On a Classification Approach for SOA Vulnerabilities

Proceedings - International Computer Software and Applications Conference

Volumn 2, Issue , 2009, Pages 439-444

  Lowis, Lutz ^a   Accorsi, Rafael ^a  

^a UNIVERSITY OF FREIBURG   (Germany)

Author keywords

Security; SOA; Vulnerability Classification; Vulnerability Management

Indexed keywords

BUSINESS PROCESS; CLASSIFICATION APPROACH; OPERATING SYSTEMS; VULNERABILITY MANAGEMENT; WEB APPLICATION;

COMPUTER OPERATING SYSTEMS; INFORMATION SERVICES; NETWORK SECURITY; SERVICE ORIENTED ARCHITECTURE (SOA); WORD PROCESSING;

COMPUTER APPLICATIONS;

EID: 70449636536     PISSN: 07303157     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/COMPSAC.2009.173     Document Type: Conference Paper

References (43)

1. G. Trub and L. Olski, "Global report on soa/web services security initiatives," GMG Insights, Tech. Rep., 2008.
2. N. Gruschka, M. Jensen, R. Herkenhöner, and N. Luttenberger, "Soa and web services: New technologies, new standards - new attacks," in Proceedings of the 5th IEEE European Conference on Web Services (ECOWS), Halle(Saale), Germany, 2007.
3. National Institute of Standards and Technology, "National vulnerability database," http://nvd.nist.gov/, 2009. [Online]. Available: http://nvd.nist.gov/
4. Open Security Foundation (OSF), "Open Source Vulnerability Database (OSVDB)," http://osvdb.org, 2009. [Online]. Available: http://osvdb.org
5. SecurityFocus, "Securityfocus vulnerability database," 2009. [Online]. Available: http://www.securityfocus.com/vulnerabilities
6. SANS, "Sans top 20 security risks," http://www.sans.org/top20/, 2007. [Online]. Available: http://www.sans.org/top20/
7. MITRE Corporation, "Making security measurable," http://measurablesecurity.mitre.org/, 2009. [Online]. Available: http://measurablesecurity.mitre.org/
8. The OWASP Foundation, "Open web application security project (owasp)," http://www.owasp.org/, 2009. [Online]. Available: http://www.owasp.org/
9. Web Application Security Consortium, "Web application security consortium threat classification," 2009. [Online]. Available: http://www.webappsec.org/projects/threat/
10. D. Turner, M. Fossi, E. Johnson, T. Mack, J. Blackbird, S. Entwisle, M. K. Low, D. McKinney, and C. Wueest, "Symantec global internet security threat report: Trends for july to december 2007," Symantec, Tech. Rep., 2008.
11. M. Bishop, Introduction to Computer Security. Addison-Wesley, Pearson Education, 2004.
12. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner, "Detecting format string vulnerabilities with type qualifiers," in In Proceedings of the 10th USENIX Security Symposium, 2001, pp. 201-220.
13. B. Chess and G. McGraw, "Static analysis for security," IEEE Security and Privacy, vol.Nov/Dec, pp. 32-35, 2004.
14. M. Martin, B. Livshits, and M. S. Lam, "Finding application errors and security flaws using pql: a program query language," in 20th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), San Diego, California, USA, 2005.
15. OASIS, "Reference model for service oriented architecture v1.0," OASIS, 2006. [Online]. Available: http://www.oasis-open.org/ committees/tc home.php?wg abbrev=soa-rm
16. - , "Reference architecture for service oriented architecture v1.0," OASIS, 2008. [Online]. Available: http://www.oasis-open.org/ committees/tc home.php?wg abbrev=soa-rm
17. D. Krafzig, K. Banke, and D. Slama, Enterprise SOA. Prentice Hall, 2004.
18. A. Arsanjani, L.-J. Zhang, M. Ellis, A. Allam, and K. Channabasavaiah, "Ibm developer works: Design an soa solution using a reference architecture," 2007. [Online]. Available: http://www.ibm.com/ developerworks/architecture/library/ar-archtemp/index.html?S TACT=105AGX20&SCMP=EDU
19. W. D. Yu, D. Aravind, and P. Supthaweesuk, "Software vulnerability analysis for web services software systems," in Proceedings of the 11th IEEE Symposium on Computers and Communications (ISCC), 2006, pp. 740- 748.
