Service oriented architecture is fast becoming ubiquitous enterprise software architecture standard in public and private sector alike. Study of literature and current attacks suggests that with the ...proliferation of Web API and RESTFul services, the attack vectors prioritized by OWASP top 10, including but not limited to cross site scripting (XSS), cross site request forgery (CSRF), injection, direct object reference, broken authentication and session management now equally apply to web services. In addition service oriented architecture relies heavily on XML/RESTFul web services which are vulnerable to XML Signature Wrapping Attack, Oversize Payload, Coercive parsing, SOAP Action Spoofing, XML Injection, WSDL Scanning, Metadata Spoofing, Oversized Cryptography, BPEL State Deviation, Instantiation Flooding, Indirect Flooding, WS-Addressing spoofing and Middleware Hijacking to name a few. In this paper, we review various such security issues pertaining to service oriented architecture. These and similar techniques, have been employed by Anonymous and other hacktivists, resulting in denial of service attacks on financial applications. While discussing the national security perils of hacktivism, there is an excessive focus on network layer security, and the application layer perspective is not always part of the discussion. In this research, we provide background information and rationale for securing application layer vulnerabilities to facilitate true defense in depth approach for cyber security.
This paper presents the mechanisms on integrating security related activities to an established software process in an organization. The main challenge is to attain a security model that is fit to ...the organization's security objectives and environment. We quest for an adapted security model that is lightweight yet provides an optimized security impacts in delivering software products. Implementation of the adapted security model must also comprehend the limiting factor of people resources. We share experiences and lesson learned in transforming the adapted security model into secure software process.
Testing tools for application security have become an integral part of secure development life-cycles. Despite their ability to spot important software weaknesses, the high number of findings require ...rigorous prioritization. Most testing tools provide generic ratings to support prioritization. Unfortunately, ratings from established tools lack context information especially with regard to the security requirements of respective components or source code. Thus experts often spend a great deal of time re-assessing the prioritization provided by these tools. This paper introduces our lightweight tool AVUS that adjusts context-free ratings of software weaknesses according to a user-defined security model. We also present a first evaluation applying AVUS to a well-known open source project and the findings of a popular, commercially available application security testing tool.
When conducting security awareness and training for our organization, it is very important that we partner well with all of the stakeholders involved. We need to target training for the intended ...audience and modify our training and awareness methods accordingly. We should also carefully evaluate the effectiveness of our training efforts so that we can adjust them in the future to gain efficiencies and greater effectiveness.
Software Security Sametinger, Johannes
2013 20th IEEE International Conference and Workshops on Engineering of Computer Based Systems (ECBS),
2013-April
Conference Proceeding
The importance of IT security is out of doubt. Data, computer and network security are essential for any business or organization. Software security often remains out of focus, from an ...organization's, a developer's and from an end-user's point of view. We will consider security terminology, security bugs, security flaws, and mitigation issues.
ESA is developing, deploying, and operating a wide variety of mission data systems. These are mainly used for the command & control of spacecraft and the exploitation and dissemination of space-based ...services to end users. A new ESA activity, the European Space Situational Awareness (SSA) Initiative, requires a novel generation of mission data systems to be developed. These systems are based on a service-oriented architecture (SOA) and capable of supporting a large system-of-systems environment. At the same time, information security is an area of growing concern in the space business and among space agencies. Especially in the area of SOA-based environments, where interconnectivity of components is a core principle, an efficient and robust security concept needs to be put in place to ensure secure mission operations. In this paper, we describe an application security framework for SOA-based mission data systems. This framework increases significantly the robustness and security of web services and web applications through use of a Secure Software Development Lifecycle (SSDLC) and provision of tools & templates for SSA mission data system developers. We are confident that the application security framework will drastically improve the security and robustness of SOA-based mission data systems that will be used in the European SSA Initiative and other ESA projects, while at the same time keeping the related additional effort minimal.
Automated threat identification for UML Yee, George; Xie, Xingli; Majumdar, Shikharesh
2010 International Conference on Security and Cryptography (SECRYPT),
2010-July
Conference Proceeding
In tandem with the growing important roles of software in modern society is the increasing number of threats to software. Building software systems that are resistant to these threats is one of the ...greatest challenges in information technology. Threat identification methods for secure software development can be found in the literature. However, none of these methods has involved automatic threat identification based on analyzing UML models. Such an automated approach should offer benefits in terms of speed and accuracy when compared to manual methods, and at the same time be widely applicable due to the ubiquity of UML. This paper addresses this shortcoming by proposing an automated threat identification method based on parsing UML diagrams.
Building secure software is about taking security into account during all phases of software development. This practice is missing in, widely used, traditional developments due to domain immaturity, ...newness of the field and process complexity. Software development includes two views, a product view and a process view. Product view defines what the product is, whereas process view describes how the product is developed. Here we are concerned with the process view. Modelling the process allows simulate and analyze a software development process, which can help developers better understand, manage and optimize the software development process. In this paper we present our approach S2D-ProM, for Secure Software Development Process Model, which is a strategy oriented process model. This latter, capture steps and strategies that are required for the development of secure software and provide a two level guidance. The first level guidance is strategic helping developers choosing one among several strategies. The second level guidance is tactical helping developers achieving their selection for producing secure software. The proposed process model is easily extensible and allows building customized processes adapted to context, developer's finalities and product state. This flexibility allows the environment evolving through time to support new securing strategies.
In this paper, we present the results of a security assessment performed on a home care system based on SOA, realized as web services. The security design concepts of this platform were specifically ...tailored to meet new security challenges and to be compliant with legal frameworks applicable to the healthcare domain. This security design was fed as input to the development team,which implemented the system. However, our assessment revealed a software platform with severe security weaknesses and vulnerabilities, demonstrating pitfalls that are, or should be, well known. Our experience re-confirms that security must be built as an intrinsic software property and emphasizes the need for security awareness throughout the whole software development lifecycle.