Similar literature (20 results)
1.
In today’s dynamic business environments, organizations are under pressure to modernize their existing software systems in order to respond to changing business demands. Service oriented architectures provide a composition framework to create new business functionalities from autonomous building blocks called services, enabling organizations to quickly adapt to changing conditions and requirements. Characteristics of services offer the promise of leveraging the value of enterprise systems through source code reuse. In this respect, existing system components can be used as the foundation of newly created services. However, one problem to overcome is the lack of business semantics to support the reuse of existing source code. Without sufficient semantic knowledge about the code in the context of business functionality, it would be impossible to utilize source code components in services development. In this paper, we present an automated approach to enrich source code components with business semantics. Our approach is based on the idea that the gap between the two ends of an enterprise system—(1) services as processes and (2) source code—can be bridged via similarity of data definitions used in both ends. We evaluate our approach in the framework of a commercial enterprise systems application. Initial results indicate that the proposed approach is useful for annotating source code components with business specific knowledge.

2.
Model-driven Engineering (MDE) has attained great importance in both the Software Engineering industry and the research community, where it is now widely used to provide a suitable approach with which to improve productivity when developing software artefacts. In this scenario, measurement models (software artefacts) have become a fundamental point in improvement of productivity, where MDE and Software Measurement can reap mutual benefits. MDE principles and techniques can be used in software measurement to build more automatic and generic solutions, and to achieve this, it is fundamental to be able to develop software measurement models. To facilitate this task, a domain-specific language named “Software Measurement Modelling Language” (SMML) has been developed. This paper tackles the question of whether the use of SMML can assist in the definition of software measurement models. An empirical study was conducted, with the aim of verifying whether SMML makes it easier to construct measurement models which are more usable and maintainable as regards textual notation. The results show that models which do not use the language are more difficult—in terms of effort, correctness and efficiency—to understand and modify than those represented with SMML. Additional feedback was also obtained, to verify the suitability of the graphical representation of each symbol (element or relationship) of SMML.

3.
With ever growing and evolving threats and cyber attacks, the management of enterprise security and the security of enterprise management systems are key to business—if not a nation’s—operations and survival. Secur(e/ity) management, the moniker for the intertwined topics of secure management and security management, has evolved trying to keep pace. The history of secur(e/ity) management is traced from its origins in the disjoint silos of telecommunications, internetworking and computer security to today’s recognition as necessary, interdisciplinary, interworking technologies and operations. An overview of threats and attacks upon managed and management systems shows that occurrences of ever more sophisticated, complex and harder to detect cyber misconduct are increasing as are the severity and costs of their consequences. Introduction of new technologies, expansion of the perimeters of an enterprise and trends in collaborative business partnerships compound the number of managed system targets of cyber compromise. Technical and marketplace trends in secur(e/ity) management reveal needs that must be bridged. Research attention should focus on developing axiomatic understanding of the natural laws of security, tools to realize vulnerability-free software, metrics for assessing the efficacy of secur(e/ity) management, tools for default-deny strategies so that signature-based security management can be retired, secur(e/ity) management approaches for virtualized and service-oriented environments, and approaches for composite, holistic, secur(e/ity) management.
John Hale is an Associate Professor of Computer Science and Director of the Institute for Information Security at The University of Tulsa. His research interests include network attack modeling, analysis and visualization, secure operating systems, programmable security, distributed system verification, and policy coordination.

Paul J. Brusil, Ph.D., is a visionary and leader in the research, specification, architecting and education of security, networking and enterprise management. He convened and led industry, government and academic forums including the Integrated Management Symposia series and the National Information Assurance Partnership. He is a Senior Member of the IEEE and a long-time editor and advisor with the JNSM. He graduated from Harvard with a joint degree in Engineering and Medicine and is now lead faculty in Norwich University’s graduate program in Information Assurance.

4.
Homes that make us smart (cited by: 1; self-citations: 1; citations by others: 0)
In this article we consider what it should mean to build “smartness” or “intelligence” into the home. We introduce an argument suggesting that it is people who imbue their homes with intelligence by continually weaving together things in their physical worlds with their everyday routines and distinct social arrangements. To develop this argument we draw on four ongoing projects concerned with designing interactive surfaces. These projects illustrate how, through the use of surfaces like fridge doors and wall displays, and even bowl shaped surfaces, we keep in touch with one another, keep the sense of our homes intact, and craft our homes as something unique and special. Intelligence, here, is seen to be something that emerges from our interactions with these surfaces—seen in the thoughtful placement of things throughout the home’s ecology of surfaces. IT for the home is thus understood less as something to be designed as intelligent and more as a resource for intelligence. With apologies to Don Norman.

