Papers by Francesca Matarese

An innovative methodology for maritime security risk management for cost-effective defence systems design
Nav 2012 17th International Conference on Ships and Shipping Research, Dec 9, 2012
After the 9/11 terrorist attacks, critical asset protection has become a priority all over the world. The focus moved from "safety", that is, the prevention and mitigation of accidental and unexpected events, to "security", that is, the mitigation of deliberate acts. For the protection of particular critical assets such as vessels and ports or aircraft and airports, the International Maritime Organisation (IMO) and the International Civil Aviation Organization (ICAO) respectively developed two different methodologies for security management, both taking into account that "total security" would be attainable only at infinite cost. IMO, through the International Ship and Port Facility Security (ISPS) Code, has stated that countermeasures have to be identified and implemented in a scalable way, according to the "security level". Nevertheless, the "security level" is the result of intelligence information, whose trustworthiness is inversely related to malicious actors' capability to act by surprise, which undoubtedly increases the success of their actions. Therefore, security risk assessment and the consequent countermeasures should set aside intelligence information and base their cost-effectiveness on other considerations. This paper aims at proposing an innovative methodology for security risk management that allows the identification of cost-effective countermeasures, based on the evaluation of the impact of each potential incident, independently of the "security level". To meet this objective we will benefit from past experience in airport security, where different strategies are suggested by ICAO.

Innovative Technologies for Dependable OTS-Based Critical Systems, 2013
This chapter presents a methodology to evaluate and benchmark web application vulnerability scanners using software fault injection techniques. The most common software faults are injected into the web application source code, which is then checked by the scanners. Using this procedure, we evaluated three leading commercial scanners, which are often regarded as an easy way to test the security of web applications, including critical vulnerabilities such as XSS and SQL Injection. Our idea consists of providing the scanners with the input they are supposed to handle: a web application with software faults and the possible vulnerabilities originating from such faults. The results of the scanners are compared by evaluating their efficiency in identifying the potential vulnerabilities created by the injected faults, their coverage of vulnerability detection and their false positives. However, the results show that the coverage of these tools is low and the percentage of false positives is very high.