Rapid increases in information technology also changed the existing markets and transformed them into emarkets (e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized access. This causes the security technology implementation of E-commerce very difficult at other engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects, this editorial also suggested an implementation design of the logical security framework for SOA supported E-commerce system.
Parsing of xml file to make secure transaction in mobile commerceijcsa
Mobile commerce M-Commerce is transaction using mobile devices. Now a day’s users are dependable on mobile phone because of its anytime, anywhere features. User purchase and pay more with their mobile device than desktop. Therefore, the security of M-commerce transaction should be strong enough to enhance its performance. Mobile phones use WAP, i-mode and J2ME technologies for programming for making transaction. The data during transaction is sent as XML file. The XML processor takes more time to encrypt which leads to breakdown the security during transaction. This paper has defined the code to parse XML file which reduces it size so that data during transaction would be sent with ease and fast. The code is written in XML and J2ME as these technologies can easily run on multiple platform.
Bluedog white paper - Our WebObjects Web Security Modeltom termini
At Bluedog, our seminal product, Workbench “Always on the Job!” social collaboration SAAS platform is secured the way we have architected all our three-tier Java-based web applications. We secure the application with input validation, a core authentication authorization framework based on LDAP and JINDI, configuration management that ensures testing for vulnerabilities, and strong use of cryptography. In addition, we utilize session management, exception control, auditing and logging to ensure security of the app and web services.
We also secure our routers and other aspects of the network as well as securing the host servers (patching, account management, directory access, and port monitoring). Most importantly, we design our WebObject web applications securely from the get-go.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure their information. Web Services security could be guaranteed by employing security standards, which is the main focus of this search. Every suggested model related to security design should put in the account the securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The proposed model describes SOAP messages and the way to secure their contents. Due to the reason that SOAP message is the core of the exchanging information in Web Services, this research has developed a security model needed to ensure e-business security. The essence of our model depends on XML encryption and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a high speed of transaction and a strong level of security without jeopardizing the performance of transmission information.
Data Stream Controller for Enterprise Cloud ApplicationIJSRD
Cloud computing is an emerging computing paradigm where computing resources are provided as services over Internet while residing in a large data center. Even though it enables us to dynamically provide servers with the ability to address a wide range of needs, this paradigm brings forth many new challenges for the data security and access control as users outsource their sensitive data to clouds, which are beyond the same trusted domain as data owners. The occupier need not be concerned with how the Paas system achieves expansion under high load.MAC systems differ as security policy is defined for the entire system, typically by administrators. Information flow control (IFC) is a MAC approach, developed originally from military information management methodologies. IFC can be used to enforce more general policies, using appropriate labeling and checking schemes. The labels can be used to manage both confidentiality and integrity concerns, tracking “secrecy†and “quality†of data, respectively. Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flow between the pieces of application and the outside world. As applied to privacy DIFC allows un trusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity DIFC allows trusted code to protect un trusted software from unexpected inputs.
Parsing of xml file to make secure transaction in mobile commerceijcsa
Mobile commerce M-Commerce is transaction using mobile devices. Now a day’s users are dependable on mobile phone because of its anytime, anywhere features. User purchase and pay more with their mobile device than desktop. Therefore, the security of M-commerce transaction should be strong enough to enhance its performance. Mobile phones use WAP, i-mode and J2ME technologies for programming for making transaction. The data during transaction is sent as XML file. The XML processor takes more time to encrypt which leads to breakdown the security during transaction. This paper has defined the code to parse XML file which reduces it size so that data during transaction would be sent with ease and fast. The code is written in XML and J2ME as these technologies can easily run on multiple platform.
Bluedog white paper - Our WebObjects Web Security Modeltom termini
At Bluedog, our seminal product, Workbench “Always on the Job!” social collaboration SAAS platform is secured the way we have architected all our three-tier Java-based web applications. We secure the application with input validation, a core authentication authorization framework based on LDAP and JINDI, configuration management that ensures testing for vulnerabilities, and strong use of cryptography. In addition, we utilize session management, exception control, auditing and logging to ensure security of the app and web services.
We also secure our routers and other aspects of the network as well as securing the host servers (patching, account management, directory access, and port monitoring). Most importantly, we design our WebObject web applications securely from the get-go.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure their information. Web Services security could be guaranteed by employing security standards, which is the main focus of this search. Every suggested model related to security design should put in the account the securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The proposed model describes SOAP messages and the way to secure their contents. Due to the reason that SOAP message is the core of the exchanging information in Web Services, this research has developed a security model needed to ensure e-business security. The essence of our model depends on XML encryption and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a high speed of transaction and a strong level of security without jeopardizing the performance of transmission information.
Data Stream Controller for Enterprise Cloud ApplicationIJSRD
Cloud computing is an emerging computing paradigm where computing resources are provided as services over Internet while residing in a large data center. Even though it enables us to dynamically provide servers with the ability to address a wide range of needs, this paradigm brings forth many new challenges for the data security and access control as users outsource their sensitive data to clouds, which are beyond the same trusted domain as data owners. The occupier need not be concerned with how the Paas system achieves expansion under high load.MAC systems differ as security policy is defined for the entire system, typically by administrators. Information flow control (IFC) is a MAC approach, developed originally from military information management methodologies. IFC can be used to enforce more general policies, using appropriate labeling and checking schemes. The labels can be used to manage both confidentiality and integrity concerns, tracking “secrecy†and “quality†of data, respectively. Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flow between the pieces of application and the outside world. As applied to privacy DIFC allows un trusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity DIFC allows trusted code to protect un trusted software from unexpected inputs.