5.
In recent years business-to-business (B2B) e-commerce has been subject to major rethinking. A paradigm shift can be observed from document centric file-based interchange of business information to process-centric and, finally to service-based information exchange. On a business level, a lot of work has been done to capture business models and collaborative business processes of an enterprise; further initiatives address the identification of customer services and the formalization of business service level agreements (SLA). On a lower, i.e., technical level, the focus is on moving towards service-oriented architectures (SOA). These developments promise more flexibility, a market entry at lower costs and an easier IT-alignment to changing market conditions. This explains the overwhelming quantity of specifications and approaches targeting the area of B2B—these approaches are partly competing and overlapping. In this paper we provide a survey of the most promising approaches at both levels and classify them using the Open-edi reference model standardized by ISO. Whereas on the technical level, service-oriented architecture is becoming the predominant approach, on the business level the landscape is more heterogeneous. In this context, we propose—in line with the services science approach—to integrate business modeling with process modeling in order to make the transformation from business services to Web services more transparent.

6.
Veracode has analyzed more than 9,000 applications over the past 18 months, across 40 different industry sectors. These applications are both internally developed enterprise applications and those purchased by enterprises from software vendors. We measured the security quality of third-party software from large and small software vendors and compared the security quality of software written in different languages for different industry sectors. The paper will show that there are significant differences in the quantity and types of vulnerabilities in software due to differences in where the software was developed, the type of software it is, in what language it was developed, and for what type of business the software was developed.

7.
With the growing application of the Internet, business portal software is becoming increasingly complex given the wide variety of technologies it must integrate. It is therefore most important to have development environments that enable this type of software to be built efficiently. This justifies the need to evaluate the quality of business portal development environments.

The objective of this article is to propose the definition of a quality model for business portal development environments, based on ISO/IEC 9126, with the appropriate metrics for estimating quality. The estimation model was evaluated through a case study using a commercial business portal development environment. The Rational Unified Process (RUP) methodology was chosen to build a business portal prototype.

8.
Leading software shops (including Microsoft) are working hard to improve the way they build security into their products. Software security initiatives have proven beneficial for those organizations that have implemented them. Such initiatives involve the adoption and rollout of various types of best practices. The article describes an approach that works, with an emphasis on business process engineering that might be unfamiliar to technical practitioners. By following some commonsense steps, a software security improvement program has a greater chance of achieving its ultimate goal: software security that makes business sense.

9.
An information network system is built to obtain timely and accurate information about an enterprise's business operations and to provide a basis for its further business decisions. Taking hardware, software, data collection, management and network security into consideration, and in line with the operating model of coal enterprises, a system application software suited to coal enterprises was developed.

10.
Building a secure enterprise private network with PPTP (cited by: 2; self-citations: 0; citations by others: 2)
The PPTP scheme successfully solved the problem of building a secure enterprise private network, and was well validated during the network construction and business-system development of Shanghai Fudan High-Tech Group (上海复旦高科技集团).

11.
12.
Since the first systems and networks were developed, viruses and worms have kept pace with them, following these advances. So after a few technical evolutions, rootkits could move easily from userland to kernelland, attaining the holy grail: gaining full power over computers. Recent years also saw the emergence of virtualization techniques, allowing the deployment of software virtualization solutions and at the same time reinforcing computer security. Giving a processor the means to manipulate virtualization has not only significantly increased software virtualization performance, but has also provided new techniques to virus writers. These effects created a tremendous polemic about this new kind of rootkit—HVM (hardware-based virtual machine)—and especially the most (in)famous of them: Bluepill. Some people claim them to be invisible and consequently undetectable, thus making antivirus software or HIDS definitively useless, while for others HVM rootkits are nothing but fanciful. However, the recent release of the source code of the first HVM rootkit, Bluepill, allowed a clear picture of those different claims to be formed. An HVM can indeed change the state of a whole operating system by toggling it into a virtual machine and thus taking full control of the host and of the operating system itself. In this paper, we have striven to demystify that new kind of rootkit. On the one hand, we provide clear and reliable technical data about the conception of such a rootkit to explain what is possible and what is not. On the other hand, we provide an efficient, operational detection technique that makes it possible to systematically detect Bluepill-like rootkits (aka HVM rootkits).

13.
Voas, J. IEEE Software, 1999, 16(1): 28-29
Many have long regarded software assessment as a way to determine the correctness of software. Formal methods attempt to build in correct behavior. Techniques such as formal verification and testing attempt to demonstrate, either formally or empirically, that the software computes the specified function, whether or not the specified function is correct. Note several subtleties here. First, to employ these techniques, we need a definition of correct behavior. Without an accurate definition of what we want, we cannot confidently label an information system as defective. Second, the predominant goal of software assurance has been to demonstrate correct behavior. But as we all know, correct software can still kill you. Correct and safe behaviors can conflict since safety is a system property while correctness is a software property. We must merge these two properties if we ever hope to realize information assurance. Information assurance is similar to software assurance but covers a broader set of information integrity issues, such as information security, privacy, and confidentiality. For example, if a system can thwart attacks, whether malicious or simply unfortunate, and still provide accurate information on demand, then it provides some degree of information assurance. Information assurance also includes the traditional software “ilities” (as they are called), such as software safety, software security, reliability, fault tolerance, correctness, and so on. Put simply, information assurance is accurate enough information that is available on demand for a given application or situation.

