Our research contributes to a society where we can trust all electronic services and those we communicate with, and where we can easily act upon our privacy preferences. Information security involves ensuring that information is only available to those who are authorized to see it (confidentiality), that the accuracy of data is maintained (integrity), and that IT systems and other facilities are present and usable when and where they are needed (availability).
Secure software engineering
Vulnerabilities in software are increasingly becoming a serious problem. There is a growing trend of incidents compromising software and information for large organisations as well as ordinary citizens. There are several reasons for this development, such as more connectivity, greater complexity, more advanced attacks and new motivation factors, e.g. related to profit or political views.
The traditional way of protecting software is by relying on network security solutions, but merely trusting firewalls and anti-virus applications will not hold in the long run – security must be an integrated part of every software product. At the same time, security should not clog normal usage and give a bad user experience. We are conducting research on how to improve software security and create robust services through the use of efficient development methods and tools.
Contact: Per Håkon Meland
Every one of us has the right to control when, how and how much our personal information is shared with others.
Social networks, executive work, internal company systems, medical records – electronic storage, sharing and transfer of personal information make collaboration and communication more efficient. At the same time it is getting harder to maintain control over who knows what about us. Through social networks we share lots of personal information ourselves, but this does not mean that we are able to fully understand the consequences of our actions.
The users themselves must be able to exercise control over their own information, while the system at the same time cannot assume that the user carries the complete responsibility. Anonymization is one way of ensuring privacy, but in many cases this is not a very usable solution.
Contact: Maria Bartnes Line
Identity management and access control
Identity and access control management comprise identification and authentication of users in order to determine the appropriate level of authorization.
The ever-increasing number of identities is challenging for users to handle and represents a significant cost in terms of administration. Additionally, service integration and interaction are made difficult by the fact that users may have different identities in different systems. Federated Identity Management aims to let users utilize a single identity to access a variety of systems. Hence, system owners may reduce administration costs significantly.
With the use of distributed systems and the extensive exchange of information across systems, access control decisions and enforcement are becoming more challenging. Usage control attempts to handle all aspects of controlling access to and usage of information and resources, including outside the originating system.
SINTEF conducts research on how to create better and more efficient solutions for a holistic identity and access control management.
Contact: Maria Bartnes Line
In modern society, we are increasingly surrounded by a multitude of computers of various types, and the computers are increasingly interconnected using wired or wireless networks.
We are being hurtled toward the "internet of things" at breakneck speed, to the point where it will be more likely than not that even your coffee-maker is connected to the internet. With all this communication, security is ever more important; not only may you wish to keep all the information from your appliances safely within the confines of your home, but you certainly don't want random passersby to turn on your coffee-maker or play with your living room lights. The importance of security becomes even clearer if we shift our gaze away from the home and consider how the internet of things becomes a part of operation and production on oil platforms in the North Sea.
In addition to technical security mechanisms, it is important to have routines for handling information security incidents when they occur, and not least to ensure that the organisation learns from the incident, so that the probability of recurrence is minimised.
SINTEF has been involved in many aspects of network security in recent years, including security in open wireless broadband access networks, security in wireless ad-hoc networks, security in RFID-based payment solutions and security for satellite communication with airplanes.
Contact: Martin Gilje Jaatun
Checklist for security in cloud services
We have published a report that can help you if you are considering adopting the cloud! The report «Cloud Security Requirements» (which you can download for free here) contains a checklist that you can use to evaluate security and privacy …
Deep dive into BSIMM part 9 – Code Review
In our series on built-in measurable security and BSIMM we have now come to Code Review (kodegjennomgang in Norwegian). The main goal of the «Code Review» practice is quality control. Those who perform code review must ensure that security defects are detected and corrected. The SSG must ensure …
Deep dive into BSIMM part 8 – Architecture Analysis
In our series on built-in measurable security and BSIMM we have now come to Architecture Analysis (arkitekturanalyse in Norwegian). The main goal of the Architecture Analysis practice is quality control. Those who perform architecture analysis must ensure that structural security defects are detected and corrected. Software architects must ensure …