Global ETD Search

1	Nástroje pro testování bezpečnosti aplikací v ASP.NET / Security testing tools for ASP.NET applications Kikerle, Martin January 2015 (has links) The purpose of this thesis is to create a methodology which helps ASP.NET developers to test their web applications for the presence of the most common vulnerabilities. The theoretical part is focused on the ways of application testing and briefly describes ten of the most common web application vulnerabilities, so-called OWASP Top Ten 2013. The web application testing methodology is included in the practical part. A process of the application testing is the key part of the methodology. The designed methodology is used for the selected web application testing.
2	Framework and Tools for IT Security within Logistics and Infrastructure oriented Operations : With a focus on Static Application Security Testing Seger, Elias, Schedin, Fredrick January 2022 (has links) Static Application Security Testing Tools (SAST) is a security tool that claims to help with security in an IT system. Static Application Security Testing tools are technical solutions that operate within the continuous integration of the system. The tool uses frameworks such as OWASP and CWE to detect common vulnerabilities in the codebase by analysing code in the building and testing phase of continuous integration. The problem with SAST tools is that there are many different beliefs surrounding them. Some say they are crucial for security, while some believe they are less helpful and can even inhibit projects by introducing false positives. This thesis determines if SAST tools are an effective solution to security problems within in an IT system. The focus was on logistics- and infrastructure-oriented operations, which the partner company Triona operates within. We use literature review to look at previously similarly conducted research combined with interviews with experienced people within the fields. This gives qualitative results that coupled with previous research can be generalized. The results show that SAST tools are effective tools if used responsibly. Both the literature and interviews conclude that SAST tools are not enough on their own to satisfy the security requirements but must be combined with responsible use of the tools as well as code reviews and other types of testing. SAST tools are also shown to have some problems, mainly false positives, and false negatives. There are also problems related to the implementation of the tools. These problems are costs that comes with implementation, as well as the time spent on it. Other problems are bad communication with developer teams that led to developers not knowing what to do in case of errors shown by the tool. Interviews conducted provides information that SAST tools are not only tools for security but also helps with manageability of code bases. SAST Continuous integration SonarQube OWASP CWE Security tools Information Systems
3	A Study on Ethical Hacking in Cybersecurity Education Within the United States Chew, Jordan 01 March 2024 (has links) (PDF) As the field of computer security continues to grow, it becomes increasingly important to educate the next generation of security professionals. However, much of the current education landscape primarily focuses on teaching defensive skills. Teaching offensive security, otherwise known as ethical hacking, is an important component in the education of all students who hope to contribute to the field of cybersecurity. Doing so requires a careful consideration of what ethical, legal, and practical issues arise from teaching students skills that can be used to cause harm. In this thesis, we first examine the current state of cybersecurity education in the United States through a holistic view of funding, certifications, and course offerings. We then offer a framework to navigate the ethical and legal issues of teaching offensive security, as well as serve as a technical reference of useful tools for configuring and conducting a course in ethical hacking. Together, these contributions can be a baseline for educators looking to create courses on ethical hacking topics. Ethical Hacking Penetration Testing Security Tools Computing Education Curriculum and Instruction Educational Technology Information Security