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...IJERA Editor
In this paper, SMCSaaS is proposed to secure email system based on Web Service and Cloud Computing
Model. The model offers end-to-end security, privacy, and non-repudiation of PKI without the associated
infrastructure complexity. The Proposed Model control risks in Cloud Computing like Insecure Application
Programming Interfaces, Malicious Insiders, Data Loss Shared Technology Vulnerabilities, or Leakage,
Account, Service, Traffic Hijacking and Unknown Risk Profile
Cloud computing is a major trend and a fast growing phenomena in the IT world. Organizations working in different sectors such as education or business are becoming more interested in moving their applications to the cloud to boost their infrastructure resources; increase their applications’ scalability and reduce costs. This boost in demand for cloud services led to the need for clouds to federate, in order to flawlessly deliver the required computation power and other services. In addition, there is major trend in delegating identity management tasks to identity providers in order to reduce cost. Managing identity and access control across different domains is a challenge. This paper proposes a framework for managing identity in federated clouds based on the use of a Security Assertion Markup Language (SAML) Agent. The agent acts as an interface for a cloud identity manager where it sends and receives identity assertion requests from and to other clouds in the federation. In addition, the agent assigns roles to users using identity attributes received in assertions and cloud’s internal role mapping rules. For testing the agent’s capability to scale and sustain load, a prototype implementation was developed. Performance evaluation results demonstrate the viability of the proposed framework.
An explicit trust model towards better system securitycsandit
Trust is an absolute necessity for digital communications; but is often viewed as an implicit
singular entity. The use of the internet as the primary vehicle for information exchange has
made accountability and verifiability of system code almost obsolete. This paper proposes a
novel approach towards enforcing system security by requiring the explicit definition of trust for
all operating code. By identifying the various classes and levels of trust required within a
computing system; trust is defined as a combination of individual characteristics. Trust is then
represented as a calculable metric obtained through the collective enforcement of each of these
characteristics to varying degrees. System Security is achieved by facilitating trust to be a
constantly evolving aspect for each operating code segment capable of getting stronger or
weaker over time.
A study of SAAS of cloud computing securing methodology against Poodle Attack†are taken for discussion. Cloud –It’s a resource centric technology. So secure it’s a main concern like POODLE (Padding Oracle on Downgraded Legacy Encryption) attack will affect SSL based connection system between client and server which is a serious cost. POODLE will disconnect the SSL connections. In Cloud it’s a open connectivity, over the network we can access the resources for user requirement. Connection Setup, recently everywhere used SSL. So far, Strong Authentication in connection setup, Server side authentication should be in Cloud. For sever side Keystone which is in OPENSTACK, for sever side authentication. So in this paper for mainly for SAAS (Secure As A Service) model for Cloud Environment.
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacksiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...IJNSA Journal
Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...IJNSA Journal
Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.
INFORMATION AND COMMUNICATION SECURITY MECHANISMS FOR MICROSERVICES-BASED SYS...IJNSA Journal
Security has become paramount in modern software services as more and more security breaches emerge, impacting final users and organizations alike. Trends like the Microservice Architecture bring new security challenges related to communication, system design, development, and operation. The literature presents a plethora of security-related solutions for microservices-based systems, but the spread of information difficult practitioners' adoption of novel security related solutions. In this study, we aim to present a catalogue and discussion of security solutions based on algorithms, protocols, standards, or implementations; supporting principles or characteristics of information security, considering the three possible states of data, according to the McCumber Cube. Our research follows a Systematic Literature Review, synthesizing the results with a meta-aggregation process. We identified a total of 30 primary studies, yielding 75 security solutions for the communication of microservices.
Architecting Secure Service Oriented Web ServicesIDES Editor
The importance of the software security has been
profound, since most attacks to software systems are based on
vulnerabilities caused by poorly designed and developed
software. Design flaws account for fifty percent of security
problems and risk analysis plays essential role in solid security
problems. Service Web Services are an integral part of next
generation Web applications. The development and use of
these services is growing at an incredible rate, and so too
security issues surrounding them. If the history of interapplication
communication repeats itself, the ease with which
web services architectures publish information about
applications across the network is only going to result in more
application hacking. At the very least, it’s going to put an even
greater burden on web architects and developers to design
and write secure code. Developing specification like WSSecurity
should be leveraged as secure maturity happens over
firewalls. In this paper, we want to discuss security
architectures design patterns for Service Oriented Web
Services. Finally, we validated this by implementing a case
study of a Service Oriented Web Services application
StockTrader Security using WS-Security and WS-Secure
Conversation.
Grid computing is concerned with the sharing and use of resources in dynamic distributed virtual
organizations. The dynamic nature of Grid environments introduces challenging security concerns that
demand new technical approaches. In this brief overview we review key Grid security issues and outline
the technologies that are being developed to address those issues. We focus on works done by Globus
Toolkits to provide security and also we will discuss about the cyber security in Grid.
XML Encryption and Signature for Securing Web ServicesCSEIJJournal
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure
their information. Web Services security could be guaranteed by employing security standards, which is the
main focus of this search. Every suggested model related to security design should put in the account the
securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The
proposed model describes SOAP messages and the way to secure their contents. Due to the reason that
SOAP message is the core of the exchanging information in Web Services, this research has developed a
security model needed to ensure e-business security. The essence of our model depends on XML encryption
and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a
high speed of transaction and a strong level of security without jeopardizing the performance of
transmission information.
XML ENCRYPTION AND SIGNATURE FOR SECURING WEB SERVICESijcsit
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure their information. Web Services security could be guaranteed by employing security standards, which is the main focus of this search. Every suggested model related to security design should put in the account the securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The proposed model describes SOAP messages and the way to secure their contents. Due to the reason that SOAP message is the core of the exchanging information in Web Services, this research has developed a security model needed to ensure e-business security. The essence of our model depends on XML encryption
and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a high speed of transaction and a strong level of security without jeopardizing the performance of transmission information.
This paper analyzes vulnerabilities of the SSL/TLS
Handshake
protocol
, which
is
responsible
for
authentication of
the parties in the
communication
and
negotiation of
security parameters
that
will be used
to protect
confidentiality and
integrity of the
data
. It
will
be
analyzed the
attacks
against the implementation of Handshake
protocol, as well as the
attacks against the other
elements
necessary to SSL/TLS protocol to discover security
flaws that were exploited, modes of
attack, the potential consequences, but also studyi
ng methods of defense
.
