Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher.
Some full text articles may not yet be available without a charge during the embargo (administrative interval).
What is a DOI Number?
Some links on this page may take you to non-federal websites. Their policies may differ from this site.
-
Analyzing, implementing and maintaining security requirements of software-intensive systems and achieving truly secure software requires planning for security from ground up, and continuously assuring that security is maintained across the software's lifecycle and even after deployment when software evolves. Given the increasing complexity of software systems, new application domains, dynamic and often critical operating conditions, the distributed nature of many software systems, and fast moving markets which put pressure on software vendors, building secure systems from ground up becomes even more challenging. Security-related issues have previously been targeted in software engineering sub-communities and venues. In the second edition of the International Workshop on Security from Design to Deployment (SEAD) at the International Conference on Automated Software Engineering (ASE) 2020, we aimed to bring the research and practitioner communities of requirements engineers, security experts, architects, developers, and testers together to identify foundations, and challenges, and to formulate solutions related to automating the analysis, design, implementation, testing, and maintenance of secure software systems.more » « less
-
Industrial control systems (ICS) are systems used in critical infrastructures for supervisory control, data acquisition, and industrial automation. ICS systems have complex, component-based architectures with many different hardware, software, and human factors interacting in real time. Despite the importance of security concerns in industrial control systems, there has not been a comprehensive study that examined common security architectural weaknesses in this domain. Therefore, this paper presents the first in-depth analysis of 988 vulnerability advisory reports for Industrial Control Systems developed by 277 vendors. We performed a detailed analysis of the vulnerability reports to measure which components of ICS have been affected the most by known vulnerabilities, which security tactics were affected most often in ICS and what are the common architectural security weaknesses in these systems. Our key findings were: (1) Human-Machine Interfaces, SCADA configurations, and PLCs were the most affected components, (2) 62.86% of vulnerability disclosures in ICS had an architectural root cause, (3) the most common architectural weaknesses were “Improper Input Validation”, followed by “Im-proper Neutralization of Input During Web Page Generation” and “Improper Authentication”, and (4) most tactic-related vulnerabilities were related to the tactics “Validate Inputs”, “Authenticate Actors” and “Authorize Actors”.more » « less
