There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality.

Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …

I and i

Knowledge Management

/pdf/a-break-in-the-clouds-towards-a-cloud-definition-svovsw1r5a.pdf

A Break in the Clouds: Towards a Cloud Definition

The Object Management Group's (OMG) Model Driven Architecture (MDA) strategy envisages a world where models play a more direct role in software production, being amenable to manipulation and transformation by machine. Model Driven Engineering (MDE) is wider in scope than MDA. MDE combines process and analysis with architecture. This article sets out a framework for model driven engineering, which can be used as a point of reference for activity in this area. It proposes an organisation of the modelling 'space' and how to locate models in that space. It discusses different kinds of mappings between models. It explains why process and architecture are tightly connected. It discusses the importance and nature of tools. It identifies the need for defining families of languages and transformations, and for developing techniques for generating/configuring tools from such definitions. It concludes with a call to align metamodelling with formal language engineering techniques.

Model Driven Engineering

Users have begun downloading an increasingly large number of mobile phone applications in response to advancements in handsets and wireless networks. The increased number of applications results in a greater chance of installing Trojans and similar malware. In this paper, we propose the Kirin security service for Android, which performs lightweight certification of applications to mitigate malware at install time. Kirin certification uses security rules, which are templates designed to conservatively match undesirable properties in security configuration bundled with applications. We use a variant of security requirements engineering techniques to perform an in-depth security analysis of Android to produce a set of rules that match malware characteristics. In a sample of 311 of the most popular applications downloaded from the official Android Market, Kirin and our rules found 5 applications that implement dangerous functionality and therefore should be installed with extreme caution. Upon close inspection, another five applications asserted dangerous rights, but were within the scope of reasonable functional needs. These results indicate that security configuration bundled with Android applications provides practical means of detecting malware.

/pdf/on-lightweight-mobile-phone-application-certification-1y8lgavj4k.pdf

On lightweight mobile phone application certification

Data warehouses (DWs) contained high sensitive data, and therefore, it is essential to specify security measures from the early stages of the DW design and enforce them. Access control models for transactional (relational) databases, based on tables, columns and rows, are not appropriate for DWs. Instead, security and audit rules defined for DWs must be specified based on the multidimensional (MD) modeling used to design data warehouses. So far, very few approaches represent security measures in the conceptual modeling of data warehouses form the early stages of a DW project. Moreover these security measures cannot be directly represented in the relational model for data warehouses, thereby having a semantic gap between the conceptual and logical schemas. In this paper, we present an extension of the relational model to consider security and audit measures represented in the conceptual modeling. To accomplish this, we based on the relational package of the common warehouse metamodel (CWM) and extend it to properly represent all security and audit rules defined in the conceptual modelling of data warehouses. Finally, to show the benefit of our approach, we apply our proposal to a health care case study.

Representing security and audit rules for data warehouses at the logical level by using the common warehouse metamodel

Nowadays, business processes (BP) are important in the maintenance of competitiveness within enterprises. Moreover, security is a crucial issue in business performance. In the last few years, the languages used for BP representation have been improved and new notations have appeared. Proposals for security requirement specifications at this high level of abstraction have also appeared. Nevertheless, these models have not been transformed into concrete models that can be used in a software development process. In our proposal, we will obtain analysis-level classes from a business process specification in which security requirements are included. Model transformations are within the scope of MDA and they are specified by using the QVT standard. Finally, we shall apply this approach to a typical health-care business process.

Analysis-level classes from secure business processes through model transformations

In recent years, most organizations have suffered attacks against their information systems. For this reason, organizations should seek support from enterprise security architectures ESAs in order to secure their information assets. Security patterns can help when building complex ESAs, but they have some limitations that reduce their usability. In this paper, we define the metapattern of a new type of security pattern called Enterprise Security Pattern. This new metapattern provides a model-driven environment and combines all elements that must be considered when designing and building ESAs. We present here a precise meta-model and four diagrams to describe the metapattern of the enterprise security patterns. When avoiding a security problem, organizations could use enterprise security patterns to provide their designers with an optimal and proven security guideline and so standardize the design and building of the ESA for that problem. Enterprise security patterns could also facilitate the selection and tailoring of security policies, patterns, mechanisms, and technologies when a designer is building ESAs. To illustrate our ideas, we present an instance of this new type of pattern, showing how it can be used. Copyright © 2014 John Wiley & Sons, Ltd.

Enterprise security pattern: a new type of security pattern

Web Services (WS) security has undergone an enormous development, as carried out by the major organizations and consortiums of the industry over the last few years. This has brought about the appearance of a huge number of WS security standards. Such a fact has made organizations remain reticent about adopting technologies based on this paradigm, due to the learning curve which is inevitable in the integration of security into their practical deployments. In this paper we present PWSSec (Process for Web Services Security), which enables the integration of a set of specific security stages into the traditional phases of WS-based systems development. PWSSec defines three stages, WSSecReq (Web Services Security Requirements), WSSecArch (Web Services Security Architecture) and WSSecTech (Web Services Security Technologies). These facilitate, respectively, the definition of WS-specific security requirements, the development of a WS-based security architecture and the identification of the WS security standards that the security architecture must articulate in order to implement the security services. ACM Classification: D.2.1 (Requirements/Specification)s, D.2.11 (Software Architecture), D.2.12 (Interoperability), D.2.13 (Reusable Software)

Towards a Process for Web Services Security.

Security has become a crucial aspect for the performance of present organizations since the protected object is the mission of them. Therefore, the management approach oriented to business processes has been a good answer for the current scenarios, changing and complex, where organizations develop their task. Both subjects form a basic requirement to reach not only the mission but also the organizational objectives in a strongly connected global economy. In this work, we will show a microprocess through which it is possible to specify and refine security requirements at a high level of abstraction, in a way that they can be incorporated into the development of a software system. In addition, an extension of UML 2.0 activity diagrams will be presented through which it is possible to identify such requirements.

Eduardo Fernández-Medina

Papers

Representing security and audit rules for data warehouses at the logical level by using the common warehouse metamodel

Analysis-level classes from secure business processes through model transformations

Enterprise security pattern: a new type of security pattern

Towards a Process for Web Services Security.

Capturing security requirements in business processes through a UML 2.0 activity diagrams profile