Abstract
Despite the potential benefits, cost savings and revenue that can be gained from adopting the cloud computing model, a downside is that it increases malicious attackers' interest in, and ability to find, vulnerabilities to exploit in cloud software and infrastructure.
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Almorsy, M., Ibrahim, A., Grundy, J. (2014). Adaptive Security Management in SaaS Applications. In: Nepal, S., Pathan, M. (eds) Security, Privacy and Trust in Cloud Systems. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38586-5_3
DOI: https://doi.org/10.1007/978-3-642-38586-5_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38585-8
Online ISBN: 978-3-642-38586-5
eBook Packages: Engineering (R0)