Architecting secure software systems

Architecting Secure Software Systems

Volumn , Issue , 2008, Pages 1-446

  Talukder, Asoke K ^a   Chaitanya, Manish ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85055853682     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1201/9781420087857     Document Type: Book

References (260)

1. Global Information Infrastructure principles and framework architecture, ITU-T Recommendation Y.110, June 1998.
2. Wikipedia-the Free Encyclopedia, http://www.wikipedia.org.
3. SANS (SysAdmin, Audit, Network, Security) Institute, http://www.sans.org.
4. Open Source Software, http://sourceforge.net.
5. Tcpdump: http://www.tcpdump.org/.
6. Ethereal: http://www.ethereal.com/.
7. Libpcap (http://www.tcpdump.org).
8. Syverson, P., A taxonomy of replay attacks, Proceedings of the Computer Security Foundations Workshop (CSFW97), June 1994, pp. 187-191.
9. Malladi, S., Alves-Foss, J., Heckendorn, R., On preventing replay attacks on security protocols, Proceedings of the International Conference on Security and Management, June 2002, pp. 77-83.
10. GSM 03.40: Digital cellular telecommunications system (Phase 2+); Technical realization of the Short Message Service (SMS) Point-to-Point (PP).
11. Secure Computer System: Unified Exposition and Multics Interpretation, ESD-TR-75-306, United States Air Force, March 1971, csrc.nist.gov/publications/history/bell76.pdf.
12. William Stallings, Cryptography and Network Security, 4th Edition, Prentice Hall, Saddle River, New Jersey, USA, 2005.
13. Smith, R., Introduction to Multilevel Security, http://www.cs.stthomas.edu/faculty/resmith/r/mls/m1intro.html.
14. Elliott, B.D., LaPadula, L.J., Secure Computer Systems: Mathematical Foundations, MITRE Technical Report 2547, Vol I, March 1, 1973.
15. Boykin, J., Kirschen, D., Langerman, A., LoVerso, S., Programming under Mach, Addison-Wisley, Reading, MA, USA, 1993.
16. Baecher, P., Koetter, M., Holz, T., Dornseif, M., Freiling, F., The nepenthes platform: An efficient approach to collect malware, Proceedings of the 9th Symposium on Recent Advances in Intrusion Detection (RAID’06), 2006, pp. 165-184.
17. Database Security in Oracle8i, An Oracle Technical White Paper November 1999.
18. Sandhu, R.S., Chapter 1-2-3 Relational database access controls using SQL, Handbook of Information Security Management, Krause, M., Tipton, H.F. (Editor), Boca Raton, FL, USA, http://www.cccure. org/Documents/HISM/ewtoc.html.
19. Talukder, A.K., Yavagal, R., Mobile Computing-Technology, Applications, and Service Creation, McGraw-Hill, New York, 2007.
20. Specification for the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001.
21. Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., Rogers, G., NIST Special Publication 800-53 Revision 1, Information Security, Recommended Security Controls for Federal Information Systems, December 2006.
22. SSE-CMM, Systems Security Engineering Capability Maturity Model, Model Description Document, Version 3.0, June 15, 2003.
23. Howard, M., Lipner, S. The Security Development Lifecycle, Microsoft Press, Redmond, Washington, USA, 2006.
24. Parsons, R., Components and the World of Chaos, IEEE Software, 83, May/June 2003, http:// martinfowler.com/ieeeSoftware/componentChaos.pdf.
25. IEEE Standard 830-1998, IEEE Recommended Practice for Software Requirements Specifications, Software Engineering Standards Committee of the IEEE Computer Society, 1998.
26. Jacobson, I., Object-Oriented Software Engineering: A Use Case Driven Approach, Addison-Wesley, 1992.
27. Jacobson, I., Booch, G., Rumbaugh, J., The Unified Software Development Process, Addison-Wesley, 1992.
28. Sindre, G., Opdahl, A.L., Eliciting security requirements by misuse cases, Proceedings of the TOOLS Pacific 2000, November 20-23, 120-131, 2000.
29. Sindre, G., Opdahl, A.L., Templates for misuse case description, Proceedings of the 7th International Workshop on Requirements Engineering, Foundation for Software Quality (REFSQ’2001), Sydney, Australia, 2001.
