Security & Privacy, IEEE

Issue 3 • Date May-June 2012

  • [Front cover]

    Page(s): c1
    Freely Available from IEEE
  • Usenix 2012 house advertisement

    Page(s): c2
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    Freely Available from IEEE
  • A Key to the Castle

    Page(s): 3
    Freely Available from IEEE
  • [Masthead]

    Page(s): 4
    Freely Available from IEEE
  • Security Analytics and Measurements

    Page(s): 5 - 8

    The magazine's founding editor in chief, George Cybenko, and his first successor, Carl E. Landwehr, provide perspectives on the need for measuring security and the meaning of those measurements in the context of adversarial dynamics.
  • Silver Bullet Talks with Giovanni Vigna

    Page(s): 9 - 11
    Freely Available from IEEE
  • Security, Privacy, and Policy Roundup

    Page(s): 12 - 13
    Freely Available from IEEE
  • Guest editors' introduction: Software Assurance for the Masses

    Page(s): 14 - 15
    Freely Available from IEEE
  • Transitioning Parfait into a Development Tool

    Page(s): 16 - 23

    The Parfait static-code-analysis tool started as a research project at Sun Labs (now Oracle Labs) to address runtime and precision shortcomings of C and C++ static-code-analysis tools. After developers started to see and verify the research outcomes, they made further requests to ensure the tool would be easy to use and integrate. This helped transition Parfait from a research artifact to a developer tool. Developers use Parfait daily to prevent the introduction of defects into code bases and to report defects in existing code. Several organizations at Oracle have integrated it into build processes.
  • The Software Industry's "Clean Water Act" Alternative

    Page(s): 24 - 31

    With water, we trust that qualities harmful to its intended use aren't present. To avoid a regulatory solution to problems with contaminants that endanger software's intended use, the industry needs to implement processes and technical methods for examining software for the contaminants that are most dangerous given its intended use. By finding systematic and verifiable ways to identify, remove, and verify contaminated software, software providers can improve customers' confidence in systems and possibly avoid regulatory solutions.
  • SAVI: Static-Analysis Vulnerability Indicator

    Page(s): 32 - 39

    Open source software presents new opportunities for software acquisition but introduces risks. The selection of open source applications should take into account both features and security risks. Risks include security vulnerabilities, of which published vulnerabilities are only the tip of the iceberg. Having an application's source code lets us look deeper at its security. SAVI (Static-Analysis Vulnerability Indicator) is a metric for assessing risks of using software built by external developers. It combines several types of static-analysis data to rank application vulnerability.
  • Measuring the Value of Static-Analysis Tool Deployments

    Page(s): 40 - 47

    For optimum success, static-analysis tools must balance the ability to find important defects against the risk of false positive reports. A human must interpret each reported warning to determine if any action is warranted, and the criteria for judging warnings can vary significantly depending on the analyst's role, the security risk, the nature of the defect, the deployment environment, and many other factors. These considerations mean that it can be difficult to compare tools with different characteristics, or even to arrive at the optimal way to configure a single tool. This article presents a model for computing the value of using a static-analysis tool. Given inputs such as engineering effort, the cost of an exploited security vulnerability, and some easily measured tool properties, the model lets users make rational decisions about how best to deploy static analysis.
  • Static Analyzers: Seat Belts for Your Code

    Page(s): 48 - 52

    Just as seat belt use is widespread, static analysis should be part of ethical software development. Because security must be designed in, static analysis should occur early in software development to reduce vulnerabilities or, even better, provide feedback to educate software developers and reinforce good practices, minimizing vulnerable constructs ever getting in the code. Even as industry migrates to languages safer than unconstrained C, thus eliminating many possible weaknesses, static analysis can be even more useful to check annotations, guarantees, conditions, and specifications provided by developers.
  • Static Analysis in Motion

    Page(s): 53 - 56

    As part of this special issue on static analysis, guest editor Brian Chess put together a roundtable discussion with leaders in the field. Here, they discuss their views on where static analysis is today and what's required to make it an effective part of creating secure and reliable software.
  • Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?

