@inproceedings{kjedelig, author = {Martin Gilje Jaatun and Hanne S{\ae}le}, title = {A Checklist for Supply Chain Security for Critical Infrastructure Operators}, booktitle = {Proceedings of the 2023 Cyber Science Conference}, year = 2023, url = {https://jaatun.no/papers/2023/A_Checklist_for_Supply_Chain_Security.pdf} } @inproceedings{Cali23, author = {Umit Cali and Ferhat {\"{O}}zg{\"{u}}r {\c{C}}atak and Zsolt Gy{\"{o}}rgy Balogh and Rita Ugarelli and Martin Gilje Jaatun}, editor = {Aleksandra Mileva and Steffen Wendzel and Virginia N. L. Franqueira}, title = {Cyber-physical Hardening of the Digital Water Infrastructure}, booktitle = {Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, {EICC} 2023, Stavanger, Norway, June 14-15, 2023}, pages = {181--188}, publisher = {{ACM}}, year = {2023}, url = {https://doi.org/10.1145/3590777.3591408}, doi = {10.1145/3590777.3591408}, } @article{Tondel22, author = {Inger Anne T{\o}ndel and Daniela Soares Cruzes and Martin Gilje Jaatun and Guttorm Sindre}, title = {Influencing the security prioritisation of an agile software development project}, journal = {Comput. Secur.}, volume = {118}, pages = {102744}, year = {2022}, url = {https://doi.org/10.1016/j.cose.2022.102744}, doi = {10.1016/j.cose.2022.102744}, timestamp = {Mon, 24 Oct 2022 01:00:00 +0200}, biburl = {https://dblp.org/rec/journals/compsec/TondelCJS22.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @article{Rong22, author = {Chunming Rong and Jiahui Geng and Thomas J. Hacker and Haakon Bryhni and Martin Gilje Jaatun}, title = {OpenIaC: open infrastructure as code - the network is my computer}, journal = {J. Cloud Comput.}, volume = {11}, pages = {12}, year = {2022}, url = {https://doi.org/10.1186/s13677-022-00285-7}, doi = {10.1186/s13677-022-00285-7}, } @article{bernsmed2022adopting, title={Adopting threat modelling in agile software development projects}, author={Bernsmed, Karin and Cruzes, Daniela Soares and Jaatun, Martin Gilje and Iovan, Monica}, journal={Journal of Systems and Software}, volume={183}, pages={111090}, year={2022}, issn = {0164-1212}, doi = {https://doi.org/10.1016/j.jss.2021.111090}, publisher={Elsevier} } @inproceedings{Erdogan22a, author = {Gencer Erdogan and Inger Anne T{\o}ndel and Shukun Tokas and Michele Garau and Martin Gilje Jaatun}, editor = {Hans{-}Georg Fill and Marten van Sinderen and Leszek A. Maciaszek}, title = {Needs and Challenges Concerning Cyber-risk Assessment in the Cyber-physical Smart Grid}, booktitle = {Proceedings of the 17th International Conference on Software Technologies, {ICSOFT} 2022, Lisbon, Portugal, July 11-13, 2022}, pages = {21--32}, publisher = {{SCITEPRESS}}, year = {2022}, url = {https://doi.org/10.5220/0011137100003266}, doi = {10.5220/0011137100003266}, } @inproceedings{Erdogan22b, author = {Gencer Erdogan and Iver Bakken Sperstad and Michele Garau and Oddbj{\o}rn Gjerde and Inger Anne T{\o}ndel and Shukun Tokas and Martin Gilje Jaatun}, editor = {Hans{-}Georg Fill and Marten van Sinderen and Leszek A. Maciaszek}, title = {Adapting Cyber-Risk Assessment for the Planning of Cyber-Physical Smart Grids Based on Industrial Needs}, booktitle = {Software Technologies - 17th International Conference, {ICSOFT} 2022, Lisbon, Portugal, July 11-13, 2022, Revised Selected Papers}, series = {Communications in Computer and Information Science}, volume = {1859}, pages = {98--121}, publisher = {Springer}, year = {2022}, url = {https://doi.org/10.1007/978-3-031-37231-5\_5}, doi = {10.1007/978-3-031-37231-5\_5}, } @inproceedings{DID-eFed, author = {Jiahui Geng and Neel Kanwal and Martin Gilje Jaatun and Chunming Rong}, title = {DID-eFed: Facilitating Federated Learning as a Service with Decentralized Identities}, booktitle = {Evaluation and Assessment in Software Engineering}, year = {2021}, url = {https://arxiv.org/abs/2105.08671}, publisher = {ACM} } @inproceedings{champions, author = {Martin Gilje Jaatun and Daniela Soares Cruzes}, title = {Care and Feeding of your Security Champion}, booktitle = {Cyber Science 2021 -- CyberSA for Trustworthy and Transparent Artificial Intelligence}, pages = {63--69}, publisher = {{IEEE}}, year = {2021}, } @inproceedings{HSEcyber, author = {Lars Bodsberg and Tor Olav Gr{\o}tan and Martin Gilje Jaatun and Irene W{\ae}r{\o}}, title = {HSE and Cyber Security in Remote Work}, booktitle = {Cyber Science 2021 -- CyberSA for Trustworthy and Transparent Artificial Intelligence}, pages = {133--142}, publisher = {{IEEE}}, year = {2021}, } @inproceedings{smartgridTMT, author = {Lars Halvdan Fl{\aa} and Ravishankar Borgaonkar and Inger Anne T{\o}ndel and Martin Gilje Jaatun}, title = {Tool-assisted Threat Modeling for Smart Grid Cyber Security}, booktitle = {2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)}, pages = {99--106}, publisher = {{IEEE}}, year = {2021}, doi={10.1109/CyberSA52016.2021.9478258} } @ARTICLE{mars-venus, author={Inger Anne T{\o}ndel and Martin Gilje Jaatun and Daniela Soares Cruzes}, journal={IEEE Security \& Privacy}, title={IT Security Is From Mars, Software Security Is From Venus}, year={2020}, volume={18}, number={4}, pages={48-54},} @inproceedings{cineldi-misuse, author = {Inger Anne T{\o}ndel and Ravishankar Borgaonkar and Martin Gilje Jaatun and Christian Fr{\o}ystad}, title = {What Could Possibly Go Wrong? Smart Grid Misuse Case Scenarios}, booktitle = {2020 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2020, Dublin, Ireland, June 15-19, 2020}, pages = {1--8}, publisher = {{IEEE}}, year = {2020}, url = {https://doi.org/10.1109/CyberSecurity49315.2020.9138892}, doi = {10.1109/CyberSecurity49315.2020.9138892}, timestamp = {Fri, 24 Jul 2020 16:56:33 +0200}, biburl = {https://dblp.org/rec/conf/cybersecpods/TondelBJF20.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{ptil-cert, author = {Martin Gilje Jaatun and Lars Bodsberg and Tor Olav Gr{\o}tan and Marie Elisabeth Gaup Moe}, title = {An Empirical Study of {CERT} Capacity in the North Sea}, booktitle = {2020 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2020, Dublin, Ireland, June 15-19, 2020}, pages = {1--8}, publisher = {{IEEE}}, year = {2020}, url = {https://doi.org/10.1109/CyberSecurity49315.2020.9138865}, doi = {10.1109/CyberSecurity49315.2020.9138865}, timestamp = {Fri, 24 Jul 2020 16:56:33 +0200}, biburl = {https://dblp.org/rec/conf/cybersecpods/JaatunBGM20.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{goodenough, author = {Inger Anne T{\o}ndel and Daniela Soares Cruzes and Martin Gilje Jaatun}, editor = {Jingyue Li and Letizia Jaccheri and Torgeir Dings{\o}yr and Ruzanna Chitchyan}, title = {Achieving "Good Enough" Software Security: The Role of Objectivity}, booktitle = {{EASE} '20: Evaluation and Assessment in Software Engineering, Trondheim, Norway, April 15-17, 2020}, pages = {360--365}, publisher = {{ACM}}, year = {2020}, url = {https://doi.org/10.1145/3383219.3383267}, doi = {10.1145/3383219.3383267}, timestamp = {Wed, 06 May 2020 15:01:55 +0200}, biburl = {https://dblp.org/rec/conf/ease/TondelCJ20.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{agile-ara, author = {Martin Gilje Jaatun}, title = {Architectural Risk Analysis in Agile Development of Cloud Software}, booktitle = {2019 {IEEE} International Conference on Cloud Computing Technology and Science (CloudCom), Sydney, Australia, December 11-13, 2019}, pages = {295--300}, publisher = {{IEEE}}, year = {2019}, url = {https://doi.org/10.1109/CloudCom.2019.00050}, doi = {10.1109/CloudCom.2019.00050}, timestamp = {Fri, 31 Jan 2020 19:07:01 +0100}, biburl = {https://dblp.org/rec/conf/cloudcom/Jaatun19.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{Westerlund19, author = {Magnus Westerlund and Martin Gilje Jaatun}, title = {Tackling the Cloud Forensic Problem While Keeping Your Eye on the {GDPR}}, booktitle = {2019 {IEEE} International Conference on Cloud Computing Technology and Science (CloudCom), Sydney, Australia, December 11-13, 2019}, pages = {418--423}, publisher = {{IEEE}}, year = {2019}, url = {https://doi.org/10.1109/CloudCom.2019.00071}, doi = {10.1109/CloudCom.2019.00071}, timestamp = {Fri, 31 Jan 2020 19:07:01 +0100}, biburl = {https://dblp.org/rec/conf/cloudcom/WesterlundJ19.