps to analyse how a maritime security policy will affect the EU port industry. This research also reveals two major issues under the current supply chain security framework, which are the substantial liability problem and unbalanced bilateral relations. A proposal for developing a comprehensive multilateral regime that is fully integrated into the entire supply chain is recommended as a sustainable solution.

Tourism in an unstable and complex world? : searching for a relevant political risk paradigm and model for tourism organisations

Piekarz, Mark J.

January 2008

This work has a single aim, focusing on developing a political risk model relevant for tourism organisations, which are operating in an increasingly complex and turbulent international environment. It pays particular attention to the language of risk (how risks are articulated and described), the culture of risk (how risks are viewed), and the risk process (how they are analysed and assessed). The work critically evaluates a variety of methods that can be utilised to scan, analyse and assess political hazards and risks. It finds that many of the existing methods of political and country risk assessment are limited and not sufficiently contextualised to the needs of the tourism industry. Whilst many models can have an attractive façade of using positivistic methods to calculate political risks, in practice these are fraught with problems. The study also highlights a more complex relationship between tourism and political instability, whereby tourism can be characterised as much by its robustness, as its sensitivity. A model is developed which primarily adapts a systems theory approach, whereby a language, culture and practical process is developed through which the analysis of various factors and indicators can take place. The approach adopted has a number of stages, which vary in the amount of data necessary for the analysis and assessment of political risks. The model begins by utilising existing travel advice databases, moving onto an analysis of the frequency of past events, then to the nature of the political system itself, finishing with an analysis and assessment of more complex input factors and indicators which relate to notions of causation. One of the more provocative features of the model is the argument that it is more than possible to make an assessment of the risks that the political environment can pose to a tourism organisation, without necessarily understanding theories of causation.

320.9

The conflict of interest between data sharing and data privacy : a middleware approach

Molema, Karabo Omphile

January 2016

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2016. / People who are referred to as data owners in this study, use the Internet for various purposes and one of those is using online services like Gmail, Facebook, Twitter and so on. These online services are offered by organizations which are referred to as data controllers. When data owners use these service provided by data controllers they usually have to agree to the terms and conditions which gives data controllers indemnity against any privacy issues that may be raised by the data owner. Data controllers are then free to share that data with any other organizations, referred to as third parties. Though data controllers are protected from lawsuits it does not necessarily mean they are free of any act that may be considered a privacy violation by the data owner. This thesis aims to arrive at a design proposition using the design science research paradigm for a middleware extension, specifically focused on the Tomcat server which is a servlet engine running on the JVM. The design proposition proposes a client side annotation based API to be used by developers to specify classes which will carry data outside the scope of the data controller's system to a third party system, the specified classes will then have code weaved in that will communicate with a Privacy Engine component that will determine based on data owner's preferences if their data should be shared or not. The output of this study is a privacy enhancing platform that comprises of three components the client side annotation based API used by developers, an extension to Tomcat and finally a Privacy Engine.

Computer security

Data protection

Computer networks -- Security measures

Privacy, Right of

The increasing role of regionalism in security governance : passing trend or evolving framework for practice?

Esterhuizen, Eden

04 June 2014

LL.M. (International Law) / After witnessing the catastrophic effects of the First World War, the pursuit of a global regulatory body charged with the responsibility of maintaining global peace and security was the talk of the day and a body which became known as the League of Nations soon surfaced. However, with the manifestation of the Second World War the essential failure of the League of Nations was evident and led to the creation of a new body along with a dream to prevent the same kind of disastrous conflict the world had just witnessed for a second time from occurring again. The idea that a single body would in essence control the fate of world security matters was brought to life and the United Nations Security Council essentially emerged, reflecting the power balance that ensued at the end of World War 2 – the United States, Britain, the Soviet Union, China and France suddenly became the most powerful nations in the world. With the existence of regional organisations pre-dating that of both the League and the United Nations, the debate as to the ideal relationship between the global body and regional bodies developed. Despite the fact that the UN Charter essentially instilled a hierarchy, with the Security Council holding primacy over matters of security governance4 whilst allowing regional organisations to act unilaterally only in limited circumstances,5 this debate has continued to the present day. Since the conception of the United Nations, the traditional role of regional organisations in matters of security governance were mostly limited to peacekeeping and preventative diplomacy and the inaction of the Security Council during the Cold War saw an increase in the activity of these bodies, albeit in these forms.

United Nations. Security Council

Regionalism

'n Bestuurshulpmiddel vir die evaluering van 'n maatskappy se rekenaarsekerheidsgraad

Von Solms, Rossouw

13 May 2014

M.Sc. (Informatics) / Information is power. Any organization must secure and protect its entire information assets. Management is responsible for the well-being of the organization and consequently for computer security. Management must become and stay involved with the computer security situation of the organization, because the existence of any organization depends on an effective information system. One way in which management can stay continually involved and committed with the computer security situation of the organization, is by -, the periodic evaluation of computer security. The results from this evaluation process can initiate appropriate actions to increase computer security in areas needed. For effective management involvement, a tool is needed to aid management in monitoring the status of implementing computer security on a regular basis. The main objective of this dissertation is to develop such a management tool. Basically the thesis consists of three parts, namely framework for effective computer security evaluation, the definition of the criteria to be included in the tool and lastly, the tool itself. The framework (chapters 1 to 6) defines the basis on which the tool (chapters 7 to 9) is built, e.g. that computer security controls need to be cost-effective and should aid the organization in accomplishing its objectives. The framework is based on a two dimensional graph: firstly, tho various risk areas in which computer security should be applied and secondly, the severity of controls in each of these areas. The tool identifies numerous risk areas critical to the security of the computer and its environment. Each of these risk areas need to be evaluated to find out how well it is secured. From these results an overall computer security situation is pictured. The tool is presented as a spreadsheet, containing a number of questions. The built -in formulae in the spreadsheet perform calculations resulting in an appreciation of the computer security situation. The results of the security evaluation can be used by management to take appropriate actions regarding the computer security situation.

Data protection

Computer security

Enforcing Privacy on the Internet.

Lategan, Frans Adriaan

02 June 2008

Privacy of information is becoming more and more important as we start trusting unknown computers, servers and organisations with more and more of our personal information. We distribute our private information on an ever-increasing number of computers daily, and we effectively give target organisations carte blanche to do what they want with our private information once they have collected it. We have only their privacy policy as a possible safeguard against misuse of our private information. Thus far, no reliable and practical method to enforce privacy has been discovered. In this thesis we look at ways to enforce the privacy of information. In order to do this, we first present a classification of private information based on the purpose it is acquired for. This will then enable us to tailor protection methods in such a way that the purpose the information is acquired for can still be fulfilled. We propose three distinct methods to protect such information. The first method, that of nondisclosure, is where private information is required not for the contents, but as input to verify calculations. We shall present an encryption method to protect private information where the private information consists of a set of numeric values S on which some function G has to be applied and the result = G(S) has to be supplied to a target organisation. The calculation of the result must be verifiable by the target organisation, without disclosing S. The second method, that of retaining control is a method by which we can grant limited access to our private information, and thus enforce the terms of privacy policies. The final method we present is a conceptual method to extend P3P in order to add more flexibility to the decision on whether or not a given item of private information will be supplied to a target organisation by using the Chinese Wall security policy. This will enable a user to not only define rules as to which items of private information he would disclose, but also to define what collection of private information any given organisation would be able to build about him. / Olivier, M.S., Prof.

internet

internet security

computer security

data protection

right of privacy