20. R. Abbott, J. Chin, J. Donnelley, W. Konigsford, S. Tokubo, and D. Webb, "Security analysis and enhancements of computer operating systems. technical report nbsir 76-1041," ICET, National Bureau of Standards, Washington, DC 20234, Tech. Rep., 1976.
21. R. Bisbey II and D. Hollingworth, "Protection analysis: Final report. technical report isi/sr-78-13," University of Southern California Information Sciences Institute, Marina Del Rey, CA, Tech. Rep., 1978.
22. C. Landwehr, A. Bull, J. McDermott, and W. Choi, "A taxonomy of computer program security flaws," Computing Surveys 26, vol.3, pp. 211-254, 1994.
23. T. Aslam, I. Krsul, and E. H. Spafford, "Use of a taxonomy of security faults," in Proceedings of the 19th National Information Systems Security Conference, pp. 551-560, 1996.
24. I. V. Krsul, "Software vulnerability analysis," Ph.D. dissertation, Purdue University, May 1998.
25. K. Tsipenyuk, B. Chess, and G. McGraw, "Seven pernicious kingdoms: A taxonomy of software security errors," IEEE Security and Privacy, vol.3, no.6, pp. 81-84, 2005.
26. H. H. Thompson and S. G. Chase, The Software Vulnerability Guide. Charles River Media, 2005.
27. M. Howard, D. LeBlanc, and J. Viega, 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media, 2005.
28. Forum Of Incident Response And Security Teams (FIRST), "Common vulnerability scoring system 2.0," 2007. [Online]. Available: http://www.first.org/cvss
29. P. Parrend and S. Frénot, "Classification of component vulnerabilities in Java service oriented programming (SOP) platforms," in Conference on Component-based Software Engineering (CBSE'2008), ser. LNCS, vol.5282/2008. Springer, October 2008.
30. MITRE Corporation, "Common weakness enumeration," http://cwe.mitre.org, 2009. [Online]. Available: http://cwe.mitre.org/
31. M. Bishop, "Vulnerabilities analysis," in Proceedings of the Second International Symposium on Recent Advances in Intrusion Detection, 1999, pp. 125-136.
32. C. V. Berghe, J. Riordan, and F. Piessens, "A vulnerability taxonomy methodology applied to web services," in Proceedings of the 10th Nordic Workshop on Secure IT Systems (NordSec), Helger Lipmaa, Dieter Gollman, Ed., 2005.
33. N. Gruschka, M. Jensen, and N. Luttenberger, "A Stateful Web Service Firewall for BPEL," in Proceedings of the International Conference on Web Services (ICWS), 2007, pp. 142-149.
34. MITRE Corporation, "Common Attack Pattern Enumeration and Classification (CAPEC)," http://capec.mitre.org/, 2009. [Online]. Available: http://capec.mitre.org/
35. - , "Open Vulnerability and Assessment Language (OVAL)," http://oval.mitre.org/, 2007. [Online]. Available: http://oval.mitre.org/
36. L. Lowis, "Towards automated risk identification in serviceoriented architectures," in Proceedings of the Multikonferenz Wirtschaftsinformatik (MKWI), 2008, pp. 253-254.
37. R. Accorsi, Y. Sato, and S. Kai, "Compliance monitor for early warning risk determination," Wirtschaftsinformatik, vol.50, no.5, October 2008.
38. R. Accorsi and C. Wonnemann, "Detective information flow analysis for business processes," in Business Processes, Services Computing and Intelligent Service Management, ser. LNI, vol.147. GI, 2009, pp. 223-224.
39. G. Canfora and M. di Penta, "Service-oriented architectures testing: A survey," Springer LNCS: Software Engineering: International Summer Schools, ISSSE 2006-2008, Salerno, Italy, Revised Tutorial Lectures, vol.1, pp. 78-105, 2009.
40. IT Governance Institute, "Cobit 4.1," 2007.
41. J. Gilligan, "Consensus audit guidelines," http://www.sans.org/ cag/, 2009. [Online]. Available: http: //www.sans.org/cag/
42. S. Höhn and J. Jürjens, "Rubacon: automated support for model-based compliance engineering," in Proceedings of the 30th International Conference on Software Engineering (ICSE). New York, NY, USA: ACM, 2008, pp. 875-878.
43. R. Accorsi and T. Stocker, "Automated privacy audits based on pruning of log data," in Proceedings of the International Workshop on Security and Privacy in Enterprise Computing. IEEE Computer Society, 2008.