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{smartgridrisk, author = {Karin Bernsmed and Martin Gilje Jaatun and Christian Fr{\o}ystad}, title = {Is a Smarter Grid Also Riskier?}, booktitle = {Security and Trust Management. STM 2019}, publisher = {Springer}, address = {Cham}, pages = {36--52}, year = 2019, } @inproceedings{Borgaonkar19, author = {Ravishankar Borgaonkar and Martin Gilje Jaatun}, title = {5G as an Enabler for Secure IoT in the Smart Grid : Invited Paper}, booktitle = {First International Conference on Societal Automation, {SA} 2019, Krakow, Poland, September 4-6, 2019}, pages = {1--7}, publisher = {{IEEE}}, year = {2019}, url = {https://doi.org/10.1109/SA47457.2019.8938064}, doi = {10.1109/SA47457.2019.8938064}, timestamp = {Tue, 11 Feb 2020 19:17:02 +0100}, biburl = {https://dblp.org/rec/conf/sa/BorgaonkarJ19.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{Rindell19, author = {Kalle Rindell and Karin Bernsmed and Martin Gilje Jaatun}, title = {Managing Security in Software: Or: How {I} Learned to Stop Worrying and Manage the Security Technical Debt}, booktitle = {Proceedings of the 14th International Conference on Availability, Reliability and Security, {ARES} 2019, Canterbury, UK, August 26-29, 2019}, pages = {60:1--60:8}, publisher = {{ACM}}, year = {2019}, url = {https://doi.org/10.1145/3339252.3340338}, doi = {10.1145/3339252.3340338}, timestamp = {Sun, 11 Aug 2019 18:59:45 +0200}, biburl = {https://dblp.org/rec/conf/IEEEares/RindellBJ19.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{security-intention, author = {Inger Anne T{\o}ndel and Daniela Soares Cruzes and Martin Gilje Jaatun and Kalle Rindell}, title = {The Security Intention Meeting Series as a way to increase visibility of software security decisions in agile development projects}, booktitle = {Proceedings of the 14th International Conference on Availability, Reliability and Security, {ARES} 2019, Canterbury, UK, August 26-29, 2019}, pages = {59:1--59:8}, publisher = {{ACM}}, year = {2019}, url = {https://doi.org/10.1145/3339252.3340337}, doi = {10.1145/3339252.3340337}, timestamp = {Sun, 11 Aug 2019 18:59:45 +0200}, biburl = {https://dblp.org/rec/conf/IEEEares/TondelCJR19.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{DBLP:conf/cybersecpods/BernsmedJ19, author = {Karin Bernsmed and Martin Gilje Jaatun}, title = {Threat modelling and agile software development: Identified practice in four Norwegian organisations}, booktitle = {2019 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2018, Oxford, United Kingdom, June 3-4, 2019}, pages = {1--8}, publisher = {{IEEE}}, year = {2019}, url = {https://doi.org/10.1109/CyberSecPODS.2019.8885144}, doi = {10.1109/CyberSecPODS.2019.8885144}, timestamp = {Mon, 11 Nov 2019 19:28:09 +0100}, biburl = {https://dblp.org/rec/conf/cybersecpods/BernsmedJ19.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{new-blockchain, author = {Chunlei Li and Chunming Rong and Martin Gilje Jaatun}, title = {A Cost-efficient Protocol for Open Blockchains}, booktitle = {Proceedings of Cyber Science 2019}, pages = {74--80}, year = {2019}, } @inproceedings{account-keynote, author = {Martin Gilje Jaatun and Siani Pearson}, title = {Putting the "Account" into Cloud Accountability}, booktitle = {Proceedings of the 9th International Conference on Cloud Computing and Services Science, {CLOSER} 2019, Heraklion, Crete, Greece, May 2-4, 2019.}, pages = {9--18}, year = {2019}, } @article{pp-journal, author = {Inger Anne T{\o}ndel and Martin Gilje Jaatun and Daniela Soares Cruzes and Laurie Williams, L.}, year = 2019, title = "Collaborative security risk estimation in agile software development", journal = {Information \& Computer Security}, Vol = {}. No = {}, doi = {https://doi.org/10.1108/ICS-12-2018-0138 } } @InProceedings{understanding-protectionpoker, author="T{\o}ndel, Inger Anne and Jaatun, Martin Gilje and Cruzes, Daniela and Oyetoyan, Tosin Daniel", editor="Katsikas, Sokratis K. and Cuppens, Fr{\'e}d{\'e}ric and Cuppens, Nora and Lambrinoudakis, Costas and Ant{\'o}n, Annie and Gritzalis, Stefanos and Mylopoulos, John and Kalloniatis, Christos", title="Understanding Challenges to Adoption of the Protection Poker Software Security Game", booktitle="Computer Security", year="2019", publisher="Springer International Publishing", address="Cham", pages="153--172", abstract="Currently, security requirements are often neglected in agile projects. Despite many approaches to agile security requirements engineering in literature, there is little empirical research available on why there is limited adoption of these techniques. In this paper we describe a case study on challenges facing adoption of the Protection Poker game; a collaborative and lightweight software security risk estimation technique that is particularly suited for agile teams. Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits identified include good discussions on security and the development project, increased knowledge and awareness of security, and contributions to security requirements. Challenges include managing discussions and the time it takes to play, ensuring confidence in the results from playing the game, and integrating results in a way that improves security of the end-product.", isbn="978-3-030-12786-2", doi ={10.1007/978-3-030-12786-2_10}, url={http://jaatun.no/papers/2019/understanding-protectionpoker.pdf} } @incollection{threat-chapter, author = "Martin Gilje Jaatun and Karin Bernsmed and Daniela S. Cruzes and Inger Anne T{\o}ndel", title = "Threat Modeling in Agile Software Development", booktitle = "Exploring Security in Software Architecture and Design", editor = {Michael Felderer and Riccardo Scandariato}, publisher = {IGI Global}, year = "2019", url={http://jaatun.no/papers/2019/Threat-Modeling-in-Agile-Software-Development.pdf} } @incollection{measure-chapter, author = "Tosin Daniel Oyetoyan and Martin Gilje Jaatun and Daniela S. Cruzes", title = "Measuring Developers’ Software Security Skills, Usage, and Training Needs", booktitle = "Exploring Security in Software Architecture and Design", editor = {Michael Felderer and Riccardo Scandariato}, publisher = {IGI Global}, year = "2019", url = {http://jaatun.no/papers/2019/Measuring-Developers'-Software-Security-Skills-Usage-and-Training-Needs.pdf} } @inproceedings{ASWEC2018, author = "Daniela S. Cruzes and Martin Gilje Jaatun and Karin Bernsmed and Inger Anne T{\o}ndel", title = "Challenges and Experiences with Applying Microsoft Threat Modeling in Agile Development Projects", booktitle = "Proc. 25th Australasian Software Engineering Conference ({ASWEC})", address = "Adelaide, Australia", month = Nov, year = "2018", url = {http://jaatun.no/papers/2018/Threat_modeling-aswec-2018_final.pdf} } @techreport{ams-risk-report, author = {Christian Fr{\o}ystad and Martin Gilje Jaatun and Karin Bernsmed and Marie Moe}, title ={ROS-analyse AMS-DMS-SCADA -- Risikoanalyse av økt integrasjon mellom AMS, DMS og SCADA}, year = 2018, number = {2018:01083}, organization = {SINTEF Digital}, url = {\url{http://publikasjoner.nve.no/eksternrapport/2018/eksternrapport2018_15.pdf}} } @INPROCEEDINGS{flisr, author={Martin Gilje {Jaatun} and Marie E. Gaup {Moe} and Per Erik {Nordbø}}, booktitle={2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)}, title={Cyber Security Considerations for Self-healing Smart Grid Networks}, year={2018}, volume={}, number={}, pages={1-7}, keywords={fault location;power distribution faults;power engineering computing;power system restoration;power system security;security of data;smart power grids;cyber security considerations;self-healing smart grid networks;distribution network failures;FLISR system;security implications;alternative FLISR placements;local solutions;centralized FLISR solutions;fault location isolation and system restoration mechanisms}, doi={10.1109/CyberSecPODS.2018.8560668}, month={June},} @inproceedings{howlow, title= {Safety Critical Software and Security -- How Low Can You Go?