7 research outputs found

    Towards full protection of web applications based on Aspect Oriented Programming

    Web application security is a critical issue. Security concerns are often scattered through different parts of the system. Aspect oriented programming is a programming paradigm that provides explicit mechanisms to modularize these concerns. In this paper we present a technique for detecting and preventing common attacks in web applications like Cross Site Scripting (XSS) and SQL Injection using an aspect oriented approach by analyzing and validating user input strings. We use an aspect to capture input strings and compare them to predefined patterns. The intrusion detection aspect is implemented in AspectJ and is woven into the target system. The resulting system has the ability to detect malicious user input and prevent SQL Injection and Cross Site Scripting. We present an experimental evaluation by applying it to an insecure web application. The results of our tests show that our technique was able to detect all the attempted attacks without generating any false positives

    A taxonomy of approaches for integrating attack awareness in applications

    Software applications are subject to an increasing number of attacks, resulting in data breaches and financial damage. Many solutions have been considered to help mitigate these attacks, such as the integration of attack-awareness techniques. In this paper, we propose a taxonomy illustrating how existing attack awareness techniques can be integrated into applications. This work provides a guide for security researchers and developers, aiding them when choosing the approach which best fits the needs of their application

    SOFTWARE: FROM PRODUCT TO SERVICE THE EVOLUTION OF A MODEL

    Among the consequences of the Enterprise 2.0 family technologies’ growing popularity, we can observe the rise of a set of new business models for the use and employment of software applications, some of them also applicable for infrastructure components. The most popular of these models is by far Software as a Service (also called SaaS). SaaS is a software distribution model assuming the software applications are hosted and maintained by the vendor or the distributor, the user access being granted exclusively by means of the Internet. The paper at hand is a literature review and also an action research, meant to provide an objective and unbiased comparison of the two major software distribution models, and also to identify the strengths, the weaknesses and the favorite areas of applicability for each model. The paper is a part of a larger research performed by the author in the field of Enterprise 2.0 technologies. Keywords: Organizational knowledge, Enterprise 2.0, Software as a Service, Web 2.0, Semantic Web

    Enterprise 2.0 – Is The Market Ready?

    Enterprise 2.0 family technologies have growing popularity, the cloud computing market is growing rapidly and, as a consequence, companies of all sizes start to evaluate the potential fit. The use of “Software as a Service”, “Platform as a Service” and “Infrastructure as a Service” has been evolving during the past years and has become increasingly popular. As its computing viability and benefits are legitimized, the adoption rate is rapidly increasing. The most popular business model in the abovementioned family is by far “Software as a Service” (also called SaaS), which is a software distribution model assuming the software applications are hosted and maintained by the vendor or the distributor, and user access is granted exclusively by means of the Internet. Based on both literature review and action research, the paper at hand is a synthesis for the results of an empirical study performed during the last two years among Romanian and foreign companies, in order to outline and provide an objective and unbiased answer to the question: “Is the market ready for these technologies or did they come too soon?”. The paper is a part of a larger research performed by the author in the field of Enterprise 2.0 technologies. Keywords: Enterprise 2.0, Software as a Service, Platform as a Service, Infrastructure as a Service, Empirical study

    EFFICIENT RUNTIME SECURITY SYSTEM FOR DECENTRALISED DISTRIBUTED SYSTEMS

    Distributed systems can be defined as systems that are scattered over geographical distances and provide different activities through communication, processing, data transfer and so on, thus increasing the cooperation, efficiency, and reliability to deal with users and data resources jointly. For this reason, distributed systems have been shown to be a promising infrastructure for most applications in the digital world. Despite their advantages, keeping these systems secure is a complex task because of the unconventional nature of distributed systems, which can produce many security problems like phishing, denial of services or eavesdropping. Therefore, adopting security and privacy policies in distributed systems will increase the trustworthiness between the users and these systems. However, adding or updating security is considered one of the most challenging concerns and this relies on various security vulnerabilities which exist in distributed systems. The most significant one is inserting or modifying a new security concern or even removing it according to the security status which may appear at runtime. Moreover, these problems will be exacerbated when the system adopts the multi-hop concept as a way to deal with transmitting and processing information. This can pose many significant security challenges especially if dealing with decentralized distributed systems and the security must be furnished as end-to-end. Unfortunately, existing solutions are insufficient to deal with these problems like CORBA which is considered a one-to-one relationship only, or DSAW which deals with end-to-end security but without taking into account the possibility of changing information sensitivity during runtime. This thesis provides a proposed mechanism for enforcing security policies and dealing with distributed systems’ security weakness in terms of the software perspective.
The proposed solution utilised Aspect-Oriented Programming (AOP), to address security concerns during compilation and running time. The proposed solution is based on a decentralized distributed system that adopts the multi-hop concept to deal with different requested tasks. The proposed system focused on how to achieve high accuracy, data integrity and high efficiency of the distributed system in real time. This is done through modularising the most efficient security solutions, Access Control and Cryptography, by using Aspect-Oriented Programming language. The experiments’ results show the proposed solution overcomes the shortage of the existing solutions by fully integrating with the decentralized distributed system to achieve dynamic, high cooperation, high performance and end-to-end holistic security

    Security-Driven Software Evolution Using A Model Driven Approach

    High security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use, which poses security risks to the enterprise’s assets due to the poor technologies used and lack of security concerns when they were in design. Software reengineering is a way out to improve their security levels in a systematic way. Model driven is an approach in which model as defined by its type directs the execution of the process. The aim of this research is to explore how model driven approach can facilitate the software reengineering driven by security demand. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. The task of this phase is to reverse engineer legacy system into UML models, partition the legacy system into subsystems with the help of model slicing technique and detect existing security mechanisms to determine whether or not the provided security in the legacy system satisfies the user’s security objectives. Secondly, security requirements are elicited using risk analysis method. It is the process of analysing key aspects of the legacy systems in terms of security. A new risk assessment method, taking consideration of asset, threat and vulnerability, is proposed and used to elicit the security requirements which will generate the detailed security requirements in the specific format to direct the subsequent security enhancement. Finally, security enhancement for the system is performed using the proposed ontology based security pattern approach. It is the stage that security patterns derived from security expertise and fulfilling the elicited security requirements are selected and integrated in the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated by the selected case study.
Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show this thesis contributes an effective, reusable and suitable evolution approach for software security