Adaptive Security Management in SaaS Applications

Chapter in: Security, Privacy and Trust in Cloud Systems

Abstract

Despite the potential benefits, cost savings and revenues that can be gained from adopting the cloud computing model, a downside is that it increases malicious attackers’ interest and ability to find vulnerabilities to exploit in cloud software and/or infrastructure.



Corresponding author: Mohamed Almorsy

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

Cite this chapter

Almorsy, M., Ibrahim, A., Grundy, J. (2014). Adaptive Security Management in SaaS Applications. In: Nepal, S., Pathan, M. (eds) Security, Privacy and Trust in Cloud Systems. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38586-5_3

  • DOI: https://doi.org/10.1007/978-3-642-38586-5_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38585-8

  • Online ISBN: 978-3-642-38586-5