}, author = {Karin Bernsmed and Martin Gilje Jaatun and Per H{\aa}kon Meland}, booktitle = {Procedings of 37th AIAA/IEEE Digital Avionics Systems Conference (DASC)}, year= 2018, url = {http://jaatun.no/papers/2018/DASC-How-Low-Can-You-go-paper.pdf} } @inproceedings{HIC2018:STOP_IT__Strategic_Tactical, author = {Rita Ugarelli and Juliane Koti and Enric Bonet and Christos Makropoulos and Juan Caubet and Stephanos Camarinopoulos and Manthos Bimpas and Mehdi Ahmadi and Lisa Zimmermann and Martin Gilje Jaatun}, title = {STOP-IT - Strategic, Tactical, Operational Protection of Water Infrastructure Against Cyber-Physical Threats}, booktitle = {HIC 2018. 13th International Conference on Hydroinformatics}, editor = {Goffredo La Loggia and Gabriele Freni and Valeria Puleo and Mauro De Marchis}, series = {EPiC Series in Engineering}, volume = {3}, pages = {2112--2119}, year = {2018}, publisher = {EasyChair}, bibsource = {EasyChair, https://easychair.org}, issn = {2516-2330}, url = {https://easychair.org/publications/paper/zJL7}, doi = {10.29007/461f}} @Article{sym10040124, AUTHOR = {Jaatun, Martin Gilje and T{\o}ndel, Inger Anne and Moe, Nils Brede and Cruzes, Daniela Soares and Bernsmed, Karin and Haugset, B{\o}rge}, TITLE = {Accountability Requirements in the Cloud Provider Chain}, JOURNAL = {Symmetry}, VOLUME = {10}, YEAR = {2018}, NUMBER = {4}, ARTICLE NUMBER = {124}, URL = {http://www.mdpi.com/2073-8994/10/4/124}, ISSN = {2073-8994}, ABSTRACT = {In order to be responsible stewards of other people’s data, cloud providers must be accountable for their data handling practices. The potential long provider chains in cloud computing introduce additional accountability challenges, with many stakeholders involved. Symmetry is very important in any requirements’ elicitation activity, since input from diverse stakeholders needs to be balanced. This article ventures to answer the question “How can one create an accountable cloud service?” by examining requirements which must be fulfilled to achieve an accountability-based approach, based on interaction with over 300 stakeholders.}, DOI = {10.3390/sym10040124} } @INPROCEEDINGS{OWASP-startups, author={Halldis {S{\o}hoel} and Martin Gilje {Jaatun} and Colin {Boyd}}, booktitle={2018 International Conference on Cyber Security and Protection of Digital Services ({Cyber Security)}}, title={{OWASP Top 10 -- Do Startups Care?}}, year={2018}, pages={1-8},} @inproceedings{Tondel-EoP-2018, author = {T{\o}ndel, Inger Anne and Oyetoyan, Tosin Daniel and Jaatun, Martin Gilje and Cruzes, Daniela}, title = {Understanding Challenges to Adoption of the Microsoft Elevation of Privilege Game}, booktitle = {Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security}, series = {HoTSoS '18}, year = {2018}, isbn = {978-1-4503-6455-3}, location = {Raleigh, North Carolina}, pages = {2:1--2:10}, articleno = {2}, numpages = {10}, url = {http://doi.acm.org/10.1145/3190619.3190633}, doi = {10.1145/3190619.3190633}, acmid = {3190633}, publisher = {ACM}, address = {New York, NY, USA}, note = {http://jaatun.no/papers/2018/eop_hotsos.pdf} } @inproceedings{Cruzes-CAR-2018, author = {Cruzes, Daniela S. and Jaatun, Martin G. and Oyetoyan, Tosin D.}, title = {Challenges and Approaches of Performing Canonical Action Research in Software Security: Research Paper}, booktitle = {Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security}, series = {HoTSoS '18}, year = {2018}, isbn = {978-1-4503-6455-3}, location = {Raleigh, North Carolina}, pages = {8:1--8:11}, articleno = {8}, numpages = {11}, url = {http://doi.acm.org/10.1145/3190619.3190634}, doi = {10.1145/3190619.3190634}, acmid = {3190634}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {action research, canonical action research, experimental software engineering, software practices, software security}, note = {http://jaatun.no/papers/2018/Canonical-action-research-Cruzes_Jaatun_Oyetoyan_final.pdf} } @inproceedings{swsec-im-devops, author = {Martin Gilje Jaatun}, editor = {Sebastian Doerr and Mathias Fischer and Sebastian Schrittwieser and Dominik Herrmann}, title = {Software Security Activities that Support Incident Management in Secure DevOps}, booktitle = {Proceedings of the 13th International Conference on Availability, Reliability and Security, {ARES} 2018, Hamburg, Germany, August 27-30, 2018}, pages = {8:1--8:6}, publisher = {{ACM}}, year = {2018}, url = {https://doi.org/10.1145/3230833.3233275}, doi = {10.1145/3230833.3233275}, timestamp = {Thu, 17 Jan 2019 22:19:51 +0100}, biburl = {https://dblp.org/rec/conf/IEEEares/Jaatun18.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @INPROCEEDINGS{req-cloudcom, author={Martin Gilje Jaatun and Inger Anne T{\o}ndel and Nils Brede Moe and Daniela S. Cruzes and Karin Bernsmed and B{\o}rge Haugset}, booktitle={2017 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)}, title={Accountability Requirements for the Cloud}, year={2017}, volume={}, number={}, pages={375-382}, keywords={Cloud computing;Conferences;Measurement;Security;Stakeholders;Tools}, doi={10.1109/CloudCom.2017.61}, ISSN={}, month={Dec}, url = {http://jaatun.no/papers/2017/cloudreq-cloudcom.pdf}} @inproceedings{secdevops, author = {Jaatun, Martin Gilje and Cruzes, Daniela S. and Luna, Jesus}, title = {DevOps for Better Software Security in the Cloud}, subtitle = {Invited Paper}, booktitle = {Proceedings of the 12th International Conference on Availability, Reliability and Security}, series = {ARES '17}, year = {2017}, isbn = {978-1-4503-5257-4}, location = {Reggio Calabria, Italy}, pages = {69:1--69:6}, articleno = {69}, numpages = {6}, url = {http://jaatun.no/papers/2017/secdevops-author.pdf}, doi = {10.1145/3098954.3103172}, acmid = {3103172}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {Cloud Security, DevOps, Security Metrics, Software Security}, } @article{ijsse-editorial-8-4, author = {Martin Gilje Jaatun}, title = "Risk in the Age of Software Security", journal = {International Journal of Secure Software Engineering}, volume = 8, number =4, pages = {iv}, year = {2017} } @article{ijsse-editorial-8-3, author = {Martin Gilje Jaatun}, title = "A Stitch in Time Saves Nine", journal = {International Journal of Secure Software Engineering}, volume = 8, number =3, pages = {iv}, year = {2017} } @article{ijsse-editorial-8-2, author = {Martin Gilje Jaatun}, title = "Secure Software Engineering is not About Security Features", journal = {International Journal of Secure Software Engineering}, volume = 8, number =2, pages = {iv}, year = {2017} } @Inbook{Duncan2017, author="Duncan, Bob and Whittington, Mark and Jaatun, Martin Gilje and Z{\'u}{\~{n}}iga, Alfredo Ramiro Reyes", editor="Chang, Victor and Ramachandran, Muthu and Walters, Robert J. and Wills, Gary", title="Could the Outsourcing of Incident Response Management Provide a Blueprint for Managing Other Cloud Security Requirements?", bookTitle="Enterprise Security: Second International Workshop, ES 2015, Vancouver, BC, Canada, November 30 -- December 3, 2015, Revised Selected Papers", year="2017", publisher="Springer International Publishing", address="Cham", pages="19--39", abstract="In this chapter, we consider whether the outsourcing of incident management is a viable technological approach that may be transferable to other cloud security management requirements. We review a viable approach to outsourcing incident response management and consider whether this can be applied to other cloud security approaches, starting with the concept of using proper measurement for a cloud security assurance model. We demonstrate how this approach can be applied, not only to the approach under review, but how it may be applied to address other cloud security requirements.", isbn="978-3-319-54380-2", doi="10.1007/978-3-319-54380-2_2", url="https://doi.org/10.1007/978-3-319-54380-2_2", url= {http://jaatun.no/papers/2017/outsourcing-blueprint.pdf} } @article{skill-journal, author = {Tosin Daniel Oyetoyan and Martin Gilje Jaatun and Daniela Soares Cruzes}, title = "A Lightweight Measurement of Software Security Skills, Usage and Training Needs in Agile Teams", journal = {International Journal of Secure Software Engineering}, volume = 8, number =1, pages = { 1--27}, year = {2017} } @article{interdependencies, title = "Interdependencies and Reliability in the Combined \{ICT\} and Power System: An overview of current research ", journal = "Applied Computing and Informatics ", volume = "", number = "", pages = " - ", year = "2017", note = "", issn = "2210-8327", doi = "http://dx.doi.org/10.1016/j.aci.2017.01.001", url = "http://www.sciencedirect.com/science/article/pii/S2210832716300552", author = "Inger Anne T{\o}ndel and J{\o}rn Foros and Stine Skaufel Kilskar and Per Hokstad and Martin Gilje Jaatun", keywords = "Interdependencies", keywords = "smart grid", keywords = "power system", keywords = "ICT", keywords = "reliability", keywords = "cyber-security " } @article{tondel2017risk, title={Risk Centric Activities in Secure Software Development in Public Organisations}, author={T{\o}ndel, Inger Anne and Jaatun, Martin Gilje and Cruzes, Daniela Soares and Moe, Nils Brede}, journal={International Journal of Secure Software Engineering (IJSSE)}, volume={8}, number={4}, pages={1--30}, year={2017}, publisher={IGI Global} } @inproceedings{jaatun2016protection, title = "Playing Protection Poker for Practical Software Security", author = "Martin Gilje Jaatun and Inger Anne T{\o}ndel", editor="Abrahamsson, Pekka and Jedlitschka, Andreas and Nguyen Duc, Anh and Felderer, Michael and Amasaki, Sousuke and Mikkonen, Tommi", booktitle = "Product-Focused Software Process Improvement", year = 2016, publisher="Springer International Publishing", address="Cham", pages="679--682", abstract="Software security is about creating software that keeps performing as intended even when exposed to an active attacker. Secure software engineering is thus relevant for all software, not only security software. We describe Protection Poker, a tool for risk estimation to be used as part of the iteration planning meeting, and discuss some preliminary experiences.", isbn="978-3-319-49094-6", url = "http://jaatun.no/papers/2016/protection-poker-profes.pdf" } @article{advanced-healthcare, title = "Advanced Healthcare Services Enabled by a Computerized Pain Body Map ", journal = "Procedia Computer Science ", volume = "98", number = "", pages = "251 - 258", year = "2016", note = "The 7th International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN 2016)/The 6th International Conference on Current and Future Trends of Information and Communication Technologies in Healthcare (ICTH-2016)/Affiliated Workshops ", issn = "1877-0509", doi = "http://dx.doi.org/10.1016/j.procs.2016.09.040", url = "//www.sciencedirect.com/science/article/pii/S187705091632169X", author = "Ellen A.A. Jaatun and Martin Gilje Jaatun", keywords = "pain body map", keywords = "CPBM", keywords = "cancer pain", keywords = "patient-centered design", keywords = "clinical tools " } @INPROCEEDINGS{atm-incident, author={Martin Gilje Jaatun and Rainer K\"{o}lle}, booktitle={2016 11th International Conference on Availability, Reliability and Security (ARES)}, title={Cyber Security Incident Management in the Aviation Domain}, year={2016}, pages={510-516}, keywords={aerospace computing;security of data;aviation;critical infrastructure;cyber incident response management;cyber security incident management;Computer security;Europe;Information security;Risk management;ATM Security;Incident Management;MSSC;SESAR;SJU;SWIM}, doi={10.1109/ARES.2016.41}, month={Aug},} @INPROCEEDINGS{skillsurvey, author={Tosin Daniel Oyetoyan and Daniela Soares Cruzes and Martin Gilje Jaatun}, booktitle={2016 11th International Conference on Availability, Reliability and Security (ARES)}, title={An Empirical Study on the Relationship between Software Security Skills, Usage and Training Needs in Agile Settings}, year={2016}, pages={548-555}, keywords={security of data;software prototyping;agile software development;software security activity;software security skill;software security training needs;software security usage;Organizations;Programming;Security;Software;Standards organizations;Testing;Training;Agile software development;Empirical study;Software security;Software security activities}, doi={10.1109/ARES.2016.103}, month={Aug},} @Inbook{zebras, author="Jaatun, Martin Gilje and Bartnes, Maria and T{\o}ndel, Inger Anne", editor="Fahrnberger, G{\"u}nter and Eichler, Gerald and Erfurth, Christian", title="Zebras and Lions: Better Incident Handling Through Improved Cooperation", bookTitle="Innovations for Community Services: 16th International Conference, I4CS 2016, Vienna, Austria, June 27-29, 2016, Revised Selected Papers", year="2016", publisher="Springer International Publishing", address="Cham", pages="129--139", isbn="978-3-319-49466-1", doi="10.1007/978-3-319-49466-1_9", url="http://dx.doi.org/10.1007/978-3-319-49466-1_9" } @inproceedings{imt, author = {Christian Fr{\o}ystad and Erlend Andreas Gj{\ae}re and Inger Anne T{\o}ndel and Martin Gilje Jaatun}, title = {Security Incident Information Exchange for Cloud Services}, booktitle = {Proceedings of International Conference on Internet of Things and Big Data}, year = 2016, } @inproceedings{temporal, author = {Martin Gilje Jaatun}, title = {I'll Trust You -- For Now}, booktitle = {Proceedings of International Conference on Internet of Things and Big Data}, year = 2016, } @article{guidinglights-journal, author= {Martin Gilje Jaatun and Siani Pearson and Fr\'{e}d\'{e}ric Gittler and Ronald Leenes and Maartje Niezen}, title = {Enhancing Accountability in the Cloud}, journal = {International Journal of Information Management}, issn = "0268-4012", doi = "http://dx.doi.org/10.1016/j.ijinfomgt.2016.03.004", url = "//www.sciencedirect.com/science/article/pii/S0268401216301475", year = 2016, } @Inbook{transparencychapter, author="Jaatun, Martin Gilje and Cruzes, Daniela S. and Angulo, Julio and Fischer-H{\"u}bner, Simone", editor="Helfert, Markus and M{\'e}ndez Mu{\~{n}}oz, V{\'i}ctor and Ferguson, Donald", chapter="Accountability Through Transparency for Cloud Customers", title="Cloud Computing and Services Science: 5th International Conference, CLOSER 2015, Lisbon, Portugal, May 20-22, 2015, Revised Selected Papers", year="2016", publisher="Springer International Publishing", address="Cham", pages="38--57", isbn="978-3-319-29582-4", doi="10.1007/978-3-319-29582-4_3", url="http://dx.doi.org/10.1007/978-3-319-29582-4_3" } @article{does-size-matter, title = "Current practices and challenges in industrial control organizations regarding information security incident management – Does size matter? Information security incident management in large and small industrial control organizations ", journal = "International Journal of Critical Infrastructure Protection ", volume = "12", pages = "12--26 ", year = "2016", issn = "1874-5482", doi = "http://dx.doi.org/10.1016/j.ijcip.2015.12.003", url = "http://www.sciencedirect.com/science/article/pii/S1874548215000815", author = "Maria Bartnes Line and Inger Anne T{\o}ndel and Martin G. Jaatun", keywords = "Industrial control systems", keywords = "Electric power distribution", keywords = "Norway", keywords = "Information security", keywords = "Incident management", keywords = "Incident response " } @INPROCEEDINGS{passingthebuck, author={Alfredo R. Reyes Z\'{u}\~{n}iga and Martin Gilje Jaatun}, booktitle={2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom)}, title={Passing the Buck: Outsourcing Incident Response Management}, year={2015}, pages={503-508}, keywords={outsourcing;security of data;computer operation outsourcing;computer security incident management;incident response management;Guidelines;Information security;Organizations;Outsourcing;Standards organizations;Outsourcing;incident response;security}, doi={10.1109/CloudCom.2015.42}, month={Nov},} @incollection{swsec-public, year={2015}, isbn={978-3-319-23317-8}, booktitle={Information Security}, volume={9290}, series={Lecture Notes in Computer Science}, editor={Lopez, Javier and Mitchell, Chris J.}, doi={10.1007/978-3-319-23318-5_7}, title={Software Security Maturity in Public Organisations}, url={http://dx.doi.org/10.1007/978-3-319-23318-5_7}, publisher={Springer International Publishing}, keywords={Software security; Secure software engineering; Maturity; BSIMM}, author={Jaatun, Martin Gilje and Cruzes, Daniela S. and Bernsmed, Karin and T{\o}ndel, Inger Anne and R{\o}stad, Lillian}, pages={120-138}, language={English} } @inproceedings{howmuch, author = {Martin Gilje Jaatun and Inger Anne T{\o}ndel}, title = {How Much Cloud Can You Handle?