    Page(s): 57 - 63
    Multimedia

    Information breaches demand a vigorous response from organizations. The traditional response is to institute policies to constrain and control employee behavior. Information security policies inform employees about appropriate uses of information technology in an organization. Unfortunately, limited evidence exists that such policies effectively reduce confidentiality breaches or information loss. This article explores the possible reasons for this and reports on a survey aiming to detect the presence of these factors in a UK National Health Service health board. This article argues that you must pay attention to the entire system, instead of focusing merely on individuals in the system. The survey shows how the pressures on the organization's staff members and the rules imposed by the policies often place staff in an impossible or untenable position. They sometimes feel this leaves them no option but to break the rules just to do their work. The Web extra is a list of additional resources.
  • Detecting Targeted Malicious Email

    Page(s): 64 - 71

    Targeted malicious emails (TME) for computer network exploitation have become more insidious and more widely documented in recent years. Beyond spam or phishing designed to trick users into revealing personal information, TME can exploit computer networks and gather sensitive information. They can consist of coordinated and persistent campaigns that can span years. A new email-filtering technique based on email's persistent-threat and recipient-oriented features with a random forest classifier outperforms two traditional detection methods, SpamAssassin and ClamAV, while maintaining reasonable false positive rates.
  • Resilience: What Is It, and How Much Do We Want?

    Page(s): 72 - 75

    The word “resilience” is increasingly popular to designate some properties we want from systems. When we use this word, do we all mean the same concept? Or the same set of multiple concepts? How do we know when we've achieved it, or them, or a certain amount of them? To design systems, write contracts, or manage organizations, we need some common view about all this.
  • NICE: Creating a Cybersecurity Workforce and Aware Public

    Page(s): 76 - 79

    The National Initiative for Cybersecurity Education (NICE) aims to create an operational, sustainable, and continually improving program for cybersecurity awareness, education, training, and workforce development. As part of the initiative, the NICE Cybersecurity Workforce Framework aims to codify cybersecurity talent; define the cybersecurity workforce in common terms; and tie the workforce's various jobs, competencies, and responsibilities into a common architecture.
  • Hardware-Anchored Security Based on SRAM PUFs, Part 1

    Page(s): 80 - 83

    Physical unclonable functions (PUFs) originate in intrinsic properties extracted from devices and objects for the purpose of identification. A special type of silicon PUFs called SRAM (static RAM) PUFs can help make integrated circuits more secure.
  • The Clouds Roll By

    Page(s): 84 - 87

    Technology changes have driven us first away from centralized computer services and now back toward centralization. Security and reliability are likely to improve as expertise is also centralized and fewer demands are placed on the relatively inexperienced individual users.
  • Developing Secure Products in the Age of Advanced Persistent Threats

    Page(s): 88 - 92

    Advanced persistent threats (APTs) are making technology providers reconsider their security assumptions for secure product development. This article suggests an industry roadmap for rethinking product security in the face of APTs. It also describes steps EMC has taken to implement this roadmap and strengthen its product development practices.
  • ICS Update

    Page(s): 93 - 95

    The natal announcement for the Index of Cyber Security (ICS) first appeared in these pages one year ago. As we promised at the outset, its first birthday marked the time for a review. The ICS is composed from a survey of expert sentiment, that is to say, it asks a set of respondents what they think. Sentiment-based indices have a long history and wide acceptance; two (US) examples are the Consumer Confidence Index and the Purchasing Managers Index. Generally speaking, sentiment-based indices are vulnerable to misinformed respondents. This is conquered either by large-scale sample randomization (Consumer Confidence) or by careful selection of respondents (Purchasing Managers). The ICS goes with the latter: it gathers a composite of cybersecurity expert opinions that aren't generalizable to any description of the public at large.
  • Fighting the Last War

    Page(s): 96
    Freely Available from IEEE
  • Magazine subscribe house advertisement

    Page(s): c3
    Freely Available from IEEE

Aims & Scope

The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and present these advances in a form that can be useful to a broad cross-section of the professional community, ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.

Meet Our Editors

Editor-in-Chief
Shari Lawrence Pfleeger
shari.l.pfleeger@dartmouth.edu