• Title/Summary/Keyword: security testing

Search Result 379, Processing Time 0.028 seconds

Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis

  • Talib, Nurul Atiqah Abu;Doh, Kyung-Goo
    • Journal of Software Assessment and Valuation
    • /
    • v.17 no.2
    • /
    • pp.125-142
    • /
    • 2021
  • Reports of rampant cross-site scripting (XSS) vulnerabilities raise growing concerns on the effectiveness of current Static Analysis Security Testing (SAST) tools as an internet security device. Attentive to these concerns, this study aims to examine seven open-source SAST tools in order to account for their capabilities in detecting XSS vulnerabilities in PHP applications and to determine their performance in terms of effectiveness and analysis runtime. The representative tools - categorized as either text-based or graph-based analysis tools - were all test-run using real-world PHP applications with known XSS vulnerabilities. The collected vulnerability detection reports of each tool were analyzed with the aid of PhpStorm's data flow analyzer. It is observed that the detection rates of the tools calculated from the total vulnerabilities in the applications can be as high as 0.968 and as low as 0.006. Furthermore, the tools took an average of less than a minute to complete an analysis. Notably, their runtime is independent of their analysis type.

Analyses of Security for Software Attack (소프트웨어 공격에 대한 보안성 분석)

  • Kim, Jung-Tae
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2007.10a
    • /
    • pp.725-728
    • /
    • 2007
  • Software security is about making software behave correctly in the presence of a malicious attack, even though software failures usually happen spontaneously in the real world. Standard software testing literature is concerned only with what happens when software fails, regardless of intent. The difference between software safety and software security is therefor the presence of an intelligent adversary bent on breaking the system. Software security for attacking the system is presented in this paper

  • PDF

An Empirical Study of Relationship between Information Security Investment and Information Security Incidents : A Focus on Information Security Training, Awareness and Education Service Sector (정보보안 투자가 침해사고에 미치는 영향에 대한 실증분석 : 정보보안 교육 서비스 투자를 중심으로)

  • Lee, Hansol;Chai, Sangmi
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.1
    • /
    • pp.269-281
    • /
    • 2018
  • Many organizations are threatened by numerous information security attacks which are resulting in information security incidents. To prevent information security incidents, organizations invest on various information security measures like information security products, monitoring services and security training and educations. However they do not have enough knowledge about measurable utilities of information security investments. Since there is little studies empirically examining the effect of information security investments, this research aims to find out utilities of information security investment. We especially focuse on information security service investments. This study examined the data from the survey on information security for business sector which was conducted by Korean information & security agency. We utilized negative binomial regression model, which is a suitable model for over-dispersed count data. We found out that an investment on information security education and vulnerability testing have direct impact on reducing information security incidents. This research academically contributed to shed light on the utility of information security investments on reducing information security incidents. This research practically contributed to providing information security investment guideline for organizations which want to reduce information security incidents efficiently.

A Study on Security Measure of Step-Wise Project (단계별 프로젝트 보안 방안에 대한 연구)

  • Shin, Seong-Yoon;Jang, Dai-Hyun;Kim, Hyeong-Jin
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.16 no.11
    • /
    • pp.2459-2464
    • /
    • 2012
  • Many companies has led to the damage case being leaked to personal information by taking cyber attack. Also, planned hacking cases continues to increase for the purpose of acquiring monetary gain or causing social disruption induction, etc. Approximately 75% of the Web site attacks exploit the vulnerability of the application. Major security issue is to strengthen the S/W development security according to the legal basis. The members of the project team is the fact that the lack of recognition of application development security. In addition, passive response and security validation/testing, etc. throughout the SDLC to the entire area is insufficient. Therefore, rework due to the belated discovery of a defect has occurs. In this paper, we examine the case of the project step-by-step security activities by performing IT services companies. And, through this, we present security measures that can be applied to the step-wise real-world projects.

Cyclic behavior of self-centering braces utilizing energy absorbing steel plate clusters

  • Jiawang Liu;Canxing Qiu
    • Steel and Composite Structures
    • /
    • v.47 no.4
    • /
    • pp.523-537
    • /
    • 2023
  • This paper proposed a new self-centering brace (SCB), which consists of four post-tensioned (PT) high strength steel strands and energy absorbing steel plate (EASP) clusters. First, analytical equations were derived to describe the working principle of the SCB. Then, to investigate the hysteretic performance of the SCB, four full-size specimens were manufactured and subjected to the same cyclic loading protocol. One additional specimen using only EASP clusters was also tested to highlight the contribution of PT strands. The test parameters varied in the testing process included the thickness of the EASP and the number of EASP in each cluster. Testing results shown that the SCB exhibited nearly flag-shape hysteresis up to expectation, including excellent recentering capability and satisfactory energy dissipating capacity. For all the specimens, the ratio of the recovered deformation is in the range of 89.6% to 92.1%, and the ratio of the height of the hysteresis loop to the yielding force is in the range of 0.47 to 0.77. Finally, in order to further understand the mechanism of the SCB and provide additional information to the testing results, the high-fidelity finite element (FE) models were established and the numerical results were compared against the experimental data. Good agreement between the experimental, numerical, and analytical results was observed, and the maximum difference is less than 12%. Parametric analysis was also carried out based on the validated FE model to evaluate the effect of some key parameters on the cyclic behavior of the SCB.

