Information Security
The Information Security (IS) group is concerned with securing information in distributed information systems and with the security of the systems themselves. This includes all three main goals of information security: confidentiality, integrity, and availability. Today, information security affects virtually every company and most IT projects. The InIT covers a broad range of topics within this research area and has proven its competence in various successful research and development projects with, and services for, companies.
Covering a broad range of topics means that we have, for instance, expertise in the area of secure software development, which is the basis for developing secure applications - especially web applications. We are also experienced in the area of security testing, whether manual (e.g. penetration tests) or automated (supported by tools). Automated, reproducible security testing in particular is becoming more and more important because it is the only option to achieve a certain level of software quality and security when software development follows a continuous build approach - as is often the case with web applications today.
In addition, we have made significant contributions in the area of designing innovative security solutions, for instance in the context of DoubleSec, an authentication method for smartphones. Finally, we also have competencies in the area of active and passive network monitoring, which is useful for attack and anomaly detection and also for determining trends (e.g. the development of service usage over time).
Activity domains of the IS group
- Secure software development, focussing on web application security
- Automated security testing
- Design and development of security-critical system components (e.g. key management, SuisseID integration, authentication methods for smartphones etc.)
- Passive and active network monitoring with a focus on attack and anomaly detection
- Security assessments (penetration tests, conceptual security analyses etc.)
- Risk assessment and risk engineering of IT systems in companies and as part of critical IT infrastructures
Projects
Automated Software Security Testing
IT-Security in the area of Road Traffic Telematics
All IS group projects
Partners / Networks
Further Links
DoubleSec (PDF)


