5 research outputs found

    Security Testing: A Survey

    Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of current security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarizes the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing, are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.

    Security policy architecture for web services environment

    An enhanced observer (e-observer) is a model that observes the behaviour of a service and then automatically reports any changes in the state of the service to an evaluator model. The e-observer observes the state of a service to determine whether it conforms to and obeys its intended behaviour or policy rules. E-observer techniques address most problems, govern and provide a proven solution that is re-usable in a similar context. This leads to an organisation and formalisation of policy, which is the engine of the e-observer model. Policies are used to refer to specific security rules for particular systems. They are derived from the goals of management that describe the desired behaviour of distributed heterogeneous systems and networks. These policies should be defended by security, which has become a coherent and crucial issue. Security aims to protect these policies whenever possible. It is the first line of protection for resources or assets against events such as loss of availability, unauthorised access or modification of data. The techniques devised to protect information from intruders are general purpose in nature and, therefore, cannot directly enforce security, which has no universal definition; the high degree of assurance of security properties of systems used in security-critical areas, such as business, education and finance, is usually achieved by verification. In addition, security policies express the protection requirements of a system in a precise and unambiguous form. They describe the requirements and mechanisms for securing the resources and assets between the sharing parties of a business transaction. Service-Oriented Computing (SOC) is a new paradigm of computing that considers "services" as fundamental elements for developing applications and solutions. SOC has many advantages that support IT in improving and increasing its capabilities. SOC allows flexibility to be integrated into application development.
This allows services to be provided in a highly distributed manner by Web services. Many organisations and enterprises have undertaken developments using SOC. Web services (WSs) are examples of SOC. WSs have become more powerful and sophisticated in recent years and are being used successfully for interoperable solutions across various networks. The main benefit of web services is that they use machine-to-machine interaction. This leads us initially to explore the "Quality" aspect of the services. Quality of Service (QoS) describes many techniques that prioritise one type of traffic or programme that operates across a network connection. Hence, QoS has rules to determine which requests have priority and uses these rules to assign priority to real-time communications. In addition, these rules can be sophisticated and expressed as policies that constrain the behaviour of these services. The rules (policies) should be addressed and enforced by the security mechanism. Moreover, in SOC and in particular web services, services are black boxes whose behaviour may be completely determined by their interaction with other services under a confederation system. Therefore, we propose the design and implementation of the "behaviour of services," which is constrained by QoS policies. We formulate and implement novel techniques for web service policy-based QoS, which leads to the development of a framework for observing services. These services interact with each other and are verified in a formal and systematic manner. This framework can be used to specify security policies in a succinct and unambiguous manner; thus, we developed a set of rules that can be applied inductively to verify the set of traces generated by the specification of our model's policy. These rules could also be used for verifying the functionality of the system.
In order to demonstrate the protection features of an information system that is able to specify and concisely describe a set of generated traces, we subsequently consider the design and management of the Ponder policy language to express QoS and its associated criteria, such as security. An algorithm was composed for analysing the observations that are constrained by policies, and then a prototype system was built for demonstrating the observation architecture within the education sector. Finally, an enforcement system was used to successfully deploy the prototype's infrastructure over Web services in order to define an optimisation model that would capture efficiency requirements. Therefore, our assumption is that the communication between services is traced and observed, and decisions are then taken based on their behaviour and history. Hence, the big issue here is how we ensure that some given security requirements are satisfied and enforced. The scenario here is under a confederation system and is based on the following:
• The system's components are Web services.
• These components are black boxes and are designed/built by various vendors.
• The topology is highly changeable.
Consequently, the main issues are:
• The proposal, design and development of a prototype observation system that manages security policy and its associated aspects by evaluating the outcome results via the evaluator model.
• Taming the design complexity of the observation system by leaving considerable degrees of freedom for its structure and behaviour and by bestowing upon it certain characteristics, so that it can learn and adapt with respect to dynamically changing environments.

    Service oriented computing for dynamic virtual learning environments

    Using the Internet for teaching and learning has become a trend in modern higher education, facilitated through the exploitation of advanced computing technologies. Virtual Learning Environment (VLE) applications support online learning over the Internet, and VLEs have thus emerged as e-learning domains that are essential prerequisites in cutting-edge design and implementation technologies in education. Service Oriented Computing (SOC), as a novel software development and implementation approach, has become an active area of research and development. Web services, as an example of SOC, support the integration of software applications in an incremental way, using existing platforms and languages that utilize and adopt existing legacy systems. Thus, VLEs should be particularly well suited to Web services through the SOC approach. The field of VLE services is subject to continuous development, but VLEs as Web services are still not generally accessible for academic institutions, although they have been adopted by some scientific projects. The next generation of VLEs should address the limitations of the current online systems by providing a richer context for online learning, one that is sensitive to the specific domain requirements of e-learning. Web Services Matching and Selection (WSMS), as a part of the functional requirements of Web services, has received less attention from SOC researchers. It involves discovering a set of semantically equivalent services by filtering a set of available services based on service metadata, and instantaneously selecting the best possible service. WSMS is the discovery of a service by a user, where correspondence is established between the objectives of the consumer and the capabilities of the service. It thereby aims to match and select the optimal service that best meets the requestor's needs.
The main aim of this doctoral work is to explore novel architectural designs for VLEs, based on the SOC paradigm and its related techniques. In addition, this investigation aims to extend the core ideas behind VLE tools, which are gradually becoming dominant within academic institutes. Another aim is to devise a policy-based technique to enforce security requirements for VLEs and to build a test-bed for VLE security based on Modular Moodle. The fundamental contribution of this thesis is that it demonstrates that VLEs can be considered as services, which can be published, discovered and composed as perceived in the SOC paradigm. An additional contribution to knowledge is that it has built a new extension to the structure of Web services: the Web Services Matching and Selection (WSMS) system. Another contribution to knowledge is that traditional security requirements have been modified to cater for the highly mobile and changeable environment of VLEs; this has been achieved through policy-based techniques. These contributions to the body of knowledge have been published in learned journals and at conferences.