All versions of the
protocol are going to be the subject of the researc
h but
emphasis will be placed
on the critical
attack that
the most endanger the safety of data.
The goal of
the research
is
to point out the
danger of
existence
of at least
vulnerability
in the SSL/TLS protocol
, which
can be exploited
and
endanger the safety of
the data
that should be protected.
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...IJERA Editor
In this paper, SMCSaaS is proposed to secure email system based on Web Service and Cloud Computing
Model. The model offers end-to-end security, privacy, and non-repudiation of PKI without the associated
infrastructure complexity. The Proposed Model control risks in Cloud Computing like Insecure Application
Programming Interfaces, Malicious Insiders, Data Loss Shared Technology Vulnerabilities, or Leakage,
Account, Service, Traffic Hijacking and Unknown Risk Profile
Cloud computing is a major trend and a fast growing phenomena in the IT world. Organizations working in different sectors such as education or business are becoming more interested in moving their applications to the cloud to boost their infrastructure resources; increase their applications’ scalability and reduce costs. This boost in demand for cloud services led to the need for clouds to federate, in order to flawlessly deliver the required computation power and other services. In addition, there is major trend in delegating identity management tasks to identity providers in order to reduce cost. Managing identity and access control across different domains is a challenge. This paper proposes a framework for managing identity in federated clouds based on the use of a Security Assertion Markup Language (SAML) Agent. The agent acts as an interface for a cloud identity manager where it sends and receives identity assertion requests from and to other clouds in the federation. In addition, the agent assigns roles to users using identity attributes received in assertions and cloud’s internal role mapping rules. For testing the agent’s capability to scale and sustain load, a prototype implementation was developed. Performance evaluation results demonstrate the viability of the proposed framework.
An explicit trust model towards better system securitycsandit
Trust is an absolute necessity for digital communications; but is often viewed as an implicit
singular entity. The use of the internet as the primary vehicle for information exchange has
made accountability and verifiability of system code almost obsolete. This paper proposes a
novel approach towards enforcing system security by requiring the explicit definition of trust for
all operating code. By identifying the various classes and levels of trust required within a
computing system; trust is defined as a combination of individual characteristics. Trust is then
represented as a calculable metric obtained through the collective enforcement of each of these
characteristics to varying degrees. System Security is achieved by facilitating trust to be a
constantly evolving aspect for each operating code segment capable of getting stronger or
weaker over time.
A study of SAAS of cloud computing securing methodology against Poodle Attack†are taken for discussion. Cloud –It’s a resource centric technology. So secure it’s a main concern like POODLE (Padding Oracle on Downgraded Legacy Encryption) attack will affect SSL based connection system between client and server which is a serious cost. POODLE will disconnect the SSL connections. In Cloud it’s a open connectivity, over the network we can access the resources for user requirement. Connection Setup, recently everywhere used SSL. So far, Strong Authentication in connection setup, Server side authentication should be in Cloud. For sever side Keystone which is in OPENSTACK, for sever side authentication. So in this paper for mainly for SAAS (Secure As A Service) model for Cloud Environment.
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacksiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...IJNSA Journal
Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...IJNSA Journal
Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.
INFORMATION AND COMMUNICATION SECURITY MECHANISMS FOR MICROSERVICES-BASED SYS...IJNSA Journal
Security has become paramount in modern software services as more and more security breaches emerge, impacting final users and organizations alike. Trends like the Microservice Architecture bring new security challenges related to communication, system design, development, and operation. The literature presents a plethora of security-related solutions for microservices-based systems, but the spread of information difficult practitioners' adoption of novel security related solutions. In this study, we aim to present a catalogue and discussion of security solutions based on algorithms, protocols, standards, or implementations; supporting principles or characteristics of information security, considering the three possible states of data, according to the McCumber Cube. Our research follows a Systematic Literature Review, synthesizing the results with a meta-aggregation process. We identified a total of 30 primary studies, yielding 75 security solutions for the communication of microservices.
Architecting Secure Service Oriented Web ServicesIDES Editor
The importance of the software security has been
profound, since most attacks to software systems are based on
vulnerabilities caused by poorly designed and developed
software. Design flaws account for fifty percent of security
problems and risk analysis plays essential role in solid security
problems. Service Web Services are an integral part of next
generation Web applications. The development and use of
these services is growing at an incredible rate, and so too
security issues surrounding them. If the history of interapplication
communication repeats itself, the ease with which
web services architectures publish information about
applications across the network is only going to result in more
application hacking. At the very least, it’s going to put an even
greater burden on web architects and developers to design
and write secure code. Developing specification like WSSecurity
should be leveraged as secure maturity happens over
firewalls. In this paper, we want to discuss security
architectures design patterns for Service Oriented Web
Services. Finally, we validated this by implementing a case
study of a Service Oriented Web Services application
StockTrader Security using WS-Security and WS-Secure
Conversation.
Grid computing is concerned with the sharing and use of resources in dynamic distributed virtual
organizations. The dynamic nature of Grid environments introduces challenging security concerns that
demand new technical approaches. In this brief overview we review key Grid security issues and outline
the technologies that are being developed to address those issues. We focus on works done by Globus
Toolkits to provide security and also we will discuss about the cyber security in Grid.
XML Encryption and Signature for Securing Web ServicesCSEIJJournal
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure
their information. Web Services security could be guaranteed by employing security standards, which is the
main focus of this search. Every suggested model related to security design should put in the account the
securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The
proposed model describes SOAP messages and the way to secure their contents. Due to the reason that
SOAP message is the core of the exchanging information in Web Services, this research has developed a
security model needed to ensure e-business security. The essence of our model depends on XML encryption
and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a
high speed of transaction and a strong level of security without jeopardizing the performance of
transmission information.
