Secure Information Technology Center – Austria

Certificate Status Application

Category: Electronic signatures

The Certificate Status Tool is designed to provide certificate status information based on manually defined trust anchors as well as the EU Trusted Lists of Certification Service Providers (TSL). This status information includes OCSP and CRL-based revocation information. The tool also directly supports querying LDAP services for certificates. Some services are already configured by default (those used by the Austrian Citizen Card, in particular). Users can update the list of configured services using the provided Online Update functionality. In addition, the configuration can be extended locally. Version 3.2.0 introduces an interactive TSL explorer.

Read more…
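The decision such a status tool has to make for a single certificate, as an added example (this is not code from the Certificate Status Tool and covers only the trust-anchor and CRL part, not OCSP, TSL parsing or LDAP lookup): the Go program below builds a constructed in-memory PKI, one trust anchor, one leaf it issued and two CRLs from that anchor, and then classifies the leaf. The names CertStatus, BuildFixture and the "Constructed Anchor"/"Constructed Leaf" subjects are choices made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the verdict of a check. "unknown" is deliberate: a CRL that fails
// the signature or freshness checks must never be read as "good".
type Status string

const (
	StatusGood      Status = "good"
	StatusRevoked   Status = "revoked"
	StatusUntrusted Status = "untrusted" // no chain to a configured trust anchor
	StatusUnknown   Status = "unknown"   // chain is fine, but the CRL is unusable
)

// CertStatus builds a chain from cert to one of the trust anchors, then checks
// the DER-encoded CRL: it has to name and be signed by the certificate's issuer
// and be inside its thisUpdate/nextUpdate window at time now before the list of
// revoked serial numbers is consulted.
func CertStatus(cert *x509.Certificate, anchors *x509.CertPool, crlDER []byte, now time.Time) (Status, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: anchors, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return StatusUntrusted, err
	}
	chain := chains[0]
	issuer := chain[0] // a self-signed anchor is its own issuer
	if len(chain) > 1 {
		issuer = chain[1]
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return StatusUnknown, errors.New("CRL issuer differs from certificate issuer")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, errors.New("CRL is outside its thisUpdate/nextUpdate window")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// Fixture is a constructed in-memory PKI for the demonstration: one trust
// anchor, a leaf it issued, and two CRLs from that anchor (empty / revoking the leaf).
type Fixture struct {
	Now                   time.Time
	Anchors               *x509.CertPool
	Leaf                  *x509.Certificate
	EmptyCRL, RevokingCRL []byte
}

func BuildFixture() (*Fixture, error) {
	now := time.Now().UTC()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Anchor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed Leaf"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	mkCRL := func(number int64, revoked []pkix.RevokedCertificate) ([]byte, error) {
		return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(number),
			ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}, ca, caKey)
	}
	empty, err := mkCRL(1, nil)
	if err != nil {
		return nil, err
	}
	revoking, err := mkCRL(2, []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}})
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Fixture{Now: now, Anchors: pool, Leaf: leaf, EmptyCRL: empty, RevokingCRL: revoking}, nil
}

func main() {
	f, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ name string; crl []byte }{{"empty CRL", f.EmptyCRL}, {"revoking CRL", f.RevokingCRL}} {
		s, err := CertStatus(f.Leaf, f.Anchors, c.crl, f.Now)
		fmt.Printf("%-12s -> %s (err=%v)\n", c.name, s, err)
	}
}
```

The four-way verdict is the point: a chain that does not end in a configured anchor is "untrusted" regardless of any CRL, and a CRL whose signature does not verify against the issuer, whose issuer name does not match, or which is stale is reported as "unknown" rather than silently treated as "no revocation found".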

12 May 2016

Managing Security of API-based Integration Workflows

Category: Cloud Computing, IT-Security

Security requirements, particularly those on confidentiality, require IT processes to comply with the least-privilege principle. OAuth 2.0, a broadly adopted authorization protocol, meets these requirements only partially. For example, because access scopes are defined unilaterally and their representation is specific to each service provider, access restrictions and authorizations can hardly be structured in a granular and interoperable way. This affects cross-domain data exchanges in particular, since the security measures of one organization can be applied only to a limited extent in another.

The architecture and relevant first results of this ongoing work were presented at the DISSECT Workshop of the IEEE/IFIP NOMS conference. The proposed approach addresses the security management of API-based interactions. The perspectives of service providers, clients and data owners are taken into account in order to enable context dependence in API-based data exchanges and to support granularity and interoperability in security management.

30 April 2016

Ontologies in the e-Government Domain

Category: eGovernment

During the past years, ontology-based concepts have gained importance, especially in the context of Semantic Web applications, and they are currently the focus of various research activities. The capability to enrich stored and processed data with a semantic dimension enables numerous use cases and fields of application.
Read more…

19 April 2016

Secure Integration in the Cloud

Category: IT-Security

Cloud integration platforms (iPaaS) form a novel product category that provides additional value to customers by integrating a diverse range of cloud services offered by third parties. The iPaaS provider thus delivers a cloud service that composes, integrates and reuses products and services offered by other providers or organisations. This concept assumes that interactions, data flows and service consumption take place in a complex environment spanning several domains. The resulting complexity, however, extends the attack surface and increases the security risk of these interactions. This is especially important for cross-domain interactions, where the integration provider may gain access to a broader range of the user's services than is necessary to accomplish the task.

The paper on secure integration in the cloud was presented on 7 April at the ACM SAC 2016 conference. In this work we particularly considered protocols, integration platforms and security requirements for the relevant building blocks of a typical integration platform.

  • Securing Integration of Cloud Services in Cross-Domain Distributed Environments
    [Presentation]  [Paper]
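The least-privilege gap described both in the entry on API-based integration workflows above (provider-specific, coarse OAuth 2.0 scopes) and in this iPaaS entry (an integration provider holding more of the user's services than the task needs) can be made concrete. The Go program below is an added example and not code from either paper: it models two hypothetical providers whose scope vocabularies are constructed for the illustration, computes the smallest scope grant that still covers a cross-domain task, and reports the excess privilege that grant carries. Permission, Vocabulary, MinimalScopes, Excess and Authorize are names chosen here.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is a provider-neutral (resource, action) pair. Least privilege for
// a cross-domain task can only be stated at this level; provider scopes are
// opaque bundles of such pairs with no shared vocabulary between providers.
type Permission struct{ Resource, Action string }

// Vocabulary maps one provider's scope names to the permissions each grants.
type Vocabulary map[string][]Permission

// Providers holds constructed vocabularies for two hypothetical providers
// (not real APIs). Note the coarse bundles: no scope grants "contacts: read" alone.
var Providers = map[string]Vocabulary{
	"calendar-cloud": {
		"calendar.readonly": {{"calendar", "read"}},
		"calendar":          {{"calendar", "read"}, {"calendar", "write"}, {"calendar", "share"}},
		"contacts":          {{"contacts", "read"}, {"contacts", "write"}},
	},
	"crm-saas": {
		"read:all":  {{"calendar", "read"}, {"contacts", "read"}, {"deals", "read"}},
		"write:all": {{"calendar", "write"}, {"contacts", "write"}, {"deals", "write"}},
	},
}

// Granted expands a scope set into the permissions it confers.
func Granted(v Vocabulary, scopes []string) map[Permission]bool {
	out := map[Permission]bool{}
	for _, s := range scopes {
		for _, p := range v[s] {
			out[p] = true
		}
	}
	return out
}

// Authorize is the resource server's decision for one request: is the
// permission the request needs covered by the token's scopes?
func Authorize(v Vocabulary, tokenScopes []string, need Permission) bool {
	return Granted(v, tokenScopes)[need]
}

// MinimalScopes searches every subset of the vocabulary for the smallest scope
// set covering needed, preferring the subset that grants the fewest permissions
// overall. Exhaustive search is acceptable because vocabularies are short.
func MinimalScopes(v Vocabulary, needed []Permission) ([]string, bool) {
	names := make([]string, 0, len(v))
	for n := range v {
		names = append(names, n)
	}
	sort.Strings(names)
	var best []string
	bestSize := 0
	for mask := 1; mask < 1<<len(names); mask++ {
		var combo []string
		for i, n := range names {
			if mask&(1<<i) != 0 {
				combo = append(combo, n)
			}
		}
		g := Granted(v, combo)
		covered := true
		for _, p := range needed {
			covered = covered && g[p]
		}
		if !covered {
			continue
		}
		if best == nil || len(combo) < len(best) || (len(combo) == len(best) && len(g) < bestSize) {
			best, bestSize = combo, len(g)
		}
	}
	return best, best != nil
}

// Excess lists what a grant confers beyond the task's needs: the privilege the
// provider's scope design forces the client (or integration platform) to hold.
func Excess(v Vocabulary, scopes []string, needed []Permission) []Permission {
	g := Granted(v, scopes)
	for _, p := range needed {
		delete(g, p)
	}
	var out []Permission
	for p := range g {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Resource < out[j].Resource || (out[i].Resource == out[j].Resource && out[i].Action < out[j].Action)
	})
	return out
}

func main() {
	task := []Permission{{"calendar", "read"}, {"contacts", "read"}}
	for _, name := range []string{"calendar-cloud", "crm-saas"} {
		scopes, _ := MinimalScopes(Providers[name], task)
		fmt.Printf("%-15s minimal scopes %v, excess privilege %v\n", name, scopes, Excess(Providers[name], scopes, task))
	}
}
```

For the same two-permission task the two constructed providers require different, mutually unintelligible scope strings, and neither can express it exactly: one grant drags in contacts write access, the other read access to deals. The resource server's Authorize check then faithfully honours that over-grant, which is precisely what an integration platform operating across domains ends up holding.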

17 March 2016

Security Implications of Emerging Web-Technologies

Category: IT-Security

This report analyzes existing web-tracking technologies. Building on that analysis, two newer web technologies, WebSockets and WebRTC, are examined with a focus on their implications for user privacy.
Four scenarios were developed that, on the one hand, undermine users' privacy and, on the other hand, enable a considerable improvement of unnoticed user identification.
Read more…

Security Recommendations for the Public Sector

Category: eGovernment, IT-Security

Cryptography is a powerful tool which, if applied correctly, provides confidentiality, integrity and authenticity of electronically stored, processed and transmitted data. Internet-based services in security-critical fields such as e-government or e-banking would be infeasible without cryptography. Hence, the correct application of cryptographic methods is of special relevance for public administrations as well.
Read more…

SSL Check for Clients/Server

Category: IT-Security

The A-SIT SSL tool consists of two parts. The "Browser test" reviews and evaluates the SSL/TLS capabilities of web browsers, while the "Server test" probes web servers. The tested components are then classified according to whether they are suitable for use in security-critical environments.
Read more…

Analysis of Modern Cross-platform Development Frameworks for Mobile Applications

Category: eGovernment

This study analyzes which security mechanisms are available in popular cross-platform frameworks. It covers the two most popular frameworks, Apache Cordova and Xamarin, and additionally Alpha Anywhere, which was selected because of its advertised security features. The selected frameworks cover both development approaches, hybrid and interpreted applications: Apache Cordova and Alpha Anywhere create interpreted applications, while Xamarin creates hybrid applications.

Read more…

Static Analysis of Windows Phone Applications

Category: IT-Security

The objective of the project was to analyse a number of Windows Phone apps for common security issues. It started with the manual analysis of selected applications. It soon became evident that many of the analysis steps can easily be automated to save time. Another observation was that several applications suffer from similar security issues.
Read more…