Integrating and Monitoring Security in Software Applications

集成和监控软件应用程序中的安全性

• 批准号: RGPIN-2019-04651
• 负责人: Zulkernine, Mohammad
• 金额: $ 2.48万
• 依托单位: Queen's University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2019
• 资助国家: 加拿大
• 起止时间: 2019-01-01 至 2020-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=685278
• 关键词: Integrating; Monitoring; Security; Software; Applications

Major software security breaches occur daily in Canada and around the world. It is thus critical to improve software security to ensure that the digital environment is helpful and trusted by users. To deliver software functionalities in a timely manner for emerging domains such as the cloud, software service providers usually prioritize functionality over security requirements, resulting in software with potential security risks and systems vulnerable to attack. The growing complexity of software systems and their ever-changing runtime environments requires improved capability of security analysts and software engineers to monitor the security of such systems. The proposed research program will develop a variety of automated techniques to develop secure software by addressing security issues in different stages of a development life cycle and subsequent monitoring at runtime.******The proposed research will develop methods and tools for intrusion scenario description and automatic signature generation from the scenarios. A monitoring system will be developed to detect intrusions into software systems by comparing their run-time behavior with the generated signatures. Commonly recurring security problems can be addressed using security patterns. Such patterns will be used to realize security requirements in software design, with violation detected by automatic runtime analysis of the patterns. As security patterns are the design components that correspond to security requirements, any violation of patterns will indicate violation of the requirements. Software-as-a-Service (SaaS) are being used more and more to access various applications anytime anywhere. Given the constant threat of various attacks on cloud-based systems, security requirements must be given the same importance as functionality requirements and to this end, the proposed research will provide a novel comprehensive platform that allows security requirements and services to be incorporated in each stage of the SaaS development lifecycle. We will investigate the underlying operational environments of cloud and build defense mechanisms in the development and monitoring stages for ensuring the security of the cloud environment and its applications or services.******This research program will play a vital role in bridging the gap between software engineering and security engineering practices for complex software of new paradigms and computing environments that include cloud. The program is in alignment with the Government of Canada's priority for information security and safety and its commitment to protect Canadians from cyberattacks. A unique aspect of this program is to provide a balanced training facility for two PhD and two MSc students each year that will include both software engineering and security engineering principles for developing more secure software applications.

加拿大和世界各地每天都发生重大软件安全漏洞。因此，必须提高软件安全性，以确保数字环境对用户有帮助并受到用户的信任。为了及时为云等新兴领域提供软件功能，软件服务提供商通常将功能优先于安全要求，导致软件存在潜在的安全风险，系统容易受到攻击。软件系统的日益复杂性及其不断变化的运行时环境要求安全分析师和软件工程师提高监控此类系统安全性的能力。拟议的研究计划将开发各种自动化技术，通过解决开发生命周期不同阶段的安全问题和运行时的后续监控来开发安全软件。该研究将开发入侵场景描述和场景自动签名生成的方法和工具。将开发一个监测系统，通过将软件系统的运行时行为与生成的签名进行比较来检测对软件系统的入侵。通常反复出现的安全问题可以使用安全模式来解决。这些模式将用于实现软件设计中的安全需求，并通过模式的自动运行时分析来检测违规行为。由于安全模式是与安全需求相对应的设计组件，因此任何违反模式的行为都将表明违反了需求。软件即服务（SaaS）越来越多地用于随时随地访问各种应用程序。鉴于对基于云的系统的各种攻击的持续威胁，安全要求必须与功能要求同等重要，为此，拟议的研究将提供一个新颖的综合平台，允许将安全要求和服务纳入SaaS开发生命周期的每个阶段。我们将调查云的底层运行环境，并在开发和监控阶段建立防御机制，以确保云环境及其应用或服务的安全。这项研究计划将在弥合软件工程和安全工程实践之间的差距，为新的范例和计算环境，包括云复杂软件发挥至关重要的作用。该计划符合加拿大政府对信息安全和保障的优先考虑，以及保护加拿大人免受网络攻击的承诺。该计划的一个独特方面是每年为两名博士和两名硕士学生提供平衡的培训设施，其中包括软件工程和安全工程原则，以开发更安全的软件应用程序。