30. Swiderski, F., Snyder, W., Th reat Modeling, Microsoft Press, 2005.
31. Hernan, S., Lambert, S., Ostwald, T., Shostack, A., Threat Modeling-Uncover Security Design Flaws Using The STRIDE Approach, 2006, http://msdn2.microsoft.com/hi-in/magazine/cc163519(en-us). aspx.
32. Moore, A.P., Ellison, R.J., Linger, R.C., Attack Modeling for Information Security and Survivability, Technical Note CMU/SEI-2001-TN-001, 2001.
33. Threat Risk Modeling, Open Web Application Security Project (OWASP), http://www.owasp.org/index.php/Th reat_Risk_Modeling.
34. Attack Surface, Wikipedia, The Free Encyclopedia, http://en.wikipedia.org/.
35. Alexander, C., A Pattern Language: Towns, Buildings, Construction. Oxford University Press, Oxford, UK, 1977.
36. Gamma, E., Helm, R., Johnson, R., Vlissides, J., Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley Professional, 1994.
37. Brown, W., Malveau, R., Mowbray, T., AntiPatterns: Refactoring Software, Architectures, and Projects in Crisis, Wiley, 1998.
38. Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P., Security Patterns: Integrating Security and Systems Engineering, Wiley Software Patterns Series, West Sussex, England, 2006.
39. Yoder, J., Barcalow, J., Architectural Patterns for Enabling Application Security, The 4th Pattern Languages of Programming Conference, Washington University Tech. Report (wucs-97-34), 1997.
40. ANSI INCITS 359-2004, American National Standards for Information Technology-Role Based Access Control, 2004.
41. Talukder, A. K., Sharma D., Rao V. B., Pal, R., Multifactor TLS Protocol for Holistic Security in Mobile Environment, Special issue on “Protocols for Resource, Link and Mobility Management for Wireless and Satellite Communication Networks.” IETE Journal of Research, 52 (2 &3), 239-246, March-June 2006.
42. Singh, S., The Code Book: The Evolution of Secrecy from Mary Queen Scot to Quantum Cryptography, Doubleday, 1999.
43. Stallings, W., Cryptography and Network Security, 4th Edition, Prentice Hall, 2005.
44. Specification for the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, 2001.
45. Schneier, B., Applied Cryptography, Wiley, 1996.
46. Rivest, R.L., Shamir, A., Adleman, L., A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21(2), 120-126, 1978.
47. Rosing, M., Implementing Elliptic Curve Cryptography, Manning, 1998.
48. Shamir, A., How to share a secret, Communication of the ACM, 22, 612, November 1979.
49. Martin, T., Woll, H., How to share a secret with cheaters, Journal of Cryptography, 133, 1988.
50. Talukder, A.K., Clean & tidy, IEE Communications Engineer, 38-41, August/September 2005.
51. Talukder, A.K., Das, D., Artificial hygiene: Non-proliferation of virus in cellular network, Journal of Systems and Information Technology, 8, 10-22, December 2004.
52. Talukder, A.K., Rao, V.B., Kapoor, V., Sharma, D., Artificial hygiene: A critical step towards safety from email virus, Proceedings of the IEEE INDICON 2004, 484-489, 2004.
53. Strasser, T., Reflections on cardiovascular diseases, Interdisciplinary Science Review, 3, 225-230, 1978.
54. Howard, M., A process for performing security code reviews, IEEE Security & Privacy, 4(4), 74-79, 2006.
55. Meier, J.D., Mackman, A., Wastell, B., Bansode, P., Taylor, J., Araujo, R., How to: Perform a Security Code Review for Managed Code (Baseline Activity), Patterns & Practices Developer Center, Microsoft Corporation, http://msdn2.microsoft.com/en-us/library/ms998364.aspx.
56. Musa, J.D., Software Reliability Engineering, More Reliable Software, Faster and Cheaper, 2nd Edition, McGraw-Hill, New York, 2004.
57. Herzog, P., The Open-Source Security Testing Methodology Manual, 2003, OSSTMM 2.1., available at http://isecom.securenetltd.com/osstmm.en.2.1.pdf.
58. Gallagher, T., Jeffries, B., Landauer, L., Hunting Security Bugs, Microsoft Press, 2006.
59. Wack, J., Tracy, M., Souppaya, M., Guideline on Network Security Testing - Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-42, October 2003.
