Saudi cloud infrastructure: a security analysis

The growing demand for, and dependence upon, cloud services has brought an increasing level of threat to user data and security. Some such critical web and cloud platforms have become constant targets for persistent malicious attacks that attempt to bypass security controls and gain unauthorized access to user data and information. While some of these security compromises result from insider data and access leaks, a substantial proportion continues to be attributed to security flaws in the core web technologies with which such critical infrastructure and services are built. This paper explores the direct impact and significance of security in the Software Development Life Cycle (SDLC) through a case study covering some 70 public domain web and cloud platforms within Saudi Arabia. The major sources of security vulnerabilities in the target platforms, as well as the major factors that drive and influence them, are presented and discussed through experimental evaluation. The paper reports some of the core sources of security flaws in such critical infrastructure, identified using automated security auditing and manual static code analysis. The work also proposes effective approaches, both automated and manual, through which security can be ensured throughout the SDLC and the integrity of user data safeguarded within the cloud.
