This file was created by the TYPO3 extension bib
Timezone: UTC
Creation date: 2025-02-17
Creation time: 20-13-53
Number of references: 2

Entry type: article
Key: 2024_welten_pasta
Title: PASTA-4-PHT: A Pipeline for Automated Security and Technical Audits for the Personal Health Train
Venue: arXiv
Date: 2024-12-02
Abstract: With the introduction of data protection regulations, the need for innovative privacy-preserving approaches to process and analyse sensitive data has become apparent. One approach is the Personal Health Train (PHT) that brings analysis code to the data and conducts the data processing at the data premises. However, despite its demonstrated success in various studies, the execution of external code in sensitive environments, such as hospitals, introduces new research challenges because the interactions of the code with sensitive data are often incomprehensible and lack transparency. These interactions raise concerns about potential effects on the data and increase the risk of data breaches. To address this issue, this work discusses a PHT-aligned security and audit pipeline inspired by DevSecOps principles. The automated pipeline incorporates multiple phases that detect vulnerabilities. To thoroughly study its versatility, we evaluate this pipeline in two ways. First, we deliberately introduce vulnerabilities into a PHT. Second, we apply our pipeline to five real-world PHTs, which have been utilised in real-world studies, to audit them for potential vulnerabilities. Our evaluation demonstrates that our designed pipeline successfully identifies potential vulnerabilities and can be applied to real-world studies. In compliance with the requirements of the GDPR for data management, documentation, and protection, our automated approach supports researchers in their data-intensive work and reduces manual overhead. It can be used as a decision-making tool to assess and document potential vulnerabilities in code for data processing. Ultimately, our work contributes to an increased security and overall transparency of data processing activities within the PHT framework.
Keywords: health
DOI: 10.48550/arXiv.2412.01275
Authors: Sascha Welten, Karl Kindermann, Ahmet Polat, Martin Görz, Maximilian Jugl, Laurenz Neumann, Alexander Neumann, Johannes Lohmöller, Jan Pennekamp, Stefan Decker

Entry type: inproceedings
Key: 2024_dahlmanns_lua-iot
Title: LUA-IoT: Let's Usably Authenticate the IoT
Date: 2024-11-20
Abstract: Following the advent of the Internet of Things (IoT), users and their devices transmit sensitive data over the Internet. For the Web, Let's Encrypt offers a usable foundation to safeguard such data by straightforwardly issuing certificates. However, its approach is not directly applicable to the IoT as deployments lack a (dedicated) domain or miss essentials to prove domain ownership required for Let's Encrypt. Thus, a usable approach to secure IoT deployments by properly authenticating IoT devices is missing. To close this research gap, we propose LUA-IoT, our framework to Let's Usably Authenticate the IoT. LUA-IoT enables autonomous certificate enrollment by orienting at the success story of Let's Encrypt, seamlessly integrating in the setup process of modern IoT devices, and relying on process steps that users already know from other domains. In the end, LUA-IoT binds the authenticity of IoT deployments to a globally valid user identifier, e.g., an email address, that is included in certificates directly issued to the IoT deployments. We exemplarily implement LUA-IoT to show that it is realizable on commodity IoT hardware and conduct a small user study indicating that LUA-IoT indeed nudges users to safeguard their devices and data (transmissions).
Series: Lecture Notes in Computer Science (LNCS)
Keywords: internet-of-production
Publisher: Springer
Book title: Proceedings of the 27th Annual International Conference on Information Security and Cryptology (ICISC '24), November 20-22, 2024, Seoul, Korea
Location: Seoul, Korea
Conference: International Conference on Information Security and Cryptology
Conference dates: November 20-22, 2024
Status: accepted
ISSN: 0302-9743
Volume/number (as exported): 1
Authors: Markus Dahlmanns, Jan Pennekamp, Robin Decker, Klaus Wehrle