Keywords:
Astract: One of the main security ob jectives for systems connected to the Internet which provide services like Voice over Inter- net Protocol (VoIP) is to ensure robustness against security attacks to fulfill Quality of Service (QoS). To avoid system failures during attacks service providers have to integrate countermeasures which have to be tested. This work evalu- ates a test approach to determine the efficiency of counter- measures to fulfill QoS for Session Initiation Protocol (SIP) based VoIP systems even under attack. The main ob jective of the approach is the evaluation of service availability of a System Under Test (SUT) during security attacks, e.g., De- nial of Service (DoS) attacks. Therefore, a simulated system load based on QoS requirements is combined with different security attacks. The observation of the system is based on black-box testing. By monitoring quality metrics of SIP transactions the behavior of the system is measurable. The concept was realized as a prototype and was evaluated using different VoIP systems. For this, multiple security attacks are integrated to the testing scenarios. The outcome showed that the concept provides sound test results, which reflect the behavior of SIP systems availability under various at- tacks. Thus, security problems can be found and QoS for SIP-based VoIP communication under attack can be pre- dicted.

Keywords:
Astract: Current research on historical project data is rarely touching on the subject of security related information. Learning how security is treated in projects and which parts of a software are historically security relevant or prone to security changes can enhance the security strategy of a software project. We present a mining methodology for security related changes by modifying an existing method of software repository analysis. We use the gathered security changes to find out more about the nature of security in the FreeBSD project and we try to establish a link between the identified security changes and a tracker for security issues (security advisories). We give insights how security is presented in the FreeBSD project and show how the mined data and known security problems are connected.

Keywords:
Astract: The paper discusses foundations and requirements for testing security robustness aspects in operational environments while adhering to defined protection values for data. It defines the problem space and special characteristics of security testing in large IT infrastructures. In this area there are different environments with varying characteristics, e.g., regarding confidentiality of data. Common environments based on an existing IT project are defined. Testing in dedicated test environments is state of the art, however, sometimes this is not sufficient and testing in operational environments is required. Case studies showed many restrictions in the security test process, e.g., limited access for testers, which have to be addressed. The problems of testing in these operational environments are pointed out. Experiences and some current solution approaches for testing these special environments are shown (e.g., usage of disaster/recovery mechanism).

Keywords:
Astract: Die Abhängigkeit von IT-Systemen für Unternehmenszwecke nimmt laufend zu. Angriffe auf diese können die Anforderungen bezüglich Verfügbarkeit, Vertraulichkeit und Integrität der Daten stören und somit für das Unternehmen Verluste verursachen. Die Systeme müssen dabei derart abgesichert werden, dass der Aufwand für einen Angreifer höher ist als der entstehende Nutzen durch einen erfolgreichen Angriff.
Die vorliegende Arbeit beschäftigt sich mit Penetrationstests, einer möglichen Testtechnik zur Überprüfung der Sicherheit von Infrastrukturen. Dabei führen Tester simulierte Angriffe durch, um vorhandene Schwachstellen im System zu ermitteln und die Ausnutzbarkeit darzustellen. Die Anwendung von Penetrationstests erfolgt beim laufenden System, wodurch auch Installations- und Konfigurationsfehler in der Betriebsumgebung ermittelt werden. Für eine umfangreiche Sicherheitsbetrachtung können Penetrationstests einen wichtigen Teil beitragen, um die Systeme abzusichern. Die Möglichkeiten und Limitierungen von Penetrationstests werden in dieser Arbeit anhand eines Anwendungsbeispiels dargestellt, indem ein Penetrationstestkonzept definiert wird. Dieses berücksichtigt erforderliche Testtechniken für die eingesetzten Technologien und diskutiert des Weiteren organisatorische Aspekte für die Durchführung.