
Challenges and mitigation approaches for getting secured applications in an enterprise company

Published: 27 August 2018

Abstract

For years, many companies have focused on protecting their infrastructure adequately while underestimating the need to secure their applications. This is changing, but according to security research companies such as WhiteHat and Gartner, many vulnerabilities are still present in applications. These vulnerabilities exist at different levels, such as architecture and code, and have multiple sources: wrong requirements, processes, tools, unskilled developers, or all of these at once. In this paper we present the challenges we discovered while applying mitigation approaches during the security journey of an enterprise company in the automotive industry.



Published In

cover image ACM Other conferences
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN:9781450364485
DOI:10.1145/3230833
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • Universität Hamburg

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Business driven security
  2. SDL
  3. agile development
  4. application security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 Paper Acceptance Rate 128 of 260 submissions, 49%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months)2
  • Downloads (Last 6 weeks)0
Reflects downloads up to 07 Mar 2025

Cited By

  • (2024)Training Developers to Code Securely: Theory and PracticeProceedings of the 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability10.1145/3643662.3643956(37-44)Online publication date: 15-Apr-2024
  • (2023)Combining SABSA and Vis4Sec to the Process Framework IdMSecMan to Continuously Improve Identity Management Security in Heterogeneous ICT InfrastructuresApplied Sciences10.3390/app1304234913:4(2349)Online publication date: 11-Feb-2023
  • (2023)Unhelpful Assumptions in Software Security ResearchProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623122(3460-3474)Online publication date: 15-Nov-2023
  • (2023)Boundary resource management in innovation ecosystems: The case of e-commerceElectronic Markets10.1007/s12525-023-00651-633:1Online publication date: 29-May-2023
  • (2022)Towards a Conceptual Framework for Security Requirements Work in Agile Software DevelopmentInternational Journal of Systems and Software Security and Protection10.4018/IJSSSP.202001010311:1(33-62)Online publication date: 17-May-2022
  • (2022)Towards a Conceptual Framework for Security Requirements Work in Agile Software DevelopmentResearch Anthology on Agile Software, Software Development, and Testing10.4018/978-1-6684-3702-5.ch012(247-279)Online publication date: 2022