XML ENCRYPTION AND SIGNATURE FOR SECURING WEB SERVICESijcsit
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure their information. Web Services security could be guaranteed by employing security standards, which is the main focus of this search. Every suggested model related to security design should put in the account the securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The proposed model describes SOAP messages and the way to secure their contents. Due to the reason that SOAP message is the core of the exchanging information in Web Services, this research has developed a security model needed to ensure e-business security. The essence of our model depends on XML encryption
and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a high speed of transaction and a strong level of security without jeopardizing the performance of transmission information.
This paper analyzes vulnerabilities of the SSL/TLS
Handshake
protocol
, which
is
responsible
for
authentication of
the parties in the
communication
and
negotiation of
security parameters
that
will be used
to protect
confidentiality and
integrity of the
data
. It
will
be
analyzed the
attacks
against the implementation of Handshake
protocol, as well as the
attacks against the other
elements
necessary to SSL/TLS protocol to discover security
flaws that were exploited, modes of
attack, the potential consequences, but also studyi
ng methods of defense
.
All versions of the
protocol are going to be the subject of the researc
h but
emphasis will be placed
on the critical
attack that
the most endanger the safety of data.
The goal of
the research
is
to point out the
danger of
existence
of at least
vulnerability
in the SSL/TLS protocol
, which
can be exploited
and
endanger the safety of
the data
that should be protected.
This paper analyzes vulnerabilities of the SSL/TLS Handshake protocol, which is responsible for authentication of the parties in the communication and negotiation of security parameters that will be used to protect confidentiality and integrity of the data. It will be analyzed the attacks against the implementation of Handshake protocol, as well as the attacks against the other
elements necessary to SSL/TLS protocol to discover security flaws that were exploited, modes of
attack, the potential consequences, but also studying methods of defense. All versions of the
protocol are going to be the subject of the research but emphasis will be placed on the critical attack that the most endanger the safety of data. The goal of the research is to point out the
danger of existence of at least vulnerability in the SSL/TLS protocol, which can be exploited and endanger the safety of the data that should be protected.
SOA is becoming important for Business Process Management and Enterprises. Now SOA is widely used by Enterprises as it provides seamless environment, flexibility, interoperability, but at the same time security should also consider because the basic SOA framework doesn�t possess any security. It depends upon the respective proprietor for security [1]. In recent times many research work had done for SOA security. Researchers have also proposed various frameworks and models such as FIX [2], SAVT [3] which tries a lot, but cannot achieve any landmark as they are based on XML schema.This proposed novel work contains an inbuilt security module which was based on PKI. At the same time this model will intact the flexibility and interoperability as the security module is embedded by analyzing the nature of WSDL, UDDI, SOAP and XML. These protocols are also compatible with PKI. Proposed Model was implemented in the asp.net environment then experimental results are compared with other security methods such as data mining based web security and automata based web security
Soa Testing An Approach For Testing Security Aspects Of Soa Based ApplicationJaipal Naidu
This paper has been co authored by me and has been shortlisted by QAI Global as an emerging area best practise to be presented in the Annual Software Testing Conference 2009
A Survey on Authorization Systems for Web Applicationsiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionCSCJournals
Since its introduction in 1994 the Secure Socket Layer (SSL) protocol (later renamed to Transport Layer Security (TLS)) evolved to the de facto standard for securing the transport layer. SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes in order to counter the issues. This paper presents an overview on theoretical and practical attacks of the last 20 years.
HTTPI BASED WEB SERVICE SECURITY OVER SOAP IJNSA Journal
Now a days, a new family of web applications 'open applications’, are emerging (e.g., Social Networking, News and Blogging). Generally, these open applications are non-confidential. The security needs of these applications are only client/server authentication and data integrity. For securing these open applications, effectively and efficiently, HTTPI, a new transport protocol is proposed, which ensures the entire security requirements of open applications. Benefit of using the HTTPI is that it is economical in use, well-suited for cache proxies, like HTTP is, and provides security against many Internet attacks (Server Impersonation and Message Modification) like HTTPS does. In terms of performance HTTPI is very close to the HTTP, but much better than HTTPS. A Web service is a method of communication between two ends over the Internet. These web services are developed over XML and HTTP. Today, most of the open applications use web services for most of their operations. For securing these web services, security design based on HTTPI is proposed. Our work involves securing the web services over SOAP, based on the HTTPI. This secure web service might be applicable for open applications, where authentication and integrity is needed, but no confidentiality required.
In our paper, we introduce a web service security model based on HTTPI protocol over SOAP and develop a preliminary implementation of this model. We also analyze the performance of our approach through an experiment and show that our proposed approach provides higher throughput, lower average response time and lower response size than HTTPS based web service security approach.
The project work explores in detail, the security issues in a SOA environment and also describes the various approaches to these issues. The different approaches to SOA security (i.e. message level security, security as a service and policy driven security) are not standalone solutions, but can be deployed as mix and match solutions. A SOA security solution can make use of all the approaches to address specific security concerns. Finally the project work describes a generic SOA security model which acts as a reference model to identify security vulnerabilities in enterprise application integration (EAI). These vulnerabilities can then be addressed by the different approaches to security.
Web applications can provide convenience and efficiency, however there are also a number of new security threats, which could potentially pose significant risks to an organisation's information technology infrastructure if not handled properly.
Similar to Designing A Logical Security Framework for E-Commerce System Based on SOA (20)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Automobile Management System Project Report.pdfKamal Acharya
The proposed project is developed to manage the automobile in the automobile dealer company. The main module in this project is login, automobile management, customer management, sales, complaints and reports. The first module is the login. The automobile showroom owner should login to the project for usage. The username and password are verified and if it is correct, next form opens. If the username and password are not correct, it shows the error message.
