DOI: 10.7256/2454-0714.2015.2.16767

Abstract: The article considers the prevailing contradictions between the nature of the vulnerabilities in source code, safety requirements limitations of regulatory and methodological basis of tests and software developers who do not provide the source code for testing purposes. Methods of software products analysis that do not require the source code of programs, are widely used abroad but in our country are not well known yet. The article investigates the question can such methods and means increase the effectiveness of certification testing of software. The authors determine the necessary changes in the regulations to open up the possibility of applying the methods of testing programs without source code in the certification tests. Methods used in the study: software engineering, analysis of complex systems, the theory of reliability of complex systems, the synthesis software, compiling software. The paper shows that the use of methods for testing without source code allows to find such common vulnerabilities in the software that can’t be effectively detected because of the regulatory restrictions for the presence of source code. The experience of certification tests on the absence of undeclared features and program bookmarks, as well as independent software testing allows to determine the priority areas for improvement of the regulatory, based on the application of the methods of testing software without source code.

DOI: 10.7256/2454-0714.2015.1.14124

Abstract: The subject of study is the problem of formalized description of conflicts arising in the protection of information from unauthorized access, for more information on possible action potential enemy and their consequences for the benefit of the selection and implementation of the defense strategy of information in automated systems. The initial data are the list of objects of the automated system and the value of the processed information to them; a list of information security and their cost; a list of possible methods of implementing the threat of unauthorized access to information, cost and efficiency. The result is the most effective means of protection configuration information for each object with the estimates of the effectiveness and cost of its implementation. Methods used: game theory, probability theory, reliability theory, system analysis, the theory of the collection and processing of expert information. The application of the developed models of information security processes for optimum configuration of information security for which each option protection system is characterized by unique quantification of having a clear physical meaning (security measure), so it is possible to choose a specific embodiment of the object of protection of the automated system by the criterion of maximum security (with cost constraints) or minimum value (for fixed requirements for security). Furthermore, the optimization of the composition and structure of information protection system design and in changing the original data is not time-consuming.