Vulnerability Analysis in SOA-Based Business Processes
July-September 2011 (vol. 4 no. 3)
pp. 230-242
Lutz Lowis, Albert-Ludwig University of Freiburg, Freiburg
Rafael Accorsi, Albert-Ludwig University of Freiburg, Freiburg
Business processes and services can be combined more flexibly when they are based on standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of the processes. Vulnerability management tools require patterns to find or monitor vulnerabilities, and such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA result in such types, yet require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is, to the best of our knowledge, the most comprehensive compilation of vulnerability information sources to date. We present the method to search for vulnerability types in SOA-based business processes and services. We also show how patterns can be derived from these types so that tools can be employed. An additional contribution is a case study in which we apply the new method to an SOA-based business process scenario.
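As an added illustration of the last step the abstract describes (vulnerability types turned into patterns that a tool can run), the following Python is the editor's example, not code from the paper or from ATLIST. It uses three vulnerability types documented in the web-services security literature (DTD/entity declarations in XML, excessive element nesting, and XML Signature Wrapping against WS-Security) as stand-ins for the types an ATLIST analysis would yield. The namespace URIs are the real SOAP 1.1, XML-DSig and WS-Security 1.0 ones; the SOAP messages are constructed for the example, and the type names, the catalogue structure and the nesting limit are assumptions.

```python
"""Derive executable detection patterns from known SOA vulnerability types
and run them over SOAP messages (constructed samples at the bottom)."""
import io
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional

# Real namespaces: SOAP 1.1, XML-DSig, WS-Security 1.0 (secext / utility).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


@dataclass
class VulnType:
    """A vulnerability type and the pattern derived from it (a message predicate)."""
    name: str
    layer: str                              # part of the SOA stack the type lives in
    pattern: Callable[[bytes], List[str]]   # raw message -> findings


def check_dtd(raw: bytes) -> List[str]:
    """XML layer: DTD/entity declarations have no place in a SOAP message
    (external entities, entity expansion), so the pattern is purely lexical."""
    if re.search(rb"<!(DOCTYPE|ENTITY)\b", raw):
        return ["DTD/entity declaration present"]
    return []


def check_nesting(raw: bytes, max_depth: int = 32) -> List[str]:
    """XML layer: reject deep nesting while streaming, before a tree is built.
    max_depth is an assumed limit, not a value from the paper."""
    if check_dtd(raw):          # already reported by the DTD pattern
        return []
    depth = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            depth += 1 if event == "start" else -1
            if depth > max_depth:
                return [f"element nesting deeper than {max_depth}"]
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    return []


def parse_safe(raw: bytes) -> Optional[ET.Element]:
    """Build a tree only for messages that passed the lexical/streaming patterns."""
    if check_dtd(raw) or check_nesting(raw):
        return None
    try:
        return ET.fromstring(raw)
    except ET.ParseError:
        return None


def check_signature_wrapping(raw: bytes) -> List[str]:
    """WS-Security layer: each ds:Reference must resolve to exactly one element,
    and the signed element must be the Body the application will process. In a
    wrapping attack the signed Body is moved elsewhere (the signature still
    verifies) and a fresh, unsigned Body carries the attacker's content."""
    root = parse_safe(raw)
    if root is None or root.find(f".//{{{DS}}}Signature") is None:
        return []
    findings: List[str] = []
    body = root.find(f"{{{SOAP}}}Body")      # the Body the application will use
    referenced = set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            findings.append(f"non-local Reference URI {uri!r}")
            continue
        target = uri[1:]
        referenced.add(target)
        hits = [el for el in root.iter() if el.get(f"{{{WSU}}}Id") == target]
        if len(hits) != 1:
            findings.append(f"{len(hits)} elements carry wsu:Id={target!r}")
        if body is None or body not in hits:
            findings.append(f"signed element {target!r} is not the SOAP Body")
    if body is not None and body.get(f"{{{WSU}}}Id") not in referenced:
        findings.append("SOAP Body is not covered by the signature")
    return findings


# Pattern catalogue: types (as an ATLIST analysis would list them) paired with
# the check derived from each. Type names are assumed, not the paper's.
KNOWN_TYPES = [
    VulnType("XML entity expansion / XXE", "XML", check_dtd),
    VulnType("Oversized / deeply nested XML", "XML", check_nesting),
    VulnType("XML Signature Wrapping", "WS-Security", check_signature_wrapping),
]


def scan(raw: bytes) -> dict:
    """Run every derived pattern; return {type name: findings} for those that fire."""
    report = {}
    for vt in KNOWN_TYPES:
        hits = vt.pattern(raw)
        if hits:
            report[vt.name] = hits
    return report


# Constructed sample messages (not captured traffic).
_HEADER = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}"><soap:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
 </wsse:Security>"""
BENIGN_MSG = (_HEADER + """</soap:Header>
 <soap:Body wsu:Id="body"><transfer><amount>10</amount></transfer></soap:Body>
</soap:Envelope>""").encode()
# Signed Body moved into a wrapper in the Header; a new unsigned Body replaces it.
WRAPPED_MSG = (_HEADER + """<Wrapper>
  <soap:Body wsu:Id="body"><transfer><amount>10</amount></transfer></soap:Body>
 </Wrapper></soap:Header>
 <soap:Body><transfer><amount>1000000</amount></transfer></soap:Body>
</soap:Envelope>""").encode()
ENTITY_MSG = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "e">]>' + BENIGN_MSG
DEEP_MSG = b"<a>" * 40 + b"x" + b"</a>" * 40

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_MSG), ("wrapped", WRAPPED_MSG),
                       ("entity", ENTITY_MSG), ("deep", DEEP_MSG)]:
        print(label, scan(msg))
```

Two design points carry over to real tooling. The lexical and streaming checks run before any tree is built, so a hostile message never reaches the parser that an entity bomb or nesting attack targets. The wrapping check does what signature verification alone does not: it ties the referenced element to the Body the application actually dispatches on, and flags both a referenced element that is not that Body and a Body that no reference covers.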

[1] A. Avizienis, J.-C. Laprie, B. Randell, and C. Landwehr, "Basic Concepts and Taxonomy of Dependable and Secure Computing," IEEE Trans. Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, Jan.-Mar. 2004.
[2] Symantec, "Symantec Global Internet Security Threat Report 2008," Apr. 2009.
[3] NIST, "National Vulnerability Database (NVD)," http://nvd.nist.gov, 2009.
[4] Open Security Foundation (OSF), "Open Source Vulnerability Database (OSVDB)," 2009.
[5] R. Lemos, "SecurityFocus: TJX Theft Tops 45.6 Million Card Numbers," Mar. 2007.
[6] P.K. Manadhata, Y. Karabulut, and J.M. Wing, "Measuring the Attack Surfaces of Enterprise Software," Proc. Int'l Symp. Eng. Secure Software and Systems (ESSoS '09), 2009.
[7] W.E. Vesely, F.F. Goldberg, D.F. Haasl, and N.H. Roberts, "Fault Tree Handbook," NUREG-0492, 1981.
[8] B. Schneier, "Attack Trees," Dr. Dobb's J., vol. 24, pp. 21-29, 1999.
[9] US Department of Defense, "Procedures for Performing a Failure Mode, Effects and Criticality Analysis," MIL-STD-1629A, 1980.
[10] P.G. Neumann and D.B. Parker, "A Summary of Computer Misuse Techniques," Proc. 12th Nat'l Computer Security Conf., pp. 396-406, Oct. 1989.
[11] W.A. Arbaugh, W.L. Fithen, and J. McHugh, "Windows of Vulnerability: A Case Study Analysis," Computer, vol. 33, no. 12, pp. 52-59, Dec. 2000.
[12] L. Lowis and R. Accorsi, "On a Classification Approach for SOA Vulnerabilities," Proc. IEEE Workshop Security Aspects of Process and Services Eng. (SAPSE '09), 2009.
[13] W.D. Yu, D. Aravind, and P. Supthaweesuk, "Software Vulnerability Analysis for Web Services Software Systems," Proc. 11th IEEE Symp. Computers and Comm., pp. 740-748, 2006.
[14] P. Lindstrom, "Attacking and Defending Web Services," technical report, Spire Security, 2004.
[15] M. Bishop, Introduction to Computer Security. Addison-Wesley, 2004.
[16] V. Gorelik, "One Step Ahead," ACM Queue, 2007.
[17] M. Martin, B. Livshits, and M.S. Lam, "Finding Application Errors and Security Flaws Using PQL: A Program Query Language," Proc. Ann. ACM SIGPLAN Conf. Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA '05), 2005.
[18] G. Lyon, "Top 100 Network Security Tools," http://sectools.org/index.html, 2006.
[19] F. Swiderski and W. Snyder, Threat Modeling. Microsoft, 2004.
[20] I.V. Krsul, "Software Vulnerability Analysis," PhD dissertation, Purdue Univ., May 1998.
[21] G. Canfora and M. di Penta, "Service-Oriented Architectures Testing: A Survey," Software Engineering, vol. 1, pp. 78-105, Springer-Verlag, 2009.
[22] B. Livshits, J. Whaley, and M.S. Lam, "Reflection Analysis for Java," Proc. Third Asian Symp. Programming Languages and Systems (APLAS '05), pp. 139-160, 2005.
[23] R. Accorsi and T. Stocker, "Automated Privacy Audits Based on Pruning of Log Data," Proc. Int'l Workshop Security and Privacy in Enterprise Computing, 2008.
[24] R. Accorsi and C. Wonnemann, "Auditing Workflow Executions against Dataflow Policies," Proc. Conf. Business Information Systems, Lecture Notes in Business Information Processing, vol. 47, 2010.
[25] Forum of Incident Response and Security Teams (FIRST), "Common Vulnerability Scoring System (CVSS) 2.0," http://www.first.org/cvss, 2007.
[26] M. Dondo, "A Fuzzy Risk Calculations Approach for a Network Vulnerability Ranking System," Technical Report TM 2007-90, Defence Research and Development Canada (DRDC), 2007.
[27] M. Cukier and S. Panjwani, "Prioritizing Vulnerability Remediation by Determining Attacker-Targeted Vulnerabilities," IEEE Security and Privacy, vol. 7, no. 1, pp. 42-48, Jan./Feb. 2009.
[28] M. Roesch, "Snort, Network Intrusion Detection/Prevention System," 2011.
[29] MITRE Corporation, "Common Attack Pattern Enumeration and Classification (CAPEC)," 2009.
[30] P. Parrend and S. Frenot, "Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform," Technical Report INRIA/RR-6231, INRIA, 2007.
[31] M. Howard, D. LeBlanc, and J. Viega, 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media, 2005.
[32] R. Bisbey II and D. Hollingworth, "Protection Analysis: Final Report," Technical Report ISI/SR-78-13, Information Sciences Inst., Univ. of Southern California, 1978.
[33] R.A. Caralli, J.F. Stevens, L.R. Young, and W.R. Wilson, "Introducing Octave Allegro: Improving the Information Security Risk Assessment Process," technical report, SEI/CMU, 2007.
[34] The OWASP Foundation, "Open Web Application Security Project (OWASP)," 2009.
[35] MITRE Corporation, "Common Weakness Enumeration (CWE)," 2009.
[36] VUPEN Security (f.k.a. FrSIRT), "Vulnerability Management and Penetration Testing," http://www.vupen.com/english, 2009.
[37] MITRE and SANS, "2009 CWE/SANS Top 25 Most Dangerous Programming Errors," http://cwe.mitre.org/top25, 2009.
[38] The OWASP Foundation, "OWASP Top Ten Web Application Vulnerabilities," OWASP Top Ten Project, 2007.
[39] G. Neuman Levine, "Defining Defects, Errors, and Service Degradations," ACM SIGSOFT Software Eng. Notes, vol. 34, no. 2, pp. 1-14, 2009.
[40] A.P. Moore, R.J. Ellison, and R.C. Linger, "Attack Modeling for Information Security and Survivability," technical report, Software Eng. Inst., Carnegie Mellon Univ., 2001.
[41] N. Gruschka, M. Jensen, R. Herkenhöner, and N. Luttenberger, "SOA and Web Services: New Technologies, New Standards - New Attacks," Proc. Fifth IEEE European Conf. Web Services (ECOWS '07), 2007.
[42] R. Abbott, J. Chin, J. Donnelley, W. Konigsford, S. Tokubo, and D. Webb, "Security Analysis and Enhancements of Computer Operating Systems (RISOS Study)," Technical Report NBSIR 76-1041, Inst. for Computer Sciences and Technology, Nat'l Bureau of Standards, 1976.
[43] C. Landwehr, A. Bull, J. McDermott, and W. Choi, "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, vol. 26, pp. 211-254, 1994.
[44] T. Aslam, "A Taxonomy of Security Faults in the Unix Operating System," PhD dissertation, Purdue Univ., Aug. 1995.
[45] T. Aslam, I. Krsul, and E.H. Spafford, "Use of a Taxonomy of Security Faults," Proc. 19th Nat'l Information Systems Security Conf., pp. 551-560, 1996.
[46] C.B. Hogan, "Protection Imperfect: The Security of Some Computing Environments," ACM SIGOPS Operating Systems Rev., vol. 22, no. 3, pp. 7-27, 1988.
[47] J.H. Saltzer and M.D. Schroeder, "The Protection of Information in Computer Systems," Proc. IEEE, vol. 63, no. 9, pp. 1278-1308, Sept. 1975.
[48] D.L. Brinkley and R.R. Schell, "What Is There to Worry About? An Introduction to the Computer Security Problem," Proc. Information Security: An Integrated Collection of Essays, pp. 11-39, 1995.
[49] F. Cohen, "Information System Attacks: A Preliminary Classification Scheme," Computers and Security, vol. 16, no. 1, pp. 29-46, 1997.
[50] U. Lindqvist and E. Jonsson, "How to Systematically Classify Computer Security Intrusions," Proc. IEEE Symp. Security and Privacy, pp. 154-163, May 1997.
[51] W. Du and A.P. Mathur, "Categorization of Software Errors that Led to Security Breaches," Proc. 21st Nat'l Information Systems Security Conf., pp. 392-407, 1997.
[52] J.D. Howard and T.A. Longstaff, "A Common Language for Computer Security Incidents," Technical Report SAND98-8667, Sandia Nat'l Laboratories, 1998.
[53] F. Piessens, B. De Decker, and B. De Win, "Developing Secure Software - A Survey and Classification of Common Software Vulnerabilities," Proc. IFIP TC11/WG11.5 Fourth Working Conf. Integrity, Internal Control and Security in Information Systems: Connecting Governance and Technology (IICIS), pp. 27-40, 2001.
[54] K. Jiwnani and M. Zelkowitz, "Maintaining Software with a Security Perspective," Proc. Int'l Conf. Software Maintenance (ICSM '02), pp. 194-203, 2002.
[55] G. Álvarez and S. Petrovic, "A New Taxonomy of Web Attacks Suitable for Efficient Encoding," Computers and Security, vol. 22, no. 5, pp. 435-449, 2003.
[56] Web Application Security Consortium, "Web Application Security Consortium Threat Classification," 2009.
[57] H. Langweg and E. Snekkenes, "A Classification of Malicious Software Attacks," Proc. IEEE Int'l Conf. Performance, Computing, and Comm. (PCC '04), 2004.
[58] J.A. Whittaker and H.H. Thompson, How to Break Software Security. Addison-Wesley, 2004.
[59] H.H. Thompson and S.G. Chase, The Software Vulnerability Guide. Charles River Media, 2005.
[60] M. Howard, D. LeBlanc, and J. Viega, 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill Osborne Media, 2009.
[61] K. Tsipenyuk, B. Chess, and G. McGraw, "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors," IEEE Security and Privacy, vol. 3, no. 6, pp. 81-84, Nov./Dec. 2005.
[62] R.C. Seacord and A.D. Householder, "A Structured Approach to Classifying Security Vulnerabilities," technical report, Software Eng. Inst., Carnegie Mellon Univ., 2005.
[63] S. Weber, P.A. Karger, and A. Paradkar, "A Software Flaw Taxonomy: Aiming Tools at Security," Proc. Workshop Software Eng. for Secure Systems, 2005.
[64] C. Vanden Berghe, J. Riordan, and F. Piessens, "A Vulnerability Taxonomy Methodology Applied to Web Services," Proc. 10th Nordic Workshop Secure IT Systems (NordSec '05), 2005.
[65] SecurityFocus, "SecurityFocus Vulnerability Database," http://www.securityfocus.com/vulnerabilities, 2009.
[66] M. Dowd, J. McDonald, and J. Schuh, The Art of Software Security Assessment. Addison-Wesley, 2007.
[67] S. Christey, "Preliminary List of Vulnerability Examples for Researchers (PLOVER)," 2006.
[68] SANS, "SANS Top 20 Security Risks," http://www.sans.org/top20, 2007.
[69] P. Parrend and S. Frénot, "Classification of Component Vulnerabilities in Java Service Oriented Programming (SOP) Platforms," Proc. Int'l Symp. Component-Based Software Eng. (CBSE '08), 2008.
[70] MITRE Corporation, "Open Vulnerability and Assessment Language (OVAL)," 2007.
[71] NIST, "National Vulnerability Database RSS Feed," http://nvd.nist.gov/download.cfm, 2008.
[72] S. Engle, S. Whalen, D. Howard, and M. Bishop, "Tree Approach to Vulnerability Classification," Technical Report CSE-2006-10, Dept. of Computer Science, Univ. of California, Davis, 2006.
[73] IBM Internet Security Systems X-Force, "Alerts and Advisories," 2009.
[74] 2009.
[75] Microsoft, "Security Bulletins," 2009.
[76] "Search Portal," 2009.
[77] SANS, "Newsletter," http://www.sans.org/newsletters, 2009.
[78] Milw0rm, 2009.
[79] Beyond Security, "SecuriTeam," 2009.
[80] H.H. Thompson, "Application Penetration Testing," IEEE Security and Privacy, pp. 66-69, Jan./Feb. 2005.
[81] H. Ray, R. Vemuri, and H. Kantubhukta, "Toward an Automated Attack Model for Red Teams," IEEE Security and Privacy, vol. 3, no. 4, pp. 18-25, July/Aug. 2005.
[82] Perl, "Perl Programming Documentation," http://perldoc.perl.org/perlsec.html, 2011.
[83] B. Livshits, "Improving Software Security with Precise Static and Runtime Analysis," PhD dissertation, Stanford Univ., Dec. 2006.
[84] O.M. Sheyner, "Scenario Graphs and Attack Graphs," PhD dissertation, School of Computer Science, Computer Science Dept., Carnegie Mellon Univ., 2004.
[85] S.J. Templeton and K. Levitt, "A Requires/Provides Model for Computer Attacks," Proc. Workshop New Security Paradigms (NSPW '00), pp. 31-38, 2000.
[86] S. Noel and S. Jajodia, "Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs," J. Network and Systems Management, vol. 16, no. 3, pp. 259-275, 2008.
[87] MITRE Corporation, "Making Security Measurable," 2009.
[88] US-CERT, "Dranzer: Vulnerability Detection in ActiveX Controls through Automated Fuzz Testing," 2009.
[89] S. Sparks, S. Embleton, R. Cunningham, and C. Zou, "Automated Vulnerability Analysis: Leveraging Control Flow for Evolutionary Input Crafting," Proc. 23rd Ann. Computer Security Applications Conf. (ACSAC '07), pp. 477-486, Dec. 2007.
[90] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha, "Towards Automatic Generation of Vulnerability-Based Signatures," Proc. IEEE Symp. Security and Privacy, pp. 2-16, 2006.
[91] B. Livshits and S. Guarnieri, "GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for Javascript Code," Technical Report MSR-TR-2009-43, Microsoft, 2009.
[92] OASIS, "Reference Model and Architecture for Service Oriented Architecture v1.0," home.php?wg_abbrev=soa-rm, 2008.
[93] D. Krafzig, K. Banke, and D. Slama, Enterprise SOA. Prentice Hall, 2004.
[94] A. Arsanjani, L.-J. Zhang, M. Ellis, A. Allam, and K. Channabasavaiah, "IBM Developer Works: Design an SOA Solution Using a Reference Architecture," works/architecture/library/ar-archtemp/index.html?S_TACT=105AGX20&S_CMP=EDU, 2007.
[95] A. Turing, "On Computable Numbers, with an Application to the Entscheidungsproblem," Proc. London Math. Soc., vol. 42, no. 7, pp. 230-265, 1936.
[96] E. Nisley, "The Halting Problem," Dr. Dobb's J., 2003.
[97] A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Henri-Gros, A. Kamsky, S. McPeak, and D. Engler, "A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World," Comm. ACM, vol. 53, no. 2, pp. 66-75, 2010.
[98] S. Höhn, J. Jürjens, L. Lowis, and R. Accorsi, "Identification of Vulnerabilities in Web Services Using Model-Based Security," Web Services Security Development and Architecture: Theoretical and Practical Issues, pp. 1-32, 2010.
[99] S. Sackmann, L. Lowis, and K. Kittel, "Selecting Services in Business Process Execution: A Risk-Based Approach," Proc. Wirtschaftsinformatik, pp. 357-366, 2009.
[100] C. Hammer, "Experiences with PDG-Based IFC," Proc. Int'l Symp. Eng. Secure Software and Systems (ESSoS '10), pp. 44-60, 2010.
[101] B.W. Lampson, "A Note on the Confinement Problem," Comm. ACM, vol. 16, no. 10, pp. 613-615, 1973.

Index Terms:
Service security and dependability, vulnerability analysis, SOA-based business processes, vulnerability classification.
Lutz Lowis, Rafael Accorsi, "Vulnerability Analysis in SOA-Based Business Processes," IEEE Transactions on Services Computing, vol. 4, no. 3, pp. 230-242, July-Sept. 2011, doi:10.1109/TSC.2010.37