60. Forrester, J.E., Miller B. P., An Empirical Study of the Robustness of Windows NT Applications Using Random Testing, 4th USENIX Windows System Symposium, Seattle, 2000.
61. Du, W., Mathur, A. P., Vulnerability Testing of Software System Using Fault Injection, Technical Report COAST TR 98-02, Purdue University, USA, 1998, http://www.cerias.purdue.edu/apps/reports_and_papers/view/32/.
62. Functional safety and IEC 61508, IEC Functional Safety Zone, available at http://www.iec.ch/functional safety.
63. Vienneau, R. L, 1993. A Review of Formal Methods, available at https://www.dacs.dtic.mil/techs/fmreview/title.php, 1993.
64. Lecomte, T., Servat, T., Pouzancre, G., Formal Methods in Safety-Critical Railway Systems, Proceedings of $BMF 2007, 2007, http://rodin.cs.ncl.ac.uk/Publications/fm_sc_rs_v2.pdf.
65. Bach, M.J., The Design of the UNIX Operating System, Prentice Hall Software Series, Upper Saddle River, New Jersey, USA, 1986.
66. Boykin, J., Kirschen, D., Langerman, A., LoVerso, S., Programming under Mach, Addison-Wesley, Reading, MA, 1993.
67. POSIX. IEEE Standard 1003.1-1988.
68. Wikipedia, The Free Encyclopedia, http://www.wikipedia.org.
69. EROS: The Extremely Reliable Operating System, http://www.eros-os.org/.
70. What is a Capability, Anyway?, http://www.eros-os.org/essays/capintro.html.
71. The Veterans Health Information Systems and Technology Architecture (VistA), http://worldvista. org/.
72. Levy, H.M., Capability-Based Computer Systems, Digital Press, 1984. http://www.cs.washington. edu/homes/levy/capabook/.
73. Wheeler, D.A., Secure Programming for Linux and UNIX HOWTO, v3.010 Edition, http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/index.html.
74. Secure UNIX Programming FAQ, Version 0.5, May 1999, http://www.whitefang.com/sup/.
75. Woo, T.Y.C., Bindignavle, R., Su, S., Lam, S.S., SNP: An interface for secure network programming, Proceedings of the USENIX Summer 1994 Technical Conference, Boston, Massachusetts, USA, 1994.
76. Ballard, K., Secure programming with the OpenSSL API, Part 1: Overview of the API, Create Basic Secure and Unsecure Connections, http://www.ibm.com/developerworks/linux/library/l-openssl. html?ca=dgr-lnxw16OpenSSL.
77. OpenSSL Library, http://www.openssl.org/docs/ssl/ssl.html.
78. Rescorla, E., An Introduction to OpenSSL Programming (Part I), October 5, 2001.
79. Kernighan, B.W., Ritchie, D.M., The C Programming Language, 2nd Edition, Prentice Hall, New York, 1988.
80. Deitel, H.M., P.J. Deitel, C++ How to Program, 5th Edition, Prentice-Hall of India Private Limited, New Delhi, India, 2005.
81. One, A., Smashing the Stack for Fun and Profit, http://www.phrack.org/archives/49/P49-14, http:// insecure.org/stf/smashstack.html.
82. Pincus, J., Baker, B., Beyond Stack Smashing: Recent Advances in exploiting buffer overruns, IEEE Security & Privacy, 2(4), 20-27, July/August 2004.
83. Baratloo, A., Tsai, T., Singh, N., Libsafe: Protecting Critical Elements of Stacks, http://www.belllabs. com/org/11356/libsafe.html.
84. CERT C Programming Language Secure Coding Standard, Document No. N1255, September 2007.
85. Platt, D.S., Introducing Microsoft .NET, Prentice Hall, New York, 2003.
86. Microsoft Developer Network (MSDN), http://msdn.microsoft.com, msdn2.microsoft.com.
87. Kennedy, A., Syme, D., Design and Implementation of Generics for the .NET Common Language Runtime, ACM SIGPLAN, 36(5), 342, 2001.
88. Meijer, E., Gough, J., Technical Overview of the Common Language Runtime, http://research. microsoft.com/~emeijer/papers/CLR.pdf.
