Funding: The National Natural Science Foundation of China (No. 60474037); Program for New Century Excellent Talents in University (No. NCET-04-415).
Abstract: An integrated security framework for the semantic web is proposed, modelled on the social intelligence with which an individual avoids harm and preserves the logical integrity of a transaction. The framework extends the semantic web model and governs the dynamic security properties of semantic web services, such as trust, logic and reasoning. It has four layers: a trust entrance layer, a social intelligence layer, a transaction layer, and a TCP/IP security protocols layer. The trust entrance layer handles the trust-related features presented by users; the social intelligence layer answers the logical questions posed to the semantic web; the transaction layer performs transaction reasoning; and the TCP/IP security protocols layer secures the communication channel. Together these layers form closed security rings at different security grades. Because the framework secures the semantic web flow as a whole, it is applicable across a range of semantic web technologies.
Abstract: To detect security vulnerabilities in a web application, the security analyst must choose the static application security testing (SAST) tool that discovers the greatest number of real vulnerabilities. Comparing static analysis tools for web applications requires a benchmark adapted to the vulnerability categories of the Open Web Application Security Project (OWASP) Top Ten. Information on the security effectiveness of commercial static analysis tools is rarely public, and the literature on static security analysers shows that differences in their design and implementation lead to different effectiveness rates. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology and a new benchmark designed around the OWASP Top Ten categories. Practitioners thus obtain more precise information for selecting a tool, based on a benchmark aligned with the latest versions of the OWASP Top Ten. The results are expressed with widely accepted metrics, and the tools are classified according to three degrees of web application criticality.
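How such a benchmark is scored, as an added example that is not part of the paper: a labelled set of test cases per OWASP category (real vulnerabilities plus safe decoys), two tool reports, and the confusion-matrix metrics a practitioner would compare. The test cases, the tool outputs and the category labels are constructed for the illustration; the ranking key assumed here is TPR minus FPR, the score the OWASP Benchmark project reports.

```python
"""Score SAST tools against a labelled benchmark, overall and per OWASP Top Ten category.

Added example, not the paper's benchmark or tooling. The test cases and the tool
outputs below are constructed; category labels follow OWASP Top Ten 2021 naming
only for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed benchmark: case id -> (OWASP category, truly vulnerable?). Decoys
# (False) are safe variants the tool must NOT flag; without them, counting hits
# alone would reward a tool that reports everything.
GROUND_TRUTH = {
    "sqli-01": ("A03:Injection", True),
    "sqli-02": ("A03:Injection", True),
    "sqli-03": ("A03:Injection", False),   # parameterised query, safe
    "sqli-04": ("A03:Injection", False),
    "xss-01": ("A03:Injection", True),
    "xss-02": ("A03:Injection", False),    # output encoded, safe
    "ac-01": ("A01:Broken Access Control", True),
    "ac-02": ("A01:Broken Access Control", True),
    "ac-03": ("A01:Broken Access Control", False),
    "crypto-01": ("A02:Cryptographic Failures", True),
    "crypto-02": ("A02:Cryptographic Failures", False),
}

# Constructed tool reports: the case ids each tool flagged as vulnerable.
TOOL_FINDINGS = {
    "tool_a": {"sqli-01", "sqli-02", "sqli-03", "xss-01", "ac-01", "crypto-01", "crypto-02"},
    "tool_b": {"sqli-01", "ac-01", "ac-02", "ac-03", "crypto-01"},
}


@dataclass
class Score:
    tp: int
    fp: int
    tn: int
    fn: int

    @property
    def tpr(self) -> float:  # recall: share of real vulnerabilities found
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def fpr(self) -> float:  # share of safe cases wrongly flagged
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0

    @property
    def precision(self) -> float:
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

    @property
    def youden(self) -> float:
        # TPR - FPR, the single number the OWASP Benchmark project reports: a tool
        # that flags everything scores 0, as does one that flags nothing.
        return self.tpr - self.fpr


def score(flagged: set, truth: dict = GROUND_TRUTH, category: Optional[str] = None) -> Score:
    """Confusion counts for one tool, optionally restricted to one category."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for case_id, (cat, vulnerable) in truth.items():
        if category is not None and cat != category:
            continue
        hit = case_id in flagged
        key = ("tp" if hit else "fn") if vulnerable else ("fp" if hit else "tn")
        counts[key] += 1
    return Score(**counts)


def rank_tools(findings: dict = TOOL_FINDINGS, truth: dict = GROUND_TRUTH,
               category: Optional[str] = None) -> list:
    """Tools ordered best-first by Youden score; ties broken by precision."""
    scored = [(name, score(flagged, truth, category)) for name, flagged in findings.items()]
    return sorted(scored, key=lambda ns: (ns[1].youden, ns[1].precision), reverse=True)


if __name__ == "__main__":
    for cat in (None, "A03:Injection", "A01:Broken Access Control"):
        print(cat or "all categories")
        for name, s in rank_tools(category=cat):
            print(f"  {name}: TP={s.tp} FP={s.fp} FN={s.fn} "
                  f"TPR={s.tpr:.2f} FPR={s.fpr:.2f} score={s.youden:+.2f}")
```

With this data tool_a finds more real vulnerabilities than tool_b overall yet ranks below it once false positives are counted, while the order reverses on the Injection category alone; this is why a per-category benchmark with decoys, rather than a raw hit count, is needed to pick a tool for a given application.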
Abstract: With the development of the Internet, Web Services technology has become a new branch of web application programming and a hot topic in computer science, but research on Web Services security has not kept pace. Traditional security solutions cannot satisfy the Web Services requirements of selective protection, end-to-end security and application-layer security; what is needed is a solution integrated into the Web Services framework itself. Based on cryptography and Web Services technology, and following the W3C XML Encryption and XML Signature specifications and the WS-Security specification proposed by IBM and Microsoft, this paper puts forward a Web Services security model based on a message layer. The message layer is composed of message handlers inserted into the message processing sequence, which provide transparent security services to the Web Service. To verify the model, a Web Services security system was implemented on the .NET platform. The implementation provides a range of security services and offers security, scalability, controllability of security, and end-to-end security at the message level.
Key words: Web services; Web services security; message layer. CLC number: TP 393.08. Biography: WANG Cui-ru (1954-), female, Professor; research direction: database and information management systems.
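The message-handler structure the abstract describes, as an added example rather than the paper's .NET code: a JSON dict stands in for the SOAP envelope and an HMAC-SHA256 over the canonicalised body, timestamp and nonce stands in for an XML Signature (the shared key is constructed for the demo). What the example shows is why message-layer security is end-to-end: the protection travels inside the message, outbound handlers wrap it in order, inbound handlers unwrap it in reverse order, and any failure raises before the service sees the body.

```python
"""Message-layer security as a chain of handlers.

Added example, not the paper's .NET implementation. JSON stands in for the SOAP
envelope and HMAC-SHA256 for an XML Signature; KEYS is a constructed demo key.
"""
import hashlib
import hmac
import json
import secrets
import time

KEYS = {"k1": b"constructed-demo-key-do-not-reuse"}  # keyed by id so keys can rotate


class SecurityFault(Exception):
    """Raised by an inbound handler; the message never reaches the service."""


def canonical(obj) -> bytes:
    """Deterministic bytes so sender and receiver hash exactly the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class TimestampHandler:
    """Adds created/expires and a nonce; rejects stale or post-dated messages."""
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock

    def outbound(self, msg):
        now = self.clock()
        msg["header"]["timestamp"] = {"created": now, "expires": now + self.ttl}
        msg["header"]["nonce"] = secrets.token_hex(16)
        return msg

    def inbound(self, msg):
        ts = msg["header"].get("timestamp")
        if ts is None or not (ts["created"] <= self.clock() <= ts["expires"]):
            raise SecurityFault("timestamp missing, expired or in the future")
        return msg


class SignatureHandler:
    """HMAC over body + timestamp + nonce, so none of them can be altered in transit."""
    def __init__(self, keys, key_id):
        self.keys, self.key_id = keys, key_id

    def _digest(self, msg, key):
        parts = {"timestamp": msg["header"].get("timestamp"),
                 "nonce": msg["header"].get("nonce"), "body": msg["body"]}
        return hmac.new(key, canonical(parts), hashlib.sha256).hexdigest()

    def outbound(self, msg):
        msg["header"]["signature"] = {"key_id": self.key_id,
                                      "value": self._digest(msg, self.keys[self.key_id])}
        return msg

    def inbound(self, msg):
        sig = msg["header"].get("signature") or {}
        key = self.keys.get(sig.get("key_id"))
        if key is None or not hmac.compare_digest(str(sig.get("value", "")), self._digest(msg, key)):
            raise SecurityFault("signature missing or invalid")
        return msg


class ReplayHandler:
    """Remembers accepted nonces; inbound it runs after signature verification, so
    forged messages cannot fill the cache."""
    def __init__(self):
        self.seen = set()

    def outbound(self, msg):
        return msg

    def inbound(self, msg):
        nonce = msg["header"].get("nonce")
        if nonce is None or nonce in self.seen:
            raise SecurityFault("replayed message")
        self.seen.add(nonce)
        return msg


class Pipeline:
    """Outbound in list order; inbound in reverse, so the signature is checked first."""
    def __init__(self, handlers):
        self.handlers = list(handlers)

    def send(self, body):
        msg = {"header": {}, "body": body}
        for h in self.handlers:
            msg = h.outbound(msg)
        return msg

    def receive(self, msg):
        for h in reversed(self.handlers):
            msg = h.inbound(msg)
        return msg["body"]


def make_pipeline(clock=time.time):
    return Pipeline([ReplayHandler(), TimestampHandler(clock=clock), SignatureHandler(KEYS, "k1")])


def demo():
    """Accept a fresh message; reject a tampered copy, a replay, and a stale message."""
    sender, receiver = make_pipeline(), make_pipeline()
    msg = sender.send({"op": "transfer", "amount": 100})
    tampered = json.loads(json.dumps(msg))
    tampered["body"]["amount"] = 100000
    stale = make_pipeline(clock=lambda: 1000.0).send({"op": "ping"})  # signed long ago
    outcome = {}
    for label, m in (("fresh", msg), ("tampered", tampered), ("replayed", msg), ("stale", stale)):
        try:
            outcome[label] = receiver.receive(m)
        except SecurityFault as e:
            outcome[label] = str(e)
    return outcome
```

The handler order matters on the inbound side: verifying the signature before reading the timestamp or nonce means an attacker cannot make the receiver act on, or cache, anything unauthenticated. Encryption of selected body elements would be one more handler of the same shape, which is the selective protection the abstract contrasts with transport-level TLS.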
Abstract: In recent years, web security has been viewed in the context of securing the web application layer against attacks by unauthorized users. The vulnerabilities in the web application layer have been attributed either to guiding development with an inappropriate software development model, or to using a model that does not treat security as a key factor. This systematic literature review (SLR) therefore investigates the security vulnerabilities that affect the web application layer, the security approaches or techniques used to address them, the stages of software development at which those approaches are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from reputable scientific sources (IEEE Computer Society, ACM Digital Library, Science Direct and Springer Link). After a detailed review process, 56 key primary studies were retained on the basis of defined inclusion and exclusion criteria. The review finds no single software product that is regarded as a standard or preferred choice for web application development. The SLR performs a deep analysis of detection methods for web application security vulnerabilities, which helps to identify the scope for a more comprehensive investigation in future research. Taking the OWASP Top 10 web application vulnerabilities identified in 2012 as a reference, we will attempt to categorize the accessible vulnerabilities; OWASP is a major source for constructing and validating web security processes and standards.
Abstract: Backdoors and information leaks in web servers can be detected by applying web mining techniques to abnormal web log and web application log data, enhancing web server security and averting the damage caused by illegal access. First, a system for discovering patterns of information leakage in CGI scripts from web log data is proposed. Second, those patterns are provided to system administrators so that they can modify their code and enhance web site security. Two aspects are described. The first is combining the web application log with the web server log to extract more information, so that web data mining can discover in the web log what a firewall or intrusion detection system cannot find. The second is an operational module for the web site that enhances web site security. For cluster server sessions, density-based clustering is used to reduce resource cost and obtain better efficiency.
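Combining the two logs, as an added example that is not the paper's system: the access log is assumed to be in Apache combined format and the application log to carry a timestamp, level, client address and script path (both samples are constructed). The rule implemented is the one a practitioner would start from: an application-level error for a request that the server nevertheless answered 2xx, with a body far larger than that script's clean responses, is a candidate leak of diagnostics (SQL error text, file contents, stack traces), and it is invisible to a firewall or IDS that sees only the HTTP layer.

```python
"""Correlate the web server access log with the application log to surface CGI
scripts that leak internal information.

Added example, not the paper's system. Both log samples are constructed; the
access log is Apache combined format and the application log is
'ISO-timestamp LEVEL client=IP script=PATH message'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/search.cgi?q=router HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/search.cgi?q=switch HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/search.cgi?q=%27%20OR%201=1-- HTTP/1.1" 200 18944 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:56:07 +0000] "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.1" 200 2201 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:56:12 +0000] "GET /cgi-bin/view.cgi?file=readme.txt HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "GET /cgi-bin/view.cgi?file=../../etc/shadow HTTP/1.1" 403 210 "-" "curl/8.0"
"""

APP_LOG = """\
2023-10-10T13:56:01Z ERROR client=10.0.0.9 script=/cgi-bin/search.cgi DBD::mysql syntax error near 'OR 1=1--'
2023-10-10T13:56:07Z WARN client=10.0.0.9 script=/cgi-bin/view.cgi open() of ../../etc/passwd outside docroot
2023-10-10T13:56:20Z ERROR client=10.0.0.9 script=/cgi-bin/view.cgi permission denied ../../etc/shadow
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
APP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>[A-Z]+) client=(?P<ip>\S+) script=(?P<script>\S+) (?P<msg>.*)$')


def parse_access(text):
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            d = m.groupdict()
            rows.append({"ip": d["ip"],
                         "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                         "target": d["target"], "script": d["target"].split("?", 1)[0],
                         "status": int(d["status"]),
                         "size": 0 if d["size"] == "-" else int(d["size"])})
    return rows


def parse_app(text):
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(d)
    return events


def correlate(access, events, window=timedelta(seconds=2), levels=("ERROR", "WARN")):
    """Attach to each request the application errors logged for the same client and
    script within the window; the two logs share no request id, so this is the join."""
    for row in access:
        row["errors"] = [e for e in events if e["level"] in levels and e["ip"] == row["ip"]
                         and e["script"] == row["script"] and abs(e["ts"] - row["ts"]) <= window]
    return access


def find_leaks(access_text=ACCESS_LOG, app_text=APP_LOG, ratio=3.0):
    """Return candidate information leaks, largest size anomaly first."""
    access = correlate(parse_access(access_text), parse_app(app_text))
    clean = defaultdict(list)  # per script: body sizes of 2xx responses with no app error
    for r in access:
        if 200 <= r["status"] < 300 and not r["errors"]:
            clean[r["script"]].append(r["size"])
    findings = []
    for r in access:
        if not (200 <= r["status"] < 300 and r["errors"]):
            continue  # a 4xx/5xx with an error is the server refusing, not leaking
        base = clean.get(r["script"])
        size_ratio = r["size"] / median(base) if base else float("inf")
        if size_ratio >= ratio:
            findings.append({"script": r["script"], "client": r["ip"], "target": r["target"],
                             "size_ratio": round(size_ratio, 1), "error": r["errors"][0]["msg"]})
    return sorted(findings, key=lambda f: f["size_ratio"], reverse=True)
```

On the sample data the two flagged requests come from the same client: a SQL error that returned 37 times the normal search response, and a traversal that returned the file contents rather than the usual page, while the refused `shadow` request is correctly left alone because the server answered 403. The size baseline is taken only from requests with no correlated application error, so the leaking responses do not inflate their own threshold.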
Abstract: Software security is a growing and legitimate concern, especially now that 5G data is available in our palms. Research in this field requires periodic comparative analysis, because new techniques appear rapidly. The purpose of this study is to review recent developments in integrating security into the software development lifecycle (SDLC) by analysing the articles published in the last two decades, and to propose a way forward. The review follows Kitchenham's protocol and is divided into three main stages: planning, execution and analysis. From the 100 selected articles it becomes evident that a collaborative approach is needed to address critical software security risks (CSSRs) through effective risk management and estimation techniques. Quantifying risks on a numeric scale gives a comprehensive understanding of their severity and focuses resource allocation and mitigation effort. Through such an understanding of potential vulnerabilities, and the proactive mitigation that protection poker facilitates, organizations can prioritize resources effectively in today's dynamic threat landscape. The review reveals that threat analysis and security testing are the areas in which automated tools are needed in future. Accurately estimating the effort required to prioritize potential security risks is a major challenge in software security; the accuracy of effort estimation can be improved by exploring new techniques, particularly deep learning, and these estimation methods must be validated to ensure that all potential security threats are addressed. Another challenge is selecting the right model for each specific security threat. For a comprehensive evaluation, researchers should use well-known benchmark checklists.
Abstract: This study presents a methodology for evaluating and preventing security vulnerabilities in web applications. The analysis is based on techniques and tools for white-box and black-box security assessment, so that a web application can be validated in an agile and precise way. The methodology exploits the synergies between semi-automatic static and dynamic security analysis tools and manual checks. Each phase is supported by security analysis tools of differing coverage, and the results generated in one phase feed the following phases to obtain an optimized global result. The methodology can be used within more general methodologies that do not specify how static and dynamic analysis tools are to be used in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). Applying the methodology to a real web application demonstrates its effectiveness: vulnerability detection improves against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results; 24.6 per cent of the vulnerabilities reported by static analysis were checked in this way. This phase is important because each reported vulnerability can be re-checked by a second, dynamic tool to confirm whether it is a true or a false positive, and because it shows which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities, and access control analysis finds five (5) further important vulnerabilities, such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two of which permit brute-force attacks.
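How the static results can feed the dynamic phase, as an added example that is not the authors' tooling: static findings are mapped through a route table to the URLs the dynamic scanner exercised, matched on a coarse weakness family (two tools rarely agree on an exact CWE id), and split into confirmed, not reproduced, and unverified, with the share of static findings that received any dynamic check reported alongside the findings only the dynamic phase produced. The findings, routes, scanner scope and CWE mapping are all constructed for the demo.

```python
"""Feed static-analysis findings into the dynamic phase and triage them.

Added example, not the paper's tooling. Everything below is constructed: SAST
findings as (file, line, CWE), a route table from handler files to URL paths, the
paths the DAST scan actually reached, and DAST findings as (path, CWE).
"""

# Coarse weakness families so that e.g. SAST CWE-89 and DAST CWE-564 (Hibernate
# SQL injection) count as the same finding. Unknown ids fall through unchanged.
CWE_FAMILY = {
    "CWE-89": "sqli", "CWE-564": "sqli",
    "CWE-79": "xss", "CWE-80": "xss",
    "CWE-22": "path-traversal",
    "CWE-307": "brute-force", "CWE-521": "weak-password-policy",
}

SAST_FINDINGS = [
    {"file": "app/search.py", "line": 42, "cwe": "CWE-89"},
    {"file": "app/search.py", "line": 77, "cwe": "CWE-79"},
    {"file": "app/report.py", "line": 30, "cwe": "CWE-89"},
    {"file": "app/admin.py", "line": 15, "cwe": "CWE-22"},
    {"file": "lib/util.py", "line": 10, "cwe": "CWE-79"},   # library code, no route of its own
]
ROUTES = {"app/search.py": "/search", "app/login.py": "/login",
          "app/report.py": "/report", "app/admin.py": "/admin/export"}
DAST_SCOPE = {"/search", "/login", "/report"}   # /admin/export needed a session the scanner lacked
DAST_FINDINGS = [("/search", "CWE-564"), ("/login", "CWE-307"), ("/login", "CWE-521")]


def family(cwe: str) -> str:
    return CWE_FAMILY.get(cwe, cwe)


def triage(sast=SAST_FINDINGS, routes=ROUTES, dast_scope=DAST_SCOPE,
           dast_findings=DAST_FINDINGS) -> dict:
    """Split static findings into confirmed / not reproduced / unverified, list what
    only the dynamic phase saw, and report the share of static findings that got a
    dynamic check at all."""
    dynamic = {(path, family(cwe)) for path, cwe in dast_findings}
    buckets = {"confirmed": [], "not_reproduced": [], "unverified": []}
    static_pairs = set()
    for f in sast:
        path = routes.get(f["file"])
        key = (path, family(f["cwe"]))
        static_pairs.add(key)
        if path is None or path not in dast_scope:
            buckets["unverified"].append(f)        # scanner never reached it: manual check
        elif key in dynamic:
            buckets["confirmed"].append(f)         # true positive, externally exploitable
        else:
            buckets["not_reproduced"].append(f)    # candidate false positive, still needs a look
    checked = len(buckets["confirmed"]) + len(buckets["not_reproduced"])
    return {**buckets,
            "dynamic_only": sorted(dynamic - static_pairs),
            "checked_pct": round(100 * checked / len(sast), 1) if sast else 0.0}
```

The `dynamic_only` list is where access-control and authentication weaknesses such as missing lockout or a weak password policy typically surface, since they are properties of the running system rather than of any one source line; `not_reproduced` is deliberately not labelled a false positive, because a scanner that did not trigger a sink says nothing about a code path it never exercised.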
Funding: This project was funded by the Taif University Researchers Supporting Projects at Taif University, Kingdom of Saudi Arabia, under Grant Number TURSP-2020/211.
Abstract: The transformation from conventional business management systems to smart digital systems is a recurrent trend of the current era. It has driven a digital revolution in which the hardwired technologies of the software industry play a significant role. From the beginning, however, software security has remained a serious issue for stakeholders at every level. Software vulnerabilities lead to intrusions that cause data breaches, disclose sensitive data and damage an organization's reputation, which in turn translates into financial losses. Most data breaches are financially motivated, especially in the healthcare sector: cyber intruders continually target e-health data because of its high price on the dark web. Security assessment of healthcare web applications therefore demands immediate intervention mechanisms to weed out the threat of cyber-attacks. The aim of this work is an efficient and effective security assessment for healthcare web applications. The study uses a hybrid Multi-Criteria Decision Making (MCDM) model that combines the Analytic Hierarchy Process (AHP) with the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) in a Hesitant Fuzzy (HF) environment; hesitant fuzzy sets are effective for decision problems in which experts hesitate between several judgements. The proposed approach supports designers and developers in identifying, selecting and prioritizing the most important security attributes for web application development. The empirical analysis concludes that Robustness received the highest priority among the assessed security attributes, followed by Encryption, Authentication, Limit Access, Revoke Access, Data Validation and Maintain Audit Trail. The results indicate that the proposed computational procedure is the most suitable mechanism for determining web application security. The study also establishes guidelines that developers can use to identify and prioritize security attributes and so build more secure and trustworthy web applications.
Funding: Funded by Grant No. 12-INF2970-10 from the National Science, Technology and Innovation Plan (MAARIFAH), King Abdul-Aziz City for Science and Technology (KACST), Saudi Arabia.
Abstract: In recent years the boom in web-based applications has attracted the hacker community, and the security risk of web-based hospital management systems (WBHMS) has been rising rapidly. In this context the main goal of security professionals and website developers is to maintain security controls and to improve user confidence and satisfaction. Different WBHMS face different kinds of security risk, but in every WBHMS the security of patients' medical information is of utmost importance; indeed, the medical industry as a whole carries an inherent security risk to its data and assets. The objective of this study is a security risk assessment of WBHMS. The assessment concerns securing the integrity of information in alignment with the Health Insurance Portability and Accountability Act, including protecting the relevant financial records and identifying, evaluating and preventing data breaches. According to the US-based cyber-security firm FireEye, 6.8 million data thefts were recorded in the Indian healthcare sector in the past few years, and the Breach Barometer report states that data breaches in 2019 were up 48.6% over 2018. Assessing the security risk of WBHMS is therefore important. In this research we have followed the hybrid fuzzy analytic hierarchy process and technique for order of preference by similarity to ideal solution (F-AHP-TOPSIS) approach to assess the security risk of WBHMS; the empirical data were collected at a local hospital in Varanasi, U.P., India. Given the sensitivity of a WBHMS within the hospital's management framework, this work considered diverse types of web applications. The results and the procedure used in this assessment would support future researchers and specialists in organizing web applications with advanced support for safety and security.
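The crisp core of the AHP-TOPSIS procedure used in this abstract and in the healthcare web application abstract above, as an added example that is not either paper's computation: AHP weights are derived from a pairwise comparison matrix and TOPSIS then ranks alternatives by their closeness to the ideal solution. The hesitant fuzzy extension in the papers replaces each crisp judgement with a set of possible values; the pairwise matrix, criteria and attribute scores below are constructed for the demo.

```python
"""Crisp AHP weights plus TOPSIS ranking of security attributes.

Added example, not the papers' (hesitant fuzzy) computations. The pairwise matrix,
the criteria and the attribute scores are constructed for the demo.
"""
import math

# Constructed AHP pairwise comparison of three criteria on Saaty's 1-9 scale:
# entry (i, j) says how much more important criterion i is than criterion j.
PAIRWISE = [
    [1.0, 2.0, 4.0],   # breach impact reduction
    [0.5, 1.0, 2.0],   # regulatory coverage
    [0.25, 0.5, 1.0],  # implementation cost
]
IS_COST = [False, False, True]   # a lower implementation cost is better

# Constructed expert scores (1-9) of security attributes against the criteria.
SCORES = {
    "Robustness": [9, 8, 3],
    "Encryption": [7, 7, 5],
    "Data Validation": [5, 6, 6],
}


def ahp_weights(pairwise):
    """Priority vector by the row geometric-mean method, which equals the principal
    eigenvector for a perfectly consistent matrix and approximates it otherwise.
    (A real study would also report Saaty's consistency ratio.)"""
    n = len(pairwise)
    gm = [math.prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(gm)
    return [g / total for g in gm]


def topsis(matrix, weights, is_cost):
    """Closeness coefficient in [0, 1] for every alternative; higher is better."""
    names = list(matrix)
    m = len(weights)
    # vector normalisation per criterion, then weighting
    norms = [math.sqrt(sum(matrix[a][j] ** 2 for a in names)) for j in range(m)]
    v = {a: [weights[j] * matrix[a][j] / norms[j] for j in range(m)] for a in names}
    # positive ideal = best value on each criterion, negative ideal = worst value
    best = [(min if is_cost[j] else max)(v[a][j] for a in names) for j in range(m)]
    worst = [(max if is_cost[j] else min)(v[a][j] for a in names) for j in range(m)]
    closeness = {}
    for a in names:
        d_best, d_worst = math.dist(v[a], best), math.dist(v[a], worst)
        closeness[a] = d_worst / (d_best + d_worst) if d_best + d_worst else 0.0
    return closeness


def rank(matrix=SCORES, pairwise=PAIRWISE, is_cost=IS_COST):
    """Alternatives ordered best-first."""
    c = topsis(matrix, ahp_weights(pairwise), is_cost)
    return sorted(c, key=c.get, reverse=True)
```

In the constructed data Robustness is best on every criterion and so coincides with the positive ideal (closeness 1.0), Data Validation coincides with the negative ideal (closeness 0.0), and Encryption falls between them; with real, non-dominated alternatives the weights decide the order, which is why the quality of the pairwise judgements, and a consistency check on them, matters more than the arithmetic.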
Abstract: With the development and application of SOA technology, the security of Web services built on heterogeneous platforms has become an increasingly prominent issue, and the security of SOAP messages is central to Web service security. To address security across heterogeneous platforms, this paper proposes a security processing model named SIMSA (Security Interactive Model based on SOAP and Authentication). Experimental verification shows that the model secures SOAP message transmission and enhances the security of Web services on heterogeneous platforms.