Security policy audits: why and how

07/22/2022
by Arvind Narayanan, et al.

Information security isn't just about software and hardware – it's at least as much about policies and processes. But the research community overwhelmingly focuses on the former over the latter, while gaping policy and process problems persist. In this experience paper, we describe a series of security policy audits that we conducted, exposing policy flaws affecting billions of users that can be – and often are – exploited by low-tech attackers who don't need to use any tools or exploit software vulnerabilities. The solutions, in turn, need to be policy-based. We advocate for the study of policies and processes, point out its intellectual and practical challenges, lay out our theory of change, and present a research agenda.