89. Meier, J. D., Vasireddy, S., Babbar, A., Mackman, A., Improving .NET Application Performance and Scalability, Microsoft Patterns & Practices, 2004, http://msdn.microsoft.com/en-us/library/ms998530.aspx.
90. Howard, M., LeBlanc, D., Writing Secure Code, Microsoft Press, 2003.
91. Hoppe, O.A., Security Architectures in the Microsoft.NET Framework, http://icsa.cs.up.ac.za/issa/2002/proceedings/A028.pdf.
92. Meier, J.D., Mackman, A., Vasireddy, S., Dunner, M., Escamilla, R., Murukan, A., Improving Web Application Security-threats and countermeasures, Microsoft Corporation, 2006.
93. Meier, J.D., Mackman, A., Vasireddy, S., Dunner, M., Building Secure ASP.NET Applications-Authentication, Authorization, and Secure Communication, Microsoft Patterns & Practices, 2002, http://msdn.microsoft.com/en-us/library/aa302415.aspx.
94. Web Services Security (WS-Security), Version 1.0, April, 2002.
95. OASIS Standard 200401, Web Services Security: SOAP Message Security 1.0 (WS-Security 2004), March 2004.
96. OASIS Standard 200401, Web Services Security, X.509 Certificate Token Profile, March 2004.
97. OASIS Standard 200401, Web Services Security, UsernameToken Profile 1.0, March 2004.
98. Web Service Security Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0, Patterns & Practices, 2005, http://msdn.microsoft.com/en-us/library/aa480545.aspx.
99. Web Services Trust Language (WS-Trust), February 2005.
100. Web Services Secure Conversation Language (WS-SecureConversation), February 2005.
101. Rofail, A., Shohoud, Y., Mastering COM and COM+, Sybex, 1999.
102. Eddon, G., The COM+ Security Model Gets You out of the Security Programming Business, Microsoft System Journal, November 1999, http://www.microsoft.com/msj/1199/comsecurity/comsecurity.aspx.
103. Beauchemin, B., Microsoft SQL Server 2005, SQL Server 2005 Security Best Practices-Operational and Administrative Tasks, March 2007, http://download.microsoft.com/download/8/5/e/85eea4fab3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc.
104. Rask, A., Rubin, D., Neumann, B., Microsoft SQL Server 2005, Implementing Row- and Cell-Level Security in Classified Databases Using SQL Server 2005, September 2005, http://www.microsoft. com/technet/prodtechnol/sql/2005/multisec.mspx.
105. Kline, K., Gould, L., Zanevsky, A., Transact-SQL Programming, O’Reilly, March 1999.
106. Kiely, D., Microsoft SQL Server 2005 Protect Sensitive Data Using Encryption in SQL Server 2005, December 2006, download.microsoft.com/download/4/7/a/47a548b9-249e-484c-abd7-29f31282b04d/SQLEncryption.doc.
107. Tutorial: NET Programming security, http://etutorials.org.
108. Barnett, M., .NET Remoting Authentication and Authorization Sample-Part I and Part II, January 2004, http://msdn2.microsoft.com/en-us/library/ms973911.aspx.
109. RFC2743: Generic Security Service Application Program Interface Version 2, Update 1, January 2000.
110. Miller, S.P., Neuman, B.C., Schiller, J.I., Saltzer, J.H., Section E.2.1: Kerberos Authentication and Authorization System, Project Athena Technical Plan, MIT Project Athena, Cambridge, MA, 1988.
111. RFC4120: The Kerberos Network Authentication Service (V5), July 2005.
112. RFC4178: The Simple and Protected Generic Security Service Application Program Interface (GSSAPI) Negotiation Mechanism, October 2005.
113. RFC4559: SPNEGO-Based Kerberos and NTLM HTTP Authentication in Microsoft Windows, June 2006.
114. Richard Stevens, W., TCP/IP Illustrated, Vol 1-3, Professional Computing Series, Addison-Wesley, Reading, MA, 1996.
115. Wikipedia, http://en.wikipedia.org/wiki/Internet.
116. RFC147, The Definition of a Socket.
117. RFC3330, Special-Use IPv4 Addresses.
118. Camarillo, G., Garcia-Martin, M.A., The 3G IP Multimedia Subsystem (IMS), Willey, New York, 2004.
119. Poikselka, M., Niemi, A., Khartabil, H., Mayer, G., The IMS: IP Multimedia Concepts and Services, Wiley, England, 2006.
