Distributed Access Control for Web and Business Processes

Middleware influenced the research community in developing a number of systems for controlling access to distributed resources. Nowadays a new paradigm for the lightweight integration of business resources from different partners is starting to take hold – Web Services and Business Processes for Web Services. Security and access control policies for Web Services protocols and distributed systems are well studied and almost standardized, but there is not yet a comprehensive proposal for an access control architecture for business processes. So, it is worth looking at the available approaches to distributed authorization as a starting point for a better understanding of what they already have and what they still need to address the security challenges for business processes

Security for Grid Services

Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.Comment: 10 pages; 4 figure

BlackWatch:increasing attack awareness within web applications

Web applications are relied upon by many for the services they provide. It is essential that applications implement appropriate security measures to prevent security incidents. Currently, web applications focus resources towards the preventative side of security. Whilst prevention is an essential part of the security process, developers must also implement a level of attack awareness into their web applications. Being able to detect when an attack is occurring provides applications with the ability to execute responses against malicious users in an attempt to slow down or deter their attacks. This research seeks to improve web application security by identifying malicious behaviour from within the context of web applications using our tool BlackWatch. The tool is a Python-based application which analyses suspicious events occurring within client web applications, with the objective of identifying malicious patterns of behaviour. This approach avoids issues typically encountered with traditional web application firewalls. Based on the results from a preliminary study, BlackWatch was effective at detecting attacks from both authenticated, and unauthenticated users. Furthermore, user tests with developers indicated BlackWatch was user friendly, and was easy to integrate into existing applications. Future work seeks to develop the BlackWatch solution further for public release

Enhancement of Web Security Against External Attack

The security of web-based services is currently playing a vital role for the software industry. In recent years, many technologies and standards have emerged in order to handle the security issues related to web services. This paper shows techniques to enhance the security of web services, and some of the recent challenges and recommendations of a proposed model to secure web services. It shows the security process of a real life web application, which includes; HTML5 forms, login security, and a single signon solution. This paper also aim to discuss the ten (10) most common web security vulnerabilities and how to prevent the web application from three (3) of the vulnerabilities. Amongst them are; SQL Injection, Cross Site Scripting and Broken Authentication, and Session Management

Advanced eGovernment Information Service Bus (eGov-Bus)

The eGov-Bus project provides citizens and businesses with improved access to virtual public services, which are based on existing national eGovernment Web services and which support cross-border life events. Requirements and specific rules of these life events are considered, and personalization of user preferences is supported. eGov-Bus is based on adaptable process management technologies, allowing for virtual services which are dynamically combined from existing national eGovernment services. In this way, a comprehensive workflow process is set up, allowing for service-level agreements, an audit trail and explanation of the process to the end user. The eGov-Bus process engine operates on top of a virtual repository, providing a high-level semantic view of information retrieved from heterogeneous information sources, such as eGovernment Web services. Further, eGov-Bus relies on a security framework to ensure all high-level security requirements are met. The eGov-Bus architecture is business oriented, it focuses on Service Oriented Architecture (SOA) concepts, asynchronously combining Web services and providing a Service Bus.Frameworks and Guidelines, eGovernment Ontologies, Admininistrative Process Design, Life Events, Web Services, Service Bus Integration

E-commerce Systems and E-shop Web Sites Security

Fruitfulnes of contemporary companies rests on new business model development, elimination of communication obstacles, simplification of industrial processes, possibilities of responding in real-time and above all meeting the floating custom needs. Quite a number of company activities and transactions are realized within the framework of e-business. Business transactions are supported by e-commerce systems. One of the e-commerce system part is web interface (web sites). Present trend is putting the accent on security. E-commerce system security and web sites security is the most overlooked aspect of securing data. E-commerce system security depends on technologies and its correct exploitation and proceedings. If we want e-commerce system and e-shops web sites with all services to be safety, it is necessary to know all possible risks, use up to date technologies, follow conventions of web sites development and have good security management system. The article deals with definition and description of risk areas refer to e-commerce systems and e-shop web sites and show fundamental principles of e-commerce systems and e-shop web sites security.E-commerce system, e-shop web sites, security, security proceedings, web technologies

Engineering Secure Adaptable Web Services Compositions

Service-oriented architecture defines a paradigm for building applications by assembling autonomous components such as web services to create web service compositions. Web services are executed in complex contexts where unforeseen events may compromise the security of the web services composition. If such compositions perform critical functions, prompt action may be required as new security threats may arise at runtime. Manual interventions may not be ideal or feasible. To automatically decide on valid security changes to make at runtime, the composition needs to make use of current security context information. Such security changes are referred to as dynamic adaptation. This research proposes a framework to develop web services compositions that can dynamically adapt to maintain the same level of security when unforeseen security events occur at runtime. The framework is supported by mechanisms that map revised security requirements arising at runtime to a new security configuration plan that is used to adapt the web services composition

3PAC: Enforcing Access Policies for Web Services

Web services fail to deliver on the promise of ubiquitous deployment and seamless interoperability due to the lack of a uniform, standards-based approach to all aspects of security. In particular, the enforcement of access policies in a service oriented architecture is not addressed adequately. We present a novel approach to the distribution and enforcement of credentials-based access policies for Web services (3PAC) which scales well and can be implemented in existing deployments