}, booktitle={Availability, Reliability and Security (ARES), 2015 10th International Conference on}, year={2015}, pages={467-473}, doi={10.1109/ARES.2015.38}, } @inproceedings{transparency-closer, author={Daniela Cruzes and Martin Gilje Jaatun}, title={Cloud Provider Transparency - A View from Cloud Customers}, booktitle={Proceedings of the 5th International Conference on Cloud Computing and Services Science}, year={2015}, pages={30-39}, doi={10.5220/0005439000300039}, isbn={978-989-758-104-5}, } @INPROCEEDINGS{guidinglights, author={Jaatun, Martin Gilje and Pearson, Siani and Gittler, Fr\'{e}d\'{e}ric and Leenes, Ronald}, booktitle={Cloud Computing Technology and Science (CloudCom), 2014 IEEE 6th International Conference on}, title={Towards Strong Accountability for Cloud Service Providers}, year={2014}, month={Dec}, pages={1001-1006}, keywords={Context;Guidelines;Law;Monitoring;Privacy;Security;Cloud computing;accountability;privacy;security}, doi={10.1109/CloudCom.2014.123},} @inproceedings{learntoswim, author = {Matias Krempel and Martin Gilje Jaatun}, title = "Learn to {SWIM}", booktitle = {Proceedings of ARES 2014}, pages = {556--560}, year = 2014, doi = { http://doi.ieeecomputersociety.org/10.1109/ARES.2014.82}, } @inproceedings{healthcloud, author= {Karin Bernsmed and Daniela Soares Cruzes and Martin Gilje Jaatun and B{\o}rge Haugset and Erlend Andreas Gj{\ae}re}, title ="Healthcare Services in the Cloud - Obstacles to Adoption, and a Way Forward", booktitle = {Proceedings of ARES 2014}, year = 2014, } @article{incidentpractice, title = "Information security incident management: Current practice as reported in the literature ", journal = "Computers \& Security ", volume = "45", number = "0", pages = "42 - 57", year = "2014", note = "", issn = "0167-4048", doi = "http://dx.doi.org/10.1016/j.cose.2014.05.003", url = "http://www.sciencedirect.com/science/article/pii/S0167404814000819", author = "Inger Anne T{\o}ndel and Maria B. Line and Martin Gilje Jaatun", keywords = "Information security", keywords = "Incident management", keywords = "Incident response", keywords = "ISO/IEC 27035", keywords = "Systematic review " } @inproceedings{healthpad, author ="Martin Gilje Jaatun and Ellen A. A. Jaatun and Russel Moser", title = "{Security Considerations for Tablet-based eHealth Applications}", booktitle = "Proceedings of the Second European Workshop on Practical Aspects of Health Informatics (PAHI 2014)", year = 2014, pages = "27--36", url = "http://ceur-ws.org/Vol-1251/paper4.pdf" } @INPROCEEDINGS{failure, author={Line, Maria B. and T{\o}ndel, Inger Anne and Jaatun, Martin Gilje}, booktitle={IT Security Incident Management IT Forensics (IMF), 2014 Eighth International Conference on}, title={Information Security Incident Management: Planning for Failure}, year={2014}, month={May}, pages={47-61}, keywords={control engineering computing;electricity supply industry;failure analysis;industrial control;power distribution;power engineering computing;security of data;distribution service operators;documented plans;failure planning;incident management preparation activities;information security incident management;organization operating industrial control systems;power industry;smart grids;Control systems;ISO standards;Information security;Interviews;Organizations;Training;Incident management;Industrial control systems;Information security;Information technology;Power industry;Smart grids}, doi={10.1109/IMF.2014.10},} @article{checklist, title = "Security Checklists: A Compliance Alibi, or a Useful Tool for Water Network Operators? ", journal = "Procedia Engineering ", volume = "70", number = "0", pages = "872 - 876", year = "2014", note = "12th International Conference on Computing and Control for the Water Industry, \{CCWI2013\} ", issn = "1877-7058", doi = "http://dx.doi.org/10.1016/j.proeng.2014.02.096", url = "http://www.sciencedirect.com/science/article/pii/S1877705814000988", author = "Martin Gilje Jaatun and Jon R{\o}stum and Stig Petersen and Rita Ugarelli", keywords = "information security", keywords = "checklists", keywords = "water and wastewater networks " } @article{SLAjournal, Title = {Expressing cloud security requirements for SLAs in deontic contract languages for cloud brokers}, Author ={Per H{\aa}kon Meland and Karin Bernsmed and Martin Gilje Jaatun and Humberto Nicol\'{a}s Castej\'{o}n and Astrid Undheim}, Journal ={Int. J. of Cloud Computing}, year = 2014, Volume = 3, Number = 1, pages = {69 -- 93} } @incollection{cspforum, year={2013}, isbn={978-3-642-41204-2}, booktitle={Cyber Security and Privacy}, volume={182}, series={Communications in Computer and Information Science}, editor={Felici, Massimo}, doi={10.1007/978-3-642-41205-9_3}, title={{Bringing Accountability to the Cloud: Addressing Emerging Threats and Legal Perspectives}}, url={http://dx.doi.org/10.1007/978-3-642-41205-9_3}, publisher={Springer Berlin Heidelberg}, keywords={Accountability; Data governance; Cloud computing}, author={Felici, Massimo and Jaatun, Martin Gilje and Kosta, Eleni and Wainwright, Nick}, pages={28-40}, language={English} } @incollection{gprssec, year={2013}, isbn={978-3-642-40510-5}, booktitle={Availability, Reliability, and Security in Information Systems and HCI}, volume={8127}, series={Lecture Notes in Computer Science}, editor={Cuzzocrea, Alfredo and Kittl, Christian and Simos, Dimitris E. and Weippl, Edgar and Xu, Lida}, doi={10.1007/978-3-642-40511-2_14}, title={{GPRS Security for Smart Meters}}, url={http://dx.doi.org/10.1007/978-3-642-40511-2_14}, publisher={Springer Berlin Heidelberg}, keywords={Security; GPRS; Smartgrid; AMI; Smart Metering}, author = "Martin Gilje Jaatun and Inger Anne T{\o}ndel and Geir Myrdahl K{\o}ien", pages={195-207} } @inproceedings{riskperception, author="{\AA}smund Ahlmann Nyre and Martin Gilje Jaatun ", title = "Seeking Risks: Towards a quantitative risk perception measure", booktitle ="Proceedings of CD-ARES", year = 2013, } @inproceedings{AFTERsec, author = "Inger Anne T{\o}ndel and Bodil Aamnes Mostue and Martin Gilje Jaatun and Gerd Kj{\o}lle ", title ="Towards improved understanding and holistic management of the cyber security challenges in power transmission systems", booktitle ="Proceedings of CD-ARES", year = 2013, } @inproceedings{ontology, author = {Karin Bernsmed and Astrid Undheim and Per H{\aa}kon Meland and Martin Gilje Jaatun}, title = "Towards an Ontology for Cloud Security Obligations", booktitle = "Proceedings of the Internation Workshop on Security Ontologies (SecOnt 2013)", year = 2013, } @inproceedings{healthin, author =" Ellen A. A. Jaatun and Kari Sand and Martin Gilje Jaatun ", title = "{HealthIn: Toward a New Paradigm for Physician-Patient Communication}", pages = "67--74", booktitle = "Proceedings of the European Workshop on Practical Aspects of Health Informatics (PAHI 2013)", year = 2013, url = "http://ceur-ws.org/Vol-984/paper7.pdf" } @article{whydontthey, author = "Jostein Jensen and Martin Gilje Jaatun", title = "{Federated Identity Management -- We Built It; Why Won't They Come?}", journal = {"IEEE Security \& Privacy"}, year = "2013", volume = "11", number = "2", pages = "34--41", doi = "10.1109/MSP.2012.135" } @inproceedings{sinkorswim, author = "Martin Gilje Jaatun and Tor Erlend F{\ae}gri", title = "{Sink or SWIM: Information Security Requirements in the Sky}", booktitle={{Availability, Reliability and Security (ARES), 2013 Eighth International Conference on}}, year = 2013, month={Sept}, pages={794--801}, doi={10.1109/ARES.2013.106} } @article{lightning, title = "Beyond lightning: A survey on security challenges in cloud computing", journal = "Computers \& Electrical Engineering", volume = "39", number = "1", year = "2013", note = "", issn = "0045-7906", doi = "10.1016/j.compeleceng.2012.04.015", url = "http://www.sciencedirect.com/science/article/pii/S0045790612000870", author = "Chunming Rong and Son T. Nguyen and Martin Gilje Jaatun" } @inproceedings{thunder, author = {Karin Bernsmed and Martin Gilje Jaatun and Per H{\aa}kon Meland and Astrid Undheim}, booktitle = {Proceedings of the 4th IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2012)}, title = "{Thunder in the Clouds: Security Challenges and Solutions for Federated Clouds}", year = {2012} } @inproceedings{aardvarks, author="Martin Gilje Jaatun", title ="{Hunting for Aardvarks: Can Software Security be Measured?