120. RFC 1287, Towards the Future Internet Architecture.
121. RFC1752, The Recommendation for the IP Next Generation Protocol.
122. RFC1886, DNS Extensions to support IP version 6.
123. RFC1971, IPv6 Stateless Address Autoconfiguration.
124. RFC1993, PPP Gandalf FZA Compression Protocol.
125. RFC2292, Advanced Sockets API for IPv6.
126. RFC2373, IP Version 6 Addressing Architecture.
127. RFC2460, Internet Protocol, Version 6 (IPv6) Specification.
128. RFC2473, Generic Packet Tunneling in IPv6 Specification.
129. Srinivasan, L., Treadwell, J., An Overview of Service-oriented Architecture, Web Services and Grid Computing, HP Software Global Business Unit, November 3, 2005.
130. WebServices.org, http://www.webservices.org.
131. Component Object Model (COM), DCOM, and Related Capabilities, Carnegie Mellon Software Engineering Institute, http://www.sei.cmu.edu/str/descriptions/com.html.
132. Talukder, A.K., Yavagal R., Mobile Computing - Technology, Applications, and Service Creation, McGraw-Hill, 2007.
133. Jean-Christophe, M., Policy-Based Networks, Sun BluePrints OnLine - October 1999, http://www.sun.com/blueprints/1099/policy.pdf.
134. OASIS Web Services Security, Kerberos Token Profile 1.1, OASIS Standard Specification, February 1, 2006.
135. RC1831, Remote Procedure Call Protocol Specification Version 2.
136. Richard Stevens, W., UNIX Network Programming, Prentice Hall Software Series, New York, 1990.
137. ONC+ Developer’s Guide, http://docs.sun.com/app/docs/doc/802-1997/6i6091la7?a=view.
138. SUN RPC: A lesson based on UNIX Network Programming by W. Richard Stevens, Prentice Hall, Inc., http://www.eng.auburn.edu/cse/classes/cse605/examples/rpc/stevens/SUNrpc.html.
139. Mahmoud, Q.H., Distributed Java Programming with RMI and CORBA, 2002, http://java.sun. com/developer/technicalArticles/RMI/rmi_corba/.
140. CORBA Security Service Specification, formal/02-03-11 v1.8, 2002.
141. Real-time CORBA with TAO (The ACE ORB), http://www.cs.wustl.edu/~schmidt/TAO.html.
142. Microsoft Developer Network (MSDN), http://msdn2.microsoft.com.
143. Java Security at Sun Microsystems, http://Java.sun.com/Javase/technologies/security/index.jsp.
144. Gosling, J., McGilton, H., The Java Language Environment: A White Paper, Sun Microsystems, May 1995, http://www.cab.u-szeged.hu/WWW/java/whitepaper/java-whitepaper-1.html.
145. Venner, B., An Overview of the JVM’s Security Model and a Look at Its Built-In Safety Feature, JavaWorld.com, 08/01/97.
146. Java Language Specification, http://Java.sun.com/docs/books/jls/index.html.
147. Venner, B., A Look at The Role Played by Class Loaders in the JVM’s Overall Security Model, JavaWorld.com, 09/01/97.
148. The Last Stage of Delirium Research Group, Poland, Java and Java Virtual Machine security vulnerabilities and their exploitation technique, Black Hat Briefings, Singapore, Oct 3rd-4th, 2002.
149. Wikipedia, http://en.wikipedia.org/wiki/Java_Cryptography_Architecture.
150. Cheong, P. Y., Create your own HTTPS tunneling socket for your Java Secure Socket Extension application:by, JavaWorld.com, 05/18/01.
151. All About Sockets (Sun Tutorial), http://java.sun.com/docs/books/tutorial/networking/sockets/.
152. IBM, Java Secure Socket Extension, https://www6.software.ibm.com/developerworks/education/j-jsse/section4.html.
153. Talukder, A. K., Yavagal, R., Mobile Computing-Technology, Applications, and Service Creation, McGraw-Hill, New York, 2007.
154. 3GPP TS 22.057: Technical Specification Group Services and System Aspects, Mobile Station Application Execution Environment (MExE), Service Description, Stage 1.
