Our research contributes to a society where we can trust all electronic services and those we communicate with, and where we can easily act upon our privacy preferences. Information security involves ensuring that information is only available to those who are authorized to see it (confidentiality), that the accuracy of data is maintained (integrity), and that IT systems and other facilities are present and usable when and where they are needed (availability).
Secure software engineering
Vulnerabilities in software are increasingly becoming a great problem. There is a growing trend of incidents compromising software and information for large organisations, as well as ordinary citizens. There are several reasons for this development, such as more connectivity, complexity, advanced attacks and new motivation factors, e.g. related to profit or political views.
The traditional way of protecting the software is by relying on network security solutions, but merely trusting firewalls and anti-virus applications will not hold in the long run – security must be an integrated part of every software product. At the same time, security should not clog normal usage and give a bad user experience.We are conducting research on how to improve software security and create robust services through use of efficient development methods and tools.
Contact: Per Håkon Meland
Every one of us has the right to control when, how and how much our personal information is shared with others.
Social networks, executive work, internal company systems, medical records – electronic storage, sharing and transfer of personal information make collaboration and communication more efficient. At the same time it is getting harder to maintain control on who knows what about us. Through social networks we share lots of personal information ourselves, but this does not mean that we are able to fully understand the consequences of our actions.
The user himself/herself must be able to exercise control on own information, while the system at the same time can not assume the user to have the complete responsibility. Anonymization is one way of ensuring privacy, but in many cases this is not a very usable solution.
Contact: Maria Bartnes
Identity management and access control
Identity and access control management comprise identification and authentication of users in order to determine the appropriate level of authorization.
The ever-increasing number of identities is challenging to handle for users and represent a significant cost in terms of administration. Additionally, service integration and interaction is made difficult due to the fact that users may have different identities in the different systems. Federated Identity Management aims to let users utilize a single identity to access a variety of systems. Hence, system owners may reduce administration costs significantly.
With the use of distributed systems and the extensive exchange of information across systems, access control decisions and enforcement are becoming more challenging. Usage control attempts to handle all aspects of controlling access to and usage of information and resources, also external to the originating system.
SINTEF conducts research on how to create better and more efficient solutions for a holistic identity and access control management.
Contact: Maria Bartnes
In modern society, we are increasingly surrounded by a multitude of computers of various types, and the computers are increasingly interconnected using wired or wireless networks.
We are being hurtled toward the "internet of things" at breakneck speed, to the point where it will be more likely than not that even your coffee-maker is connected to the internet. With all this communication, security is ever more important; not only may you wish to keep all the information from your appliances safely within the confines of your home, but you certainly don't want random passersby to turn on your coffee-maker or play with your living room lights. The importance of security becomes even clearer if we shift our gaze away from the home and consider how the internet of things becomes a part of operation and production on oil platforms in the North Sea.
In addition to technical security mechanisms, it's important to have routines for handling of information security incidents when they occur, and not least ensure that the organisation learns from the incident, so that the probability of recurrence is minimised.
SINTEF has been involved in many aspects of network security in later years, including security in open wireless broadband access networks, security in wireless ad-hoc networks, security in RFID-based payment solutions and security for satellite communication with airplanes.
Contact: Martin Gilje Jaatun
Dypdykk i BSIMM del 11 – Security Testing
I vår serie om innebygd målbar sikkerhet og BSIMM er vi nå kommet til Security Testing, eller «Sikkerhetstesting». Hovedmålet for praksisen Sikkerhetstesting er kvalitetskontroll som gjøres i løpet av utviklingssyklusen. De som utfører sikkerhetstesting må sørge for at sikkerhetsfeil oppdages … Les videre →
Nettverksmøte 14. oktober 2015 i Trondheim
ISF, ISACA og Faggruppen Informasjonssikkerhet i Dataforeningen Trøndelag inviterer til felles møte for faglig påfyll onsdag 14. oktober fra kl.15 til kl.18. Etter det faglige programmet blir det servering og sosialisering. Program 14:30 Velkommen og registrering 15:00 Nytt fra ISACA, Dataforeningen og … Les videre →
Dypdykk i BSIMM del 10 – Penetration Testing
I vår modenhetsstudie av programvaresikkerhet i offentlige virksomheter pekte penetreringstesting seg ut som en aktivitet som generelt sett ikke gjøres som en del av utviklingen – dette er overraskende når man tenker på hvor mange verktøy som er fritt tilgjengelige. … Les videre →