Similar literature
1.
Some quality models, such as ISO 9126, fail to include computer security. The author explains why security is an essential but difficult facet of quality. As a software professional, you can take several actions to improve the security of your code: (1) learn the techniques of security; (2) when incorporating security features into a system, think like the attacker, i.e. consider each point as a potential weakest link; and, finally, (3) consult an expert.

2.
In this modern era of enterprise computing, enterprise application integration (EAI) is a well-known, industry-recognized architectural principle built on a loosely coupled application architecture, where service-oriented architecture (SOA) is the architectural pattern for implementing EAI and the computational elements are called "services." Though SOA can be implemented in a wide range of technologies, the web services implementation of SOA has become the usual choice because of its simplicity and because it works on basic Internet protocols. Web service technology defines several supporting protocols and specifications, such as SOAP and WSDL, for communication between client and server and for data interchange. A new architectural paradigm called REpresentational State Transfer (REST) has emerged in SOA in recent years; it is also used by system integration consortiums to integrate loosely coupled service components, named RESTful web services. This SOA implementation does not possess adequate security solutions of its own, and its security depends entirely on network/transport layer security, which is inadequate in the face of the latest web technologies such as Web 2.0 and its successor, Web 3.0. Vendor security products have major implementation constraints, such as requiring a secured organizational environment and breaching SOA specifications, and hence introduce new vulnerabilities. Herein, we examine the security vulnerabilities of RESTful web services in the light of popular OWASP rating methodologies and analyze the gaps in the existing security solutions. We then propose an adaptive security solution for REST that uses public key infrastructure techniques to enhance the security architecture. The proposed security architecture is constructed as an adaptive, Internet-of-Things (IoT) friendly security solution comprising three cyclic parts: learn, predict and prevent.
A novel security component named the "intelligent security engine" is introduced, which learns the possible occurrences of security threats on SOA using artificial neural network learning algorithms, then predicts potential attacks on SOA from the results obtained by the developed theoretical security model, while the algorithms written as part of the security solution prevent the SOA attacks. This paper presents one such algorithm for preventing SOA attacks on RESTful web services, along with a discussion of the results obtained from a proof-of-concept conducted in a real-time SOA environment. A comparison of the proposed system with other competing solutions demonstrates its superiority.

3.
This may not read like a computer security article initially, that is, unless you also read between the lines! If being a member of the digital community constantly involves trying to avoid or divert a continuous onslaught of junk mail, or manically trying to extricate yourself from listservs, then this is a security issue.

4.
This paper studies the security problems of service-oriented architecture (SOA) and analyzes the applicability of traditional security measures to SOA. Building on the WS-Security specification and drawing on the idea of constructing security services, it studies a hybrid multi-level access control security model and proposes a security service scheme for the SOA architecture to guarantee the security of SOA systems.

5.
One of the most significant difficulties in developing Service-Oriented Architecture (SOA) is meeting its security challenges, since responsibility for SOA security rests on both the service providers and the consumers. In recent years, many solutions to these challenges have been implemented, such as the Web Services Security Standards, including WS-Security and WS-Policy. However, those standards are insufficient for the new generation of Web technologies, including Web 2.0 applications. In this research, we propose an intelligent SOA security framework by introducing its two most promising services: the Authentication and Security Service (NSS) and the Authorization Service (AS). The suggested autonomic and reusable services are constructed as an extension of WS-1 security standards, with the addition of intelligent mining techniques, in order to improve performance and effectiveness. We apply three different mining techniques: Association Rules, which help to predict attacks; the Online Analytical Processing (OLAP) Cube, for authorization; and clustering mining algorithms, which facilitate the representation and automation of access control rights. Furthermore, a case study is explored to depict the behavior of the proposed services inside an SOA business environment. We believe that this work is a significant step towards achieving dynamic SOA security that automatically controls access to new versions of Web applications, including analyzing and dropping suspicious SOAP messages and automatically managing authorization roles.