155. 3GPP TS 23.140: Digital cellular telecommunications system (Phase 2+), Universal Mobile Telecommunications System (UMTS), Multimedia Messaging Service (MMS), Functional Description.
156. 3GPP TS 31.101: Universal Mobile Telecommunications System (UMTS), UICC-Terminal Interface, Physical and Logical Characteristics.
157. ETSI TR 187 002 V1.1.1 (2006-03) Technical Report, Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); TISPAN NGN Security (NGN_SEC), Th reat and Risk Analysis.
158. ETSI ETR 332, Security Techniques Advisory Group (STAG), Security Requirements Capture.
159. ETSI EG 202 387, Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method for application of Common Criteria to ETSI deliverables.
160. Feng, Y., Zhu, J., Wireless Java Programming with J2ME, Sans Publishing, 2001.
161. GSM 03.40: Digital Cellular Telecommunications System (Phase 2), Technical Realization of the Short Message Service (SMS) Point-to-Point (PP).
162. GSM 03.48: Digital Cellular Telecommunications System (Phase 2+), Security Mechanisms for SIM Application Toolkit.
163. 3GPP TS 31.102: Universal Mobile Telecommunications System (UMTS), Characteristics of the Universal Subscriber Identity Module (USIM) application.
164. Chen, Z., Java Card Technology for Smart Cards-Architecture and Programmer’s Guide, Addison-Wesley, Reading, MA, 2000.
165. GSM 03.19: Digital cellular telecommunications system (Phase 2+), Subscriber Identity Module Application Programming Interface (SIM API), SIM API for Java Card (TM), Stage 2 (ETSI TS 101 476).
166. Girard, P., Lanet, J-L., New Security Issues Raised by Open Cards, Technical Report SM-99-03, Gemplus Research Lab, June 1999.
167. Wireless Application Protocol Architecture Specification, WAPForum, 1998.
168. Wireless Application Protocol Wireless Application Environment Specification Version 1.2, WAPForum, 1999.
169. Jansen, W., Karygiannis, T., NIST Special Publication 800-19 - Mobile Agent Security, src.nist. gov/publications/nistpubs/800-19/sp800-19.pdf.
170. RFC2001: Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations.
171. Coyle, K., The Technology of Rights: Digital Rights Management, Talk at Library of Conference, November 19, 2003. Available at http://www.kcoyle.net/drm_basics.pdf.
172. Executive Summary: Digital Rights Management Survey, April 2007. Available at http://instat.com/panels/pdf/2007/apr07digitalrightsmgmt.pdf.
173. Open Mobile Alliance Digital Rights Management, OMA-Download-DRM-V1_0-20040615-A, Version 1.0, June 15, 2004.
174. Iannella, R., Digital Rights Management (DRM) Architectures, D-Lib Magazine, 7(6), 2001. Available at http://www.dlib.org/dlib/june01/iannella/06iannella.html.
175. Iannella, R., Open Digital Rights management, W3C DRM Workshop, 2000.
176. Stefan Bechtold, The present and future of Digital Rights Management, Digital Rights Management-Technological, Economic, Legal and Political Aspects, Springer, Berlin, 2003, pp. 597-654. Available at http://www.jura.uni-tuebingen.de/bechtold/pub/2003/Future_DRM.pdf.
177. CERT Advisory Malicious HTML HTML Tags Embedded in Client Web Requests http://www.cert. org/advisories/CA-2000-02.html.
178. Endler, D., Brute-Force Exploitation of Web Application Session Ids, http://www.idefense. com/application/poi/researchreports/display.
179. The National Electronic Commerce Coordinating Council Identity Management, A White Paper, Presented at the NECCC Annual Conference, December 4-6, 2002, New York.
180. Goodner, M., Hondo, M., Nadalin, A., McIntosh, M., Schmidt, D., Understanding WS-Federation, Version 1.0, May 28, 2007.
181. Microsoft Passport Network Privacy Supplement, http://privacy.microsoft.com/en-us/passport.aspx.
182. Oracle Enterprise Single Sign On, http://www.oracle.com/technology/products/id_mgmt/esso/index. html.
183. SAML OASIS Standards, http://www.oasis-open.org/committees/security/.
184. Authorization (AZN) API Technical Standard, Open Group Technical Standard Document Number:C908, 2000.
185. RSA Federated Identity Manager, http://www.rsa.com/node.aspx?id=1191.
186. ITU-T Recommendation X.500: Series X: Data Networks, Open System Communications and Security, Information Technology-Open Systems Interconnection-The Directory: Overview of Concepts, Models and Services, August 2005.
