End-to-End Web Application Security
Authors
Abstract
Web applications are important, ubiquitous distributed systems whose current security relies primarily on server-side mechanisms. This paper makes the end-to-end argument that the client and server must collaborate to achieve security goals, to eliminate common security exploits, and to secure the emerging class of rich, cross-domain Web applications referred to as Web 2.0. In order to support end-to-end security, Web clients must be enhanced. We introduce Mutation-Event Transforms: an easy-to-use client-side mechanism that can enforce even fine-grained, application-specific security policies, and whose implementation requires only straightforward changes to existing Web browsers. We give numerous examples of attractive, new security policies that demonstrate the advantages of end-to-end Web application security and of our proposed mechanism.
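As an added illustration of the abstract's point, not code from the paper and not its Mutation-Event Transform implementation, the Node.js script below models a fine-grained client-side policy applied at the moment content is inserted into the page: each insertion is examined and either allowed, sanitized, or dropped before it takes effect. Real DOM nodes are replaced by plain objects so the script runs offline; the script-source allowlist, the three policy rules, and the `origin` tag on each mutation record (which path in the application produced the insertion) are assumptions made for the example.

```javascript
// Added example, not the paper's code. Models a client-side policy enforced
// on DOM insertions, using plain objects in place of real DOM nodes so it
// runs under Node.js without a browser.

// Assumed policy value: only scripts fetched from this prefix are permitted.
const SCRIPT_SRC_ALLOWLIST = ['https://static.example.com/'];

// Minimal element model standing in for a DOM Element.
function makeEl(tag, attrs = {}, children = []) {
  return { tag: tag.toLowerCase(), attrs: { ...attrs }, children: [...children] };
}

function isAllowedScriptSrc(src) {
  return typeof src === 'string' &&
    SCRIPT_SRC_ALLOWLIST.some(prefix => src.startsWith(prefix));
}

// Transform one inserted subtree according to the policy.
// origin: 'trusted' (application's own code path) or 'untrusted' (assumed
// to be supplied by the host when the mutation is reported).
// Returns { node: transformed node, or null if dropped; reasons: log lines }.
function transformInsertedNode(node, origin, reasons = []) {
  // Rule 1: scripts are kept only when inserted by the trusted path with an
  // allowlisted src; inline scripts and foreign sources are dropped outright.
  if (node.tag === 'script') {
    if (origin !== 'trusted' || !isAllowedScriptSrc(node.attrs.src)) {
      reasons.push(`drop script src=${node.attrs.src ?? '(inline)'} from ${origin}`);
      return { node: null, reasons };
    }
    return { node, reasons };
  }

  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    const lname = name.toLowerCase();
    // Rule 2: untrusted content may not carry inline event handlers.
    if (origin !== 'trusted' && lname.startsWith('on')) {
      reasons.push(`strip ${lname} on <${node.tag}>`);
      continue;
    }
    // Rule 3: javascript: URLs are never allowed in URL-bearing attributes,
    // regardless of origin; whitespace and case tricks are normalised away.
    const normalised = String(value).toLowerCase().replace(/\s+/g, '');
    if (['href', 'src', 'action', 'formaction'].includes(lname) &&
        normalised.startsWith('javascript:')) {
      reasons.push(`strip ${lname}=javascript: on <${node.tag}>`);
      continue;
    }
    attrs[name] = value;
  }

  // Children are transformed under the same origin as their parent.
  const children = [];
  for (const child of node.children) {
    const r = transformInsertedNode(child, origin, reasons);
    if (r.node) children.push(r.node);
  }
  return { node: { tag: node.tag, attrs, children }, reasons };
}

// Apply the transform to a batch of records shaped like MutationObserver
// childList records, each carrying the assumed `origin` tag.
function enforceMutations(records) {
  const kept = [];
  const reasons = [];
  for (const rec of records) {
    if (rec.type !== 'childList') continue;
    for (const n of rec.addedNodes) {
      const r = transformInsertedNode(n, rec.origin, reasons);
      if (r.node) kept.push(r.node);
    }
  }
  return { kept, reasons };
}

// Constructed sample records for the demonstration (not real page data).
const sampleRecords = [
  { type: 'childList', origin: 'trusted',
    addedNodes: [makeEl('script', { src: 'https://static.example.com/app.js' })] },
  { type: 'childList', origin: 'untrusted',
    addedNodes: [
      makeEl('script', { src: 'https://evil.invalid/x.js' }),
      makeEl('div', { onclick: 'steal()' }, [
        makeEl('a', { href: ' JavaScript:alert(1)', title: 'ok' }),
      ]),
    ] },
];

function runSample() {
  return enforceMutations(sampleRecords);
}

if (typeof require !== 'undefined' && require.main === module) {
  const { kept, reasons } = runSample();
  console.log(JSON.stringify(kept, null, 2));
  console.log(reasons.join('\n'));
}
```

The point the model makes is the one the abstract argues: because the check runs in the client at the moment the DOM changes, the policy can distinguish which code path produced an insertion and react to it with application-specific rules that a server-side filter cannot express.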
Similar resources
On Estimating the Security Risks of Composite Software Services
With the rapid adoption of the Service Oriented Architecture (SOA), sophisticated software systems are increasingly built by composing coarse-grained service components offered by different organizations through standard web service interfaces. The ability to quantify end-to-end security risks of composite software services is extremely valuable to businesses that increasingly rely on web appli...
SIF: Enforcing Confidentiality and Integrity in Web Applications
SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. I...
Middleware Support for Complex and Distributed Security Services in Multi-tier Web Applications
The security requirements of complex multi-tier web applications have shifted from simple localized needs, such as authentication or authorization, to physically distributed but actually aggregated services, such as end-to-end data protection, non-repudiation or patient consent management. Currently, there is no support for integrating complex security services in web architectures, nor are app...
Master's Thesis: End-To-End Application Security Using Trusted Computing
This thesis describes the implementation of Trusted Computing in end-to-end application security. It focuses on the services that are provided by application layer protocols in end-to-end communication. There are many security issues related to application layer protocols and some of these are explored. Application layer firewalls are often used to protect against these security issues. Unfortun...
Integrated Transport Layer Security: End-to-End Security Model between WTLS and TLS
WAP is a set of protocols that optimizes standard TCP/IP/HTTP/HTML protocols, for use under the low bandwidth, high latency conditions often found in wireless networks. But, end-to-end security is not supported unless a WAP gateway is operated by the content provider. We propose ITLS mechanism to solve the WAP security problem. The goal of ITLS is to prohibit the WAP gateway from having the pla...