When a customer search for a automobile, if the automobile is available, they will be taken to a page that shows the details of the automobile including automobile name, automobile ID, quantity, price etc. “Automobile Management System” is useful for maintaining automobiles, customers effectively and hence helps for establishing good relation between customer and automobile organization. It contains various customized modules for effectively maintaining automobiles and stock information accurately and safely.
When the automobile is sold to the customer, stock will be reduced automatically. When a new purchase is made, stock will be increased automatically. While selecting automobiles for sale, the proposed software will automatically check for total number of available stock of that particular item, if the total stock of that particular item is less than 5, software will notify the user to purchase the particular item.
Also when the user tries to sale items which are not in stock, the system will prompt the user that the stock is not enough. Customers of this system can search for a automobile; can purchase a automobile easily by selecting fast. On the other hand the stock of automobiles can be maintained perfectly by the automobile shop manager overcoming the drawbacks of existing system.
Quality defects in TMT Bars, Possible causes and Potential Solutions.PrashantGoswami42
Maintaining high-quality standards in the production of TMT bars is crucial for ensuring structural integrity in construction. Addressing common defects through careful monitoring, standardized processes, and advanced technology can significantly improve the quality of TMT bars. Continuous training and adherence to quality control measures will also play a pivotal role in minimizing these defects.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Courier management system project report.pdfKamal Acharya
It is now-a-days very important for the people to send or receive articles like imported furniture, electronic items, gifts, business goods and the like. People depend vastly on different transport systems which mostly use the manual way of receiving and delivering the articles. There is no way to track the articles till they are received and there is no way to let the customer know what happened in transit, once he booked some articles. In such a situation, we need a system which completely computerizes the cargo activities including time to time tracking of the articles sent. This need is fulfilled by Courier Management System software which is online software for the cargo management people that enables them to receive the goods from a source and send them to a required destination and track their status from time to time.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Vaccine management system project report documentation..pdfKamal Acharya
The Division of Vaccine and Immunization is facing increasing difficulty monitoring vaccines and other commodities distribution once they have been distributed from the national stores. With the introduction of new vaccines, more challenges have been anticipated with this additions posing serious threat to the already over strained vaccine supply chain system in Kenya.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Technical Specifications
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
Key Features
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface
• Compatible with MAFI CCR system
• Copatiable with IDM8000 CCR
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
Application
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Designing A Logical Security Framework for E-Commerce System Based on SOA
1. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
DOI: 10.5121/ijsc.2014.5201 1
DESIGNING A LOGICAL SECURITY FRAMEWORK
FOR E-COMMERCE SYSTEM BASED ON SOA
Ashish Kr. Luhach1
, Dr. Sanjay K. Dwivedi2
, Dr. C. K. Jha3
1
Dronacharya College of Engineering, Gurgaon, Hr, India
2
BBA University, Lucknow, U.P., India
3
Banasthali University, Jaipur, Rajasthan, India.
Abstract
Rapid increases in information technology also changed the existing markets and transformed them into e-
markets (e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to
recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of
the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and
recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized
access. This causes the security technology implementation of E-commerce very difficult at other
engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the
flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects,
this editorial also suggested an implementation design of the logical security framework for SOA supported
E-commerce system.
Keywords
Service oriented Architecture, web services, system consolidation, logical security.
1. INTRODUCTION
The customarily architecture models used for E-commerce modeling are Common Object
Request Broker Architecture (CORBA) and Component Object Model (COM). These
architectures are based on distributed object technology having different data standards and
protocols, which are relatively complex to implement. These architecture models are tightly
coupled in nature which means if new business associates have to tie into the existing system or
codification, the whole existing code or system has to redevelop to add the young business
associate. This redevelopment brings in high operational cost and low performance to the whole
organization. These architectures are not compatible with modern E-commerce systems which
call for loose coupling, flexibility and other demands of dynamic commercial enterprise
applications or environments.
Service Oriented Architecture (SOA) fulfills the demands of modern E-commerce, such as loose
coupling of business uses and flexibility of services. SOA enables the infrastructure resources of
an endeavor to defend a society of its users and applications through services that are spread
athwart the enterprise [1]. SOA can be limited as an approach of planning and building systems
that are elastic, adaptable and scalable in order to support dynamic business applications or
environments. SOA allows enterprises to deploy, build, design and integrate the services that are
independent of applications and platforms on which they operate. These services are linked
together through business processes in order to form composite services and applications which
execute the line affairs. Each service implements an action or procedure. Services are not
affiliated with each other; they are units of functionality which are generally coupled with each
2. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
2
other and apply the standard protocols to limit the communication between them. They need the
metadata, which identifies the characteristics of all the services as well as the data that drive these
services [3].
SOA has advantages of being gentle to use, flexible, reusable, and scalable. These advantages
made SOA the paramount choice to implement E-commerce. With the advantages, SOA endows
with ease for message tampering and unauthorized access which makes, “the security
implementation of E-commerce”, more complex and unmanageable. The primary concern of this
research is to ascertain the security of SOA based E-commerce. This column is intended to design
an implementation; security framework of SOA based E-commerce.
2. CURRENT SECURITY STANDARDS AND TECHNOLOGY –
RELATED WORK
In this part, we will talk about the various security criteria and technologies for E-commerce
system and security attacks related to these technologies. The various security standard and
technologies are:
2.1 Transport layer security (TLS): Secure Socket Layer (SSL)
Transfer Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) is a non XML
security framework and widely applied to transport layer data communication. This security
standard provides authentication, integrity and confidentiality of the transmitted messages. SSL
uses public and secret key cryptography to maintain the safe data communication. SSL can be
utilized in different modes according to the security necessities, the popular, modes are No
authentication, Server authentication and two way authentications. No authentication means
neither the customer nor the server authenticates itself to the other. In such case, only
confidentiality is applied. Server authentication means only the server authenticates itself to the
customer. Two-way authentication means both client and server authenticate themselves to each
other. The various applications of TLS/SSL are E-commerce system (internet sites), Key
exchange, Cipher, Web browsers and Libraries
2.1.1 Security Attacks against TLS & SSL
Following are the significant security attacks against TLS/SSL:
Renegotiation attacks.