}", year={2012}, isbn={978-3-642-32497-0}, booktitle={Multidisciplinary Research and Practice for Information Systems}, volume={7465}, series={Lecture Notes in Computer Science}, editor={Quirchmayr, Gerald and Basl, Josef and You, Ilsun and Xu, Lida and Weippl, Edgar}, doi={10.1007/978-3-642-32498-7_7}, url={http://dx.doi.org/10.1007/978-3-642-32498-7_7}, publisher={Springer Berlin Heidelberg}, pages={85-92}, language={English} } @inproceedings{stride-ami, author="Inger Anne T{\o}ndel and Martin Gilje Jaatun and Maria Bartnes Line", title ="{Threat Modeling of AMI}", booktitle = {"Proceedings of the 7th International Conference on Critical Information Infrastructures Security (CRITIS 2012)"}, year = "2012", date = "September", } @Article{rainjournal, AUTHOR = {Jaatun, Martin Gilje and Zhao, Gansen and Vasilakos, Athanasios and Nyre, {\AA}smund Ahlmann and Alapnes, Stian and Tang, Yong}, TITLE = {The Design of a Redundant Array of Independent Net-storages for Improved Confidentiality in Cloud Computing}, JOURNAL = {Journal of Cloud Computing: Advances, Systems and Applications}, VOLUME = {1}, YEAR = {2012}, NUMBER = {1}, PAGES = {13}, URL = {http://www.journalofcloudcomputing.com/content/1/1/13}, DOI = {10.1186/2192-113X-1-13}, ISSN = {2192-113X}, ABSTRACT = {This article describes how a Redundant Array of Independent Net-storages (RAIN) can be deployed for confidentiality control in Cloud Computing. The RAIN approach splits data into segments and distributes segments between multiple storage providers; by keeping the distribution of segments and the relationships between the distributed segments private, the original data cannot be re-assembled by an observer. As long as each segment is small enough, an individual segment discloses no meaningful information to others, and hence RAIN is able to ensure the confidentiality of data stored in the clouds. We describe the inter-cloud communication protocol, and present a formal model, security analysis, and simulation results.}, } @Article{openstack-journal, AUTHOR = {TaheriMonfared, Aryan and Jaatun, Martin Gilje }, TITLE = {"Handling Compromised Components in an IaaS Cloud Installation"}, JOURNAL = {Journal of Cloud Computing: Advances, Systems and Applications}, VOLUME = {1}, YEAR = {2012}, NUMBER = {1}, PAGES = {16}, URL = {http://www.journalofcloudcomputing.com/content/1/1/16}, DOI = {10.1186/2192-113X-1-16}, ISSN = {2192-113X}, } @inproceedings{sla-idea, author="Martin Gilje Jaatun and Karin Bernsmed and Astrid Undheim", title ="{Security SLAs -- an idea whose time has come?}", booktitle = {"Proceedings of the International Cross Domain Conference and Workshop (CD-ARES)"}, year = "2012", date = "August", } @inproceedings{ucon-industry, author="{\AA}smund Ahlmann Nyre and Martin Gilje Jaatun ", title ="{Usage control in inter-organisational collaborative environments - a case study from an industry perspective}", booktitle = {"Proceedings of the International Cross Domain Conference and Workshop (CD-ARES)"}, year = "2012", date = "August", url={https://link.springer.com/content/pdf/10.1007/978-3-642-32498-7_24.pdf} } @inproceedings{drizzle, author="Martin Gilje Jaatun and Christian Askeland and Anders Emil Salvesen", title ="{Drizzle: The RAIN Prototype}", booktitle = {"Proceedings of the 12th International Conference on Innovative Internet Community Systems"}, year = "2012", date = "June", } @article{deployment, author = {Zhao, Gansen and Rong, Chunming and Jaatun, Martin Gilje and Sandnes, Frode}, affiliation = {South China Normal University School of Computer Science Guangzhou China}, title = {Reference deployment models for eliminating user concerns on cloud security}, journal = {The Journal of Supercomputing}, volume = 61, number = 2, publisher = {Springer Netherlands}, issn = {0920-8542}, keyword = {Computer Science}, pages = {337--352}, url = {http://dx.doi.org/10.1007/s11227-010-0460-9}, note = {10.1007/s11227-010-0460-9}, year = {2012} } @inproceedings{TelenorSINTEFSecSLA2012, author = {Per H{\aa}kon Meland and Karin Bernsmed and Martin Gilje Jaatun and Humberto Castejon and Astrid Undheim}, booktitle = {Proceedings of the 2nd International Conference on Cloud Computing and Services Science (CLOSER 2012)}, title = "{Expressing Cloud Security Requirements in Deontic Contract Languages}", year = {2012} } @incollection{pets4business, author={Martin Gilje Jaatun and {\AA}smund Ahlmann Nyre and Inger Anne T{\o}ndel and Karin Bernsmed}, title ={{Privacy Enhancing Technologies for Information Control}}, booktitle = {Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards}, publiser ={ IGI Global}, editor = {George M. Yee}, year = 2012, } @article{newdawn, author ="Graarud, Espen and Bowitz, Anne and Brown, Lawrie and Jaatun, Martin Gilje", year=2011, title ="{A New Dawn for the Dark Knight: Securing BATMAN}", journal = "Journal of Information Security Research", volume = 2, number = 3, pages ="118--128" } @article{notready, author ="Jostein Jensen and Martin Gilje Jaatun", title = "Not Ready for Prime Time: A Survey on Security in Model Driven Development", journal ="International Journal of Secure Software Engineering", volume = 2, number = 4, pages = "49--61", year = 2011 } @INPROCEEDINGS{batcave, author={Bowitz, Anne G. and Graarud, Espen G. and Brown, Lawrie and Jaatun, Martin Gilje}, booktitle={Digital Information Management (ICDIM), 2011 Sixth International Conference on}, title={BatCave: Adding security to the BATMAN protocol}, year={2011}, month={sept.}, volume={}, number={}, pages={199--204}, keywords={BatCave;OLSR;better approach to mobile ad hoc networking protocol;network participation;network routing;security extensions;mobile ad hoc networks;protocols;telecommunication network routing;telecommunication security;}, doi={10.1109/ICDIM.2011.6093328}, } @INPROCEEDINGS{secmda, author={Jensen, Jostein and Jaatun, Martin Gilje}, booktitle={Availability, Reliability and Security (ARES), 2011 Sixth International Conference on}, title={Security in Model Driven Development: A Survey}, year={2011}, month={aug.}, pages={704--709}, keywords={model driven development security;software development;security of data;software engineering;}, doi={10.1109/ARES.2011.110} } @incollection{sodachapter, author ="Jaatun, Martin Gilje and Jensen, Jostein and Meland, Per H{\aa}kon and T{\o}ndel, Inger Anne", title = "{A Lightweight Approach to Secure Software Engineering}", booktitle = "A Multidisciplinary Introduction to Information Security", publisher = "CRC Press", year = 2011, ISBN = "978-1-4200-8590-7", pages = "183--216" } @INPROCEEDINGS{line11, author={Line, Maria Bartnes and T{\o}ndel, Inger Anne and Jaatun, Martin Gilje}, booktitle={Innovative Smart Grid Technologies (ISGT Europe), 2011 2nd IEEE PES International Conference and Exhibition on}, title={Cyber security challenges in Smart Grids}, year={2011}, month={dec.