14.
This paper reports on a survey amongst software groups in a multinational organization. The survey was initiated by the Software Process Improvement (SPI) Steering Committee of Philips, a committee that monitors the status and quality of software process improvement in the global organization. The paper presents and discusses improvement targets, improvement drivers, and metrics, and the degree to which they are being recognized in the software groups. The improvement targets ‘increase predictability’ and ‘reduce defects’ are being recognized as specifically important, joined for Capability Maturity Model (CMM) level three groups by ‘increase productivity’ and ‘reduce lead time’. The set of improvement drivers that was used in the survey appears to be valid. The three improvement drivers that were rated highest were: ‘commitment of engineering management’, ‘commitment of development staff’, and ‘sense of urgency’. Finally, it could be seen that metrics activity, both in size and in quality, increases significantly for CMM level three groups. However, no consensus regarding what metrics should be used can be seen.
Jos J. M. Trienekens

15.
Secure Agents
With the rapid proliferation of software agents, there comes an increased need for agents to ensure that they do not provide data and/or services to unauthorized users. We first develop an abstract definition of what it means for an agent to preserve data/action security. Most often, this requires an agent to have knowledge that is impossible to acquire – hence, we then develop approximate security checks that take into account the fact that an agent usually has incomplete/approximate beliefs about other agents. We develop two types of security checks – static ones that can be checked prior to deploying the agent, and dynamic ones that are executed at run time. We prove that a number of these problems are undecidable, but under certain conditions, they are decidable and (our definition of) security can be guaranteed. Finally, we propose a language within which the developer of an agent can specify her security needs, and present provably correct algorithms for static/dynamic security verification.

16.
In this paper, we present the security implications of x86 processor bugs or backdoors on operating systems and virtual machine monitors. We will not try to determine whether the backdoor threat is realistic or not, but we will assume that a bug or a backdoor exists and analyze the consequences on systems. We will show how it is possible for an attacker to implement a simple and generic CPU backdoor in order—at some later point in time—to bypass mandatory security mechanisms with very limited initial privileges. We will explain practical difficulties and show proof of concept schemes using a modified Qemu CPU emulator. Backdoors studied in this paper are all usable from the software level without any physical access to the hardware.

17.
The Zhongshan social insurance self-service system is a self-service platform built from touch-screen self-service terminals as the human-machine interface, a fiber-optic transmission network as the supporting carrier, and the corresponding business application software. It covers public venues across the Zhongshan area, including government offices, social insurance offices, communities, hospitals and banks, and provides insured persons with information queries, transaction handling and other functions. It is both convenient for citizens and reduces the pressure on the service counters of the social insurance department.

18.
Automated cyber security configuration synthesis is the holy grail of cyber risk management. The effectiveness of cyber security is highly dependent on the appropriate configuration hardening of heterogeneous, yet interdependent, network security devices, such as firewalls, intrusion detection systems, IPSec gateways, and proxies, to minimize cyber risk. However, determining cost-effective security configuration for risk mitigation is a complex decision-making process because it requires considering many different factors including end-hosts’ security weaknesses based on compliance checking, threat exposure due to network connectivity, potential impact/damage, service reachability requirements according to business policies, acceptable usability due to security hardness, and budgetary constraints. Although many automated techniques and tools have been proposed to scan end-host vulnerabilities and verify the policy compliance, existing approaches lack metrics and analytics to identify fine-grained network access control based on comprehensive risk analysis using both the hosts’ compliance reports and network connectivity. In this paper, we present new metrics and a formal framework for automatically assessing the global enterprise risk and determining the most cost-effective security configuration for risk mitigation considering both the end-host security compliance and network connectivity. Our proposed metrics measure the global enterprise risk based on the end-host vulnerabilities and configuration weaknesses, collected through compliance scanning reports, their inter-dependencies, and network reachability. We then use these metrics to automatically generate a set of host-based vulnerability fixes and network access control decisions that mitigate the global network risk to satisfy the desired Return on Investment of cyber security. We solve the problem of cyber risk mitigation based on advanced formal methods using Satisfiability Modulo Theories, which has shown scalability with large-size networks.

19.
By analyzing a system for forecasting future security situation trends, the article proposes that the goal of security measurement is to translate specialized security data into evaluation indicators that decision-makers care about and that are linked to the core business, forming an indicator system for measuring the security situation and ultimately providing a basis for management decisions.

20.
It is widely acknowledged that the system functionality captured in a system model has to match organisational requirements available in the business model. However, such a matching is rarely used to support design strategies. We believe that appropriate measures of what we refer to as the fitness relationship can facilitate design decisions. The paper proposes criteria and associated generic metrics to quantify to what extent there is a fit between the business and the system which supports it. In order to formulate metrics independent of specific formalisms to express the system and the business models, we base our proposal on the use of ontologies. This also contributes to providing a theoretical foundation for our proposal. In order to illustrate the use of the proposed generic metrics we show in the paper how to derive a set of specific metrics from the generic ones, and we illustrate the use of the specific metrics in a case study.
Colette Rolland
