End-to-End Secure Service Compositions

During the development of software systems, security is often understood as a task for specialists. This is unfortunate, as today any system needs to fulfill a large variety of security (and privacy) properties, many of which rely on input from domain experts who are often not security experts. To support security-interested developers of service-based systems, e.g., using microservices, we developed a tool-supported, model-based approach that allows capturing and analyzing security properties on the level of composition models. Moreover, our approach supports “pushing security requirements” down to the implementation level, supporting developers in implementing the services securely.

Did You Patch Your Light Bulb today?

More and more devices that we buy today are “smart”, i.e., they can be connected to the Internet. In fact, many experts expect that by 2020, over 50 billion (smart) things will be connected to the Internet. Technically, a smart device contains a small computer which runs software and, as we all know from our daily experiences, software often has bugs that can lead to security vulnerabilities. In 2016, a botnet called Mirai targeted smart home devices and used them for attacking a domain registration service provider. This resulted in the unavailability of well-known services such as Google or GitHub for many users.

It's More Than One - Monero Mining Chrome Extensions

In the last few days, a researcher discovered that the SafeBrowse Chrome extension is using the computers of its users to mine Monero (an alternative cryptocurrency similar to Bitcoin). With over 140000 users, this is most likely the most popular (and probably the first) Chrome extension mining a cryptocurrency without users’ consent. It is not the only one …

Hybrid Apps - From Security Challenges to Secure Development

Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system-specific, code with system-independent code, e.g., HTML5/JavaScript. Combining native with platform-independent code opens Pandora’s box: all the security risks of native development are multiplied with the security risks of web applications.

The Evil Friend in Your Browser - An Update

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browser: extensions can read and modify the content displayed in the browser. As they can also communicate with any website or web service, they can report both data and metadata to external parties. The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a “juicy target” for attackers targeting web users.

Missed our AppSecEU talk on the security risks of browser extensions? Or do you want to learn what happened during the last months? You are lucky! We will give an updated version of our talk next weekend at the SteelCon conference in Sheffield!

Update: you can also watch the recording of our talk!

The Internet of (not so) Smart Things

More and more devices of our daily life are “smart”: ranging from smart light bulbs to smart TVs to smart fridges, everything can, and most likely will be, connected to the Internet in the future. More and more people are already used to remotely controlling their heating at home using their smartphone.

Welcome to the blog of the Software Assurance & Security Research Team at the University of Exeter. We blog regularly news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.

You can also follow us on Twitter: @logicalhacking.
