Strategic Techniques for Enhancing Web Services Security in Cloud Computing Model

The 21st century has witnessed an integration of enterprise business process with emerging techniques in a quest to maximize opportunities and organisational strength. In spite of these, vulnerabilities and risks still abound due to the integration for an effective operational mechanism. Mitigating against these requires strategic techniques for enhancing web services security. It is on this background that this paper has been presented. A critical study of web services architecture and cloud computing model as an emerging technology has been given a succinct digest. Furthermore, an evaluation of recent trends in web services and cloud computing model security issues were x-rayed. The threat to web services application deployed in cloud computing were identified hence presenting strategic techniques for enhancing web services security as a proactive measure to enhancing enterprise success. This paper concludes by re-iterating the need to understanding various security threats and proactively and dynamically reacting to them. Keywords: Web Services, Cloud Computing, Cross Site Scripting, SQL Injection and Web Securit

Web attack risk awareness with lessons learned from high interaction honeypots

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Com a evolução da web 2.0, a maioria das empresas elabora negócios através da Internet usando aplicações web. Estas aplicações detêm dados importantes com requisitos cruciais como confidencialidade, integridade e disponibilidade. A perda destas propriedades influencia directamente o negócio colocando-o em risco. A percepção de risco providencia o necessário conhecimento de modo a agir para a sua mitigação. Nesta tese foi concretizada uma colecção de honeypots web de alta interacção utilizando diversas aplicações e sistemas operativos para analisar o comportamento do atacante. A utilização de ambientes de virtualização assim como ferramentas de monitorização de honeypots amplamente utilizadas providencia a informação forense necessária para ajudar a comunidade de investigação no estudo do modus operandi do atacante, armazenando os últimos exploits e ferramentas maliciosas, e a desenvolver as necessárias medidas de protecção que lidam com a maioria das técnicas de ataque. Utilizando a informação detalhada de ataque obtida com os honeypots web, o comportamento do atacante é classificado entre diferentes perfis de ataque para poderem ser analisadas as medidas de mitigação de risco que lidam com as perdas de negócio. Diferentes frameworks de segurança são analisadas para avaliar os benefícios que os conceitos básicos de segurança dos honeypots podem trazer na resposta aos requisitos de cada uma e a consequente mitigação de risco.With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties influences directly the business putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provide the necessary forensic information that helps the research community to study the modus operandi of the attacker gathering the latest exploits and malicious tools and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk

Security Analysis of an Operations Support System

Operations support systems (OSS) are used by Communications service providers (CSP) to configure and monitor their network infrastructure in order to fulfill, assure and bill services. With the industry moving towards cloud-based deployments, CSPs are apprehensive about their internal OSS applications being deployed on external infrastructure. Today's OSS systems are complex and have a large attack surface. Moreover, a literature review of OSS systems security does not reveal much information about the security analysis of OSS systems. Hence, a security analysis of OSS systems is needed. In this thesis, we study a common architecture of an OSS system for provisioning and activation (P&A) of telecommunications networks. We create a threat model of the P&A system. We create data flow diagrams to analyse the entry and exit points of the application and list different threats using the STRIDE methodology. We also describe various vulnerabilities based on the common architecture that OSS vendors must address. We describe mitigation for the threats and vulnerabilities found and mention dos and don'ts for OSS developers and deployment personnel. We also present the results of a survey we conducted to find out the current perception of security in the OSS industry. Finally, we conclude by stressing the importance of a layered security approach and recommend that the threat model and mitigation must be validated periodically. We also observe that it is challenging to create a common threat model for OSS systems because of the lack of an open architecture and the closed nature of OSS software

A Framework of DevSecOps for Software Development Teams

This master's thesis explores a broad evaluation of automated security testing in the context of DevOps practices. The primary objective of this study is to propose a framework that facilitates the seamless integration of security scanning tools within DevOps practices. The thesis will focus on examining the existing set of tools and their effective integration into fully automated DevOps CI/CD pipelines. The thesis starts by examining the theoretical concepts of DevOps and provides guidelines for integrating security within DevOps methodologies. Furthermore, it assesses the current state of security by analysing the OWASP Web API top 10 security vulnerability list and evaluating existing security automation tools. Additionally, the research investigates the performance and efficacy of these tools across various stages of the SDLC and investigates ongoing research and development activities. A fully automated DevOps CI/CD pipeline is implemented to integrate security scanning tools, enforcing complete security checks throughout the SDLC. Azure DevOps build and release pipelines, along with Snyk, were used to create a comprehensive automated security scanning framework. The study considerably investigates the integration of these security scanning tools and assesses their influence on the overall security posture of the developed applications. The finding of the study reveals that security scanning tools can be efficiently integrated into fully automated DevOps practices. Based on the results, recommendations are provided for the selection of suitable tools and techniques to achieve a DevSecOps practice. In conclusion, this thesis provides valuable insights into security integration in DevOps practices, highlighting the effectiveness of security automation tools. The research also recommends areas for further improvements to meet the industry's evolving requirements

