Security Assessment

Quality and Security Assessment

QMEditor

Open and dynamic cooperative architectures built from services (service-oriented architectures, SOA) are now widespread. In these architectures, problems may be solved by existing services or by composing them.

The Customer of a service is interested not only in its functionality but also in its quality (i.e. performance, cost, reliability, security and so on). In this scenario, models, techniques and tools that support the effective selection of the service providing the best quality are needed.

QMEditor supports the process of defining quality policies for both the Customer and the Provider. QMEditor uses Java 1.6.

QMEditor Download (JAR file + Offline Documentation)

QMEditor Online Documentation (Italian)

An AHP-Based Framework for Quality and Security Evaluation

Valentina Casola, Anna Rita Fasolino, Nicola Mazzocca, Porfirio Tramontana:
An AHP-Based Framework for Quality and Security Evaluation. CSE (3) 2009: 405-411

A policy-based evaluation framework for Quality and Security in Service Oriented Architectures

Valentina Casola, Anna Rita Fasolino, Nicola Mazzocca, Porfirio Tramontana:

A policy-based evaluation framework for Quality and Security in Service Oriented Architectures. ICWS 2007: 1181-1190

Security of Web Applications

Identifying Cross Site Scripting Vulnerabilities in Web Applications

Giuseppe A. Di Lucca, Anna Rita Fasolino, M. Mastoianni, Porfirio Tramontana:

Identifying Cross Site Scripting Vulnerabilities in Web Applications. WSE 2004: 71-80

Cross site scripting (XSS) is a vulnerability of a Web application that is essentially caused by the failure of the application to validate user input before returning it to the client's Web browser. Without adequate validation, user input may include malicious code that may be sent to other clients and unexpectedly executed by their browsers, thus causing a security attack. Techniques to prevent this type of attack require that all application input be checked and filtered, encoded, or validated before it is sent to any user. In order to discover the XSS vulnerabilities in a Web application, traditional source code analysis techniques can be exploited. In this paper, in order to assess the XSS vulnerability of a Web application, an approach that combines static and dynamic analysis of the Web application is presented. Static-analysis-based criteria have been defined to detect potential vulnerabilities in the server pages of a Web application, while a process of dynamic analysis has been proposed in order to detect actual vulnerabilities. Some case studies have been carried out, giving encouraging results.
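The abstract describes two complementary checks: a static criterion over server pages (a request parameter reaching the response without passing through an encoder) and a dynamic check that confirms whether a page actually reflects input unencoded. The following is an added illustration of both, written for this page and not the tool or code from the paper. The JSP-like page format, the encoder names matched by the static rule, the sample page and the greeting handlers are all constructed assumptions; the hardened handler shows the output-encoding mitigation the abstract refers to.

```python
"""Added example: a static source-to-sink criterion for server pages and a
dynamic reflection check. Page format, encoder names and sample inputs are
assumptions constructed for this illustration."""
import html
import re

# Static criterion (assumed page format, JSP-style):
#   source  = request.getParameter(...)
#   sink    = out.print/println(...) or a <%= ... %> expression
#   encoder = a call that neutralises HTML metacharacters on the same statement
SOURCE_RE = re.compile(r"request\.getParameter\(")
SINK_RE = re.compile(r"out\.print(?:ln)?\(|<%=")
ENCODER_RE = re.compile(r"\b(?:escapeHtml|encodeForHTML|html\.escape)\(")
# Assignment of a request parameter to a local variable taints that variable.
ASSIGN_RE = re.compile(r"(?:String\s+)?(\w+)\s*=\s*request\.getParameter\(")

# Constructed sample server page (not from the paper).
SAMPLE_PAGE = """<%@ page language="java" %>
<% String name = request.getParameter("name"); %>
<% String city = request.getParameter("city"); %>
<html><body>
<p>Hello <%= name %></p>
<p>City: <%= escapeHtml(city) %></p>
<% out.println("Search: " + request.getParameter("q")); %>
</body></html>"""


def find_potential_xss(page_source: str):
    """Return (line number, statement) pairs where a request parameter, directly
    or through a tainted local variable, reaches an output sink on a statement
    that applies no recognised encoder. This is a heuristic: encoding applied on
    an earlier line is not tracked, so findings are *potential* vulnerabilities."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(page_source.splitlines(), start=1):
        assign = ASSIGN_RE.search(line)
        if assign:
            tainted.add(assign.group(1))
        if not SINK_RE.search(line) or ENCODER_RE.search(line):
            continue
        direct = bool(SOURCE_RE.search(line))
        via_var = any(re.search(rf"\b{re.escape(v)}\b", line) for v in tainted)
        if direct or via_var:
            findings.append((lineno, line.strip()))
    return findings


# Dynamic check: send a harmless marker containing HTML metacharacters and see
# whether it comes back unencoded. Only a reflection of the raw marker counts.
MARKER = "<probe-marker>"


def reflects_unencoded(render_fn, param_name: str = "name") -> bool:
    """True when render_fn echoes the raw marker, i.e. the actual vulnerability."""
    return MARKER in render_fn({param_name: MARKER})


def vulnerable_greeting(params: dict) -> str:
    """Constructed handler that concatenates user input into HTML (the weak form)."""
    return "<p>Hello " + params.get("name", "") + "</p>"


def hardened_greeting(params: dict) -> str:
    """Same handler with HTML output encoding applied (the mitigation)."""
    return "<p>Hello " + html.escape(params.get("name", ""), quote=True) + "</p>"


if __name__ == "__main__":
    for lineno, stmt in find_potential_xss(SAMPLE_PAGE):
        print(f"potential XSS at line {lineno}: {stmt}")
    print("vulnerable handler reflects raw input:", reflects_unencoded(vulnerable_greeting))
    print("hardened handler reflects raw input:", reflects_unencoded(hardened_greeting))
```

Run against the constructed page, the static rule flags lines 5 and 7 (unencoded `name` and a direct `request.getParameter` in `out.println`) and accepts line 6, where `escapeHtml` is applied; the dynamic check then separates the handler that really reflects the marker from the one that encodes it. In practice the static findings are the candidates, and the dynamic step is what confirms them, which is the division of labour the abstract describes.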

Research Directions in Web Site Evolution II: Web Application Security

Porfirio Tramontana, Thomas R. Dean, Scott R. Tilley:

Research Directions in Web Site Evolution II: Web Application Security. WSE 2007: 105-106

The growth of inexpensive bandwidth and the maturation of Web development technology have enabled a significant adoption of Web-based applications for interactions between customers and businesses, between businesses, and between citizens and institutions. However, those same improvements in bandwidth and the corresponding rise in Web system complexity have also been of use to those with malicious intent. Thus Web security (of the applications and of the site itself) is of increasing importance to academics, industry, and government. This working session is meant to stimulate discussion among all symposium participants on research directions in Web security.