
    An empirical comparison of commercial and open‐source web vulnerability scanners

    Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open-source and commercial) using two vulnerable web applications: WebGoat and Damn Vulnerable Web Application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false positives.

    A performance evaluation of mobile web services security

    It is now feasible to host basic web services on a smart phone due to the advances in wireless devices and mobile communication technologies. The market capture of mobile web services has also increased significantly in the past years. While the applications are quite welcoming, the ability to provide secure and reliable communication in the vulnerable and volatile mobile ad-hoc topologies is increasingly becoming necessary. Even though many standardized security specifications such as WS-Security and SAML exist for web services in wired networks, not much has been analyzed and standardized in wireless environments. In this paper we give our analysis of adapting some of the security standards, especially WS-Security, to the cellular domain, with performance statistics. The performance latencies are obtained and analyzed while observing the performance and quality of service of our Mobile Host.

    Participant Domain Name Token Profile for security enhancements supporting service oriented architecture

    This research proposes a new secure token profile for improving the existing Web Services security standards. It provides a new authentication mechanism. This additional level of security is important for the Service-Oriented Architecture (SOA), which is an architectural style that uses a set of principles and design rules to shape interacting applications and maintain interoperability. Currently, the market push is towards SOA, which provides several advantages, for instance: integration with heterogeneous systems, service reuse, standardization of data exchange, etc. Web Services is one of the technologies used to implement SOA, and it can be implemented using the Simple Object Access Protocol (SOAP). A SOAP-based Web Service relies on XML for its message format and on common application layer protocols for message negotiation and transmission. However, it is a security challenge when a message is transmitted over the network, especially on the Internet. The Organization for the Advancement of Structured Information Standards (OASIS) announced a set of Web Services Security standards that focus on two major areas: “who” can use the Web Service and “what” the permissions are. However, the location or domain of the message sender is not authenticated. Therefore, a new secure token profile called the Participant Domain Name Token Profile (PDNT) is created to tackle this issue. The PDNT provides a new security feature which the existing token profiles do not address. Location-based authentication is achieved by adopting the PDNT when using Web Services. In the performance evaluation, PDNT is demonstrated to be significantly faster than other secure token profiles. The processing overhead of using the PDNT together with other secure token profiles is very small given the additional security provided. Therefore, all the participants can acquire the benefits of increased security and performance at low cost.

    On a new genus of Upper Paleozoic plants, Brovuchkia Parfenova gen. nov., from the Kemerovo district of the Kuzbass

    Multimedia information systems have been developed into service-ware. With the paradigms of web services, service-oriented architectures (SOA), and Web 2.0 widgets, multimedia has become truly ubiquitous. However, interoperability, scalability, reliability and security are emerging challenges in mobile multimedia service development. This paper focuses on the analysis, design, development and evaluation of a middleware that allows access from mobile devices to a bundle of multimedia services. The services are based on the international multimedia metadata description standard MPEG-7. The implementation is based on a new generation of service-oriented application servers called Lightweight Application Server (LAS). Mobile web services refer to the fact that mobile servers host web services. A prototype was developed as a proof of concept, showing how to access MPEG-7 based multimedia services from a Mobile Host, together with the analysis results of providing MPEG-7 based multimedia services in the form of web services from the Mobile Host to other mobile devices. An alternative solution is to apply enterprise service bus technology as the middleware. The performance evaluation results of both approaches show the reliable accessibility of MPEG-7 based multimedia services via the enterprise service bus solution.

    Combining information seeking services into a meta supply chain of facts

    The World Wide Web has become a vital supplier of information that allows organizations to carry out such tasks as business intelligence, security monitoring, and risk assessments. Having a quick and reliable supply of correct facts is often mission critical. By following design science guidelines, we have explored ways to recombine facts from multiple sources, each with possibly different levels of responsiveness and accuracy, into one robust supply chain. Inspired by prior research on keyword-based meta-search engines (e.g., metacrawler.com), we have adapted the existing question answering algorithms for the task of analysis and triangulation of facts. We present a first prototype for a meta approach to fact seeking. Our meta engine sends a user's question to several fact seeking services that are publicly available on the Web (e.g., ask.com, brainboost.com, answerbus.com, NSIR, etc.) and analyzes the returned results jointly to identify and present to the user those that are most likely to be factually correct. The results of our evaluation on the standard test sets widely used in prior research support the evidence for the following: 1) the value added of the meta approach: its performance surpasses the performance of each supplier; 2) the importance of using fact seeking services as suppliers to the meta engine rather than keyword-driven search portals; and 3) the resilience of the meta approach: eliminating a single service does not noticeably impact the overall performance. We show that these properties make the meta approach a more reliable supplier of facts than any of the currently available stand-alone services.

    Evaluating SOAP for High Performance Business Applications: Real-Time Trading Systems

    Web services, with an emphasis on open standards and flexibility, may provide benefits over existing capital markets integration practices. However, web services must first meet certain technical requirements including performance, security and fault-tolerance. This paper presents an experimental evaluation of SOAP performance using realistic business application message content. To get some indication of whether SOAP is appropriate for high performance capital markets systems, the results are compared with a widely used existing protocol. The study finds that, although SOAP performs relatively poorly, the difference is less than in scientific computing environments. Furthermore, we find that in realistic business applications it is possible for text-based wire formats to have comparable performance to binary, and that the text-based nature of XML is not sufficient to explain SOAP's inefficiency. This suggests that further work may enable SOAP to become a viable wire format for high performance business applications.

    Web services security evaluation considerations

    Web services development is a key theme in the commercial exploitation of the semantic web. Paramount to the development and offering of such services is the issue of security features and the way these are applied in instituting trust amongst participants and recipients of the service. Implementing such security features is a major challenge to developers, as they need to balance these with performance and interoperability requirements. Being able to evaluate the level of security offered is a desirable feature for any prospective participant. The authors attempt to address the issues of security requirements and evaluation criteria, while they discuss the challenges of security implementation through a simple web service application case.

    Comparison of web service architecture based on architecture quality properties

    Web service research has focused on the issues of automatic binding, performance, scalability, and security; however, little research has been done on the evaluation of web service architectures, namely broker-based ones. Examples of these are Matchmaker Broker, Layered Matchmaker, Facilitator, Layered Facilitator, and peer-to-peer (P2P) based ones, such as P2P Discovery, Match Maker and P2P, Split Code and P2P Execution, Mobile Code with P2P, etc. Another consideration is their impact on adoption in the distributed Internet environment. In this paper we introduce a methodology for measuring and evaluating web service architecture styles, present our development of a set of architectural quality properties, and use these quality properties to carry out a comparison and contrast of current web service architectures. We provide a detailed analysis and critique of these, which could serve as guidelines for the next generation of web services development that could be adopted in the distributed environment.