Information Technology and Security, Vol. 8, Iss. 1 (14)
Browsing Information Technology and Security, Vol. 8, Iss. 1 (14) by Keywords "004[942::413.4]"
Document, Open Access
Applications containers security model (Institute of Special Communication and Information Protection of National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, 2020)
Misnik, Oleksii
The purpose of container environments for the development, delivery and operation of various types of software applications has been established. Web and mobile applications have the most widespread use. This is due to the container media’s emphasis on quick loading and installation. Using this method, you can think of the infrastructure as code and get the benefits associated with it. First and foremost, it accelerates the development of software applications, particularly reducing the time between their conception and launch. This is facilitated by the use of download utilities, the deployment of container environments on container virtualization platforms, and the management of software applications. Despite this, the necessity to secure the security of software programs limits the adoption of container systems in practice. This is primarily due to the use of standard approaches based on intrusion detection systems. Features of container environments in relation to real settings were overlooked when they were first introduced. Taking into account the vulnerabilities and dangers of container virtualization platforms, as well as monitoring the processes of container environments given the unique architecture and input load flow, it is important to keep in mind that there are only a few of them. A model for assuring the security of container environments of software programs is proposed to overcome the difficulties of employing intrusion detection systems. It is based on the idea of using system calls of the host system on the example of the Linux operating system. This is because they allow the software applications to interact with the kernel.
As a result, users have been identified as the sources of probable intrusions into container environments. Additionally, there are examples of atypical commands for analysis during the execution of system calls. Based on the obtained results, the stages of intrusion detection and the transitions between them have been distinguished. As a result, the Petri net is used to formalize this process. During the intrusion detection, it has been defined by the numerous sets of stages, transitions between stages, relations between stages, and transitions. As a result of the suggested approach, the security aspects of container environments for software applications are possible to be established.

Document, Open Access
Mobile applications vulnerabilities testing model (Institute of Special Communication and Information Protection of National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, 2020)
Antonishyn, Mykhailo
The process of testing vulnerabilities of mobile software applications has been analysed. This is due to the need to prevent violations of confidentiality, integrity and availability of information. Individual users and the state as a whole benefit from the preservation of these properties. However, in practice this is mostly neglected, and attention is paid to functional testing, while the known approaches to testing vulnerabilities of mobile software applications are focused on the study of certain aspects: either a server or a client. At the same time, the applicability of the international standards of testing vulnerabilities in mobile software applications has been established. A characteristic feature of their guidelines is the focus on OWASP methodology. It determines the rating of the most critical vulnerabilities, standard and test scenarios, tools for determining the level of security. They are summed up in OWASP Mobile TOP 10, OWASP MASVS, and OWASP MSTG recommendations.
According to OWASP MSTG, vulnerabilities in mobile software apps are tested using OWASP MASVS. There are three parts in these documents, which are the following: general, Android, iOS. Also, these documents define common scenarios for each level of testing vulnerabilities in mobile software applications, as stated in MASVS. The level of security of mobile software applications is determined based on the results of the tests, namely: the test has been passed, the test has not been passed, and the test is not used for the mobile software application. However, the practical use of OWASP methodology is complicated by the focus on the client side of mobile software applications, the subjectivity of the choice of stages and their sequence. To prevent these limitations, a model for testing vulnerabilities in mobile software applications has been developed. A dependency graph is used to codify this procedure. This allows you to determine the stages of testing vulnerabilities in both client and server parts. In addition, it helps you to explain which testing stages to choose, their order, and the appropriate tools. This justification is accomplished by building a dependency relationship between them. An example of its formulation is “the execution of the next stage is preceded by the execution of the previous one”. The obtained results are demonstrated in the example of SSL pinning vulnerability testing.