Paula Austel
IBM
Publication
Featured research published by Paula Austel.
secure web services | 2005
Michael Philip McIntosh; Paula Austel
Naive use of XML Signature may result in signed documents remaining vulnerable to undetected modification by an adversary. In the typical usage of XML Signature to protect SOAP messages, an adversary may be capable of modifying valid messages in order to gain unauthorized access to protected resources. This paper describes the general vulnerability and several related exploits, and proposes appropriate countermeasures. While the attacks described herein may seem obvious to security experts once they are explained, effective countermeasures require careful security policy specification and correct implementation by signed message providers and consumers. Since these implementers are not always security experts, this paper provides the guidance necessary to prevent these attacks.
Ibm Systems Journal | 2005
Nataraj Nagaratnam; Anthony Joseph Nadalin; Maryann Hondo; Michael Philip McIntosh; Paula Austel
Business-driven development and management of secure applications and solutions is emerging as a key requirement in the realization of an on demand enterprise. In a given enterprise, individuals acting in various roles contribute to the modeling, development, deployment, and management of the security aspects of a business application. We look at the business-application life cycle and propose a policy-driven approach overlaid on a model-driven paradigm for addressing security requirements. Our approach suggests that security policies are to be modeled using policies and rule templates associated with business processes and models, designed and implemented through infrastructure-managed or application-managed environments based on modeled artifacts, deployed into an infrastructure and potentially customized to meet the security requirements of the consumer, and monitored and managed to reflect a consistent set of policies across the enterprise and all layers of its application infrastructure. We use a pragmatic approach to identify intersection points between the platform-independent modeling of security policies and their concrete articulation and enforcement. This approach offers a way to manage and monitor systems behavior for adherence and compliance to policies. Monitoring may be enabled through both information technology (IT) and business dashboards. Systematic approaches to connect business artifacts to implementation artifacts help implement business policies in system implementations. Best practices and security usage patterns influence the design of reusable and customizable templates. Because interoperability and portability are important in service-oriented architecture (SOA) environments, we list enhancements to standards (e.g., Business Process Execution Language [BPEL], Unified Modeling Language™ [UML®]) that must be addressed to achieve an effective life cycle.
international conference on service oriented computing | 2009
Florian Rosenberg; Rania Khalaf; Matthew J. Duftler; Francisco Curbera; Paula Austel
Mashups are gaining momentum as a means to develop situational Web applications by combining different resources (services, data feeds) and user interfaces. In enterprise environments, mashups are recently used for implementing Web-based business processes, however, security is a major concern. Current approaches do not allow the mashup to securely consume services with diverse security requirements without sharing the credentials or hard-coding them in the mashup definition. In this paper, we present a solution to integrate security concerns into an existing enterprise mashup platform. We provide an extension to the language and runtime and propose a Secure Authentication Service (SAS) to seamlessly facilitate secure authentication and authorization of end-users with the services consumed in the mashup.
Proceedings of the 2nd International Workshop on Software-Defined Ecosystems | 2015
Paula Austel; Han Chen; Thomas A. Mikalsen; Isabelle M. Rouvellou; Upendra Sharma; Ignacio Silva-Lepe; Revathi Subramanian
To help drive top line growth of their businesses, the development and IT organizations are under increasing pressure to create and deliver applications at ever faster paces. The advent of Cloud Computing has not only lowered the cost of IT operations but also enabled the notion of continuous delivery, which promises to radically reduce frictions in DevOps processes and speed up the product delivery cycle. With increased demand on functionality and feature, we have also seen these applications becoming more sophisticated, often integrating multiple modern programming models and techniques with the traditional n-tier web application into a composite application. This paper proposes an architectural blueprint for improved continuous delivery of these complex composite applications. It treats a solution as a holistic entity comprised of application logic and software-defined environment that the logic relies on. It also proposes a collaborative approach to software-defined Platform-as-a-Service environment building. This being an ongoing research project, this paper also briefly describes prototype, work-in-progress and thoughts on future directions.
computing frontiers | 2015
Paula Austel; Han Chen; Parijat Dube; Thomas A. Mikalsen; Isabelle M. Rouvellou; Upendra Sharma; Ignacio Silva-Lepe; Revathi Subramanian; Wei Tan; Yandong Wang
In their pursuit of market competitiveness and sustainable top line growth, enterprises are increasingly turning to sophisticated analytics solutions to derive insights and value from the deluge of data that are being generated from all sources. Leading practitioners of Big Data analytics have already moved past the stage of using single analytics modalities on siloed data sources. They are starting to create composite analytics solutions that take advantage of multiple analytics programming models and are also integrating them into their existing enterprise IT systems. At the same time, the CIOs have wholeheartedly embraced cloud computing as a means of reducing the capital and operational cost of their IT systems and streamlining their DevOps processes. Platform-as-a-Service (PaaS) as a cloud computing consumption model has seen wide acceptance by developers and IT administrators. Although there are PaaS platforms for individual workload types involved in these advanced composite analytics solutions, the composition aspect is not addressed by any of these individual PaaS platforms. Further, there is no lifecycle management support for the solution as a single logical entity. This paper argues for the need of a true PaaS for composite analytics solutions in order to accelerate their adoption by the industry and foster the creation of a healthy ecosystem. We present the design and prototype implementation of such a platform and our early experience of using it to deploy a Telco Fraud Detection solution.
Archive | 2001
Tushar Deepak Chandra; James T. Sherry; Charles Tresser; Paula Austel; Ronald Perez; Sean W. Smith
Archive | 2010
Paula Austel; Suresh Chari; Francisco Curbera; Matthew J. Duftler; Rania Khalaf; Florian Rosenberg
Archive | 2011
Paula Austel; He Yuan Huang; Michael Philip McIntosh; Bing Wang; Jing Min Xu
international conference on web services | 2007
Sam Weber; Paula Austel; Michael Philip McIntosh
Archive | 2005
Paula Austel; Maryann Hondo; Michael Philip McIntosh; Anthony Joseph Nadalin; Nataraj Nagaratnam