Version rollback attacks.
BEAST attacks.
CRIME and BREACH attacks.
Padding attacks.
RC4 attacks.
Survey of websites.
Truncation attacks.
2.2 XML Encryption
XML encryption, is a security standard developed by the World Wide Web Consortium (W3C) in
2002. XML encryption is primarily applied for encryption and decoding of XML documents and
can used for any kind of information. XML encryption uses various encryption algorithms to
code and decode the data elements for example AES, RSA and triple DES are mainly utilized for
the same. XML encryption supports both forms of symmetric and asymmetric cryptography.
XML encryption ensures the confidentiality of the communicated messages. There are five types
3. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
3
of XML encryption, which are Encryption XML Element, Encryption XML Element Content
(Elements), Encryption XML Element Content (Character Data), Encryption Arbitrary Data and
XML Documents and Super-Encryption.
2.2.1 Security Attacks against XML encryption
Weak chaining of cipher-text blocks: we can able decrypt the data by sending modified
cipher-texts to the server and gather information from the error messages.
2.3 XML Signature
As digital signature, XML signatures are applied as a standard for verifying the parentage of the
transmitted messages. XML signatures were developed by the W3C with the collaboration of
Internet Engineering Task Force (IETF). XML signature can be applied for securing any type of
messages, but typically used in an XML document. Any text files which are accessible through
Uniform Resource Allocator (URL) can be stopped up by XML signature. XML Signature
supports authentication, information integrity, and non-renunciation. The most significant
characteristic of an XML signature is it can digitally sign a lot of XML document instead of
signing the whole text file as a digital signature. XML signature allows multiple signatures to
different portion of an XML document. To validate the XML signature's authenticity a procedure
called Core validation is applied. XML signatures are more flexible in comparison with other
sorts of signatures as it utilizes the XML content instead of the binary information.
2.3.1 Security issues in XML signature
XML signature is criticized for their security architecture in general as of their
complexity and poor performance.
XML signatures are not suitable for sensitive SOA applications.
The use of XML signatures in SOAP and WS-security can be vulnerable if not properly
implemented.
2.4 XML key management specification (XKMS)
XML key management specification (XKMS) is defined as web services, which supply an
intermediate interface between XML application and Public Key Infrastructure (PKI). XKMS
were developed by the W3C with the collaboration of Internet Engineering Task Force (IETF).
XKMS greatly simplifies the deployment of enterprise strength Public Key Infrastructure by
transferring complex processing tasks from the client application to a Trust Service [7]. XKMS
supports XML signatures and XML encryptions. XKMS basically designed for the distribution
and enrollment of public keys. The design criteria of XKMS include the following factors, which
are Compatible with XML signature and XML encryption, Implementation of XKMS should be
simple as possible using XML tools and minimize the client code and configuration. XKMS was
built in two parts, which are XML Key Information Service Specification (X-KISS) are used for
processes and validates the public keys and XML Key Registration Service Specification (X-
KRSS) used for registration of public keys and provides four services such as revoke, re-issue,
register and recover.
2.4.1 Security issues in XKMS
Reply attacks.
Denial of service attacks.
Key recovery policy.
4. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
4
2.5 Security Assertions Markup Language (SAML)
Security Assertions Markup Language (SAML) is specified as open standard data format, which
is based on XML. SAML is used for authentication and authorization of data between
communicating parties. SAML developed by the Organization for the Advancement of Structured
Information Standards (OASIS) in 2001. Endrei et al. [7] Defines SAML as the first standard
widely adopted by industry for securing e-business dealings based on XML. The inspiration
behind to develop SAML was to furnish a common means for sharing security services for
commercial enterprise to business (b2b) and business to consumer (b2c) transactions. SAML
provides better authorization, profile information and certification for the parties involved in the
communication.
SAML includes four different components [8], which are: SAML Assertions, it contain the
security information such as how authentication and authorization information are defined. It
usually transferred to service providers by identity providers. SAML assertion can be utilized to
prevent man-in-middle and replay attacks [8]. SAML assertions can be signed by XML
signatures and encrypted by XML encryption. It too holds in several statements that used for
access control decisions by service providers. The different types of statements used in SAML are
Authentication statement, Attribute statement and Authorization decision statement.
SAML Protocols: it defines how SAML requests and response are handled. It also defines various
rules for the same. It can be defined as a simple request and response protocol. The most
important SAML protocol requests are known as a query. SAML binding it binds the SAML
protocol messages with the industry adopted protocols. For example SAML SOAP bind specifies
how SAML encapsulated with SOAP bound to SOAP message. SAML Profiles it defines how
SAML assertions, protocols and bindings are combined together to support a particular use case.
2.5.1 Security flaws in SAML
SAML recommends a variety of security mechanisms such as:
XML signature and XML encryption.
TLS and SSL.
2.6 Kerberos
Kerberos is used as authentication protocol, which helps to ensure the identity among users
communicating over an unsecured network. Kerberos provides mutual authentication in a typical
client server environment where customer and server both verifies each other identity. Kerberos
provides a secure environment against eavesdropping and reply attacks. Kerberos uses symmetric
key cryptography.
2.6.1 Drawbacks of Kerberos
Single point of failure.
Restricted time requirement.
Requires user accounts.