187. ITU-T Recommendation X.500: Series X: Data Networks, Open System Communications and Security, Information Technology-Open Systems Interconnection-The Directory: Overview of Concepts, Models and Services, August 2005.
188. ITU-T Recommendation X.519: Series X: Data Networks, Open System Communications and Security, Information Technology-Open Systems Interconnection-The Directory: Protocol Specifications, August 2005.
189. ITU-T Recommendation X.509, Series X: Data Networks, Open System Communications and Security, Information Technology-Open Systems Interconnection-The Directory: Public-Key and Attribute Certificate Frameworks, August 2005.
190. ITU-T Corrigendum X.509, Series X: Data Networks, Open System Communications and Security, Information Technology-Open Systems Interconnection-The Directory: Public-Key and Attribute Certificate Frameworks, January 2007.
191. Venkatraman, J., Raghavan, V., Das, D., Talukder, A.K., Trust and Security Realization for Mobile Users in GSM Cellular Networks, Proceedings of Asian Applied Computer Conference, Kathmandu October 29-31, 2004; LNCS 3285 pp-302-309.
192. Shamir, A., Identity Based Cryptosystems and Signature Schemes, Advances in Cryptology-Proceedings of Crypto '84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, pp. 47-53, 1984.
193. Boneh, D., Franklin, M., Identity-Based Encryption from the Weil Pairing, SIAM Journal of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
194. Bellare, M., Minery, S.K., A Forward-Secure Digital Signature Scheme, July 13, 1999.
195. Sullivan, B., Malicious Code Injection: It’s Not Just for SQL Anymore, http://www.infosecwriters. com/text_resources/pdf/Advanced_Injection_BSullivan.pdf.
196. SQL Injection Walkthrough, http://www.securiteam.com/securityreviews/5DP0N1P76E.html.
197. Finnigan, Pete, SQL injection and Oracle, http://www.securityfocus.com/infocus/1644.
198. Anley, C., Advanced SQL injection, http://www.nextgenss.com/papers/advanced_sql_injection.pdf.
199. Wheeler, D., Secure Programming for Linux and Unix HOWTO, http://www.dwheeler.com/secure-programs/.
200. Cross Site Scripting (XSS) FAQ, http://www.cgisecurity.com/articles/xss-faq.shtml.
201. O’Reilly, T., What Is Web 2.0, Design Patterns and Business Models for the Next Generation of Software, http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html.
202. Top 100 Network Security Tools, http://sectools.org/.
203. Brutus - A Brut Force Online Password Cracker, http://www.hoobie.net/brutus/.
204. dig - Internet Search Engine Software, Available at www.htdig.org.
205. dnsa - DNS Auditing Tool, Available at http://www.packetfactory.net/projects/dnsa/.
206. dsniff- Tool for Network Auditing and Penetration testing, Available at http://www.monkey. org/~dugsong/dsniff/.
207. dnsspoof - DNS Spoofing Tool, http://downloads.openwrt.org/people/nico/man/man8/dnsspoof.8.html.
208. hunt, TCP hijacking tool, http://www.securiteam.com/tools/3X5QFQUNFG.html.
209. hunt-TCP hijacking tool (http://lin.fsid.cvut.cz/~kra/index.html).
210. nmap Free Secure Scanner, -scan the NW, http://nmap.org/.
211. ntop - Network Traffic Probe, http://www.ntop.org/ntop.html.
212. nikto Web Server Scanner, http://www.cirt.net/code/nikto.shtml.
213. nemesis Packet Injection Utility, http://www.packetfactory.net/projects/nemesis/.
214. nessus the Network Vulnerability Scanner, http://www.nessus.org/.
215. Packet Storm, www.packetstormsecurity.org.
216. Tcpdump, http://www.tcpdump.org/.
217. Achilles - Web Application Security Assessment Tool, http://achilles.mavensecurity.com/.
218. OWASP Guide, http://www.owasp.org/.
219. OWASP Top 10 2007, The Ten Most Critical Web Application security Vulnerabilities, OWASP Foundation, 2007.
220. OASIS Application Vulnerability Description Language v1.0, OASIS Standard, May 2004.
221. J2EE Tutorial, java.sun.com.
222. Sun Java Blueprints, http://java.sun.com/reference/blueprints/index.html.
223. Huseby, S.H., Common Security Problems in the Code of Dynamic Web Applications, Version 1.0, last modified on June 1, 2005, http://www.webappsec.org/projects/articles/062105.shtml.