6.
The current buzzword of choice among the technical elite (at least those subject to marketing departments) is service-oriented architecture, or SOA (pronounced 'SO-uh'). As SOA moves from hype to practice, an opportunity exists to do security right, but a similar opportunity exists for disaster if security is done wrong. This article describes 13 snares that we must avoid to end up with SOA security that makes sense.

7.
One of the pervasive concerns in dealing with cyber-security is the dreaded information systems (IS) audit. Most companies of a goodly size have an IS audit staff, and if you work for a financial organization like a bank, you can count on regular visits by the populus thereof. We have all been indoctrinated to the necessity of IS audits, and if you have ever worked for a larger company, you have been through them more than once — usually with mixed results, some good, some bad, some you are not terribly sure about. I have seen the entire gamut of IS audit results in my career and, unfortunately, when it comes to network security audits, most are on the "we're not sure how to really find the right data and therefore did a lame job and the networking geeks know it and are laughing at us" end of the spectrum.

8.
The adoption of the cloud paradigm for accessing IT resources and services has raised many security issues that need to be taken care of. Security becomes an even bigger concern when services built on top of many commercial clouds have to interoperate. Among other factors, the value of the service delivered to end customers is strongly affected by the security of the network that providers are able to build in typical SOA contexts. Currently, every provider advertises its own security strategy by means of proprietary policies, which are sometimes ambiguous and very often address the security problem from a non-uniform perspective. Even policies expressed in standardized languages do not appear to fit a dynamic scenario like SOA's, where services need to be sought and composed on the fly in a way that is compatible with end-to-end security requirements. We therefore propose an approach that leverages semantic technology to enrich standardized security policies with ad-hoc content. The semantic annotation of policies enables machine reasoning, which is then used for both the discovery and the composition of security-enabled services. In the presented approach, the semantic enrichment of policies is enforced by an automatic procedure. We further developed a semantic framework capable of matching the security capabilities of providers against the security requirements of customers in a smart way, and tested it on a use case scenario.

9.
The goal of SOA is to integrate individual applications into a seamless whole. An application in SOA is a set of reusable services; by composing these services one can easily build fully featured enterprise applications, or recombine them to build entirely new applications that meet the constantly changing needs of the enterprise.

10.
This paper describes the design and implementation of a network security system based on service-oriented architecture (SOA). It outlines the concept and characteristics of SOA and network security management, and describes in detail the implementation of the SOA-based network security system. Practical application shows that, compared with similar systems, the SOA-based network security system offers better flexibility, reusability and extensibility.

11.
This paper proposes a network security system based on service-oriented architecture (SOA), analyzes the system's characteristics in detail, compares the differences between SOA-based and traditional network security systems, and gives an example of an SOA-based network security scanning system. The study shows that SOA-based network security systems offer better flexibility, reusability and extensibility.

12.
The rise of cloud computing and the arrival of the Internet of Things era have raised enterprises' requirements for e-commerce integration. Traditional enterprise application integration systems suffer from poor data security, exposed business logic and tight coupling, which hinder the optimization of business processes. With its unique advantages, SOA technology has replaced traditional EAI as the basic integration framework. This paper analyzes the state of research on SOA integration, describes its key technologies for application integration, and, taking the supply chain management system of the automobile manufacturing industry as an example, builds an SOA-based e-commerce integration system that achieves flexible integration of services.

13.
Blogs typically allow readers to comment on your postings as well, meaning you can obtain valuable feedback and incorporate it into your promotions for SOA adoption. Despite their utility, blogs and wikis are no substitute for face-to-face conversations with key stakeholders. Whether you're the CIO or just another developer, convincing key people to buy into service orientation is ultimately the only way to get it adopted. Keep in mind, however, that building service-oriented systems is hard. Even if you get buy-in from the right people, it doesn't mean that actually building and deploying services is trivial. After all, you still have to deal with changes in development processes, training, tools, and perhaps new avenues of technical collaboration with other teams. Nevertheless, actively addressing the social side of the equation greatly increases your chances for success with SOA.