3. SECURITY ANALYSIS OF SOA BASED E-COMMERCE
The general system architecture of an E - commerce system is presented above in figure 1. E-
commerce systems provide users with a variety of business service components and user can call
any of these business service components online such as trading information services, contract
management services and other information management services, if they are authenticated and
5. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
5
passed. Before calling business service component's user submits their authentication through
HTTP to a WWW host. Users can log on to the component requested through Simple Object
Access Protocol (SOAP) and at the same time user may utilize other services as well, which is
furnished by other collaborators such as banking and logistics services. E-commerce platform is
hardly used for online transactions, but also can be practiced as a serial publication of services
such as banking and revenue enhancement. So, E-commerce provides a complete lay down of
business procedures which consist of various inspection and repairs. These services are originated
by different vendors and managed or kept up by diverse departments within an endeavor, which
makes E-commerce a service oriented heterogeneous system. This heterogeneous system will
confront a kind of security threats and risk factors which are:
3.1 Certificate Duplicity
Approach to business service components, users should submit their authentication through
HTTP and get it validated from web hosts. In return an authentication credential is released for
users as a validation of certification. After getting this authentication certificate user can access
business service components. This process of issuing the authentication certificate is managed by
the Identity, Management Service (IMS). It is possible to generate a duplicate certificate or forge
the certificate and submit it to the web server instead of the original user and identity
authentication is bypassed and call to the Business Service Component can be attained. One of
the possible implementation solutions for this is to use better communication protocols such as
HTTPS, which can’t be worked well.
Figure 1: Basic architecture of E-commerce systems
3.2 Unsecure Protocol
When petitions are cleared to access the business service components or domain services, identity
authentication is required and the request is passed to the corresponding service component
through HTTP. Comparatively HTTP is not a secure protocol when it comes to handling MAN–
IN-MIDDLE attacks. MAN-IN-MIDDLE attacks are a form of attacks in which attackers gain a
connection with receivers and transmitters of messages and attackers relay messages between
them giving sender and receiver an illusion that they are communicating directly. The assailant is
able to encode the communication between them equally comfortably.
6. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
6
3.3 No filters mentioned on the application level
Filters are really important at the application level and the absence of these filters may allow an
attacker to send malicious codes through the web application and perform attacks like Cross Site
Scripting, Remote/Local File Inclusion etc. which may immediately or indirectly lead to a
successful attack.
3.4 Unsecure Database
In most of E-commerce models, database is maintained on the same server without going through
any security bars. Thither are a number of security risks related to database that are as follows:
• Malware infections into the database may also go to incidents like leakage or disclosure of
important information.
• Malfunctioned database may deny service to authorized users and failure of database services
can’t be foreseen.
3.5 Denial of Service Attacks
It brings up to an attempt to establish the system unavailable to its intended users. The existing E-
commerce model does not provide any method to prevent the DOS or DDOS attack.
4. PROPOSED SECURITY FRAMEWORK
The proposed Security Framework of SOA based E-commerce is shown in Figure 2. The
proposed security framework resolves all the above mentioned security threats and risk involved
in E-commerce security. E-commerce provides access to various business service components
such as Transaction information Services, Online Transaction Services, etc. These business
service components can be accessed by the user if they are authorized and authenticated. The
authentication of users is handled by the Identity, Management Service (IMS). E-commerce also
supports a series of services as well, such as insurance services, banking services, etc. Users can
choose any of these business services from the miscellany of the services provided by E-
commerce. Users can predict any of these services, by sending access requests to that
corresponding service through IMS. The process of IMS is shown in figure 3. For the services to
communicate with each other, they need to post a petition to the IMS, which in return generates a
certificate of certification. Just when the certificate is successfully approved the services are
allowed to communicate with each other.
The approach to business service components can be achieved with two different behaviors which
includes land access and remote access. A two tier security is preserved on the web server to
insure that the proper validation of authentication is submitted by the user and that the user can’t
generate a duplicate certificate or forge the certificate. This three level security can be achieved
through:
4.1 Input Sanitization
To access the business service components, the user submits a request to the web server through a
more secure protocol HTTPS. Before sending the service request to the corresponding service
component, the user’s data are first sanitized and then forwarded to the web server. If the user
request consists of some extra qualities such as ‘#@abc*’, then it can clean and handled as ‘ABC’
7. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
7
with the action of input sanitization rules and the attempt of the user to bypass the authentication
can be forestalled. Input sanitization can solve the risks of certificate duplicity, which is one of
the important risk factors in E-commerce security.
4.2 Rule based Plug-in for additional protection
It allows wrapping an extra layer of protection around the web server. If the sanitization is
bypassed by the assailant, it can be clogged by this additional security layer. This layer works as
an external security layer, which facilitates to increase protection, such as detection and prevent
attacks before the intruder reaches the business service part. To carry out this extra layer of
security, for instance, we can use ‘Apache mod-security’, which is a rule-based plug-in of Apache
which allows one to create rules describing abnormal requests to the WWW host. When
malicious requests are cleared to access business service components, first they are equated with
the rulers that were created if matched, then the requests are denied and the details are logged.
Figure 2: Proposed Security Framework Design
4.3 Predefined Action filter
In the proposed security framework filters on the application level is utilized which is responsible
for separating out the actions specified on web pages. If somehow intruder bypasses the
additional security layer, it enters into predefined action function filters. If the user visits a
particular service component and if its corresponding activity is available in the database, then the
petition is simply forwarded to the respective service component and the petition will be
discharged; and if its action is not available in the database, and so the petition will not be turned
over to the service component and an error message will be displayed to the user. Intrusion
detection system (IDS) and Intrusion protection system (IPS) is employed in the proposed
security framework to provide spare security to business service components and database
related. In offering a security framework, business service components and connected database
are maintained on different hosts. Server I maintain business service components and network
hosts. Server II maintains the databases connected with business service components. The
8. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
8
communication between server I and server II is monitored by a firewall. If an attempt is
discovered by the Intrusion Detection System (IDS), the firewall will automatically disconnect
both servers from one another to assure minimal data loss.