4	Investigating the security of a microservices architecture : A case study on microservice and Kubernetes Security Muresu, Daniel January 2021 (has links) The concept of breaking down a bigger application into smaller components is not a new idea, but it has been more commonly adopted in recent years due to the rise of the microservice application architecture. What has not been elaborated on enough however, is the security of the microservice architecture and how it differs from a monolithic application architecture. This leads to question what the most relevant security vulnerabilities of integrating and using a microservice architecture are, and what the correlating metrics that can be used to detect intrusions based on the vulnerabilities can be. In this report, the security of the microservice architecture is elaborated on in a case study of the system at Skatteverket, the Swedish tax agency, which is a microservice based architecture running on Kubernetes. Interviews are conducted with people that have experience in Kubernetes and microservices separately, both employed at Skatteverket and elsewhere. In the interviews, vulnerabilities and intrusion detection metrics are identified, which are then analyzed with respect to a use case in the Skatteverket system. A survey is also done on the existing technologies that can mitigate the identified vulnerabilities that are related to a microservice architecture. The vulnerabilities present in the use case are then concluded to be most relevant, the identified intrusion detection metrics are elaborated on and the service mesh technology Istio is found to mitigate largest number of the identified vulnerabilities. / Konceptet att bryta ner en större applikation i mindre komponenter är inte en ny idé, men den har blivit vanligare under de senaste åren på grund av växten i användning av mikrotjänstsarkitekturer. Vad som dock inte har utforskats tillräckligt är säkerheten för mikrotjänstarkitekturen och hur den skiljer sig från en monolitisk applikationsarkitektur. Detta leder till att fråga vilka de mest relevanta säkerhetsriskerna med att integrera och använda en mikrotjänstarkitektur är, och vilka mätvärden som kan användas för att upptäcka intrång baserat på riskerna kan vara. I denna rapport utforskas säkerheten för mikrotjänstarkitekturer genom en fallstudie av systemet hos Skatteverket, som är en mikrotjänstbaserad arkitektur som körs på Kubernetes. Intervjuer genomförs med personer som har erfarenhet av Kubernetes och mikrotjänster separat, både med anställda på Skatteverket och på annat håll. I intervjuerna identifieras risker och mätvärden för att märka av intrång som sedan analyseras med avseende på ett användningsfall i Skatteverketssystemet. En undersökning görs också om befintlig teknik som kan mildra de identifierade riskerna som är relaterade till en mikrotjänstarkitektur. De risker som förekommer i användningsfallet anses sedan till att vara mest relevanta i slutsatserna, de identifierade mätvärdena för att märka av intrång diskuteras och service mesh teknologin Istio anses mitigera störst antal av de identifierade riskerna. Microservices Security Kubernetes Intrusion detection Security tools Mikrotjänster säkerhet Kubernetes upptäcka intrång säkerhetsverktyg Computer Sciences Datavetenskap (datalogi)
5	Implementering DevSecOps metodik vid systemutveckling för hälso och sjukvård / Implementing DevSecOps methodology for healthcare system development Abd Alwaheb, Sofia January 2023 (has links) Inom hälso- och sjukvården är IT-säkerhet avgörande för att skydda både personlig information och patientsäkerheten. För närvarande genomförs implementering av säkerhetsåtgärder och tester efter mjukvaruutvecklingen, vilket kan minska effektiviteten och utgöra en potentiell risk för patienternas integritet. Detta arbete undersökte implementeringen av DevSecOps-metodiken inom hälso- och sjukvården med fokus på utvecklingsfasen. Genom att intervjua anställda och använda säkerhetsverktyg som SAST, kodgranskning, penetrationstestning och DAST identifierades fördelar och utmaningar. Utmaningarna inkluderade brist på säkerhetskunskap och svårighet att integrera verktyg kostnadsfritt. Trots detta visade resultatet på möjligheten att förbättra säkerheten, effektivisera arbetet och spara pengar genom att använda gratis verktyg och implementera säkerhet redan i utvecklingsfasen. Utbildning och anställning av säkerhetskompetent personal betonades också som viktigt för att upprätthålla höga säkerhetsstandarder / In healthcare, IT security is crucial for protecting both personal information and patient safety. Currently, the implementation of security measures and testing is done after software development, which can reduce efficiency, and pose a potential risk to patient privacy. This study examined the implementation of the DevSecOps methodology in healthcare, focusing on the development phase. By interviewing employees and using security tools such as SAST, code review, penetration testing, and DAST, benefits and challenges were identified. The challenges included a lack of security knowledge and difficulty integrating tools for free. Despite this, the results demonstrated the potential to enhance security, streamline operations, and save money by utilizing free tools and implementing security during the development phase. Training and hiring security-competent personnel were also emphasized as important for maintaining high security standards. DevSecOps healthcare security tools implementation security development phase automated tests DevSecOps hälso- och sjukvård säkerhetsverktyg implementering säkerhet utvecklingsfas automatiserade tester Computer Engineering Datorteknik
