Adaptive security management in SaaS applications

Security, Privacy and Trust in Cloud Systems

Volumn 9783642385865, Issue , 2013, Pages 73-102

  Almorsy, Mohamed ^a   Ibrahim, Amani ^a   Grundy, John ^a  

^a SWINBURNE UNIVERSITY OF TECHNOLOGY   (Australia)

Author keywords

[No Author keywords available]

Indexed keywords

ADAPTIVE SECURITY; BENEFIT/COST; CLOUD-COMPUTING; COMPUTING MODEL; COST SAVING; POTENTIAL BENEFITS; SECURITY MANAGEMENT; SOFTWARE INFRASTRUCTURE;

SOFTWARE ENGINEERING;

EID: 84929688744     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1007/978-3-642-38586-5_3     Document Type: Chapter

References (47)

1. European Network and Information Security Agency (ENISA) (2009) Cloud computing: benefits, risks and recommendations for information security. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment. Accessed on July 2010
2. International Data Corporation (2010) IDC ranking of issues of cloud computing model. http://blogs.idc.com/ie/?p=210. Accessed on July 2010
3. Kandukuri BR, Paturi R, RakshitA(2009) Cloud security issues. In: Proceedings of the (2009) IEEE international conference on services computing, pp 517-520
4. Chaves SAD, Westphall CB, Lamin FR (2010) SLA perspective in security management for cloud computing. In: Sixth international conference on networking and services, Cancun, Mexico, pp 212-217
5. National Institute of standards and technology (NIST) The federal information security management act (FISMA), U.S. Government Printing 2002, Washington. http://csrc.nist.gov/drivers/documents/FISMA-final.pdf. Accessed on Aug 2010
6. International Organization for Standardization (ISO) (2009) ISO/IEC 27000-Information technology, security techniques, information security management systems, overview and vocabulary. ISO/IEC 27001:2005(E). http://webstore.iec.ch/preview/info-isoiec27000% 7Bed1.0%7Den.pdf. Accessed on July 2010
7. Humphreys E (2008) Information security management standards: compliance, governance and risk management. Inf Sec Tech Rep 13:247-255
8. Tsohou A, Kokolakis S, Lambrinoudakis C, Gritzalis S (2010) Information systems security management: a review and a classification of the ISO standards. In: Sideridis A, Patrikakis C (eds) Next generation society. Technological and legal issues. Springer, Berlin, pp 220-235
9. Chinchani R, Iyer A, Ngo H, Upadhyaya S (2004) A target-centric formal model for insider threat and more. Technical Report 2004-16, University of Buffalo, US2004
10. Sheyner O, Haines J, Jha S, Lippmann R, Wing JM(2002) Automated generation and analysis of attack graphs. In: Security and privacy, 2002. Proceedings. 2002 IEEE Symposium on, pp 273-284
11. Hewett R, Kijsanayothin P (2008) Host-centric model checking for network vulnerability analysis. In: Computer security applications conference, (2008) ACSAC 2008. Annual, pp 225-234
12. Ou X, Govindavajhala S, AppelAW(2005) MulVAL: a logic-based network security analyzer. Presented at the 14th USENIX security symposium, MD, USA, August, Baltimore
13. Yee G, Xie X, Majumdar S (2010) Automated threat identification for UML. In: Proceedings of the international conference on security and cryptography (SECRYPT), pp 1-7
14. Manadhata PK, Wing JM(2011) An attack surface metric. IEEE Trans Softw Eng 37:371-386
15. Abi-Antoun M, Barnes JM (2010) Analyzing security architectures. Presented at the proceedings of the IEEE/ACMinternational conference on automated software engineering, Antwerp, Belgium
16. Jimenez W, Mammar A, Cavalli A (2009) Software vulnarabilities, prevention and detection methods: a review. In: Proceedings of European workshop on security in model driven architecture, Enschede, The Netherlands, pp 6-13
17. NIST (2007) Source code security analysis tool functional specification version 1.1. Accessed on 2011
18. Halfond WGJ, Orso A, Manolios P (2006) Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In: Proceedings of 14th ACM SIGSOFT international symposium on Foundations of software engineering, Oregon, USA, pp 175-185
19. Dasgupta A, Narasayya V, SyamalaM, A static analysis framework for database applications. In: Proceedings of (2009) IEEE international conference on data. Engineering, pp 1403-1414
20. MartinM, Livshits B, LamMS (2005) Finding application errors and security flaws using PQL: a program query language. In: Proceedings of the 20th annual ACMSIGPLAN conference on object-oriented programming, systems, languages, and applications CA, USA, pp 365-383
21. Lam MS, Martin M, Livshits B, Whaley J (2008) Securing web applications with static and dynamic information flow tracking. In: Proceedings of (2008) ACM SIGPLAN symposium on partial evaluation and semantics-based program manipulation, California, USA, pp 3-12