}, doi={10.1109/ISGTEurope.2011.6162695}, ISSN={2165-4816}, } @INPROCEEDINGS{rain-protocol, author={Jaatun, Martin Gilje and Gansen Zhao and Alapnes, Stian}, booktitle={Cloud Computing Technology and Science (CloudCom), 2011 IEEE Third International Conference on}, title={A Cryptographic Protocol for Communication in a Redundant Array of Independent Net-storages}, year={2011}, month={November}, pages={172--179}, keywords={RAIN;cloud computing;cloud processing;cloud storage;cryptographic protocol;data processing;data storage;redundant array-of-independent net-storages;RAID;cloud computing;cryptographic protocols;data handling;}, doi={10.1109/CloudCom.2011.32}, } @INPROCEEDINGS{strong, author={TaheriMonfared, Aryan and Jaatun, Martin Gilje}, booktitle={Cloud Computing Technology and Science (CloudCom), 2011 IEEE Third International Conference on}, title={As Strong as the Weakest Link: Handling Compromised Components in OpenStack}, year={2011}, month={November}, pages={189--196}, keywords={OpenStack;compromised components handling;incident handling procedures;infrastructure-as-a-service cloud computing platform;cloud computing;data handling;object-oriented programming;}, doi={10.1109/CloudCom.2011.34}, } @inproceedings{monfared-monitoring-2011, title = {Monitoring Intrusions and Security Breaches in Highly Distributed Cloud Environments}, booktitle = {Cloud Computing Technology and Science {(CloudCom)}, 2011 {IEEE} Third International Conference on}, author = {Monfared, Aryan T. and Jaatun, Martin Gilje}, year = {2011}, pages = {772--777}, } @inproceedings{TelenorSINTEFSecSLAFed2011, author = {Karin Bernsmed and Martin Gilje Jaatun and Per H{\aa}kon Meland and Astrid Undheim}, booktitle = {Proceedings of the Sixth International Conference on Availability, Reliability and Security (AReS 2011)}, title = "{Security SLAs for Federated Cloud Services}", year = {2011} } @inproceedings{TelenorSINTEFSecSLA2011, author = {Karin Bernsmed and Martin Gilje Jaatun and Astrid Undheim}, booktitle = {Proceedings of the 1st International Conference on Cloud Computing and Services Science (CLOSER 2011)}, title = "{Security in Service Level Agreements for Cloud Computing}", year = {2011} } @inproceedings{deliverance, author = {Gansen Zhao and Martin Gilje Jaatun and Athanasios Vasilakos and {\AA}smund Ahlmann Nyre and Stian Alapnes and Qiang Ye and Yong Tang}, title = "{Deliverance from Trust through a Redundant Array of Independent Net-storages in Cloud Computing}", booktitle = "{Proceedings of IEEE Infocom}", year = "2011", date = "April" } @inproceedings{farewell, author = {Martin Gilje Jaatun and {\AA}smund Ahlmann Nyre and Stian Alapnes and Gansen Zhao}, title = "{A Farewell to Trust: An Approach to Confidentiality Control in the Cloud}", booktitle = "{Proceedings of the 2nd International Conference on Wireless Communications, Vehicular Technology, Information Theory and Aerospace \& Electronic Systems Technology (Wireless Vitae Chennai 2011)}", year = "2011", date = "February" } @article{probabilistic, title={A Probabilistic Approach to Information Control}, author={{\AA}smund Ahlmann Nyre and Martin Gilje Jaatun}, journal = {Journal of Internet Technology}, volume = {11}, year = {2010}, number = {3}, pages = {407--416} } @article{straight, author =" Nicolaysen, Torstein and Richard Sassoon and Maria Bartnes Line and Martin Gilje Jaatun", title = "{Agile Software Development: The Straight and Narrow Path to Secure Software?}", journal ="International Journal of Secure Software Engineering", volume = 1, number = 3, year = 2010, pages ="71--85", doi = "10.4018/jsse.2010070105", } @article{roadtohell, author = {Richard Sasson and Martin Gilje Jaatun and Jostein Jensen}, title = {The Road to Hell is Paved with Good Intentions: A Story of (In)secure Software Development}, journal ={Availability, Reliability and Security, International Conference on}, volume = {0}, isbn = {978-0-7695-3965-2}, year = {2010}, pages = {501-506}, doi = {http://doi.ieeecomputersociety.org/10.1109/ARES.2010.44}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, } @INPROCEEDINGS{ying, author={Ying Qian and Yulin Fang and Jaatun, Martin Gilje and Johnsen, Stig Ole and Gonzalez, Jos\'{e} J.}, booktitle={System Sciences (HICSS), 2010 43rd Hawaii International Conference on}, title={Managing Emerging Information Security Risks during Transitions to Integrated Operations}, year={2010}, month={jan.}, volume={}, number={}, pages={1 -11}, keywords={Norwegian Oil and Gas Industry;incident response capability;information communication technology;information security risks;onshore control centers;reactive mental model;natural gas technology;oil technology;production engineering computing;risk management;security of data;}, doi={10.1109/HICSS.2010.260}, ISSN={1530-1605},} @inproceedings{zhao-deployment-2010, title = {Deployment models: Towards eliminating security concerns from cloud computing}, shorttitle = {Deployment models}, booktitle = {High Performance Computing and Simulation {(HPCS)}, 2010 International Conference on}, author = {Zhao, Gansen and Rong, Chunming and Jaatun, Martin Gilje and Sandnes, Frode Eika}, year = {2010}, pages = {189--195}, }, @incollection {privacy-cloudcom, author = {Nyre, {\AA}smund Ahlmann and Jaatun, Martin Gilje}, affiliation = {SINTEF ICT, NO-7465 Trondheim, Norway}, title = {Privacy in a Semantic Cloud: What’s Trust Got to Do with It?}, booktitle = {Cloud Computing}, series = {Lecture Notes in Computer Science}, editor = {Jaatun, Martin and Zhao, Gansen and Rong, Chunming}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-642-10664-4}, keyword = {Computer Science}, pages = {107-118}, volume = {5931}, url = {http://dx.doi.org/10.1007/978-3-642-10665-1_10}, note = {10.1007/978-3-642-10665-1\_10}, year = {2009} } @INPROCEEDINGS{reusable, author={Jensen, Jostein and T{\o}ndel, Inger Anne and Jaatun, Martin Gilje and Meland, Per H{\aa}kon and Andresen, Herbj{\o}rn}, booktitle={Availability, Reliability and Security, 2009. ARES '09. International Conference on}, title={Reusable Security Requirements for Healthcare Applications}, year={2009}, month={March}, pages={380-385}, keywords={data privacy;formal specification;health care;legislation;medical information systems;security of data;software reusability;electronic healthcare system development;healthcare information system;legal requirement;patient privacy protection;security requirements engineering reusability;Data mining;Information security;Information systems;Law;Legal factors;Legislation;Medical services;National security;Privacy;Protection;healthcare;legislation;reuse;security requirements}, doi={10.1109/ARES.2009.107},} @article{fools, title = "{Fools Download Where Angels Fear to Tread}", volume = {7}, number = {2}, journal = {Security \& Privacy, {IEEE}}, author = {Jaatun, Martin Gilje and Jensen, Jostein and Vegge, H{\aa}vard and Halvorsen, Finn Michael and Nerg{\aa}rd, Rune Wals{\o}}, year = {2009}, pages = {83--86}, } @inproceedings{vegge-where-2009, title = {Where Only Fools Dare to Tread: An Empirical Study on the Prevalence of {Zero-Day} Malware}, shorttitle = {Where Only Fools Dare to Tread}, booktitle = {Internet Monitoring and Protection, 2009. {ICIMP'09.} Fourth International Conference on}, author = {Vegge, H{\aa}vard and Halvorsen, Finn Michael and Nerg{\aa}rd, Rune Wals{\o} and Jaatun, Martin Gilje and Jensen, Jostein}, year = {2009}, pages = {66--71}, }, @inproceedings{nyre-secure-2009, title = {A secure {MANET} routing protocol for first responders}, booktitle = {Security and Communication Networks {(IWSCN)}, Proceedings of the 1st International Workshop on}, author = {Nyre, {\AA}smund Ahlmann and Jaatun, Martin Gilje and T{\o}ndel, Inger Anne}, year = {2009}, pages = {1–7}, } @inproceedings{tondel-security-2009, title = {Security requirements for {MANETs} used in emergency and rescue operations}, booktitle = {Security and Communication Networks {(IWSCN)}, 2009 Proceedings of the 1st International Workshop on}, author = {T{\o}ndel, Inger Anne and Jaatun, Martin Gilje and Nyre, {\AA}smund Ahlmann}, year = {2009}, pages = {1–7}, } @article{sesa-journal, title = "{Secure remote access to autonomous safety systems: A good practice approach}", volume = {2}, shorttitle = {Secure remote access to autonomous safety systems}, number = {3}, journal = {International Journal of Autonomous and Adaptive Communications Systems}, author = {Jaatun, Martin Gilje and Line, Maria B. and Gr{\o}tan, Tor Olav}, year = {2009}, pages = {297--312}, } @article {irma-journal, author = "Martin Gilje Jaatun and Eirik Albrechtsen and Maria B. Line and Inger Anne T{\o}ndel and Odd Helge Longva", title = "{A Framework for Incident Response Management in the Petroleum Industry}", journal = "International Journal of Critical Infrastructure Protection", year = "2009", volume = "2", number = {1--2}, pages = "26--37", issn = "1874-5482" } @incollection {mms, author = {S{\o}rensen, Jan and Jaatun, Martin Gilje}, affiliation = {mnemonic as, NO-0167 Oslo, Norway}, title = {An Analysis of the Manufacturing Messaging Specification Protocol}, booktitle = {Ubiquitous Intelligence and Computing}, series = {Lecture Notes in Computer Science}, editor = {Sandnes, Frode and Zhang, Yan and Rong, Chunming and Yang, Laurence and