Similar literature
1.
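Web applications have become the main mode of information management for the Internet and for enterprises and institutions. As Web applications have spread, attackers increasingly exploit their vulnerabilities to carry out malicious attacks, and security assessment of Web applications has become a hot topic in information security research. Taking the business logic of Web applications into account, this paper proposes a formal description method for the software attack surface of their related resources, constructs an attack graph model based on the software attack surface, and on this basis implements security assessment of Web applications. The security assessment model constructed here builds on existing general vulnerability detection models and introduces correlation analysis of business logic security, which addresses the inadequate business logic security detection of existing models and achieves fast, comprehensive security assessment of Web applications.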

2.
Since its inception just over two decades ago, the World Wide Web has become a truly ubiquitous and transformative force in our life, with millions of Web applications serving billions of Web pages daily. Through a number of evolutions, Web applications have become interactive, dynamic and asynchronous. The Web's ubiquity and our reliance on it have made it imperative to ensure the quality, security and correctness of Web applications. Testing is a widely used technique for validating Web applications. It is also a long-standing, active and diverse research area. In this paper, we present a broad survey of recent Web testing advances and discuss their goals, targets, techniques employed, inputs/outputs and stopping criteria.

3.
The new generation of networked business solutions brings legacy data and applications to the World Wide Web, and lets companies redefine internal and external business processes. The present need for Internet transactions has forced many businesses to adopt Internet forms of distribution for their business items. This has threatened security, which hence needs to be given key priority. This paper highlights the key areas on how to protect the information we transact on the Internet. It also aims at improving the security of our data and the computers we use to access this data.

4.
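A Method for Secure XML-Based Data Exchange   Total citations: 11, self-citations: 0, citations by others: 11
Web Services use an XML-based messaging mechanism as the mechanism for creating and accessing services. Through Web protocols, clients can conveniently access the specific functionality and business logic that Web Services encapsulate. This paper studies the security measures that can be implemented in Web Services and analyzes and compares the strengths and weaknesses of existing solutions. Finally, it provides a method for secure XML-based data exchange; with this encryption method, most common security vulnerability problems can be resolved.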

5.
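Current research on the security of Web application systems remains confined to the implementation of service security, and research on security testing techniques is still weak. As Web applications have spread, more and more researchers have begun to pay attention to security testing of Web application systems, and more and more inspection tools have been developed. Based on common Web security problems, this paper analyzes a security testing framework for Web services and uses it to explore security testing techniques, with the aim of improving the security of Web application systems.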

6.
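Liu Hongyan, Duan Zhenhua, Zhang Pengfei. Microcomputer Development (《微机发展》), 2006, 16(11): 162-165
With the rapid development of Web service applications, security problems on the Web service provider side have become one of the main obstacles to their practical use. This paper focuses on the security problems faced by Web service providers, introduces an information security solution model based on separating security policy from implementation, and improves it according to the actual circumstances of Web services, making it easier for Web service providers to define security policies dynamically and to implement the various policy-guided security measures flexibly. Finally, Projection Temporal Logic (PTL) is used to formally describe the specification of the resource access decision part of the model.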

7.
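Security Mechanisms for Web Services   Total citations: 2, self-citations: 0, citations by others: 2
Qian Quan, Yan Jiade. Computer Engineering (《计算机工程》), 2007, 33(22): 190-192
Web Services integrate computing services in a loosely coupled way and play an important role in distributed computing environments such as e-commerce and enterprise application integration. As Web Service applications have spread, security problems have also received attention. To address the shortcomings of securing Web Services with SSL and firewall technology, this paper starts from the Web Service architecture and divides Web Service security into three layers: enterprise processing layer security, Web Service directory and registry layer security, and communication layer security. It then sets out the security policies and implementation methods for each layer.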

8.
Web 2.0 defines a changing trend in the use of World Wide Web application development and web design technology. Web 2.0 design concepts have led to the evolution of a web culture that has allowed social-networking and ease of design use of non-secure component applications to enter the business domain of the enterprise. These Web 2.0 component applications are then commingled with other business legacy applications including databases. This article focuses on the taxonomy of the injection infection class of vulnerabilities associated with Web 2.0 application security issues.

9.
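As oilfield informatization continues to develop, more and more IT business systems are being deployed across oilfield units at every level. Because oilfield applications are numerous and varied, quickly assessing the operating status and security posture of these systems has become an important concern for oilfields. When these application systems are used, some access information is stored in the form of logs, so analyzing log data can reveal user access preferences and uncover potential security problems in business systems, thereby providing a basis for decisions in oilfield application assessment. However, as IT business traffic has surged, the number and volume of application logs have grown with it, and analyzing massive data in a single-machine environment can no longer meet oilfield business needs. To address this problem, this paper proposes an application log behavior analysis method based on the Spark computing framework and designs a visualization platform to manage the entire analysis system.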

10.
Web services are supported by major IT vendors and have been adopted by some enterprises in various applications. However, due to the hype surrounding Web services, information technology (IT) personnel and business managers often have difficulty assessing the potential uses, impacts, and benefits of Web services. Based on literature review and technical information, as well as field and Web-based case studies, we have developed a framework for analyzing the driving forces for Web services adoption. The framework and detailed benefits analysis model can be used by IT and business strategy planners to identify technical options and business opportunities, as well as to formulate Web services implementation strategies.

11.
There's a difference between what we'd like our enterprise computing systems to be and what they really are. We like to envision them as orderly multitier arrangements comprising software buses, hubs, gateways, and adapters - all deployed at just the right places to maximize scale, load, application utility, and ultimately, business value. Unfortunately, we know that there's a wide gulf between this idealistic vision and reality. In practice, our enterprise computing systems typically are tangles of numerous technologies, protocols, and applications, often hastily hard-wired together with inflexible point-to-point connections. The whole point of middleware is to hide the diversity and complexity of the computing machinery underneath it. By adopting the abstractions that middleware provides, we're supposedly isolating our applications from the variety of ever-changing hardware platforms, operating systems, networks, protocols, and transports that make up our enterprise computing systems. We can use Web services to provide a "middleware for middleware" abstraction layer for modern integration applications.

12.
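Li Ming. Fujian Computer (《福建电脑》), 2020, (5): 25-27
Web-based Internet applications are flourishing. Web applications play an important role in everyone's daily life and have accumulated large amounts of user information and data, which has attracted wide attention from hackers. As a result, the security situation for Web applications is becoming increasingly serious. Protecting Web applications and user data is of great importance. This paper discusses SQL injection attacks, which are widespread and pose a high level of threat, analyzes the mechanism of SQL injection attacks and the harm they can cause, and explores methods for detecting SQL injection attacks and how to implement defensive measures, in order to provide a reference for improving Web application security and for developers and network security practitioners.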

13.
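Existing security tools based on WS-Security (Web Services Security) provide the infrastructure for Web service security at the technical level, but they require users to have extensive security knowledge and offer no means of presenting business context, which makes the security facilities hard for business users to use. Following the ideas of MDA, a security policy model integrated with business processes is designed. In this security model, the application model that describes business processes is combined with the security model that describes the security information of collaborative applications, and a corresponding configuration tool is implemented on the basis of the security model using the GMF framework. Business staff can configure Web service security policies on top of a visualized business process, based on the predefined security policy model. The tool automatically converts the configured security policies into WS-Security Policy specification documents.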

14.
Value Webs: using ontologies to bundle real-world services   Total citations: 1, self-citations: 0, citations by others: 1
Real-world services - that is, nonsoftware-based services - differ significantly from Web services, usually defined as software functionality accessible and configurable over the Web. Because of the economic, social, and business importance of the service concept in general, we believe it's necessary to rethink what this concept means in an ontological and computational sense. The OBELIX (ontology-based electronic integration of complex products and value chains) project has therefore developed a generic component-based ontology for real-world services. This OBELIX service ontology is first of all a formalization of concepts that represent the consensus in the business science literature on service management and marketing. We express our service ontology in a graphical, network-style representation, and we've developed support tools that facilitate end-user modeling of services. Then, automated knowledge-based configuration methods let business designers and analysts analyze service bundles. We've tested our ontology, methods, and tools on applications in real-world case studies of different industry sectors.

15.
16.
Statistical testing and reliability analysis can be used effectively to assure quality for Web applications. To support this strategy, we extract Web usage and failure information from existing Web logs. The usage information is used to build models for statistical Web testing. The related failure information is used to measure the reliability of Web applications and the potential effectiveness of statistical Web testing. We applied this approach to analyze some actual Web logs. The results demonstrated the viability and effectiveness of our approach.

17.
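In recent years, cloud computing, as an Internet-based business model, has made considerable progress and has had a huge impact on modern life. As the scope of cloud computing applications expands, security, which underpins the reliability of those applications, has become an important issue of general concern to users. Starting from an analysis of the security problems in cloud computing applications, this paper focuses on the measures that should be taken to strengthen the security management of cloud computing applications.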

18.
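Web applications are numerous and widely used, yet they contain a variety of exploitable security vulnerabilities, of which cross-site scripting (XSS) accounts for the largest share. To better detect XSS vulnerabilities in Web applications, a method is proposed that combines static code analysis based on a taint propagation model with dynamic checking of sanitization units. It includes the definition of the source rules, sanitization rules and sink rules that correspond to XSS vulnerabilities, and a description of the dynamic checking algorithm for sanitization units. Analysis shows that the method can effectively find XSS vulnerabilities in Web applications.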

19.
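The purpose of this paper is to examine a number of typical existing Web testing methods and techniques. It first discusses the necessity and particular characteristics of Web testing; then, in view of the particular architecture of Web applications, it analyzes where faults may arise; it then discusses the various specific testing techniques in detail; and finally it introduces some common Web testing tools.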

20.
A Formal Framework for Web Services Coordination   Total citations: 1, self-citations: 0, citations by others: 1
Recently the term Web Services Choreography has been introduced to address some issues related to Web Services Composition and Coordination. Several proposals for describing Choreography for Business Processes have been presented in the last years and many of these languages (e.g. BPEL4WS) make use of concepts as long-running transactions and compensations for coping with error handling. However, the complexity of BPEL4WS makes it difficult to formally define this framework, thus limiting the formal reasoning about the designed applications. In this paper, we formally address Web Services Coordination with particular attention to Web transactions. We enhance our past work - the Event Calculus - introducing two main novelties: i) a multicast event notification mechanism, and ii) event scope names binding. The former enables an easier specification of complex coordination scenarios — such as E-commerce applications require — while the latter allows many new interesting behaviors which can be very useful in business scenarios: the introduction of private event scope names — used to deal with security and privacy — and a dynamic event scopes definition that can be used to manage multiple instances of the same application.
