Journal of Computing and Security
Volume:6 Issue: 2, Summer and Autumn 2019

Model-based development (MBD) is the development of software systems using graphical and textual models such as UML class diagrams. MBD and related approaches such as Model-driven development (MDD) have had some success within specific application domains, such as the automotive industry. Agile software development approaches such as Scrum and eXtreme Programming (XP) have been widely adopted in many different industry sectors. These approaches emphasise iterative development and close customer collaboration. eXtreme Modeling (XM) is a model-based development analogue of eXtreme Programming: it is an agile development approach based on the use of software models to specify and synthesise software systems. In this paper we look at the track record of agile and model-based development, and we consider the case for combining these approaches into XM to obtain benefits from both approaches: rapid automated software generation, lightweight development processes, and direct customer involvement. An example application of XM in the financial services domain is described.

Obfuscation, as one invasive strategy, is considered to be a defense strategy in the field of software and vital information protection against security threats. This paper proposes a new dynamic obfuscation method, called CSE, based on combining a triplet of control flow, signals and encryption of the management table (MT). This triplet exchanges and hides the control graph program. Then, it produces the MT that includes addresses to guide communication between instructions. A type of the stream cipher symmetric encryption (Spritz) applies to encrypt the MT. Also, a multi-objective function (the ability and the resiliency) based on six implementation metrics and two classic objective functions (the cost and the Mishra) are considered to evaluate the proposed obfuscation method. Therefore, the proposed triplet obfuscation method and the multi-objective functions are performed on a small program and a benchmark dataset. The results of our evaluations show that CSE has competitive advantages in comparison with other methods.

Web application vulnerability scanners cannot detect business logic vulnerabilities (vulnerabilities related to logic) because they are not able to understand the business logic of the web application. To identify the business logic of the web application, this paper presents BLProM, Business-Layer Process Miner, the black-box approach that identifies business processes of the web application. Detecting business processes of the web applications can be used in dynamic security testing to identify business logic vulnerabilities in web applications. BLProM first extracts the navigation graph of the web application then identifies business processes from the navigation graph. The evaluation conducted on three well-known open-source web applications shows that BLProM can detect business logic processes. Experimental results show that BLProM improves web application scanning because it clusters web application pages and prevents scanning similar pages. The proposed approach is compared to OWASP ZAP, an open-source web scanner. We show that BLProM improves web application scanning about %96.