224. Java Servlet Specification, http://java.sun.com/products/servlet/.
225. RFC2617: HTTP Authentication: BASIC and DIGEST Access Authentication, http://www.ietf. org/rfc/rfc2617.
226. HTTP Status Code Definitions, http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.
227. Andonov, A., The Unexpected SQL Injection, When Escaping Is Not Enough, Version 1.0, last modified on September 1, 2007, http://www.webappsec.org/projects/articles/091007.shtml.
228. Klein, A., DOM Based Cross Site Scripting or XSS of the Th ird Kind A Look at an Overlooked Flavor of XSS (aksecurity@hotpop.com) Version 0.2.8, last modified on July 4, 2005, http://www.webappsec. org/projects/articles/071105.shtml.
229. Bugtraq, http://www.securityfocus.com/archive.
230. Apache Struts, http://struts.apache.org.
231. Gulzar, N., Fast Track to Struts: What I does and how, The ServerSide.com, November 4, 2002.
232. OWASP: Java Server Faces, http://www.owasp.org/index.php/Java_Server_Faces.
233. Mills, D., JSF Security Quickie: Problems and Solutions, The Java Web Users Group 2006.
234. The Web Application Security Consortium (WASC), http://www.webappsec.org/.
235. The Web Security Th reat Classification, http://www.webappsec.org/projects/threat/.
236. Java Web Application Security-Best Practice Guide V. 2.0, www.secologic.de.
237. http://www.developer.com.
238. Grossman, J., The 80/20 Rule for Web Application Security: Version 1.8, last modified on January 31, 2005, WASC, http://www.webappsec.org/projects/articles/013105.shtml.
239. Sun EJB Specifications, http://java.sun.com/products/ejb/docs.html.
240. Ed Roman, Mastering Enterprise JavaBeans, 2nd ed., Wiley, Hoboken, NJ, USA.
241. Web Services Security, www.trl.ibm.com/projects/xml/soap/.
242. Wikipedia, http://en.wikipedia.org/wiki/Internet.
243. World Wide Web Consortium, http://www.w3.org/TR/SOAP/.
244. Security in a Web Services World: A Proposed Architecture and Roadmap, IBM DeveloperWorks, http://www-106.ibm.com/developerworks/webservices/library/ws-secmap/?loc=dwmain.
245. OWASP-Open Web Application Security Project, http://www.owasp.org.
246. XML Signature, World Wide Web Consortium, www.w3.org/TR/SOAP-dsig/.
247. Microsoft Developer Network, http://msdn.microsoft.com/security.
248. Liu, Z., Song, X., Tang, W., Chang, X., Zhou, D., Wuhan University Journal of Natural Sciences:A Message-Level Security Model consisting of Multiple Security Tokens: Article ID: 1007-1202 (2007)01-0001-04.
249. Shin, S., Web Service & SOA Security Standards, Java Technology Evangelist, Sun Microsystems Inc. http://www.javapassion.com/webservices/webservicessecurity2.pdf.
250. OASIS-Organization for the Advancement of Structured Information Standards, http://www.oasis-open.org.
251. The Liberty Alliance, http://www.projectliberty.org/.
252. Web Service Standards, www.ws-standards.com.
253. W3C XML Schema Reference, http://www.w3.org/XML/Schema.
254. Java Security for the Enterprise, http://www.j2ee-security.net.
255. Apache Axis, http://ws.apache.org.
256. W3C XPath Reference, www.w3.org/TR/xpath.
257. Kuznetsov, E., Federated identity management and Web services. News.com Published on ZDNet News: January 13, 2005 7:37:00 PM.
258. Sun Federated Identity Management, http://www.sun.com/software/media/flash/demo_federation/index.html.
259. Open Financial Exchange, Specification 2.1.1, May 1, 2006.
260. IFX Forum, Interactive Financial Exchange, XML Implementation Specification, Version 1.0.1 April 26, 2000.