
Publications




%2019%
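@inproceedings{conf/sac2019/nguyen,
  author    = {Nguyen, H. V. and Lo Iacono, L. and Federrath, H.},
  title     = {Mind the Cache: Large-Scale Analysis of {Web} Caching},
  booktitle = {34th {ACM/SIGAPP} Symposium on Applied Computing ({SAC})},
  year      = {2019},
  doi       = {10.1145/3297280.3297526},
  url       = {https://doi.org/10.1145/3297280.3297526},
  abstract  = {Modern software applications are widely interconnected systems mostly built on web technologies as foundation. Caching is an integral layer of such systems and thus needs to be carefully considered in development and operations. First reported incidents with caches leaking sensitive information emphasize the possible consequences of getting them and their dependencies with the whole system wrong and that those side effects are not solely related to performance.

In this paper we argue that proper testing tools are required to enable the diverse stakeholders in carefully acting with shared caches including proxies and CDNs. As such tools are currently lacking in many respects, we propose a cache testing environment which allows to analyze shared caches of any kind. Our developed shared web cache testing tool includes 397 test cases and a simple specification language that allows to easily extend the base test suite. With this testing tool, we analyzed seven distinct shared caching systems. We found that they do behave different in many respect, not always conforming with the respective standardization. Some observed peculiarities do even have the potential for future incidents and they remain unnoticed by system integrators and administrators without proper tooling. Developers of caching components and researchers can benefit from our tool too, as they can systematically investigate caching properties of interest.},
}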

%2018%

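@inproceedings{conf/haisa2018/gorski,
  author    = {Gorski, P. L. and Lo Iacono, L. and Wiefling, S. and M{\"o}ller, S.},
  title     = {Warn if Secure or How to Deal with Security by Default in Software Development?},
  booktitle = {12th International Symposium on Human Aspects of Information Security and Assurance ({HAISA})},
  year      = {2018},
  url       = {http://www.haisa.org/},
  abstract  = {Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to encounter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question on their usability for developers arises.

In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as security default in a web framework. When deployed correctly, CSP is a valid protection mean in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as security default. Our results emphasize that the deployment as security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.},
}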


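@inproceedings{conf/soups2018/gorski,
  author    = {Gorski, P. L. and Lo Iacono, L. and Wermke, D. and Stransky, C. and M{\"o}ller, S. and Acar, Y. and Fahl, S.},
  title     = {Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic {API} Misuse},
  booktitle = {14th Symposium on Usable Privacy and Security ({SOUPS})},
  year      = {2018},
  pages     = {265--281},
  publisher = {{USENIX} Association},
  url       = {https://www.usenix.org/conference/soups2018/presentation/gorski},
  abstract  = {Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e.g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code.

To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code.

We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.},
}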

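@inproceedings{conf/webstudies2018/nguyen,
  author    = {Nguyen, H. V. and Lo Iacono, L. and Federrath, H.},
  title     = {Systematic Analysis of {Web} Browser Caches},
  booktitle = {2nd International Conference on {Web} Studies ({WS})},
  year      = {2018},
  doi       = {10.1145/3240431.3240443},
  url       = {https://doi.org/10.1145/3240431.3240443},
  note      = {To appear},
  abstract  = {The caching of frequently requested web resources is an integral part of the web ever since. Cacheability is the main pillar for the web's scalability and an important mechanism for optimizing resource consumption and performance. Caches exist in many variations and locations on the path between web client and server with the browser cache being ubiquitous to date. Web developers need to have a profound understanding of the concepts and policies of web caching even when exploiting these advantages is not relevant. Neglecting web caching may otherwise result in more serve consequences than the simple loss of scalability and efficiency. Recent misuse of web caching systems shows to affect the application's behavior as well as privacy and security.

In this paper we introduce a tool-based approach to disburden web developers while keeping them informed about caching influences. Our first contribution is a structured test suite containing 397 web caching test cases. In order to make this collection easily adoptable we introduce an automated testing tool for executing the test cases against web browsers. Based on the developed testing tool we conduct a systematic analysis on the behavior of web browser caches and their compliance with relevant caching standards. Our findings on desktop and mobile versions of Chrome, Firefox, Safari and Edge show many diversities as well as discrepancies. Appropriate tooling supports web developers in uncovering such adversities. As our baseline of test cases is specified using a specification language that enables extensibility, developers as well as administrators and researchers can systematically add and empirically explore caching properties of interest even in non-browser scenarios.},
}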

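@inproceedings{conference/eccws2018/gruschka,
  author    = {Gruschka, N. and Lo Iacono, L. and Tolsdorf, J.},
  title     = {Classification of {Android} App Permissions},
  booktitle = {17th European Conference on Cyber Warfare and Security},
  year      = {2018},
  month     = jun,
  url       = {https://www.researchgate.net/publication/326040506_Classification_of_Android_App_Permissions},
  abstract  = {Malicious apps are a severe attack vector on smartphones. A
  common defence mechanism to prevent them is the permission system found in
  mobile operating systems. Still, the effectiveness of such permission systems
  relies heavily on the users' ability to judge the risk associated with a
  certain app and its demanded set of privileges. Failing or ignoring this may
  result in serious consequences. This paper analyses 500,000 Android apps and
  the privileges they request. By adopting machine learning algorithms, clusters
  of permission profiles are identified in the available Google Play store
  categories. Results from the analysis are used to support users and developers
  to rate the risk accompanying a certain app's permission profile.},
}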

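@article{journals/waset138/santanoguillen,
  author   = {Santano Guill{\'e}n, S. and Lo Iacono, L. and Meder, C.},
  title    = {Affective Robots: Evaluation of Automatic Emotion Recognition Approaches on a Humanoid Robot towards Emotionally Intelligent Machines},
  journal  = {World Academy of Science, Engineering and Technology -- International Journal of Mechanical and Mechatronics Engineering},
  year     = {2018},
  month    = jun,
  volume   = {12},
  pages    = {552--560},
  url      = {http://waset.org/publications/10009027},
  abstract = {One of the main aims of current social robotic research is to improve the robots' abilities to interact with humans. In order to achieve an interaction similar to that among humans, robots should be able to communicate in an intuitive and natural way and appropriately interpret human affects during social interactions. Similarly to how humans are able to recognize emotions in other humans, machines are capable of extracting information from the various ways humans convey emotions-including facial expression, speech, gesture or text-and using this information for improved human computer interaction. This can be described as Affective Computing, an interdisciplinary field that expands into otherwise unrelated fields like psychology and cognitive science and involves the research and development of systems that can recognize and interpret human affects. To leverage these emotional capabilities by embedding them in humanoid robots is the foundation of the concept Affective Robots, which has the objective of making robots capable of sensing the user's current mood and personality traits and adapt their behavior in the most appropriate manner based on that. In this paper, the emotion recognition capabilities of the humanoid robot Pepper are experimentally explored, based on the facial expressions for the so-called basic emotions, as well as how it performs in contrast to other state-of-the-art approaches with both expression databases compiled in academic environments and real subjects showing posed expressions as well as spontaneous emotional reactions. The experiments' results show that the detection accuracy amongst the evaluated approaches differs substantially. The introduced experiments offer a general structure and approach for conducting such experimental evaluations. The paper further suggests that the most meaningful results are obtained by conducting experiments with real subjects expressing the emotions as spontaneous reactions.},
}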

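@book{book/hanser2018/LoIacono,
  author    = {Lo Iacono, L. and Wiefling, S. and Schneider, M.},
  title     = {{Programmieren trainieren - Mit über 120 Workouts in Java und Python}},
  publisher = {Carl Hanser Verlag GmbH \& Co. KG},
  year      = {2018},
  isbn      = {9783446454866},
  url       = {http://www.hanser-fachbuch.de/buch/Programmieren+trainieren/9783446454866},
  abstract  = {In diesem Übungsbuch trainierst du anhand von kurzweiligen und praxisnahen Aufgaben deine Programmierfähigkeiten. Jedes Kapitel beginnt mit einem kurzen Warmup zum behandelten Programmierkonzept; die Umsetzung übst du dann anhand von zahlreichen Workout-Aufgaben. Du startest mit einfachen Aufgaben und steigerst dich hin zu komplexeren Fragestellungen. Damit dir nicht langweilig wird, gibt es über 120 praxisnahe Übungen. So lernst du z. B. einen BMI-Rechner oder einen PIN-Generator zu programmieren oder wie du eine Zeitangabe mit einer analogen Uhr anzeigen kannst.

Solltest du mal nicht selbstständig vorankommen, dann werden dir in jedem Workout Lösungshinweise als Hilfestellung angeboten. Die kommentierten Lösungen liegen in den Programmiersprachen Java und Python vor. Für ein möglichst ballastfreies Training wird für die elementaren Programmierkonzepte die Entwicklungsumgebung Processing eingesetzt. Die Installation und Verwendung der Tools sind im Buch beschrieben.},
}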

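@inproceedings{conference/gisicherheit2018/gorski,
  author    = {Gorski, P. L.},
  title     = {{Usability von Security-APIs für massiv-skalierbare vernetzte Service-orientierte Systeme}},
  booktitle = {Doctoral Forum -- Fachbereichs Sicherheit -- Schutz und Zuverlässigkeit der Gesellschaft für Informatik e.V. ({SICHERHEIT})},
  year      = {2018},
  url       = {https://sicherheit2018.in.htwg-konstanz.de/programm/},
  note      = {To appear},
  abstract  = {Kontemporäre Service-orientierte Systeme sind hochgradig vernetzt und haben zudem die Eigenschaft massiv-skalierbar zu sein. Diese Charakteristiken stellen im besonderen Maße Anforderungen an die Datensicherheit der Anwender solcher Systeme und damit primär an alle Stakeholder der Softwareentwicklung, die in der Verantwortung sind, passgenaue Sicherheitsmechanismen effektiv in die Softwareprodukte zu bringen. Die Effektivität von Sicherheitsarchitekturen in service-orientierten Systemen hängt maßgeblich von der richtigen Nutzung und Integration von Security-APIs durch eine heterogene Gruppe von Softwareentwicklern ab, bei der nicht per se ein fundiertes Hintergrundwissen über komplexe digitale Sicherheitsmechanismen vorausgesetzt werden kann. Die Diskrepanz zwischen komplexen und in der Anwendung fehleranfälligen APIs und einem fehlenden Verständnis für die zugrundeliegenden Sicherheitskonzepte auf Seiten der Nutzer begünstigt in der Praxis unsichere Softwaresysteme. Aus diesem Grund ist die Gebrauchstauglichkeit von Security-APIs besonders relevant, damit Programmierer den benötigten Funktionsumfang effektiv, effizient und zufriedenstellend verwenden können. Abgeleitet von dieser Problemstellung, konzentriert sich das Dissertationsvorhaben auf die gebrauchstaugliche Ausgestaltung von Security-APIs und den Herausforderungen die sich aus den Methoden zur Evaluation der Usability in typischen Umgebungen der Softwareentwicklung ergeben.},
}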

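@inproceedings{conference/eurousec2018/loiacono,
  author    = {Lo Iacono, L. and Smith, M. and von Zezschwitz, E. and Gorski, P. L. and Nehren, P.},
  title     = {Consolidating Principles and Patterns for Human-centred Usable Security Research and Development},
  booktitle = {European Workshop on Usable Security ({EuroUSEC})},
  year      = {2018},
  url       = {https://eusec.cs.umd.edu/},
  note      = {To appear},
  abstract  = {We present an evaluation of usable security principles and patterns to facilitate the transfer of existing knowledge to researchers and practitioners. Based on a literature review we extracted 23 common usable security principles and 47 usable security patterns and identified their interconnection. The results indicate that current research tends to focus on only a subset of important principles. The fact that some principles are not yet addressed by any design patterns suggests that further work on refining these patterns is needed. We developed an online repository, which stores the harmonized principles and patterns. The tool enables users to search for relevant patterns and explore them in an interactive and programmatic manner. We argue that both the insights presented in this paper and the repository will be highly valuable for students for getting a good overview, practitioners for implementing usable security and researchers for identifying areas of future research.},
}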


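@incollection{Iacono2018,
  author    = {Lo Iacono, L. and Smith, M.},
  editor    = {Reuter, Christian},
  title     = {{Werkzeuge f{\"u}r Usable (Cyber-)Security}},
  booktitle = {Sicherheitskritische Mensch-Computer-Interaktion: Interaktive Technologien und Soziale Medien im Krisen- und Sicherheitsmanagement},
  publisher = {Springer Fachmedien Wiesbaden},
  address   = {Wiesbaden},
  year      = {2018},
  pages     = {99--118},
  isbn      = {978-3-658-19523-6},
  doi       = {10.1007/978-3-658-19523-6_6},
  url       = {https://doi.org/10.1007/978-3-658-19523-6_6},
  abstract  = {Vernetzte Systeme, Produkte und Dienstleistungen m{\"u}ssen mit Sicherheitsfunktionen ausgestattet sein, die sowohl f{\"u}r Fachanwender als auch f{\"u}r Gelegenheitsnutzer und Laien verst{\"a}ndlich und benutzbar sind. Der Umgang mit diesen Systemen, Produkten und Dienstleistungen kann sich ansonsten schnell als Risiko entpuppen, etwa wenn Sicherheitsmechanismen aufgrund mangelnder Usability von den Nutzern falsch oder {\"u}berhaupt nicht bedient werden. Der Begriff „Usable (Cyber-)Security`` bezeichnet ein Qualit{\"a}tsmerkmal beziehungsweise einen Entwicklungsansatz f{\"u}r Sicherheitsfunktionen in Software von digitalen Erzeugnissen, in dessen Zentrum der Nutzer steht. Dieses Kapitel zeigt auf, wie die Entwicklung von Cybersecurity-Mechanismen auf Grundlage von spezifischen Werkzeugen f{\"u}r Usable Security hinsichtlich ihrer Gebrauchstauglichkeit unterst{\"u}tzt werden kann. Konkret werden als Werkzeuge Usable Security Principles, Guidelines und Patterns eingef{\"u}hrt und verf{\"u}gbare Repositories vorgestellt sowie deren Anwendung an einem Fallbeispiel veranschaulicht.},
}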

%2017%

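@inproceedings{conference/ESEC/FSE2017/harms,
  author    = {Harms, H. and Rogowski, C. and Lo Iacono, L.},
  title     = {Guidelines for Adopting Frontend Architectures and Patterns in Microservices-based Systems},
  booktitle = {11th European Software Engineering Conference and the {ACM} {SIGSOFT} Symposium on the Foundations of Software Engineering ({ESEC/FSE})},
  year      = {2017},
  isbn      = {978-1-4503-5105-8},
  doi       = {10.1145/3106237.3117775},
  url       = {http://doi.acm.org/10.1145/3106237.3117775},
  abstract  = {Microservice-based systems enable the independent development, deployment, and scalability for separate system components of enterprise applications. A significant aspect during development is the microservice integration in frontends of web, mobile, and desktop applications. One challenge here is the selection of an adequate frontend architecture as well as suitable patterns that satisfy the application requirements. This paper analyses available strategies for organizing and implementing microservices frontends. These approaches are then evaluated based on a quality model and various prototypes of the same application implemented using the distinct approaches. The results of this analysis are generalized to a guideline that supports the selection of a suitable architecture.},
}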
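@inproceedings{conference/trustbus2017/nguyen,
  author    = {Nguyen, H. V. and Tolsdorf, J. and Lo Iacono, L.},
  title     = {On the Security Expressiveness of {REST}-Based {API} Definition Languages},
  booktitle = {International Conference on Trust and Privacy in Digital Business ({TrustBus})},
  year      = {2017},
  doi       = {10.1007/978-3-319-64483-7_14},
  url       = {https://doi.org/10.1007/978-3-319-64483-7_14},
  abstract  = {Modern software is inherently distributed. Applications are decomposed into functional components of which most are provided by third parties usually deployed as software services scattered around the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized specification of the service’s functionalities is required. Apart from functional aspects, such an interface definition language needs to offer expressions for specifying important non-functional facets in addition, such as security. With WSDL and WS-Security such a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services such standards are, however, missing. To overcome these shortcomings, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.},
}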

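@inproceedings{conference/trustbus2017/lo_iacono,
  author    = {Lo Iacono, L. and Gruschka, N. and Nehren, P.},
  title     = {Mobile Personal Identity Provider Based on {OpenID Connect}},
  booktitle = {International Conference on Trust and Privacy in Digital Business ({TrustBus})},
  year      = {2017},
  doi       = {10.1007/978-3-319-64483-7_2},
  url       = {https://link.springer.com/chapter/10.1007/978-3-319-64483-7_2},
  abstract  = {In our digital society managing identities and according access credentials is as painful as needed. This is mainly due to the demand for a unique password for each service a user makes use of. Various approaches have been proposed for solving this issue amongst which Identity Provider ({IDP}) based systems gained most traction for Web services. An obvious disadvantage of these {IDPs} is, however, the level of trust a user requires to place into them. After all, an {IDP} stores a lot of sensitive information about its users and is able to impersonate each of them. In the present paper we therefore propose an architecture that enables to operate a personal {IDP} ({PIDP}) on a mobile device owned by the user. To evaluate the properties of our introduced mobile {PIDP} ({MoPIDP}) we analyzed it by means of a prototype. Our {MoPIDP} architecture provides clear advantages in comparison to classical {IDP} approaches in terms of required trust and common threats like phishing and additionally regarding the usability for the end user.},
}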

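@article{journals/dud41.2/Wiefling,
  author   = {Wiefling, S. and Lo Iacono, L. and Sandbrink, F.},
  title    = {{Anwendung der Blockchain außerhalb von Geldwährungen}},
  journal  = {DuD -- Datenschutz und Datensicherheit},
  year     = {2017},
  volume   = {41},
  number   = {8},
  pages    = {482--486},
  doi      = {10.1007/s11623-017-0816-x},
  url      = {https://doi.org/10.1007/s11623-017-0816-x},
  abstract = {Der Beitrag stellt Konzepte und Modelle von Blockchain-Anwendungen außerhalb des Finanzbereichs vor. Die Anwendungsgebiete reichen derzeit vom Schutz persönlicher Daten bis zur Sicherung und Überwachung von Nahrungsmittelproduktionsketten.},
}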


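@inproceedings{conf/soups/Gorski,
  author    = {Lo Iacono, L. and Gorski, P. L.},
  title     = {Poster: {I} Do and {I} Understand. Not Yet True for Security {APIs}. So Sad},
  booktitle = {13th Symposium on Usable Privacy and Security ({SOUPS})},
  year      = {2017},
  url       = {https://www.internetsociety.org/sites/default/files/eurousec2017_15_LoIacono_paper.pdf},
  abstract  = {Usable security puts the users into the center of
  cyber security developments. Software developers are a very
  specific user group in this respect, since their points of contact
  with security are application programming interfaces (APIs). In
  contrast to APIs providing functionalities of other domains than
  security, security APIs are not approachable by habitual means.
  Learning by doing exploration exercises is not well supported.
  Reasons for this range from missing documentation, tutorials and
  examples to lacking tools and impenetrable APIs, that makes this
  complex matter accessible. In this paper we study what abstraction level of security
  APIs is more suitable to meet common developers’ needs and
  expectations. For this purpose, we firstly define the term security
  API. Following this definition, we introduce a classification of
  security APIs according to their abstraction level. We then
  adopted this classification in two studies. In one we gathered
  the current coverage of the distinct classes by the standard set of
  security functionality provided by popular software development
  kits. The other study has been an online questionnaire in which we
  asked 55 software developers about their experiences and opinion
  in respect of integrating security mechanisms into their coding
  projects. Our findings emphasize that the right abstraction level
  of a security API is one important aspect to consider in usable
  security API design that has not been addressed much so far.},
}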

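@book{book/entwickler/schmitt,
  author    = {Schmitt, H. and Nehren, P. and Lo Iacono, L. and Gorski, P. L.},
  title     = {{Usable Security und Privacy by Design}},
  publisher = {Software \& Support Media GmbH, entwickler.press},
  year      = {2017},
  url       = {https://www.usecured.de/UseWP/wp-content/uploads/2017/07/Usable-Security-und-Privacy-by-Design.pdf},
  abstract  = {Forschen, forschen und nochmal forschen: Genau das haben sich Hartmut Schmitt, Peter Nehren, Luigi Lo Iacono und Peter Leo Gorski in diesem shortcut zur Aufgabe gemacht. In fünf Kapiteln stellen sie die Ergebnisse des Forschungsprojekts "USecureD - Usable Security by Design" vor und unterstützen damit Softwareentwickler bei der systematischen Entwicklung von Produkten mit dem Qualitätsmerkmal "Usable Security". Forschen Sie selbst ein wenig mit und lernen Sie alles zu spannenden Anwendungsmöglichkeiten, Werkzeugen, Testplattformen und Entscheidungshilfen.},
}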


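@inproceedings{conf/bsi/Gorski,
  author    = {Gorski, P. L. and Lo Iacono, L. and Schmitt, H. and Nehren, P. and Nguyen, H. V.},
  title     = {{Usable Security by Design: Unterstützung für kleine und mittlere Softwarehersteller in frühen Phasen der Produktentwicklung}},
  booktitle = {15. Deutscher {IT}-Sicherheitskongress},
  year      = {2017},
  url       = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Veranstaltungen/ITSiKongress/15ter/Vortraege_18-05-2017/HartmutSchmitt.pdf?__blob=publicationFile&v=2},
  abstract  = {Damit IT-gestützte Produkte und Systeme vor unbefugter oder missbräuchlicher Nutzung wirksam geschützt sind, müssen sie mit Sicherheitsfunktionen ausgestattet sein, die benutzerfreundlich sind. Hierfür sind seitens der Entwickler sowohl Security- als auch Usability-Kenntnisse erforderlich. Da insbesondere Entwickler in kleinen und mittleren Unternehmen (KMU) oft nicht über tiefer gehende Kenntnisse in beiden Bereichen verfügen, bedürfen sie einer Unterstützung, z. B. in Form geeigneter Methoden und Werkzeuge. In diesem Beitrag werden ein Lösungsweg und eine Werkzeugsammlung vorgestellt, die Entwicklern in KMU dabei helfen, auf systematische Weise digitale Produkte und Systeme mit dem Qualitätsmerkmal Usable Security herzustellen.},
}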

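@inproceedings{conf/eurousec/Gorski,
  author    = {Lo Iacono, L. and Gorski, P. L.},
  title     = {{I} Do and {I} Understand. Not Yet True for Security {APIs}. So Sad},
  booktitle = {2nd European Workshop on Usable Security ({EuroUSEC})},
  year      = {2017},
  url       = {https://www.internetsociety.org/sites/default/files/eurousec2017_15_LoIacono_paper.pdf},
  abstract  = {Usable security puts the users into the center of
  cyber security developments. Software developers are a very
  specific user group in this respect, since their points of contact
  with security are application programming interfaces (APIs). In
  contrast to APIs providing functionalities of other domains than
  security, security APIs are not approachable by habitual means.
  Learning by doing exploration exercises is not well supported.
  Reasons for this range from missing documentation, tutorials and
  examples to lacking tools and impenetrable APIs, that makes this
  complex matter accessible. In this paper we study what abstraction level of security
  APIs is more suitable to meet common developers’ needs and
  expectations. For this purpose, we firstly define the term security
  API. Following this definition, we introduce a classification of
  security APIs according to their abstraction level. We then
  adopted this classification in two studies. In one we gathered
  the current coverage of the distinct classes by the standard set of
  security functionality provided by popular software development
  kits. The other study has been an online questionnaire in which we
  asked 55 software developers about their experiences and opinion
  in respect of integrating security mechanisms into their coding
  projects. Our findings emphasize that the right abstraction level
  of a security API is one important aspect to consider in usable
  security API design that has not been addressed much so far.},
}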

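@article{journals/md/schmitt,
  author   = {Schmitt, H. and Gorski, P. L. and Lo Iacono, L.},
  title    = {{Usable Security – Benutzerfreundliche Sicherheitsfunktionen für Software und interaktive Produkte}},
  journal  = {Mittelstand-Digital -- Wissenschaft trifft Praxis},
  year     = {2017},
  volume   = {6},
  pages    = {5--13},
  url      = {https://www.mittelstand-digital.de/MD/Redaktion/DE/PDF/wissenschaft-trifft-praxis-ausgabe6,property=pdf,bereich=md,sprache=de,rwb=true.pdf},
  abstract = {Sowohl im geschäftlichen wie im privaten Umfeld müssen Software, Apps und vernetzte Technikprodukte
  mit Sicherheitsfunktionen ausgestattet sein, die auch für Laien und Gelegenheitsnutzer verständlich und
  benutzbar sind. Im Umgang mit sensiblen Daten können sich diese Produkte ansonsten schnell als Risiko
  entpuppen, etwa wenn Sicherheitsmechanismen aufgrund mangelnder Usability von den Nutzern falsch
  oder überhaupt nicht bedient werden. Der Begriff „Usable Security“ bezeichnet ein Qualitätsmerkmal bzw.
  einen Entwicklungsansatz für Sicherheitskomponenten von Software und technischen Produkten, in dessen
  Zentrum der Benutzer steht. Dieser Beitrag soll als Einführung in das Thema Usable Security dienen und
  zugleich für die Probleme bei der Entwicklung gebrauchstauglicher Sicherheitsfunktionen sensibilisieren. Er
  ist Teil einer Serie von insgesamt drei Artikeln. Die folgenden zwei Beiträge vertiefen spezifische Themen im
  Kontext der Entwicklung von Sicherheitsfunktionen auf Grundlage von Musterlösungen (Patterns) und der
  Ausgestaltung von Warnhinweisen.},
}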

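@article{journals/md/nehren,
  author   = {Nehren, P. and Schmitt, H. and Lo Iacono, L.},
  title    = {{Usable Security – Werkzeuge für Entwickler}},
  journal  = {Mittelstand-Digital -- Wissenschaft trifft Praxis},
  year     = {2017},
  volume   = {6},
  pages    = {14--20},
  url      = {https://www.mittelstand-digital.de/MD/Redaktion/DE/PDF/wissenschaft-trifft-praxis-ausgabe6,property=pdf,bereich=md,sprache=de,rwb=true.pdf},
  abstract = {Wie im Artikel „Usable Security – benutzerfreundliche
  Sicherheitsfunktionen für Software und interaktive
  Produkte“ in diesem Heft bereits herausgestellt
  wurde, gibt es einen hohen Bedarf an gebrauchstauglichen
  Sicherheitskomponenten in der Softwarebranche.
  Dies bedeutet für Softwarearchitekten
  und Programmierer, dass sie das neue Qualitätsmerkmal
  Usable Security vermehrt berücksichtigen
  und umsetzen müssen. Seit Mai 2015 werden
  daher im Rahmen des Projekts USecureD („Usable
  Security by Design“, siehe Kasten in Schmitt et al.
  (2016)) Methoden und Werkzeuge für Softwareentwickler
  entworfen und umgesetzt, die bei der Entwicklung
  von digitalen Artefakten mit dem Qualitätsmerkmal
  Usable Security unterstützen.},
}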

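@article{journals/md/gorski,
  author   = {Gorski, P. L. and Lo Iacono, L.},
  title    = {{Computer-Sicherheitswarnungen – Benutzerzentrierte Entwurfsansätze der Usable Security-Forschung}},
  journal  = {Mittelstand-Digital -- Wissenschaft trifft Praxis},
  year     = {2017},
  volume   = {6},
  pages    = {21--29},
  url      = {https://www.mittelstand-digital.de/MD/Redaktion/DE/PDF/wissenschaft-trifft-praxis-ausgabe6,property=pdf,bereich=md,sprache=de,rwb=true.pdf},
  abstract = {Der dritte und letzte Teil der Artikel-Serie in dieser Ausgabe zum Thema Usable Security zeigt exemplarisch,
  wie Softwareentwickler mit den im Rahmen des USecureD-Projekts entwickelten Werkzeugen arbeiten
  können. Der Beitrag konzentriert sich dabei auf Prinzipien, Richtlinien und Patterns, die bei der Ausgestaltung
  gebrauchstauglicher Computer-Sicherheitswarnungen berücksichtigt werden sollten. Anhand dieser
  sehr ubiquitären Bestandteile eines jeden digitalen Produkts kann anschaulich gezeigt werden, wie aktuelle
  wissenschaftliche Erkenntnisse auf dem Gebiet der Usable Security praxisnah für Softwarearchitekturen
  und Programmierer verfügbar und anwendbar gemacht werden können.},
}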

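@article{journals/dud41.2/Nguyen,
  author   = {H. V. Nguyen and L. {Lo Iacono}},
  title    = {{Sicherheit für REST-basierte Systeme}},
  journal  = {{DuD - Datenschutz und Datensicherheit}},
  year     = {2017},
  volume   = {41},
  number   = {2},
  pages    = {99--103},
  doi      = {10.1007/s11623-017-0736-9},
  url      = {https://doi.org/10.1007/s11623-017-0736-9},
  abstract = {{Der dem Web zugrunde liegende Architekturstil REST gilt als einer der bedeutendsten Leitfäden für den Entwurf großer, verteilter Anwendungssysteme. Die existierenden Ansätze für die Sicherheit von REST-basierten Anwendungen sind jedoch nur für bestimmte REST-basierte Technologien wie HTTP oder CoAP konzipiert. Um Sicherheitskonzepte für alle derzeitigen und zukünftigen REST-basierten Systeme zu gewährleisten, sind jedoch universelle und Technologie unabhängige Ansätze notwendig. Dieser Beitrag stellt einen Ansatz vor, wie allgemeingültige Sicherheitskonzepte für REST entwickelt werden können, die sich auf dem gleichem Abstraktionsniveau befinden wie der Architekturstil selbst.}}
}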

%2016%
@article{journals/JISA.SI.2016/LoIacono,
  author   = {L. {Lo Iacono} and P. L. Gorski and J. Grosse and N. Gruschka},
  title    = {{Signalling over-privileged mobile applications using passive security indicators}},
  journal  = {Journal of Information Security and Applications (JISA)},
  year     = {2016},
  doi      = {10.1016/j.jisa.2016.11.006},
  url      = {http://dx.doi.org/10.1016/j.jisa.2016.11.006},
  abstract = {{As mobile devices have evolved from simple phones to rich computing systems, the data stored on these multi-taskers have consequently become more sensitive and private. Due to this, modern mobile operating systems include sophisticated permission systems for restricting the access to this device for the mobile applications. However, many applications acquire more permissions than required. These over-privileged applications can affect data security and user privacy. All application permissions are indicated to the user, but these notifications have been shown to be ignored or not understood. Thus, other mechanisms need to be improved.

This paper presents design approaches to communicate the degree of over-privilege in mobile applications. It uses an additional rating system in application stores to inform users before making the decision of installing a specific application. The approaches have been evaluated in a usability study based on distinct prototype Android application stores. The findings show that passive security indicators can be applied to influence the decision-making process of users before downloading and installing an application.}}
}


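@incollection{bookchapters/mss/nguyen,
  author    = {H. V. Nguyen and L. {Lo Iacono}},
  title     = {{RESTful IoT Authentication Protocols}},
  booktitle = {{Mobile Security and Privacy - Advances, Challenges and Future Research Directions}},
  series    = {{Advanced Topics in Information Security}},
  edition   = {1},
  publisher = {{Elsevier/Syngress}},
  year      = {2016},
  pages     = {217--234},
  doi       = {10.1016/B978-0-12-804629-6.00010-9},
  url       = {http://dx.doi.org/10.1016/B978-0-12-804629-6.00010-9},
  abstract  = {{Future IT visions, including smart city, smart building, smart home, smart mobility, and Industry 4.0, are evolving on the foundations of the Internet of Things (IoT). As those systems cover a large number of networked entities, design concepts for developing IoT systems must be highly scalable. One approach to fulfilling this requirement is the architectural style of the web, known as representational state transfer (REST).

Due to its strength in terms of scalability, interoperability, and efficiency, the application of REST has been adopted in further domains including service-oriented architectures and cloud computing.

Consequently, REST is gaining traction as an approved concept for implementing IoT systems on a large scale. Security is another crucial requirement, since IoT applications share sensible information.

This chapter introduces a generic authentication approach for RESTful IoT protocols, which consider scalability and resource-restrictiveness constraints stemming from the architectural style REST and IoT environments.}}
}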


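@article{journals/icom16.2/LoIacono,
  author   = {L. {Lo Iacono} and H. V. Nguyen and H. Schmitt},
  title    = {{Usable Security - Results from a Field Study}},
  journal  = {i-com - Journal of Interactive Media},
  year     = {2016},
  volume   = {15},
  number   = {2},
  pages    = {203--209},
  doi      = {10.1515/icom-2016-0026},
  url      = {https://www.degruyter.com/view/j/icom.2016.15.issue-2/icom-2016-0026/icom-2016-0026.xml?format=INT},
  abstract = {{Security has evolved into an essential quality factor of software systems. However, security features
in software applications are often time-consuming, error-prone and too complicated for common users. This is mainly
due to a limited consideration and integration of usability. As a consequence, users either circumvent security
features or do not utilize them at all. Usable security is an advanced quality topic and an important research area
of software systems. This area combines usability and security with the objective of making the use of security
features in software effective, efficient and satisfying. In order to meet this challenge, the research project
USecureD aims at supporting small and medium-sized enterprises (SMEs) in facilitating the selection and
incorporation of usable security by developing, evaluating and collecting principles, guidelines, patterns and tools
for merging usability and security engineering. During the initiation phase of the USecureD project, an online study
(N = 118) in conjunction with 10 interviews and 2 workshops have been conducted in order to identify the relevance
and requirements of usability, security and usable security with a specific focus on SMEs. The obtained results are
presented and derived implications are discussed in this paper.}}
}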

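@article{journals/dud40.8/Jaritz,
  author   = {A. Jaritz and L. {Lo Iacono}},
  title    = {{Untersuchung des Datenverkehrs aktueller Smart-TVs}},
  journal  = {{DuD - Datenschutz und Datensicherheit}},
  year     = {2016},
  volume   = {40},
  number   = {8},
  pages    = {511--518},
  doi      = {10.1007/s11623-016-0648-0},
  url      = {https://doi.org/10.1007/s11623-016-0648-0},
  abstract = {{Das Internet der Dinge (IoT) bezeichnet die Anbindung von Gegenständen des alltäglichen Gebrauchs an
das Internet. Der Fernseher ist als Smart-TV bereits Teil des Internets. Einige Untersuchungen haben hier in
jüngster Vergangenheit deutliche Missstände in Bezug auf Datenschutz und Datensicherheit aufgezeigt. Der Beitrag
fasst die Ergebnisse einer aktuellen, umfangreichen Untersuchung von fünf Smart-TVs zusammen.}}
}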

@inproceedings{conf/haisa2016/Gorski,
  author    = {P. L. Gorski and L. {Lo Iacono}},
  title     = {{Towards the Usability Evaluation of Security APIs}},
  booktitle = {{10th International Symposium on Human Aspects of Information Security and Assurance (HAISA)}},
  year      = {2016},
  url       = {http://www.cscan.org/openaccess/?paperid=287},
  abstract  = {{Application Programming Interfaces (APIs) are a vital link between software components as
well as between software and developers. Security APIs deliver crucial functionalities for
programmers who see themselves in the increasing need for integrating security services into
their software products. The ignorant or incorrect use of Security APIs leads to critical security
flaws, as has been revealed by recent security studies. One major reason for this is rooted in
usability issues. API Usability research has been deriving recommendations for designing
usable APIs in general. Facing the growing relevance of Security APIs, the question arises,
whether the observed usability aspects in the general space are already sufficient enough for
building usable Security APIs. The currently available findings in the API Usability domain
are selective fragments only, though. This still emerging field has not produced a
comprehensive model yet. As a consequence, a first contribution of this paper is such a model
that provides a consolidated view on the current research coverage of API Usability. On this
baseline, the paper continues by conducting an analysis of relevant security studies, which
give insights on usability problems developers had, when using Security APIs. This analysis
leads to a proposal of eleven specific usability characteristics relevant for Security APIs.
These have to be followed up by usability studies in order to evaluate how Security APIs need
to be designed in a usable way and which potential trade-offs have to be balanced.}}
}

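@article{journals/entwickler4.16/Schmitt,
  author   = {H. Schmitt and P. Nehren},
  title    = {{Usable Security and Privacy by Design - Teil 2: Anwendungsfälle und Musterlösungen für Unternehmenssoftware}},
  journal  = {{Entwickler Magazin}},
  volume   = {4.16},
  year     = {2016},
  url      = {https://entwickler.de/entwickler-magazin/entwickler-magazin-4-16-246341.html},
  note     = {Leseprobe: https://entwickler.de/leseproben/usable-security-privacy-by-design-247713.html},
  abstract = {{Gerade im Bereich betrieblicher Anwendungssoftware gibt es einen großen Nachholbedarf, was die Gebrauchstauglichkeit von Schutzmechanismen und Sicherheitsfunktionen angeht. Mangelnde Usability ist in diesem Fall kein Schönheitsfehler. Sie kann, wenn Sicherheitsfunktionen nicht richtig bedient werden und dadurch der Schutz sensibler Daten versagt, drastische Folgen für die Unternehmen haben. Um das Problem einzugrenzen, lohnt es sich, zu schauen, welche Anwendungsfälle konkret betroffen sind und vor allem, welche Musterlösungen geeignet sind, um Abhilfe zu schaffen und Anwenderunternehmen einen effektiven Schutz zu gewährleisten.}}
}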

@inproceedings{conf/webist2016/skutnik,
  author    = {M. Skutnik and L. {Lo Iacono}},
  title     = {{Methods of Data Processing and Communication for a Web-based Wind Flow Visualizations}},
  booktitle = {{12th International Conference on Web Information Systems and Technologies (WEBIST)}},
  year      = {2016},
  url       = {https://doi.org/10.5220/0005846800320041},
  abstract  = {{This paper presents methods for the reduction and compression of meteorological data for web-based wind flow visualizations, which are tailored to the flow visualization technique. Flow data sets represent a large amount of data and are therefore not well suited for mobile networks with low data throughput rates and high latency. Using the mechanisms introduced in this paper, an efficient transfer of thinned out and compressed data can be achieved, while keeping the accuracy of the visualized information almost at the same quality level as for the original data.}}
}

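@inproceedings{conf/webist2016/LoIacono,
  author    = {L. {Lo Iacono} and S. Santano Guillén},
  title     = {{Adaptive Push-based Media Streaming in the Web}},
  booktitle = {{12th International Conference on Web Information Systems and Technologies (WEBIST)}},
  year      = {2016},
  doi       = {10.5220/0005813501210129},
  url       = {https://doi.org/10.5220/0005813501210129},
  abstract  = {{Online media consumption is the main driving force for the recent growth of the Web. As especially realtime media is becoming more and more accessible from a wide range of devices, with contrasting screen resolutions, processing resources and network connectivity, a necessary requirement is providing users with a seamless multimedia experience at the best possible quality, henceforth being able to adapt to the specific device and network conditions. This paper introduces a novel approach for adaptive media streaming in the Web. Despite the pervasive pull-based designs based on HTTP, this paper builds upon a Web-native push-based approach by which both the communication and processing overheads are reduced significantly in comparison to the pull-based counterparts. In order to maintain these properties when enhancing the scheme by adaptation features, a server-side monitoring and control needs to be developed as a consequence. Such an adaptive push-based media streaming approach is introduced as main contribution of this work. Moreover, the obtained evaluation results provide the evidence that with an adaptive push-based media delivery, on the one hand, an equivalent quality of experience can be provided at lower costs than by adopting pull-based media streaming. On the other hand, an improved responsiveness in switching between quality levels can be obtained at no extra costs.}}
}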

%2015
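@article{journal/entwickler6.15/Gorski,
  author   = {P. L. Gorski and L. {Lo Iacono} and H. Schmitt},
  title    = {{Usable Security und Privacy by Design - Teil 1: Benutzerzentrierte Entwicklung von Sicherheitsfunktionen}},
  journal  = {{Entwickler Magazin}},
  volume   = {6.15},
  year     = {2015},
  url      = {https://entwickler.de/entwickler-magazin/entwickler-magazin-6-15-135575.html},
  abstract = {Der Begriff „Usable Security and Privacy by Design“ bezeichnet Methoden und Verfahrensweisen in der Entwicklung von Software und technischen Produkten, bei denen der Benutzer im Mittelpunkt der Entwicklung von Sicherheits- bzw. Datenschutzkomponenten steht. „Benutzer“ meint in diesem Zusammenhang nicht nur den Anwender der Software, sondern auch deren Entwickler. Letzterem kommt dabei eine besondere Bedeutung zu. Denn die komplexen Sicherheits- und Datenschutzsachverhalte müssen in verständlicher Art und Weise in Methoden, Werkzeugen, APIs, Bibliotheken und Frameworks integriert sein, damit nicht funktionale Anforderungen wie Sicherheit korrekt umgesetzt werden können – korrekt im Sinne der effektiven Implementierung der Sicherheitsmechanismen, aber auch der Benutzbarkeit durch den Zielanwender. Der erste Teil einer Artikelserie zum Thema „Usable Security“ dient als Einführung in die Thematik. Er soll insbesondere für Softwareentwickler einen Überblick bieten und für die Probleme bei der Entwicklung gebrauchstauglicher Sicherheitsfunktionen sensibilisieren.}
}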

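@inproceedings{conf/siot2015/Nguyen,
  author    = {H. V. Nguyen and L. {Lo Iacono}},
  title     = {{REST-ful CoAP Message Authentication}},
  booktitle = {{International Workshop on Secure Internet of Things (SIoT), in conjunction with the European Symposium on Research in Computer Security (ESORICS)}},
  year      = {2015},
  date      = {2015-09-21},
  doi       = {10.1109/SIOT.2015.8},
  url       = {https://dx.doi.org/10.1109/SIOT.2015.8},
  abstract  = {One core technology for implementing and integrating the architectural principles of REST into the Internet of Things (IoT) is CoAP, a REST-ful application protocol for constrained networks and devices. Since CoAP defaults to UDP as transport protocol, the protection of CoAP-based systems is realised by the adoption of DTLS, a transport-oriented security protocol for datagrams. This is, however, in many cases not a sufficient safeguard, since messages in distributed systems---as obtained, e.g., by the adoption of REST---are commonly transported via multiple intermediate components. This induces the need for message-oriented protection means supplementing transport security for IoT scenarios with high security demands.

This paper approaches an important part of this requirement by introducing a REST-ful CoAP message authentication scheme. The overarching goal of this work is, though, to establish a message-oriented security layer for CoAP. Here, specific challenges are stemming from the architectural style REST and the resource-restrictiveness of IoT networks and devices. The present contribution reaches this goal for authentication by proposing a REST-ful CoAP message signature generation and verification scheme.}
}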

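@inproceedings{conf/wsp2015/Boerger,
  author    = {W. Boerger and L. {Lo Iacono}},
  title     = {{User Perception and Response to Computer Security Warnings}},
  booktitle = {{Workshop on Usable Security and Privacy, in conjunction with Mensch und Computer}},
  year      = {2015},
  doi       = {10.1515/9783110443905-087},
  url       = {https://doi.org/10.1515/9783110443905-087},
  abstract  = {{This paper gives necessary foundations to understand the mechanism of warning processing and
summarizes the state of the art in warning development. That includes a description of tools,
researchers use to work in this scientific field. In detail these are models that describes the human way
of processing warnings and mental models. Both are presented detailed with relevant examples. The
paper tells how these tools are connected and how they are used to improve the effectiveness of
warnings.}}
}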

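@inproceedings{conf/froscon2015/Nguyen2015,
  author       = {H. V. Nguyen},
  title        = {{WebSocket - WS$^2$ 2.0}},
  booktitle    = {{Free and Open Source Software Conference (FrOSCon)}},
  organization = {Free and Open Source Software Conference (FrOSCon)},
  year         = {2015},
  note         = {Workshop},
  url          = {https://programm.froscon.de/2015/events/1543.html},
  abstract     = {Das Websocket-Protokoll hat sich derzeit zu einer wichtigen Technologie für die Entwicklung moderner Webanwendungen durchgesetzt. Mit der Möglichkeit eine dauerhafte bidirektionale Verbindung zwischen Client und Server aufzubauen, ergeben sich neue Anwendungsszenarien, die vorher mit dem reinen HTTP nicht realisierbar waren. Die Einsatzgebiete reichen hier von einfachen Chats bis hin zu komplexen Systemen wie das kollaborative Arbeiten an Dokumenten in Echtzeit. Mittlerweile hat sogar der Instant Messaging-Dienst WhatsApp die Vorteile der WebSocket-Technologie für sich entdeckt und erlaubt Benutzern ihre Nachrichten nun auch über den Webbrowser auszutauschen.

Dieser Workshop soll den Teilnehmern zeigen wie sie die oben genannten oder andere Echtzeitwebanwendungen mit der WebSocket-Technologie implementieren können. Nach einer kurzen Einführung wird gezeigt wie es in einfachen Schritten möglich ist, mehr als nur simple Chat-Anwendungen mit den WebSocket-Protokoll zu realisieren. Zudem stellt der Workshop nach Möglichkeit auch die Verwendung von Subprotokollen vor, wodurch auch RPC- sowie Publish and Subscribe-Anwendungen mit WebSockets umgesetzt werden können.}
}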

@inproceedings{conf/ratsp2016/LoIacono,
  author    = {L. {Lo Iacono}},
  title     = {{Partial Data Protection via Structure-Preserving Document Partitioning}},
  booktitle = {{IEEE International Symposium on Recent Advances of Trust, Security and Privacy in Computing and Communications (RATSP), in conjunction with the 14th International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom)}},
  year      = {2015},
  url       = {https://doi.org/10.1109/Trustcom.2015.450},
  abstract  = {The application of cryptographic primitives to structured and semi-structured data in a fine-grained manner is constantly increasing in importance. The encryption and signature of selective parts of a document while retaining the underlying data format characteristics dates back to XML and XML security. The specification of the data portions to be protected is conceptually based on referencing mechanisms inherent to XML. Adopting such schemes to data formats not containing any referencing mechanism natively is henceforth not feasible in a straightforward manner. Moreover, the application of referencing approaches showed to be error-prone in practice, leading to vulnerabilities such as XML Signature Wrapping attacks.

This paper introduces a scheme for encrypting and signing selective parts of an hierarchical data structure based on a document partitioning that preserves the document structure. This facilitates the merging of the parts allowing the reconstruction of the originating document in the process of reverting the protection means. Besides according theoretical constructions, a proof of concept implementation is introduced based on the structured data format JSON, which offers a suitable evaluation target due to the lacking native referencing capabilities and the evolving JSON Object Signing and Encryption (JOSE) data security standard not considering selective data protection so far.}
}

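@book{book/hanser2015/Gorski,
  author    = {P. L. Gorski and L. {Lo Iacono} and H. V. Nguyen},
  title     = {{WebSockets: Moderne HTML5-Echtzeitanwendungen entwickeln}},
  publisher = {{Carl Hanser Verlag GmbH \& Co. KG}},
  year      = {2015},
  date      = {2015-01-15},
  url       = {https://www.hanser-fachbuch.de/buch/WebSockets/9783446443716},
  abstract  = {Dieses Buch führt Sie umfassend in die WebSocket-Technik und die damit einhergehenden neuen Entwicklungsmöglichkeiten ein. Unter den zahlreichen exemplarischen Anwendungen finden sich Beispiele auf Basis von Node.js, Vert.x, und JSR 356, als Programmiersprachen werden Java und JavaScript eingesetzt.

Nach einer Einführung in die notwendigen Grundlagen von HTTP lernen Sie zunächst die Mechanismen für höhere Interaktivität und Echtzeitfähigkeit bei Webanwendungen kennen. Weiter geht es mit dem WebSocket-Protokoll und der WebSocket-API. An dieser Stelle werden Sie mit JavaScript erste Beispiele für WebSocket-Clientanwendungen in Webbrowsern programmieren. Es folgen WebSocket-Implementierungen auf der Serverseite auf Basis gebräuchlicher Frameworks.

Weitere Themen sind das Testen von verteilten Web-Socket-basierten Applikationen, Performance-Eigenschaften und – ganz wichtig – Sicherheitsaspekte, insbesondere wenn die Anwendung aus verteilten Komponenten zusammengesetzt ist, die über offene Netze miteinander gekoppelt sind.

Schließlich werden Sie verschiedene größere und vollständige Anwendungen implementieren: eine generische Fernsteuerung für Webanwendungen, ein klassisches Chatsystem, eine Heatmap für Usability-Tests und eine Überwachungskamera per Webcam.}
}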

@inproceedings{conf/webist2015/LoIacono,
  author    = {L. {Lo Iacono} and H. V. Nguyen},
  title     = {{Towards Conformance Testing of REST-based Web Services}},
  booktitle = {{11th International Conference on Web Information Systems and Technologies (WEBIST)}},
  year      = {2015},
  url       = {https://doi.org/10.5220/0005412202170227},
  abstract  = {Despite the lack of standardisation for building REST-ful HTTP applications, the deployment of REST-based Web Services has attracted an increased interest. This gap causes, however, an ambiguous interpretation of REST and induces the design and implementation of REST-based systems following proprietary approaches instead of clear and agreed upon definitions. Issues arising from these shortcomings have an influence on service properties such as the loose coupling of REST-based services via a unitary service contract and the automatic generation of code. To overcome such limitations, at least two prerequisites are required: the availability of specifications for implementing REST-based services and auxiliaries for auditing the compliance of those services with such specifications.
This paper introduces an approach for conformance testing of REST-based Web Services. This appears conflicting at the first glance, since there are no specifications available for implementing REST by, e.g., the prevalent technology set HTTP/URI to test against. Still, by providing a conformance test tool and leaning it on the current practice, the exploration of service properties is enabled. Moreover, the real demand for standardisation gets explorable by such an approach. First investigations conducted with the developed conformance test system targeting major Cloud-based storage services expose inconsistencies in many respects which emphasizes the necessity for further research and standardisation.}
}

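@inproceedings{conf/fnss2015/LoIacono,
  author    = {L. {Lo Iacono} and H. V. Nguyen},
  title     = {{Authentication Scheme for REST}},
  booktitle = {{International Conference on Future Network Systems and Security (FNSS)}},
  publisher = {Springer International Publishing},
  year      = {2015},
  doi       = {10.1007/978-3-319-19210-9_8},
  url       = {https://doi.org/10.1007/978-3-319-19210-9_8},
  abstract  = {REST has been established as an architectural style for designing distributed hypermedia systems. With an increased adoption in Cloud and Service-oriented Computing, REST is confronted with requirements not having been central to it so far. Most often the protection of REST-based service systems is, e.g., solely ensured by transport-oriented security. For mission-critical enterprise applications securing data in transit only, is, however, not a sufficient safeguard. This introduces a vital demand for REST Security, which is currently an active research and development topic, focusing on one specific instantiation of REST merely, though, namely on HTTP.

This paper augments REST by an authentication scheme, while remaining on the same level of abstraction as the architectural style itself. The introduced authentication scheme for REST is then mapped to HTTP. Based on this concrete instantiation, an empirical study is conducted in order to analyse the current state of the art in authentication techniques for REST-ful HTTP. The developed scheme and its HTTP instantiation in particular offer a methodical framework for assessing and comparing the available work, which shows to be incompatible and incomplete in terms of the provided protection. Moreover, this generic authentication scheme can be used to deduce other concrete means related to existing and upcoming technologies for implementing REST-based systems.}
}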

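@article{journals/dud2016/Gorski,
  author   = {P. L. Gorski and L. {Lo Iacono} and H. V. Nguyen and D. B. Torkian},
  title    = {{Web of Services Security - Mehr als die Sicherheit von Webanwendungen}},
  journal  = {{DuD - Datenschutz und Datensicherheit}},
  year     = {2015},
  volume   = {39},
  number   = {5},
  pages    = {317--322},
  doi      = {10.1007/s11623-015-0420-x},
  url      = {https://doi.org/10.1007/s11623-015-0420-x},
  abstract = {Die Bezeichnung „Web of Services“ bezieht sich nach einer Definition des W3C auf ein nachrichtenbasiertes Designprinzip, das häufig zum Entwurf von Internet-Anwendungen oder Unternehmenssoftware zum Einsatz kommt. Die beiden dominierenden Ansätze sind hier derzeit SOAP und REST. Für REST existiert jedoch keine der SOAP-Security entsprechende Sicherheitsarchitektur. Mit den zunehmenden Einsatzmöglichkeiten in verteilten Anwendungen wird eine solche „REST-Security“ jedoch immer dringender benötigt. Diese muss abstrakte Sicherheitsmethoden definieren, deren konkrete Umsetzung über die bei Webanwendungen gebräuchlichen Sicherheitsmechanismen hinausgeht. Der Beitrag gibt einen Überblick über den aktuellen Stand der Technik und formuliert offene Forschungs- und Entwicklungsaufgaben in Form von Anforderungen an REST-Security.}
}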

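@article{journals/dud2016/LoIacono,
  author   = {L. {Lo Iacono}},
  title    = {{Signalschutz im Zeitalter von TV-Ökosystemen}},
  journal  = {{DuD - Datenschutz und Datensicherheit}},
  year     = {2015},
  date     = {2015-01-01},
  volume   = {39},
  number   = {2},
  pages    = {89--92},
  doi      = {10.1007/s11623-015-0371-2},
  url      = {https://doi.org/10.1007/s11623-015-0371-2},
  abstract = {Google TV verknüpft das klassische Fernsehen mit Zusatzdiensten aus dem Internet. Dies wirft neue Frage- und Problemstellungen in Bezug auf die mögliche Einflussnahme auf das Sehverhalten, den Schutz der Privatsphäre des Fernsehkonsumenten und den Signalschutz auf.}
}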

%2014

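@article{journals/jait2014/LoIacono,
  author   = {L. {Lo Iacono} and S. Santano Guillen},
  title    = {{Efficient and Adaptive Web-native Live Video Streaming}},
  journal  = {International Journal on Advances in Internet Technology},
  year     = {2014},
  volume   = {7},
  number   = {3 \& 4},
  url      = {https://www.researchgate.net/profile/Silvia_Santano_Guillen/publication/270686334_Efficient_and_Adaptive_Web-native_Live_Video_Streaming/links/54be13300cf218d4a16a4bcc.pdf},
  abstract = {The usage of the Web has experienced a vertiginous
growth in the last few years. Watching video online has been one
major driving force for this growth lately. Until the appearance of
the HTML5 agglomerate of (still draft) specifications, the access
and consumption of multimedia content in the Web has not
been standardized. Hence, the use of proprietary Web browser
plugins flourished as intermediate solution. With the introduction
of the HTML5 VideoElement, Web browser plugins are replaced
with a standardized alternative. Still, HTML5 Video is currently
limited in many respects, including the access to only file-based
media. This paper investigates on approaches to develop video live
streaming solutions based on available Web standards. Besides
a pull-based design based on HTTP, a push-based architecture
is introduced, making use of the WebSocket protocol being
part of the HTML5 standards family as well. The evaluation
results of both conceptual principles emphasize, that push-based
approaches have a higher potential of providing resource
and cost efficient solutions as their pull-based counterparts. In
addition, initial approaches to instrument the proposed push-based
architecture with adaptiveness to network conditions have
been developed.}
}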

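@inproceedings{conf/css2014/LoIacono,
  author    = {L. {Lo Iacono} and H. V. Nguyen and T. Hirsch and M. Baiers and S. M{\"o}ller},
  title     = {{UI-Dressing to Detect Phishing}},
  booktitle = {{IEEE 6th International Symposium on Cyberspace Safety and Security (CSS)}},
  year      = {2014},
  doi       = {10.1109/HPCC.2014.126},
  url       = {https://dx.doi.org/10.1109/HPCC.2014.126},
  abstract  = {Phishing has been and still is a prevalent attack causing serious damage to numerous ingenuous Internet users every year. Usable security is understood as one required pillar for developing effective protection means in this context. We therefore survey and discuss on available usable security mechanisms against phishing. Our investigations show that existing solutions contain too many obstacles for the users. This experienced ambiguity is further amplified by the vast amount of distinct designs varying amongst vendors, platforms and versions of web browsers even within one class of security warnings.

This paper introduces a novel anti-phishing mechanisms which relies on the idea that the whole appearance of a web application is dressable according to an individual user’s preferences. The guiding principle behind our proposal is to implant security warnings as an intrinsic part of the application instead of
having it placed somewhere in the runtime environment, which is the web browser in this context. One goal is to render the cloning of a website practically infeasible for an attacker by increasing the number of web pages to retrieve and store in order to create an identical copy of that site. The second and more important
goal is to raise the attention of the users for an unofficial site due to a wrong appearance which is not in conformance with an actual user’s page dress. A user study based on a developed online banking service supporting our suggested UI-Dressing has been conducted. It reveals that the proposed approach takes the
desired effect in empowering users to detect fake sites and thus makes our introduced approach a valuable path to follow up.}
}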

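@inproceedings{conf/web2014/LoIacono,
  author    = {L. {Lo Iacono} and S. Santano Guillen},
  title     = {{Web-native Video Live Streaming}},
  booktitle = {{2nd International Conference on Building and Exploring Web Based Environments (WEB)}},
  year      = {2014},
  pages     = {464--471},
  doi       = {10.13140/2.1.1729.4400},
  url       = {https://www.researchgate.net/profile/Silvia_Santano_Guillen/publication/261874584_Web-native_Video_Live_Streaming/links/0f317535bb3a686c5c000000.pdf},
  abstract  = {The usage of the Web has experienced a vertiginous
growth in the last few years. Watching video online has been one
major driving force for this growth lately. Until the appearance of
the HTML5 agglomerate of (still draft) specifications, the access
and consumption of multimedia content in the Web has not been
standardized. Hence, the use of proprietary Web browser plugins
flourished as intermediate solution.
With the introduction of the HTML5 video element, Web browser
plugins are replaced with a standardized alternative. Still,
HTML5 video is currently limited in many respects, including
the access to only file-based media. This paper investigates on
approaches to develop video live streaming solutions based on
available Web standards. Besides a pull-based design based on
HTTP, a push-based architecture is introduced, making use of the
WebSocket protocol being part of the HTML5 standards family
as well. The evaluation results of both conceptual principles
emphasize, that push-based approaches have a higher potential of
providing resource and cost efficient solutions as their pull-based
counterparts.}
}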

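@article{ObjektspektrumPaper,
  title    = {{SOA} und {REST-Services}: Ist {REST} reif genug, um {SOA-Umgebungen} zu verwirklichen?},
  author   = {Gorski, P. L. and Lo Iacono, L. and Nguyen, H. V. and Torkian, D. B. and Naldony, C. and Roskosch, M. and Horvat, B.},
  journal  = {OBJEKTspektrum},
  year     = {2014},
  number   = {01/2015},
  pages    = {34--39},
  url      = {http://www.sigs-datacom.de/fachzeitschriften/objektspektrum/archiv/artikelansicht.html?tx_mwjournals_pi1%5Bmode%5D=1&tx_mwjournals_pi1%5BshowUid%5D=7795},
  abstract = {Als alternativer Ansatz zu SOAP, um verteilte Systeme auf Basis von Services zu erstellen, nimmt REST Fahrt auf, weil es leichtgewichtig und datenformatunabhängig ist. Ob es sich dafür eignet, auch auf SOA basierende Systeme umzusetzen, ist die Fragestellung, der sich dieser Artikel annimmt. Um eine Antwort hierauf geben zu können, wurden eine theoretische Analyse und eine empirische Studie zu REST-Frameworks durchgeführt. Die Ergebnisse zeigen, dass aktuell insbesondere die SOA-Kernprinzipien in Bezug auf das Auffinden und das lose Koppeln von Services fehlen.},
}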

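@inproceedings{conf/icws2014/Gorski,
  title     = {Service Security Revisited},
  author    = {Gorski, P. L. and Lo Iacono, L. and Nguyen, H. V. and Torkian, D. B.},
  booktitle = {11th {IEEE} International Conference on Services Computing ({SCC})},
  year      = {2014},
  pages     = {464--471},
  doi       = {10.1109/SCC.2014.68},
  url       = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6930568},
  abstract  = {Developing contemporary software architectures requires the consideration and adoption of the Service-oriented Architecture (SOA) principles. Distributed applications are a very common domain in which SOA guides design decisions in particular. For a long time, SOAP and its related stack of standards have been the only technological choice for implementing SOA-based systems. With the increased adoption of the REST concept, an alternative to SOAP is gaining traction.

Security considerations have been part of the SOAP-based standardization work since the very beginning. As a result, a mature and comprehensive set of security-related standards is available for building SOAP-based service systems. REST-ful service systems, however, cannot take advantage of such a fully developed security framework yet. This paper therefore revisits the SOAP-based web services security stack in order to identify commonalities, differences and gaps in the security available for REST-ful services. From these findings a desired REST-ful web services security stack is proposed together with related research, development and standardization challenges.},
}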

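@inproceedings{conf/esocc14/Gorski,
  title     = {{SOA-Readiness} of {REST}},
  author    = {Gorski, P. L. and Lo Iacono, L. and Nguyen, H. V. and Torkian, D. B.},
  booktitle = {3rd European Conference on Service-Oriented and Cloud Computing ({ESOCC})},
  publisher = {Springer International Publishing},
  year      = {2014},
  doi       = {10.1007/978-3-662-44879-3_6},
  url       = {http://link.springer.com/chapter/10.1007%2F978-3-662-44879-3_6},
  abstract  = {SOA is a core concept for designing distributed applications based on the abstraction of software services. The main strength lies in the ability to discover services and loosely-couple them with service consumers across platform-boundaries. The evolved service protocol SOAP and its accompanying standards provide a stable, rich and wide-spread technology stack for implementing SOA-based systems.
As an alternative approach to design and implement distributed systems based on services, the architectural style REST gains traction, due to its more light-weight and data format independent nature. Whether REST is also suited for acting as a basis for implementing SOA-based systems is still an open issue, however. This paper focuses on this question and provides an analysis on the SOA-readiness of REST. Both, a theoretical analysis and an empirical study of REST frameworks have been conducted in order to obtain a comprehensive understanding on this matter. The results show a lack of core SOA principles mainly related to the discoverability and the loose coupling of services.},
}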

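@article{journals/scn7.5/Gruschka,
  title    = {Analysis of the Current State in Website Certificate Validation},
  author   = {Gruschka, N. and Lo Iacono, L. and Sorge, C.},
  journal  = {Security and Communication Networks},
  year     = {2014},
  volume   = {7},
  number   = {5},
  pages    = {865--877},
  doi      = {10.1002/sec.799},
  abstract = {This paper presents an in-depth analysis of the certificate validation process employed in current web browsers. It discusses the shortcomings especially arising from the inappropriate management of the certificate status. Various improvements proposed so far are presented and analyzed with the aid of a threat model. The results are further enriched by some empirical studies. Finally, the outcomes of the aforementioned analysis are used to sketch an extended website certificate validation process with the aim of allowing for a better protection.},
}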

%2013%

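@inproceedings{conf/csc2013/LoIacono,
  title        = {A System-Oriented Approach to Full-Text Search on Encrypted Cloud Storage},
  author       = {Lo Iacono, L. and Torkian, D. B.},
  booktitle    = {International Conference on Cloud and Service Computing ({CSC})},
  organization = {IEEE},
  year         = {2013},
  month        = nov,
  pages        = {24--29},
  doi          = {10.1109/CSC.2013.12},
  abstract     = {Today's Cloud market offers a wide variety of online storage services which provide reliable and inexpensive storage accessible from almost every device at almost any location. Still, it proofs to be difficult to satisfy the user's confidence concerning the confidentiality and integrity of the own data in the Cloud. This is especially true since the user is forced to take a tradeoff between security and functionality. Storage services which allow the adoption of self-selected and self-controlled security mechanisms provide a high security level but miss on the other side a set of useful operations such as e.g. a full-text search or a synchronization across distinct devices. Such features require that the server-side is capable of accessing the data in unencrypted form for processing purposes. This paper presents an system-oriented approach to this issue by introducing an architecture that allows to integrate a full-text search operation with file-based Cloud storage services in the presence of user-selected and user-controlled security. Different instances of the presented architecture allow furthermore for a more fine-grained balance between the level of security and the provided functionality by the Cloud storage service.},
}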

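@article{journals/tdsc10.4/Bohl,
  title    = {Security and Privacy-Enhancing Multicloud Architectures},
  author   = {Bohli, J.-M. and Gruschka, N. and Jensen, M. and Lo Iacono, L. and Marnau, N.},
  journal  = {{IEEE} Transactions on Dependable and Secure Computing},
  year     = {2013},
  volume   = {10},
  number   = {4},
  doi      = {10.1109/TDSC.2013.6},
  abstract = {Security challenges are still among the biggest obstacles when considering the adoption of cloud services. This triggered a lot of research activities, resulting in a quantity of proposals targeting the various cloud security threats. Alongside with these security issues, the cloud paradigm comes with a new set of unique features, which open the path toward novel security approaches, techniques, and architectures. This paper provides a survey on the achievable security merits by making use of multiple distinct clouds simultaneously. Various distinct architectures are introduced and discussed according to their security and privacy capabilities and prospects.},
}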

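@book{book/oldenbourg2013/Gruschka,
  title     = {Sicherheit in Kommunikationsnetzen},
  author    = {Gruschka, N. and Sorge, C. and Lo Iacono, L.},
  publisher = {Oldenbourg Wissenschaftsverlag},
  year      = {2013},
  url       = {http://www.degruyter.com/view/product/231461},
  abstract  = {Fast täglich werden neue Angriffe auf IT-Systeme bekannt, bei denen sensible Daten entwendet werden. Meist spielen bei diesen Angriffen Computernetze eine entscheidende Rolle. Das vorliegende Buch vermittelt die wesentlichen Grundlagen, die zur Absicherung von solchen Netzen benötigt werden. Es spannt dabei einen breiten Bogen von der Netzinfrastruktur bis zur Sicherheit im World Wide Web. Es werden Technologien dargestellt, die im breiten praktischen Einsatz sind. Stets legen die Autoren dabei Wert auf eine verständliche Darstellung, die – soweit möglich – auf abstrakte Modelle und formalen Notationen verzichtet. Zu jedem Kapitel werden Aufgaben zur Kontrolle von Wissensstand und Verständnis angeboten.},
}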


%2012%