14.
Due to its dynamic nature, including service composition and evaluation, it is critical for a Service-Oriented Architecture (SOA) system to consider its data provenance, which concerns the security, reliability, and integrity of data as they are routed through the system. In a traditional software system, one focuses on the software itself to determine its security, reliability, and integrity. In an SOA system, however, one also needs to consider the origins and routes of data and their impact, i.e., data provenance. This paper first analyzes the unique nature and characteristics of data provenance in an SOA system, particularly as related to data security, reliability, and integrity. Then it proposes a new framework for data provenance analysis in an SOA system. Finally, it uses an example to illustrate these techniques.

15.
The combination of client-side Ajax with server-side SOA has become a trend in software architecture, but the security of the Ajax/SOA architecture also needs to be reconsidered. By considering Ajax and SOA together, this paper concludes that the security of SOAP messages, and especially of SOAP message attachments, is critical for this new architecture. It therefore introduces a new security model for SOAP message attachments and makes corresponding improvements to its timing-control algorithm.

16.
How do we protect systems? The answer is straightforward: each component must be evaluated independently and protected as necessary. Beware the easy answers, such as deploying stronger encryption while ignoring vulnerable end points; that's too much like looking under the streetlamp for lost keys, not because they're likely to be there but because it's an easy place to search. Remember, too, that people and processes are system components as well, and often the weakest ones—think about phishing, but also about legitimate emails that are structurally indistinguishable from phishing attacks. I'm not saying you should ignore one weakness because you can't afford to address another serious one—but in general, your defenses should be balanced. After that, of course, you have to evaluate the security of the entire system. Components interact, not always in benign ways, and there may be gaps you haven't filled.

17.
Security is one of the critical aspects of current systems, which are based on loosely coupled and technology-agnostic service-oriented architectures (SOA). Though SOA is the driving force for enterprises to open themselves up to global business collaborations, it raises many challenges for modeling and enforcing security. One of the main problems in designing secure systems is the lack of consistent frameworks and methodologies for modeling security concerns. Traditional approaches consider security at the end of system development, which produces inflexible, unconfigurable systems that are too difficult to maintain and manage. The other major problem with current approaches is that they assume pre-defined and hard-coded security patterns and mechanisms for secure system design, whereas evolving SOA systems require configurable security to realize different security patterns and security policies in a variety of business scenarios. To solve these problems, it is necessary to model security concerns from the beginning of system modeling in a platform-independent way. This paper proposes a pattern refinement approach for security modeling to achieve configurable and declarative security, based on the principles of abstraction, refinement, separation of concerns and maintainability, in order to achieve flexible configurations of SOA security. In the proposed approach, a Domain Expert defines abstract policies using a common security vocabulary, and a Security Expert models security with patterns and refines them for a target architecture in successive systematic refinements. Furthermore, the approach facilitates the transformation of abstract security models into executable security policies for the target platforms.

18.
The distributed nature of user management, the dynamic nature of business collaboration and the openness of services in SOA environments pose great security challenges for cryptographic services. This paper establishes a security framework that defines a complete set of security services and interfaces, meets the special requirements of secure access, access control and secure sharing for cryptographic services, and provides security assurance for SOA-oriented cryptographic services.

19.
Taking the key technologies for developing SOA-based enterprise information platforms as its research object, this paper discusses the related issues. It first briefly summarizes the concepts and characteristics of SOA and describes Web services, then analyzes SOA and Web services, and finally describes the technologies related to SOA security control. The aim is to provide technical assurance of security and reliability for the development of SOA-based enterprise information platforms, and to serve as a reference for theoretical research in related fields.

20.
How can you tell if an IT security product (or a product that includes security components) can secure your application? How can you be certain that a product will fully deliver on its claims that it will protect against malice in a deployed environment? Unfortunately, few vendors - and even fewer customers - can make these judgments. The article won't make you a security wizard, but it will give you a feel for what to look for in, and when to be concerned about, a vendor's claims. To ensure that a product has a chance of being secure, customers should check that vendors use adequate approaches in four primary areas. In order of importance (and maturity and availability), they are: quality-control (QC) mechanisms; cryptographic primitives; hardware assist mechanisms; and separation mechanisms.
