Abstract

With the maturity of service-oriented architecture (SOA), microservices architecture, and Web technologies, web services have become critical components of Software as a Service (SaaS) applications in cloud ecosystem environments. Although these technologies promise impressive benefits, they expose SaaS applications to novel as well as prevalent attack vectors. This security risk is further magnified by the loss of control and lack of security enforcement over sensitive data manipulated by SaaS applications. We present our solution, Security Diagnosis as a Service (SDaaS), to analyze the security status of SaaS applications and detect potential information flow vulnerabilities. We evaluate the detection accuracy, performance, and scalability of our framework. The experiments are conducted over benchmark applications for assessing vulnerability detection tools and services. We contrast our solution with several tools comprising static code analyzers, penetration testers, and an anomaly detector. The experiments show that the framework is a viable solution to protect against data integrity and confidentiality violations. The evaluation results demonstrate that SDaaS reveals information flow vulnerabilities not only with high accuracy, performance, and scalability, but also with a lightweight footprint on resource utilization.
