Vulnerabilities in SaaS Layer of Cloud Computing

Clinton D Souza
Rafael Santana

Arizona State University
Overview

• Introduction
• Cloud Computing Overview
• Research
• Results
• Conclusion
• Discussion
• Future work
• Q&A
Introduction

• Research funded by the Fulton Undergraduate Research Initiative (FURI).
• Co-Author: Dr. Partha Dasgupta.
• The purpose of this research is to bring to attention existing vulnerabilities in the Software as a Service layer of cloud computing.
Cloud Computing Overview

• Cloud computing architecture is divided into three layers:
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Figure source: http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png
Cloud Computing Models

• Most common cloud computing models:
  • Public Cloud
  • Private Cloud
  • Hybrid Cloud
Simple Cloud Security Structure
Research

• Two main points of entry into the SaaS layer:
  • User Point of Entry
    o Most common point of attack in a SaaS model
  • Provider Point of Entry
• An example query that exploits this vulnerability against database servers such as PostgreSQL and MySQL, and which would grant the attacker administrator privileges, could be:

      <?php

      // $uid: ' or uid like '%admin%
      // resulting statement once $uid is pasted into the query text:
      $query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";

      // $pwd: hehehe', trusted=100, admin='yes
      // resulting statement once $pwd is pasted into the query text:
      $query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE ...;";

      ?>
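The two injection cases on this slide, rebuilt as an added example that is not code from the slides or from the PHP manual they draw on: a Python script that runs the slide's two payloads against a constructed in-memory SQLite table, first through a query assembled by string concatenation the way the PHP snippet does, then through a parameterized statement, so that the difference in outcome can be observed directly. The table layout (uid, pwd, trusted, admin) and the sample rows are assumptions made for the demo; the function names are likewise the example's own.

```python
import sqlite3

# Added example, not code from the slides. It rebuilds the two injection cases
# from the slide's PHP snippet against an in-memory SQLite table and puts the
# hardened (parameterized) version of the same password change next to the
# vulnerable one. Table layout and row contents are constructed for this demo.

UID_PAYLOAD = "' or uid like '%admin%"              # the slide's $uid payload
PWD_PAYLOAD = "hehehe', trusted=100, admin='yes"    # the slide's $pwd payload


def make_db():
    """Constructed sample table in the shape the slide's query assumes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usertable (uid TEXT PRIMARY KEY, pwd TEXT, "
        "trusted INTEGER, admin TEXT)"
    )
    conn.executemany(
        "INSERT INTO usertable VALUES (?, ?, ?, ?)",
        [("alice", "old-alice", 0, "no"), ("admin", "old-admin", 100, "yes")],
    )
    conn.commit()
    return conn


def snapshot(conn):
    """Current table contents keyed by uid, used to compare before/after."""
    rows = conn.execute("SELECT uid, pwd, trusted, admin FROM usertable")
    return {uid: (pwd, trusted, admin) for uid, pwd, trusted, admin in rows}


def change_password_vulnerable(conn, uid, pwd):
    """Mirrors the PHP on the slide: values are pasted into the SQL text, so a
    quote inside them ends the string literal and the rest is parsed as SQL."""
    query = f"UPDATE usertable SET pwd='{pwd}' WHERE uid='{uid}';"
    cur = conn.execute(query)
    conn.commit()
    return query, cur.rowcount


def change_password_safe(conn, uid, pwd):
    """Hardened form: a parameterized statement. The driver sends the values
    separately from the SQL text, so the same payloads stay plain strings."""
    cur = conn.execute("UPDATE usertable SET pwd=? WHERE uid=?", (pwd, uid))
    conn.commit()
    return cur.rowcount


def demo_vulnerable_uid():
    """$uid payload: the WHERE clause is widened to match the admin row."""
    conn = make_db()
    query, affected = change_password_vulnerable(conn, UID_PAYLOAD, "pwned")
    return query, affected, snapshot(conn)


def demo_vulnerable_pwd():
    """$pwd payload: extra SET assignments promote the caller's own account."""
    conn = make_db()
    query, affected = change_password_vulnerable(conn, "alice", PWD_PAYLOAD)
    return query, affected, snapshot(conn)


def demo_safe():
    """Same two payloads through the parameterized statement."""
    conn = make_db()
    n1 = change_password_safe(conn, UID_PAYLOAD, "pwned")   # matches no row
    n2 = change_password_safe(conn, "alice", PWD_PAYLOAD)   # stores the literal
    return n1, n2, snapshot(conn)


if __name__ == "__main__":
    for name, demo in [("vulnerable uid", demo_vulnerable_uid),
                       ("vulnerable pwd", demo_vulnerable_pwd)]:
        query, affected, state = demo()
        print(f"{name}: {query}\n  rows affected={affected}, table={state}")
    n1, n2, state = demo_safe()
    print(f"parameterized: rows affected={n1},{n2}, table={state}")
```

Run it directly to print each statement, the number of rows it touched and the table afterwards. In the concatenated version the first payload changes the admin password and the second turns alice into a trusted admin; through the parameterized statement the first payload matches no row at all and the second is stored as an ordinary password string. The affected-row count is also the cheapest server-side check a password-change handler can make: a change that touches any row other than the caller's own should be rejected and logged.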
Research

• To reach a SaaS application, the user goes through a client/user portal whose web-service interface is exposed to a variety of attacks, including:
  • Buffer Overflow
  • SQL Injection
  • Cross Site Scripting
  • Denial of Service
Result

• The most common attacks associated with the SaaS model in a public cloud infrastructure.
• They are divided into the following four groups:

  Availability:        • Denial of Service  • Account lockout  • Buffer overflow
  Data Security:       • Cross-site scripting  • Access control weakness  • Privilege escalation
  Network Security:    • Network penetration  • Session hijacking  • Data packet interception
  Identity Management: • Authentication weakness  • Insecure trust

  Figure: SaaS (Software as a Service) vulnerabilities
Discussion

• Zero-Day Vulnerability Found in McAfee's SaaS Products (April 2011)
  • An attacker can execute arbitrary code by exploiting the flaw if the victim visits a malicious page or opens the file.
  • The Common Vulnerability Scoring System (CVSS) rates it 9 out of a maximum of 10.
  • The method accepts commands that are passed to a function which simply executes them, without authentication.
  • McAfee SaaS includes:
    • Email Protection (protection against viruses and spam)
    • McAfee Integrated Suites (protection against viruses, web threats, etc.)
  • Patch released in August 2011.

Source: http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml
Conclusion

• Two main points of entry into the SaaS layer:
  • User Point of Entry
    o Most common point of attack in a SaaS model
  • Provider Point of Entry

  Availability:        • Denial of Service  • Account lockout  • Buffer overflow
  Data Security:       • Cross-site scripting  • Access control weakness  • Privilege escalation
  Network Security:    • Network penetration  • Session hijacking  • Data packet interception
  Identity Management: • Authentication weakness  • Insecure trust

  Figure: SaaS (Software as a Service) vulnerabilities
Future Work

• The next step is to design test cases for security breaches common to the SaaS structure, including the web services involved.
• Propose a suitable solution for minimizing the intensity of a penetration attack.
• Document the resulting effects and extent of the exploit and compare them with the results of other research projects and papers.
• Document and explore the extent to which data can be exploited.
Q&A
References:
[1] GoGrid Cloud Hosting, "Cloud Infrastructure", http://pyramid.gogrid.com/#/, 2010
[2] Tipton, Harold F.; Nozaki, Micki Krause, Information Security Management Handbook, 6th ed. USA: CRC Press, 2012
[3] Verizon Business, "2012 Data Breach Investigations Report", http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf, 2012
[4] The PHP Group, "SQL Injection", http://php.net/manual/en/security.database.sql-injection.php, 2001-2012

Image: http://www.butyoudontlooksick.com/wpress/wp-content/uploads/2010/09/cloudy-question.jpg

Editor's Notes

  1. Distribution model in which the applications are hosted by the vendor and made available to the customer over a network, either through a web or mobile interface.
  2. To change the admin's password: '%admin% to $uid. Or simply set $pwd to hehehe', trusted=100, admin='yes