Saudi cloud infrastructure: a security analysis

Abstract

Growing demand for and dependence on cloud services have brought an increasing level of threat to user data and security. Some critical web and cloud platforms have become constant targets of persistent malicious attacks that attempt to breach security protocols and gain unauthorized access to user data and information. While some of these compromises may result from insider data and access leaks, a substantial proportion is still attributed to security flaws that may exist within the core web technologies with which such critical infrastructure and services are developed. This paper explores the direct impact and significance of security in the Software Development Life Cycle (SDLC) through a case study covering some 70 public domain web and cloud platforms within Saudi Arabia. The major sources of security vulnerabilities within the target platforms, as well as the major factors that drive and influence them, are presented and discussed through experimental evaluation. The paper reports some of the core sources of security flaws within such critical infrastructure, identified using automated security auditing and manual static code analysis. The work also proposes some effective approaches, both automated and manual, through which security can be ensured throughout the SDLC and user data integrity can be safeguarded within the cloud.

Acknowledgements

This work was supported by the Ministry of Higher Education in Saudi Arabia and the National Basic Research Program of China (Grant No. 2014CB340600). Many thanks to the team from the Cluster and Grid Computing Lab at Huazhong University and the staff from the Saudi Culture Mission in China for their immense support towards this research work.

Author information

Corresponding author

Correspondence to Hai Jin.

Cite this article

Rajeh, W., Jin, H. & Zou, D. Saudi cloud infrastructure: a security analysis. Sci. China Inf. Sci. 60, 122102 (2017). https://doi.org/10.1007/s11432-016-0322-7

Keywords

  • cloud security
  • vulnerability detection
  • web security
  • Saudi infrastructure
  • cloud service