27-12-2011, 09:20 PM
Check out the attachment
17-02-2012, 12:56 AM
ppt for vulnerability analysis in SOA based business processes
ppt for vulnerability analysis in soa based business processes
27-06-2012, 03:44 PM
Vulnerability Analysis in SOA-based Business Processes
Vulnerability Analysis in SOA-based Business Processes.pdf (Size: 1.29 MB / Downloads: 114)

Abstract
Business processes and services can more flexibly be combined when based upon standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of processes. Vulnerability management tools require patterns to find or monitor vulnerabilities. Such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA result in such types, yet require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is the, to the best of our knowledge, most comprehensive compilation of vulnerability information sources to date.

INTRODUCTION
Dependable and secure computing intends to provide services with a high degree of availability, reliability, safety, integrity, maintainability, and confidentiality [1, Sect. 2.3]. Vulnerabilities continue to undermine that goal [2]–[4], and exploits incur high costs on the victim’s side [5]. In a service-oriented architecture (SOA), where business processes are implemented as flexible compositions of local and remote services, the challenge of finding vulnerabilities becomes more complicated and more pressing at the same time. For example, a company offering a vulnerable service to others will not only suffer locally from an exploit, but might face charges and penalties arising from, e.g., compliance violations.

Using services to increase the degree of automation increases the degree to which businesses depend on services. This in turn increases the need to find the vulnerabilities that jeopardize the dependability and security of SOA-based business processes.

TERMS AND DEFINITIONS
Vulnerabilities are flaws in information systems which can be abused to violate the security policy. The actual abuse is called an exploit [15, chapter 20]. Vulnerability analysis supports avoiding, finding, fixing, and monitoring vulnerabilities. These vulnerability management [16] tasks typically require patterns, for example, to perform static or dynamic analysis of source code. A vulnerability pattern is a formal representation of a vulnerability’s attributes, with which a software tool can identify the vulnerability. Listing 1 shows such a pattern as a PQL query [17], which detects simple SQL injection vulnerabilities and replaces the unsafe call “c.execute(p)”.

THE ATLIST VULNERABILITY ANALYSIS METHOD
General analysis methods such as fault trees and FMEA (cf. Section 4.1) offer little guidance on where to start the analysis and how to proceed with it. Admittedly, this is a strength of those methods when the creativity of security experts is to be explored. Nevertheless, an analysis of previous vulnerability classifications and the entries of vulnerability databases (cf. Sections 4.2 and 4.3) shows that completely new types of vulnerabilities are extremely rare (also observed by Arbaugh et al. [11] and, as early as 1989, by Neumann and Parker [10]). Vulnerabilities of known types or close variations form the vast majority of reported incidents, so that it seems reasonable to concentrate on these.
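As an added illustration of the "vulnerability pattern" idea from the abstract above (this is not Listing 1 from the paper, which is a PQL query over Java code): a small AST-based pattern in Python that flags the same defect class, an execute() call whose SQL string is assembled at runtime instead of being a constant with bound parameters. The sample source and the `find_sqli` helper are constructed for this post.

```python
"""Added example: a minimal static vulnerability pattern for simple SQL
injection, in the spirit of the PQL pattern the paper refers to. It walks
the AST and reports every .execute(query) call whose query expression is
built at runtime (concatenation, %-formatting, f-string or str.format)."""
import ast

# Constructed sample input: three call sites, one of them parameterized.
SAMPLE = '''
def lookup(c, name):
    c.execute("SELECT * FROM users WHERE name = '" + name + "'")   # unsafe
    c.execute("SELECT * FROM users WHERE name = %s", (name,))      # safe
    c.execute(f"SELECT * FROM t WHERE id = {name}")                # unsafe
'''


def _is_dynamic(node):
    """True if the query expression may be assembled from other values."""
    if isinstance(node, ast.Constant):
        return False                               # literal query string
    if isinstance(node, ast.JoinedStr):            # f-string
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"          # "...".format(x)
    # A bare name or other expression: conservatively treat as dynamic,
    # since this pattern does no data-flow analysis (possible false positive).
    return True


def find_sqli(source):
    """Return (line, reason) for each execute() call matching the pattern."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            if _is_dynamic(node.args[0]):
                findings.append((node.lineno,
                                 "query built at runtime; pass a constant "
                                 "query and bind values as parameters"))
    return findings


if __name__ == "__main__":
    for line, reason in find_sqli(SAMPLE):
        print(f"line {line}: {reason}")
```

Like the PQL pattern it imitates, this is a syntactic match and knows nothing about where the interpolated value came from; it is the shape of check a vulnerability management tool derives from a known vulnerability type.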
25-07-2012, 10:03 AM
VULNERABILITY ANALYSIS IN SOA-BASED BUSINESS PROCESSES
VULNERABILITY ANALYSIS.pptx (Size: 569.17 KB / Downloads: 48)

OBJECTIVE
To implement a new vulnerability analysis method with improved transferability.

ABSTRACT
Business processes practically always contain vulnerabilities, which imperil the security and dependability of processes. Vulnerability management tools require patterns to find or monitor vulnerabilities. Our main contribution is ATLIST, a new vulnerability analysis method.

INTRODUCTION
Secure computing intends to provide services with a high degree of integrity, availability, reliability, safety, maintainability and confidentiality. Vulnerabilities continue to undermine that goal, and exploits incur high costs on the victim’s side. In SOA, using services to increase the degree of automation increases the degree to which businesses depend on services.

LITERATURE SURVEY
Avoiding Serialization Vulnerabilities through the Use of Synchronization Contracts. This paper describes a technique for removing serialization vulnerabilities from existing code in source or (with linker support) binary form, thereby permitting the code to be safely integrated into an application that is written using synchronization contracts. We have applied the technique in writing a multi-threaded web server using synchronization contracts.

Disadvantages of Existing System
Creativity and experience are required to find and scrutinize the relevant chains of effects. Selection of components to be included in the analysis is of the same high importance and difficulty for both methods.

Proposed System [ATLIST]
Recent analysis confirms that new types of vulnerabilities are very rare. In a SOA, we expect that the majority of vulnerabilities will be of a previously observed type. Therefore we propose ATLIST, a new vulnerability analysis method.

Advantages of Proposed System
Explicitly builds upon the vulnerability knowledge extracted from various sources. Focuses on known vulnerability types rather than completely new ones. Offers better transferability than previous methods. The ATLIST tree can be built in a guided and repeatable manner.

Vulnerability analysis
Supports avoiding, finding, fixing, and monitoring vulnerabilities. First, a specific attack is selected for analysis. Possible causes are refined until the fundamental vulnerabilities of the causal chain have been identified. The analyst will not only be able to identify known vulnerabilities in the system, but also new ones.

Access control vulnerabilities
An error due to the lack of enforcement pertaining to users or functions that are permitted, or denied, access to an object or a resource. Files, objects, or processes can be accessed directly without authentication or routing.

Authentication vulnerabilities
An error due to inadequate identification mechanisms. An unauthorized or less privileged user (for example, a Guest user), or a less privileged process, gains higher privileges, or a weak password is used.

Boundary condition vulnerabilities
Boundary limits for an entity are not properly defined or checked. By supplying data which is greater than what the entity can hold, memory spills over into other areas and thereby corrupts instructions or code.

INPUT VALIDATION VULNERABILITIES
An error due to a lack of verification mechanisms to validate the input data or contents. Due to poor input validation, access to system-privileged programs may be obtained.

CONCLUSION
To meet the resulting challenge of finding vulnerabilities, we have presented ATLIST. Applying ATLIST to an exemplary scenario, we experienced it as easier and faster to apply than attack trees or FMEA. ATLIST is beneficial as it helps to document which parts of an IT system have been analyzed.