22. Wassermann G, Su Z (2008) Static detection of cross-site scripting vulnerabilities. In: Proceedings of 30th international conference on Software engineering, Leipzig, Germany, pp 171-180
23. Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In: Proceedings of 2006 IEEE symposium on security and privacy, pp 258-263
24. GaneshV, Kie?zunA, Artzi S, Guo PJ, Hooimeijer P, ErnstM(2011) HAMPI: a string solver for testing, analysis and vulnerability detection. In: Proceedings of 23rd international conference on Computer aided verification, Snowbird, UT, pp 1-19
25. Kieyzun A, Guo PJ, Jayaraman K, Ernst MD (2009) Automatic creation of SQL injection and cross-site scripting attacks. In: Proceedings of 31st international conference on, software engineering, pp 199-209
26. Bau J, Bursztein E, Gupta D, Mitchell J (2010) State of the art: automated black-box web application vulnerability testing. In: Proceedings of 2010 IEEE symposium on security and privacy, pp 332-345
27. Kals S, Kirda E, Kruegel C, Jovanovic N (2006) SecuBat: a web vulnerability scanner. Presented at the proceedings of 15th international conference on World Wide Web, Edinburgh, Scotland
28. Balzarotti D, Cova M, Felmetsger V, Jovanovic N, Kirda E, Kruegel C, Vigna G (2008) Saner: composing static and dynamic analysis to validate sanitization in web applications. In: Proceedings of 2008 IEEE symposium on security and privacy, pp 387-401
29. Anderson R (2001) Security engineering: a guide to building dependable distributed systems. Wiley, New York
30. Sindre G, Opdahl A (2005) Eliciting security requirements with misuse cases. Requirements Eng 10:34-44
31. Jürjens J (2001) Towards development of secure systems using UMLsec. In: Fundamental approaches to software engineering, vol 2029. Springer, Berlin, pp 187-200
32. Lodderstedt T, Basin D, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. In: The 5th international conference on the Unified Modeling Language, Dresden, Germany, pp 426-441
33. Hashii B, Malabarba S, Pandey R et al (2000) Supporting reconfigurable security policies for mobile programs. Presented at the proceedings of the 9th international World Wide Web conference on computer networks, Amsterdam, The Netherlands
34. ScottK, Kumar N, Velusamy S et al (2003) Retargetable and reconfigurable software dynamic translation. Presented at the proceedings of the international symposium on Code generation and optimization, San Francisco, California
35. Sanchez-Cid F, Mana A (2008) SERENITY pattern-based software development life-cycle. In: 19th international workshop on database and expert systems application, pp 305-309
36. Morin B, MouelhiT, Fleurey F, LeTraonY, BaraisO, Jézéquel J (2010) Security-drivenmodelbased dynamic adaptation. Presented at the the 25nd IEEE/ACM international conference on automated software engineering, Antwerp, Belgium
37. Cai H, Wang N, Zhou MJ (2010) A transparent approach of enabling SaaS multi-tenancy in the cloud. In: 2010 6th World Congress on Services (SERVICES-1), pp 40-47
38. Guo CJ, Sun W, Huang Y, Wang ZH, Gao B (2007) A framework for native multi-tenancy application development and management. In: E-Commerce technology and the 4th IEEE international conference on enterprise computing, E-Commerce, and E-Services, 2007. CEC/EEE 2007. The 9th IEEE international conference on, pp 551-558
39. Pervez Z, Lee S, LeeY-K(2010) Multi-tenant, secure, load disseminated SaaS architecture. In: 12th international conference on advanced communication technology, Gangwon-Do, South Korea, pp 214-219
40. Menzel M, Warschofsky R, Thomas I, Willems C, Meinel C (2010) The service security lab: a model-driven platform to compose and explore service security in the cloud. In: 2010 6th World Congress on Services (SERVICES-1), pp 115-122
41. Chew E, Swanson M, Stine K, Bartol N et al (2008) Performance measuremenet guide for information security. National Institute of Standards and Technology
42. Chandra S, Khan RA (2009) Software security metric identification framework (SSM). Presented at the proceedings of the international conference on advances in computing. Communication and Control, Mumbai, India
43. Bayuk J (2011) Cloud security metrics. In: 2011 6th international conference on system of systems engineering (SoSE), pp 341-345
44. NIST Concept of Operations (CONOPS)-FedRAMP NIST2012
45. MitreCorporation (2010) Making security measurable.Available at http://measurablesecurity. mitre.org/
46. National Institute of Standards and Technology-NIST (2010) National vulnerabilities database home. Available at http://nvd.nist.gov/
47. Salehie M, Tahvildari L (2009) Self-adaptive software: landscape and research challenges. ACM Trans Auton Adapt Syst 4:1-42