An Improved Side Channel Power Analysis with OP-Amp (OP-Amp를 적용한 향상된 부채널 전력분석 방법)

  • Kim, JinBae;Ji, JaeDeok;Cho, Jong-Won;Kim, MinKu;Han, Dong-Guk
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.3
    • /
    • pp.509-517
    • /
    • 2015
  • Side Channel Analysis of applying the power-consumption was known as effective method to analyze the key of security device based on chip. The precedential information of power-consumption was measured by the voltage distribution method using by series connection of resistor. This method was dependent on the strength of the voltage. If the voltage cannot be acquired much information which is involved with the key, the information of power-consumption significantly might be influenced by noise. If so, some of the information of power-consumption might be lost and distorted. Then, this loss can reduce the performance of the analysis. For the first time, this paper will be introduced the better way of the improvement with using the method of Current to Voltage Converter with OP-Amp. The suggested method can reduce the effect of the noise which is included in the side channel information. Therefore we can verify the result of our experiments which is provided with the improvement of the performance of side channel analysis.

Study on Developing a Monitoring System for Safe Fire Testing (안전한 탄 발사시험을 위한 모니터링 시스템 개발에 관한 연구)

  • Ki Jae-sug
    • Proceedings of the Safety Management and Science Conference
    • /
    • 2005.05a
    • /
    • pp.453-459
    • /
    • 2005
  • On this research, we show some concrete examples as software design, 2D/3D display, graph display, and gage display to develop a data monitoring system for real time safe fire testing. Developed software which is simulation software for live fire testing, has been designed to display informations about whole test status in a live fire testing, and with this, user can control a live fire testing under the safe environment. Beside, we increase a security by using a authority of user to access on this software. and we develop it based on module designed to apply a requirement of user later on.

  • PDF

Study on Developing a Monitoring System for Safe Fire Testing (안전한 탄 발사시험을 위한 모니터링 시스템 개발에 관한 연구)

  • Ki Jae Sug
    • Journal of the Korea Safety Management & Science
    • /
    • v.7 no.2
    • /
    • pp.65-72
    • /
    • 2005
  • On this research, we show some concrete examples as software design, 2D/3D display, graph display, and gage display to develop a data monitoring system for real time safe fire testing. Developed software which is simulation software for live fire testing, has been designed to display informations about whole test status in a live fire testing, and with this, user can control a live fire testing under the safe environment. Beside, we increase a security by using a authority of user to access on this software. and we develop it based on module designed to apply a requirement of user later on.

A Study on the Effect of Integrated Leakage Rate Testing of Containment Vessel due to the Type A Testing Time (격납건물 ILRT 본시험시간이 시험에 미치는 영향에 관한 연구)

  • Kim, Chang-Soo;Moon, Yong-Sig
    • Transactions of the Korean Society of Pressure Vessels and Piping
    • /
    • v.8 no.3
    • /
    • pp.1-6
    • /
    • 2012
  • The containment Integrated Leakage Rate Testing(ILRT) of nuclear power plants in Korea is performed in accordance with NSSC(Nuclear Safety and Security Commission) code 2012-16 and ANSI/ANS 56.8-1994. Nuclear power plants in Korea and the United States are to apply same test criteria, ANSI/ANS 56.8-1994, except type A testing time. NPPs in Korea apply 24 hours according to NSSC code 2012-16, but NPPs in United States apply 8 hours according to 10CFR50 App. J for type A test. So, there are many difficulties in order to perform ILRT in Korea. In this study, I review the impact on the ILRT results and the effect of ILRT due to type A testing time. The future, we will continue study to enhance the test reliability and improve these problems.

Control strategy for the substructuring testing systems to simulate soil-structure interaction

  • Guo, Jun;Tang, Zhenyun;Chen, Shicai;Li, Zhenbao
    • Smart Structures and Systems
    • /
    • v.18 no.6
    • /
    • pp.1169-1188
    • /
    • 2016
  • Real-time substructuring techniques are currently an advanced experimental method for testing large size specimens in the laboratory. In dynamic substructuring, the whole tested system is split into two linked parts, the part of particular interest or nonlinearity, which is tested physically, and the remanding part which is tested numerically. To achieve near-perfect synchronization of the interface response between the physical specimen and the numerical model, a good controller is needed to compensate for transfer system dynamics, nonlinearities, uncertainties and time-varying parameters within the physical substructures. This paper presents the substructuring approach and control performance of the linear and the adaptive controllers for testing the dynamic characteristics of soil-structure-interaction system (SSI). This is difficult to emulate as an entire system in the laboratory because of the size and power supply limitations of the experimental facilities. A modified linear substructuring controller (MLSC) is proposed to replace the linear substructuring controller (LSC).The MLSC doesn't require the accurate mathematical model of the physical structure that is required by the LSC. The effects of parameter identification errors of physical structure and the shaking table on the control performance of the MLSC are analysed. An adaptive controller was designed to compensate for the errors from the simplification of the physical model in the MLSC, and from parameter identification errors. Comparative simulation and experimental tests were then performed to evaluate the performance of the MLSC and the adaptive controller.