5. IMPLEMENTATION BENEFITS OF PROPOSED SECURITY
FRAMEWORK
The proposed security framework is implemented and validated on an open source E-commerce
website and it proves that it achieves most of the quality attributes. The approach to business
service components can be achieved with two different methods, which include field access and
remote access. Multiple-layer security is maintained on the web server to insure the proper proof
of authentication submitted by the user and that the user can’t generate a duplicate certificate or
forge the certificate. The main implementation benefits and effects of the proposed plan are as
follows:
5.1 Database Encryption
The database kept up on a totally different host (Server II), which monitored by IDS/IPS. The
database itself encrypted with a unique key which is stashed away in the data service component
on a server I. In lawsuit of an attack IDS/IPS, will automatically disconnect all connections
between server I and server II to ensure minimum harm. The encryption will provide protection
for data being misused by the assailant.
5.2 Indirect Access to Enterprise Applications
The Enterprise Applications are not permitted to pass directly with the business services;
alternatively, it is linked via the same web host. The application would provide a different user
interface and will also ensure the guard of the servers by preventing most attacks.
.
5.3 Prevention Against DoS and DDos
The presentation of IDS/IPS on both the servers will prevent most of the Denial of Service attacks
as they would monitor and separate out all the incoming information. The IDS/IPS can be easily
configured to bar the IP Addresses generating multiple requests within a suitable interval of the
fourth dimension.
5.4 Post-Exploitation Prevention
This is in case an attacker manages to go around the firewall and somehow run his code.
Figure 3: Process of Identity management service
9. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
9
The decisive aim of the security would be to prevent damage from the attempt. Post exploitation
prevention can be enabled by editing functions permissions.
6. THE FRAMEWORK EVALUATION
The proposed security framework is implemented on an open source E-commerce system through
which the proposed framework is examined to discover its strengths and weakness in the light of
security threats discussed above. The methodology for evaluating the framework depends upon
the character of security threats. The rating also depends on the security requirements and
arranging for the endeavor. Some of the character attributes which are already achieved are
discussed infra:
6.1 Input Sanitization
To access the business service components, the user submits their request to web server through a
more secure protocol HTTPS. Before transmitting the service request to the corresponding
service component, the user’s data are first sanitized and then forwarded to the web host. If a user
request consists of some extra qualities such as ‘#@abc*’ as a request, then with the action of
input sanitization rules it can clean and handled as ‘ABC’ and the attempt of user to bypass the
authentication can be forestalled. Input sanitization can solve the risks of certificate duplicity,
which is one of the important risk factors in E-commerce security. The figure 4.1 shows the
infected input submitted by user and figure 4.2 shows the input sanitization for the proposed
security plan.
Figure 4.1 users infected input as “#@abc*”
Figure 4.2 the input sanitization for the proposed security design.
10. International Journal on Soft Computing (IJSC) Vol. 5, No. 2, May 2014
10
7. CONCLUSION
This paper presents and analyzes the current security issues for E-commerce system and proposed
a security framework for E-commerce system. The proposed framework is based on SOA. The
proposed framework provides a secure E-commerce system from the whole of the major
computing attacks or threats. The proposed framework is initially implemented on an open source
E-commerce system and proves that it reach the reference attributes. For evaluating the proposed
security framework all the major computing attacks are tested on. The main contribution and
impact of this research is to align the benefits of SOA with E-commerce system, so that
organizations can assume the combined benefits of both. The proposed security framework helps
enterprise to organize an absolute suite of amalgamated security architecture which protect SOA
based E-commerce.
REFERENCES
[1] Min Huang et al, “Research for E-Commerce Platform Security Framework Based On SOA”,
proceeding of the 2011 4th International Conference on Biomedical Engineering and Informatics
(BMEI), Shanghai, China, Pg. No. 2171-2174, October 15-17, 2011.
[2] A. K. Luhach, Dr. S. K. Dwivedi, “Service-Oriented Architecture and Web Services Concepts,
Technologies, and Tools”, 2011 IEEE International Conference on Computational Intelligence and
Computing Research, 2011.
[3] Dr. S. K. Dwivedi, Ashish kr. Luhach, Dr. Jitender Kumar, “Enterprise Transformation to Service
Oriented Architectures”, 2011IEEE International Conference on Computational Intelligence and
Computing Research, 2011.
[4] Li Xiong-Yi, “Research and application of SOA in B2B electronic commerce”, 2009 International
Conference on Computer Technology and Development, 2009.
[5] Pei Yan, Jiao Guo, “Researching and Designing the Architecture of E-government based on SOA”,
2010 International Conference on E-Business and E-Government, 2010.
[6] Huadong Wang, Qiang Hu, “Research and Application of an Integration Platform for E-Commerce
System Based on SOA”, 2009 International Conference on Management of e-Commerce and e-
Government, 2009.
[7] Endrei, A., et al. Patterns: Service- Oriented Architecture and Web Services, IBM Publication, 2004.
[8] Oracle Corporation. Web Services Security: What’s Required To Secure A Service-Oriented
Architecture. U.S.A.:White paper. January 2008.
[9] Sanjay Misra et al, “An Approach for E-Commerce On-Demand Service Oriented Product Line
Development”, Acta Polytechnica Hungarica, Vol. –10, No.-2, Pg. No 69-87, 2013.
[10] Ali Yavari et al, “Measuring the Failure Rate in Service Oriented Architecture Using Fuzzy Logic”,
Journal of mathematics and computer Science, Vol. –7, No.-3, Pg. No 160-170, 2013.
[11] Mohammad H. Danesh et al, “A framework for process and performance management in service
oriented virtual organisations”, International Journal of Computer Information Systems and Industrial
Management Applications, Vol. -5, Pg. No. 203-215, 2013.
[12] Deepu Raveendran et al, “A Study on Secure and Efficient Access Control Framework for SOA”,
International Journal of Computer Science and Telecommunications, Vol.-3, No.-6, Pg. No. 71-76,
June 2012.
[13] Seyyed Mohammad Reza Farshchi et al., “Study of Security Issues on Traditional And New
Generation of E-Commerce Model, proceeding of the 2011 International Conference on Software
and Computer Applications, Kathmandu, Nepal, July 1-2, 2011, published by IPCSIT, Singapore,
Vol.-9, Pg. No. 113- 117.