23 research outputs found

    Web Application Weakness Ontology Based on Vulnerability Data

    Web applications are becoming more ubiquitous. All manner of physical devices are now connected and often have a variety of web applications and web-interfaces. This proliferation of web applications has been accompanied by an increase in reported software vulnerabilities. The objective of this analysis of vulnerability data is to understand the current landscape of reported web application flaws. Along those lines, this work reviews ten years (2011 - 2020) of vulnerability data in the National Vulnerability Database. Based on this data, the most common web application weaknesses are identified and their profiles presented. A weakness ontology is developed to capture the attributes of these weaknesses. These include their attack method and attack vectors. Also described is the impact of the weaknesses on software quality attributes. Additionally, the technologies that are susceptible to each weakness are presented; they include programming languages, frameworks, communication protocols, and data formats.

    Achieving autonomic Web service compositions with models at runtime

    Several exceptional situations may arise in the complex, heterogeneous, and changing contexts where Web service operations run. For instance, a Web service operation may have greatly increased its execution time or may have become unavailable. The contribution of this article is to provide a tool-supported framework to guide autonomic adjustments of context-aware service compositions using models at runtime. During execution, when problematic events arise in the context, models are used by an autonomic architecture to guide changes of the service composition. Under the closed-world assumption, the possible context events are fully known at design time. Nevertheless, it is difficult to foresee all the possible situations arising in uncertain contexts where service compositions run. Therefore, the proposed framework also covers the dynamic evolution of service compositions to deal with unexpected events in the open world. An evaluation demonstrates that our framework is efficient during dynamic adjustments.

    Alférez-Salinas, GH.; Pelechano Ferragud, V. (2017). Achieving autonomic Web service compositions with models at runtime. Computers & Electrical Engineering. 63:332-352. doi:10.1016/j.compeleceng.2017.08.004

    Enabling adaptability in service aggregates using transparent shaping techniques

    Distributed applications are exposed as reusable components that are dynamically discovered and integrated to create new applications. These new applications, in the form of aggregate services, are vulnerable to failure due to the autonomous and distributed nature of their integrated components. This vulnerability creates the need for adaptability in aggregate services. The need for adaptation is accentuated for complex long-running applications as is found in scientific Grid computing, where distributed computing nodes may participate to solve computation and data-intensive problems. Such applications integrate services for coordinated problem solving in areas such as Bioinformatics. For such applications, when a constituent service fails, the application fails, even though there are other nodes that can substitute for the failed service. This concern is not addressed in the specification of high-level composition languages such as that of the Business Process Execution Language (BPEL). We propose an approach to transparently autonomizing existing BPEL processes in order to make them modifiable at runtime and more resilient to the failures in their execution environment. By transparent introduction of adaptive behavior, adaptation preserves the original business logic of the aggregate service and does not tangle the code for adaptive behavior with that of the aggregate service. The major contributions of this dissertation are: first, we assessed the effectiveness of BPEL language support in developing adaptive mechanisms. As a result, we identified the strengths and limitations of BPEL and came up with strategies to address those limitations. Second, we developed a technique to enhance existing BPEL processes transparently in order to support dynamic adaptation. We proposed a framework which uses transparent shaping and generative programming to make BPEL processes adaptive. 
    Third, we developed a technique to dynamically discover and bind to substitute services. Our technique was evaluated and the result showed that dynamic utilization of components improves the flexibility of adaptive BPEL processes. Fourth, we developed an extensible policy-based technique to specify how to handle exceptional behavior. We developed a generic component that introduces adaptive behavior for multiple BPEL processes. Fifth, we identify ways to apply our work to facilitate adaptability in composite Grid services.

    Composing aggregate Web services in BPEL

    Web services are increasingly being used to expose applications over the Internet. These Web services are being integrated within and across enterprises to create higher function services. BPEL is a workflow language that facilitates this integration. Although both academia and industry acknowledge the need for workflow languages, there are few technical papers focused on BPEL. In this paper, we provide an overview of BPEL and discuss its promises, limitations and challenges.

    TRAP/BPEL: A framework for dynamic adaptation of composite services

    Abstract. TRAP/BPEL is a framework that adds autonomic behavior into existing BPEL processes automatically and transparently. We define an autonomic BPEL process as a composite Web service that is capable of responding to changes in its execution environment (e.g., a failure in a partner Web service). Unlike other approaches, TRAP/BPEL does not require any manual modifications to the original code of the BPEL processes and there is no need to extend the BPEL language nor its BPEL engine. Furthermore, TRAP/BPEL promotes the reuse of code in BPEL processes as well as in their corresponding autonomic behavior. In this paper, we describe the details of the TRAP/BPEL framework and use a case study to demonstrate the feasibility and effectiveness of our approach. Keywords: TRAP/BPEL, generic proxy, self-management, dynamic service discovery.

    RobustBPEL-2: Transparent autonomization in aggregate web services using dynamic proxies

    We recently introduced RobustBPEL [13], a software toolkit that provides a systematic approach to making existing aggregate Web services more tolerant to the failure of their constituent Web services. Using RobustBPEL, we demonstrated how an aggregate Web service, defined as a BPEL process, can be instrumented automatically to monitor its partner Web services at runtime and replace failed services via a generated proxy. While in the previous work the proxy is statically bound to a limited number of alternative Web services, in this paper we propose an extension to the RobustBPEL toolkit to generate a proxy that dynamically discovers and binds to existing services. Further, we present details of the generation process, the architecture of the dynamic proxy, and finally use a case study to demonstrate how the generated dynamic proxy is used to support self-healing and self-optimization (specifically, to improve the fault-tolerance and performance) in an instrumented BPEL process.

    Enabling robustness in existing BPEL processes

    Abstract: Web services are increasingly being used to expose applications over the Internet. To promote efficiency and the reuse of software, these Web services are being integrated both within enterprises and across enterprises, creating higher function services. BPEL is a workflow language that can be used to facilitate this integration. Unfortunately, the autonomous nature of Web services leaves BPEL processes susceptible to the failures of their constituent services. In this paper, we present a systematic approach to making existing BPEL processes more fault tolerant by monitoring the involved Web services at runtime, and by replacing delinquent Web services. To show the feasibility of our approach, we developed a prototype implementation that generates more robust BPEL processes from existing ones automatically. The use of the prototype is demonstrated using an existing Loan Approval BPEL process.