Ma, Jianhua}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-540-69292-8}, keyword = {Computer Science}, pages = {602-615}, volume = {5061}, url = {http://dx.doi.org/10.1007/978-3-540-69293-5_47}, note = {10.1007/978-3-540-69293-5\_47}, year = {2008} } @incollection {sesa-atc, author = {Jaatun, Martin Gilje and Gr{\o}tan, Tor and Line, Maria}, affiliation = {SINTEF ICT}, title = {Secure Safety: Secure Remote Access to Critical Safety Systems in Offshore Installations}, booktitle = {Autonomic and Trusted Computing}, series = {Lecture Notes in Computer Science}, editor = {Rong, Chunming and Jaatun, Martin Gilje and Sandnes, Frode and Yang, Laurence and Ma, Jianhua}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-540-69294-2}, keyword = {Computer Science}, pages = {121-133}, volume = {5060}, url = {http://dx.doi.org/10.1007/978-3-540-69295-9_12}, note = {10.1007/978-3-540-69295-9\_12}, year = {2008} } @inproceedings{irma-critis, author = "Maria Bartnes Line and Eirik Albrechtsen and Martin Gilje Jaatun and Inger Anne T{\o}ndel and Stig Ole Johnsen and Odd Helge Longva and Irene W{\ae}r{\o}", title = "A structured approach to incident response management in the oil and gas industry", booktitle = "{Proceedings of the 3rd International Workshop on Critical Information Infrastructures Security, CRITIS'08}", year = 2008 } @incollection {irma-study, author = {Jaatun, Martin and Albrechtsen, Eirik and Line, Maria and Johnsen, Stig and W{\ae}r{\o}, Irene and Longva, Odd and T{\o}ndel, Inger}, affiliation = {SINTEF ICT NO-7465 Trondheim Norway}, title = {A Study of Information Security Practice in a Critical Infrastructure Application}, booktitle = {Autonomic and Trusted Computing}, series = {Lecture Notes in Computer Science}, editor = {Rong, Chunming and Jaatun, Martin and Sandnes, Frode and Yang, Laurence and Ma, Jianhua}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-540-69294-2}, keyword = {Computer Science}, pages = {527-539}, volume = {5060}, url = {http://dx.doi.org/10.1007/978-3-540-69295-9_42}, note = {10.1007/978-3-540-69295-9\_42}, year = {2008} } @incollection {opc, author = {Line, Maria and Jaatun, Martin and Cheah, Zi-bin and Faruk, A. and Garnes, Håvard and Wedum, Petter}, affiliation = {SINTEF ICT, N-7465 Trondheim, Norway}, title = "{Penetration Testing of OPC as Part of Process Control Systems}", booktitle = {Ubiquitous Intelligence and Computing}, series = {Lecture Notes in Computer Science}, editor = {Sandnes, Frode and Zhang, Yan and Rong, Chunming and Yang, Laurence and Ma, Jianhua}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-540-69292-8}, keyword = {Computer Science}, pages = {271-283}, volume = {5061}, url = {http://dx.doi.org/10.1007/978-3-540-69293-5_22}, note = {10.1007/978-3-540-69293-5\_22}, year = {2008} } @inproceedings{assets, author = {Martin Gilje Jaatun and Inger Anne T{\o}ndel}, title = {Covering Your Assets in Software Engineering}, booktitle = {The Third International Conference on Availability, Reliability and Security (ARES 2008)}, year = {2008}, pages = {1172--1179}, address = {Barcelona, Spain}, url = {http://jaatun.no/papers/2008/jaatun-asset.pdf} } @article{ingat-sw, author = {Inger Anne T{\o}ndel and Martin Gilje Jaatun and Per H{\aa}kon Meland}, title = "{Security Requirements for the Rest of Us: A Survey}", journal = {IEEE Software}, volume = {25}, number = {1}, year = {2008}, } @INPROCEEDINGS{tondel-test, title={Learning from Software Security Testing}, author={T{\o}ndel, Inger Anne and Jaatun, Martin Gilje and Jensen, Jostein}, booktitle={Software Testing Verification and Validation (Security Testing Workshop), 2008. ICSTW '08. IEEE International Conference on}, year={2008}, month={April}, volume={}, number={}, pages={286-294}, abstract={Software security testing tools and m77ethodologies are presently abundant, and the question no longer seems to be "if to test" for security, but rather "where and when to test" and "then what?". In this paper we present a review of security testing literature, and propose a software security testing scheme that exploits an intra-organisational repository of discovered vulnerabilities that closes the loop after the testing of one application is complete, providing useful input to the next application to be tested.}, keywords={program testing, security of dataintra-organisational repository, software products, software security testing}, doi={10.1109/ICSTW.2008.25}, } @ARTICLE{oban-commag, author={Panken, Frans and Hoekstra, Gerard and Barankanira, Delphin and Francis, John Charles and Schwendener, Rico and Gr{\o}ndalen, Ole and Jaatun, Martin Gilje}, journal={Communications Magazine, IEEE}, title="{Extending 3G/WiMAX Networks and Services through Residential Access Capacity[Wireless Broadband Access]}", year={2007}, month={December }, volume={45}, number={12}, pages={62--69}, keywords={3G networks;WLAN access points;WiMAX networks;broadband residential acces;home networks;public subscribers;residential access capacity;surplus capacity;3G mobile communication;WiMax;broadband networks;radio access networks;wireless LAN;}, doi={10.1109/MCOM.2007.4395367}, ISSN={0163-6804},} @incollection {survive, author = {Jaatun, Martin Gilje and Nyre, {\AA}smund and S{\o}rensen, Jan}, affiliation = {SINTEF ICT, NO-7465 Trondheim Norway}, title = "{Survival by Deception}", booktitle = {Computer Safety, Reliability, and Security}, series = {Lecture Notes in Computer Science}, editor = {Saglietti, Francesca and Oster, Norbert}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-540-75100-7}, keyword = {Computer Science}, pages = {197--208}, volume = {4680}, url = {http://dx.doi.org/10.1007/978-3-540-75101-4_19}, note = {10.1007/978-3-540-75101-4\_19}, year = {2007} } @article{telektronikk, author = "Martin Gilje Jaatun and Inger Anne T{\o}ndel and Tor Hjalmar Johannessen", year =2006, number = "3/4", journal = "Telektronikk", title = "{Security in Fast Handovers}", pages = "111--124", url = "http://telenor.com/wp-content/uploads/2012/05/T06_3-4.pdf" } @incollection{oban-kerberos, title = "{Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets}", url = {http://dx.doi.org/10.1007/0-387-33406-8_33}, abstract = {In an Open Broadband Access Network consisting of multiple Internet Service Providers, delay due to multi-hop processing of authentication credentials is a major obstacle to fast handover between access points, effectively preventing delay-sensitive interactive applications such as Voice over {IP.} By exploiting existing trust relationships between service providers and access points, it is possible to pre-authenticate a mobile terminal to an access point, creating a Kerberos-style ticket that can be evaluated locally. The terminal can thus perform a handover and be authenticated to the new access point, without incurring communication and processing delays by involving other servers.}, booktitle = {Security and Privacy in Dynamic Environments}, author = {Jaatun, Martin Gilje and T{\o}ndel, Inger Anne and Paint, Fr\'{e}d\'{e}ric and Johannessen, Tor and Francis, John Charles and Duranton, Claire}, year = {2006}, pages = {389--400}, file = {SpringerLink Snapshot:/home/gilje/.mozilla/firefox/1strb3f8.slt/zotero/storage/TWD5N97F/rlm0n58546040573.html:text/html} }, @inproceedings{oban-nordsec, author = {Martin Gilje Jaatun and Inger Anne T{\o}ndel and Maria B. Dahl and Thomas J. Wilke }, title = "A {S}ecurity {A}rchitecture for an {O}pen {B}roadband {A}ccess {N}etwork", booktitle = "Proceedings of the 10th Nordic Workshop on Secure IT Systems (Nordsec)", year = {2005}, isbn = "9949-11-153-6" } @INPROCEEDINGS{jaatun02, author = {Martin Gilje Jaatun and Geir Hallingstad}, title = {Techniques for Increasing Survivability in {NATO CIS}}, booktitle = {proceedings of the 1st European Survivability Workshop}, year = {2002}, address = {K\"{o}ln-Wahn, Germany}, month = feb, } @Inproceedings{tencon, author = "Lawrence P. Brown and Martin Gilje {II} Jaatun", title = "Secure File Transfer over {TCP/IP}", booktitle = "Proceedings of the 1992 IEEE Region 10 International Conference", pages = "494--498", year = "1992", month = "November", URL = "http://www.unsw.adfa.edu.au/~lpb/papers/tr922.ps.gz", }