Joshua J. Pauli

Misuse case-based design and analysis of secure software architecture

This paper presents an approach to the architectural design and analysis of secure software systems based on the system requirements elicited in the form of use cases and misuse cases. We identify architectural components and their connections and analyze whether or not a candidate architecture can address security concerns. This provides a smooth transition from requirements specification to high-level design for engineering secure software systems, and greatly improves the traceability of security concerns, which allows a system developer to know what requirement an architectural component references back to. We demonstrate our approach through a case study on a security-intensive hospital information system.

Towards a Specification Prototype for Hierarchy-Driven Attack Patterns

We propose the characteristics of a software tool that leverages specifying attack pattern details in understandable hierarchies. These hierarchies are currently manually populated from the vast CAPEC dictionary which consume an excessive amount of human resources and are wrought with the possibility of user error. Such a software tool will not only automate the population of these attack pattern hierarchies, but also provide system prerequisite information and suggested mitigation strategies for the system under design. The combination of system prerequisites, possible attack patterns, and necessary mitigation strategies gives system designers and developers a checklist-like artifact to consider as development moves from the design phase to the implementation phase.

Improving the Efficiency and Effectiveness of Penetration Test Automation

During a penetration test there is many different tools used for every step of the test. These steps are done for every penetration test that a company performs. The tools used are focused towards a specific area of the penetration test that range from information gathering to exploitation. This paper introduces scripting certain tools that are used often to make the process more efficient and effective for both the tester and the customer.

Work in progress — Web penetration testing: Effectiveness of student learning in Web application security

Web penetration testing embodies both the understanding of attack and defense philosophies. By learning malicious hacking activities, students will understand the perspectives of attackers and realize how to defend a Web application system. To foster information security education, it is important to introduce the attack understanding philosophy. Using student group projects, this study aims to measure student learning effectiveness in Web application security and to discover how students perceive learning given the attack understanding philosophy. In support of triangulation, this research will employ pre-test and post-test study along with the grounded theory approach. The future research findings will propose a framework to improve student learning effectiveness and student learning perception in Web application security.

Incentive-Based Technology Start-Up Program for Undergraduate Students

This paper summarizes the partnership between Dakota State University (DSU) and the Lake Area Improvement Corporation (LAIC) that supports the Center for TechnoEntrepreneurism at Dakota State University (CT@DSU). Special attention is paid to the operational details of the CT@DSU involving: interacting and servicing student venture ideas, establishing a realistic timeline, developing a CT@DSU Board of Advisors comprised of DSU faculty and community business leaders, expanding partnerships with external entities to provide specialty assistance to student ventures, providing student entrepreneurs with the appropriate amount of training related to starting a technology venture, partnering with area technology entrepreneurs for lessons learned and best practices, and creating and executing a realistic milestone-driven approach to student venture incentives and capital injection. This paper provides a 90 day review of the formation of the CT@DSU, milestones reached, and future work yet to be undertaken.