6	A Solution to Selecting Cyber-Security Software Tools for an Organization Using Security Controls Marcos Conca, Alexandre January 2017 (has links) In the last decade, cyber-threats have evolved dramatically, forcing organizations yearafter year to use increasingly sophisticated security measures, security software amongothers. This has led to a huge increase in the number of security tools available in theindustry. The result of the increase is that that companies often do not know in whichsoftware to invest in order to meet their security needs. The purpose of this thesis isto address this problem by developing a solution that helps companies to choose theright security software based on their security needs and that allows to do the selectionprocess in a systematic and reliable way.The solution proposed in the thesis builds on interviews with experts in information security,data collection from the literature and Internet and on a case study. The solutionconsists of rstly an investigate method with which it is possible to categorize any securitytool according to the list of cyber-security controls proposed by CIS Critical SecurityControls (CSC), which were chosen after a comparative study with other publicly availablecontrols because they are actionable, relevant and updated frequently. Secondly,the solution proposes a user-friendly web tool that has been developed to allow the usersto visualize the collected information for comparison. The visualization tool will helpthe users to select the security tools in which the company could be interested to investin. The visualization is done in a simple way and the CSCs that would be covered areshown together with the gaps and the overlaps of the selected tools. In order to verifythe viability of the solution that was developed with real data, the project includes acase study with a representative set of security tools. The case study facilitates thecomprehension of the process undertaken and shows how this method could be appliedin a real case scenario. / Under det senaste decenniet har cyberhot utvecklats dramatiskt. Hotet tvingar organisationeratt år efter år använda allt mer sofistikerade säkerhetsåtgärder, bland annatsäkerhetsmjukvara. Detta har lett till en enorm ökning av antalet av säkerhetsverktygsom finns i branschen. Resultatet av ökningen är att företag ofta inte vet i vilken programvarade borde investera i för att möta sina säkerhetsbehov. Syftet med dennarapporten är att ta itu med detta problem genom att utveckla en lösning som hjälperföretag att välja rätt säkerhetsprogramvara baserat på deras säkerhetsbehov och somgör urvalsprocessen på ett systematiskt och tillförlitligt sätt.Den lösning som föreslås i rapporten bygger på intervjuer med experter inom informationssäkerhet, datainsamling från litteraturen och Internet och på en fallstudie. Lösningenbestår först av en utredningsmetod med vilken det är möjligt att kategorisera vilketsäkerhetsverktyg som helst enligt listan över cybersäkerhetskontroller som publiceras avCIS Critical Security Controls (CSC). CSC valdes efter en jämförande studie som inkluderadeandra allmänt tillgängliga förteckningar över kontrollerna, eftersom CSC kontrollerär genomförbara, relevanta och uppdateras ofta. För det andra föreslår lösningen ettanvändarvänligt webbverktyg som har utvecklats för att göra det möjligt för användareatt visualisera den insamlade informationen för jämförelse. Visualiseringsverktyget kommeratt hjälpa användarna välja säkerhetsverktyg som företaget kan vara intresseradeav att investera i. Visualiseringen sker på ett enkelt sätt och CSCs som omfattas visastillsammans med de luckor och överlappningar som finns i den valda programvaran.För att bekräfta genomförbarhet för den lösning som utvecklats med verkliga data,omfattar projektet en fallstudie med ett representativt urval av säkerhetsverktyg. Fallstudienunderlättar förståelsen för klassificeringen och urvalsprocessen genom att visahur denna metod skulle kunna tillämpas i ett verkligt fall. Information Security Critical Security Controls Investigative Method Security Tools Web Tool Informationssakerhet Kritiska Sakerhetskontroller Undersokande Metod Sakerhetsverktyg Webbverktyg Elektroteknik och elektronik