Unified System on Chip RESTAPI Service (USOCRS)

Abstract. This thesis investigates the development of a Unified System on Chip RESTAPI Service (USOCRS) to enhance the efficiency and effectiveness of SOC verification reporting. The research aims to overcome the challenges associated with the transfer, utilization, and interpretation of SoC verification reports by creating a unified platform that integrates various tools and technologies. The research methodology used in this study follows a design science approach. A thorough literature review was conducted to explore existing approaches and technologies related to SOC verification reporting, automation, data visualization, and API development. The review revealed gaps in the current state of the field, providing a basis for further investigation. Using the insights gained from the literature review, a system design and implementation plan were developed. This plan makes use of cutting-edge technologies such as FASTAPI, SQL and NoSQL databases, Azure Active Directory for authentication, and Cloud services. The Verification Toolbox was employed to validate SoC reports based on the organization’s standards. The system went through manual testing, and user satisfaction was evaluated to ensure its functionality and usability. The results of this study demonstrate the successful design and implementation of the USOCRS, offering SOC engineers a unified and secure platform for uploading, validating, storing, and retrieving verification reports. The USOCRS facilitates seamless communication between users and the API, granting easy access to vital information including successes, failures, and test coverage derived from submitted SoC verification reports. By automating and standardizing the SOC verification reporting process, the USOCRS eliminates manual and repetitive tasks usually done by developers, thereby enhancing productivity, and establishing a robust and reliable framework for report storage and retrieval. Through the integration of diverse tools and technologies, the USOCRS presents a comprehensive solution that adheres to the required specifications of the SOC schema used within the organization. Furthermore, the USOCRS significantly improves the efficiency and effectiveness of SOC verification reporting. It facilitates the submission process, reduces latency through optimized data storage, and enables meaningful extraction and analysis of report data

Online failure prediction in air traffic control systems

This thesis introduces a novel approach to online failure prediction for mission critical distributed systems that has the distinctive features to be black-box, non-intrusive and online. The approach combines Complex Event Processing (CEP) and Hidden Markov Models (HMM) so as to analyze symptoms of failures that might occur in the form of anomalous conditions of performance metrics identified for such purpose. The thesis presents an architecture named CASPER, based on CEP and HMM, that relies on sniffed information from the communication network of a mission critical system, only, for predicting anomalies that can lead to software failures. An instance of Casper has been implemented, trained and tuned to monitor a real Air Traffic Control (ATC) system developed by Selex ES, a Finmeccanica Company. An extensive experimental evaluation of CASPER is presented. The obtained results show (i) a very low percentage of false positives over both normal and under stress conditions, and (ii) a sufficiently high failure prediction time that allows the system to apply appropriate recovery procedures

Application Security Verification Standard Compliance Analysis of a Low Code Development Platform

Low-code development platforms (LCDPs) are software development platforms that use artificial intelligence to help automate simple and routine tasks and make the software development process faster. By 2024, 60% of application development expect to be done using these platforms. Even though these platforms are gaining popularity, they have not been popular research topics, and their security features have not been assessed. One way to conduct such an assessment is by using Application Security Verification Standard (ASVS). ASVS is a community-driven security standard for web applications and services. ASVS is made of three requirement levels, and the security controls become more strict when moved up. ASVS is designed to give organizations a tool to develop and maintain more secure applications. One example of an LCDP is OutSystems, which is said to be “designed for the developers, by the developers”. OutSystems belongs to the Leader category in the 2021 release of Gartner® Magic QuadrantTM for Enterprise Low-Code Application Platforms. In this thesis, we will conduct a first of its kind compliance analysis between OutSystems and ASVS levels 1 and 2 to find out if and how compliant OutSystems is with the standard. This kind of compliance analysis has not been done before. Based on our analysis, we will do a “lessons learned” and write a guideline on how to evaluate LCDPs’ security features in the future. The results themselves show that OutSystems, for the most part, is compliant with ASVS. The biggest deficiencies in OutSystems are with authentication and input validation. We show that the deficiencies with authentication are trivial to fix, but meeting the requirements with the input validation requires some work. From the assessment, we learned that assessing LCDPs is not completely similar to a traditional security assessment. We learned that some functionalities are pre-made, and the developer can not customise them. We found that it is easier to evaluate first if the platform meets the requirement. If not, then see if the developer can do something about it