7	Less Detectable Web Scraping Techniques / Mindre Detekterbara Webbskrapningstekniker Färholt, Fredric January 2021 (has links) Web scraping is an efficient way of gathering data, and it has also become much eas- ier to perform and offers a high success rate. People no longer need to be tech-savvy when scraping data since several easy-to-use platform services exist. This study conducts experiments to see if people can scrape in an undetectable fashion using a popular and intelligent JavaScript library (Puppeteer). Three web scraper algorithms, where two of them use movement patterns from real-world web users, demonstrate how to retrieve information automatically from the web. They operate on a website built for this research that utilizes known semi-security mechanisms, honeypot, and activity logging, making it possible to collect and evaluate data from the algorithms and the website. The result shows that it may be possible to construct a web scraper algorithm with less detectability using Puppeteer. One of the algorithms reveals that it is possible to control computer performance using built-in methods in Puppeteer. / Webbskrapning är ett effektivt sätt att hämta data på, det har även blivit en aktivitet som är enkel att genomföra och chansen att en lyckas är hög. Användare behöver inte längre vara fantaster inom teknik när de skrapar data, det finns idag mängder olika och lättanvändliga plattformstjänster. Den här studien utför experi- ment för att se hur personer kan skrapa på ett oupptäckbart sätt med ett populärt och intelligent JavaScript bibliotek (Puppeteer). Tre webbskrapningsalgoritmer, där två av dem använder rörelsemönster från riktiga webbanvändare, demonstrerar hur en kan samla information. Webbskrapningsalgoritmerna har körts på en hemsida som ingått i experimentet med kännbar säkerhet, honeypot, och aktivitetsloggning, nå- got som gjort det möjligt att samla och utvärdera data från både algoritmerna och hemsidan. Resultatet visar att det kan vara möljligt att skrapa på ett oupptäckbart sätt genom att använda Puppeteer. En av algoritmerna avslöjar även möjligheten att kontrollera prestanda genom att använda inbyggda metoder i Puppeteer. web scraping data mining javascript puppeteer algorithms data collection security mechanisms honeypot security tools undetectability webbskrapning data mining javascript puppeteer algoritmer datakollektion säkerhetsmekanismer honeypot säkerhetsverktyg oupptäckbar Engineering and Technology Teknik och teknologier
8	Security Tools in DevSecOps : A Systematic Literature Review / Säkerhetsverktyg i DevSecOps : En systematisk litteraturöversikt Martelleur, Joel, Hamza, Amina January 2022 (has links) DevSecOps emerged to mitigate the challenges of integrating security into DevOps. DevOps have grown tremendously, leading to difficulties in integrating security tools in its development process while maintaining speed and agility. This study aims to investigate the security tools in DevSecOps and how they have been reported in previous literature. The main objective of this study is to provide a knowledge base concerning security tools in DevSecOps that can be used to mitigate challenges regarding the selection and use of security tools in the context of DevSecOps. A systematic literature review was adopted for the research. The study collected a total of 228 studies published between 2015 and 2022; fourteen of these papers were selected to be used for data extraction after conducting a thorough review protocol. This study has identified thirteen security tool categories used or recommended to be used in DevSecOps. These tools have been structured into seven phases of the development process and five security practices. Additionally, this study has identified twelve drawbacks and sixteen recommendations concerning the use of these security tools in DevSecOps. The security tools categories, recommendations, and drawbacks identified in this study could potentially be used to facilitate the challenges of selecting and using security tools in DevSecOps and similar methodologies that rely on automation and delivering software frequently. DevSecOps DevOps Security Tools SDLC phases Shift Security to the Left Continuous Security Automation Systematic Literature Review DevSecOps DevOps Säkerhetsverktyg SDLC-faser Skift säkerhet till vänster Kontinuerlig säkerhet Automation Systematisk litteraturgranskning Övrig annan teknik

Search results