SCIENCE CHINA Information Sciences, Volume 60, Issue 12: 122102(2017) https://doi.org/10.1007/s11432-016-0322-7

Saudi cloud infrastructure: a security analysis

  • Received: Sep 18, 2016
  • Accepted: Nov 17, 2016
  • Published: Apr 1, 2017


The growing demand for and dependence upon cloud services have brought an increasing level of threat to user data and security. Some of these critical web and cloud platforms have become constant targets of persistent malicious attacks that attempt to breach security protocols and gain unauthorized access to user data and information. While some of these security compromises may result from insider data and access leaks, a substantial proportion remains attributable to security flaws within the core web technologies with which such critical infrastructure and services are developed. This paper explores the direct impact and significance of security in the Software Development Life Cycle (SDLC) through a case study that covers some 70 public domain web and cloud platforms within Saudi Arabia. Additionally, the major sources of security vulnerabilities within the target platforms, as well as the major factors that drive and influence them, are presented and discussed through experimental evaluation. The paper reports some of the core sources of security flaws within such critical infrastructure, identified through automated security auditing and manual static code analysis. The work also proposes some effective approaches, both automated and manual, through which security can be ensured throughout the SDLC and user data integrity safeguarded within the cloud.


This work was supported by Ministry of Higher Education in Saudi Arabia and National Basic Research Program of China (Grant No. 2014CB340600). Many thanks to the team from Cluster and Grid Computing Lab at Huazhong University and the staff from the Saudi Culture Mission in China for their immense support towards this research work.



  • Figure 1

    A generalized structure of cloud/web services.

  • Figure 2

    A direct setup toward vulnerability assessment.

  • Figure 3

    An indirect setup toward vulnerability assessment.

  • Figure 4

    An overall illustration of Saudi platforms vs. vulnerabilities.

  • Figure 5

    An illustration of the most vulnerable (blue) and least vulnerable (red) platforms. All values are offset by 10 points for clarity of illustration.

  • Figure 6

    A straightforward approach to security-oriented SDLC. Green components represent proposed additional operations.

  • Table 1   Operation parameters of Acunetix vulnerability scanner
    Parameter                   Details
    1. Profile                  Default
    2. Vulnerability scanner    Enabled
    3. Additional tools         a. Site crawler
                                b. Subdomain scanner
                                c. Blind SQL injection
                                d. HTTP editor
                                e. HTTP sniffer
                                f. HTTP fuzzer
                                g. Authentication tester
  • Table 2   Operation parameters of Netsparker vulnerability scanner
    Parameter                   Details
    1. Scan policy              All security checks
    2. Crawling                 Enabled
    3. Crawl properties         a. Find and follow new links
                                b. Enable crawl and attack at the same time
  • Table 3   Operation parameters of Nikto vulnerability scanner
    Parameter Details
    1. Evasion technique 147AB
    2. Pause duration 1
    3. Timeout 10
    4. Configuration profile Default
  • Table 4   An illustration of the target platforms and their associated vulnerability prevalence
    Target Vulnerability
    Primary Tgt1 102 1 55 6 3
    Tgt2 2 3 1 5 2 2
    Secondary Tgt1 4 1 3 3 1 2
    Tgt2 3 2 7 1 3 1
    Tertiary Tgt1 1 1 1
    Tgt2 1 3 2 1 7 6
    Quaternary Tgt1 2 1 1 1 3 1 2
    Tgt2 2 1 2 0 1 3 6
    Quinary Tgt1 18 1 4 3 2 1 3 10
    Tgt2 2 5 8 2 1 2
  • Table 5   The prevalence ($p$) of each security vulnerability across all target platforms
    Vulnerability $p$
    CSRF 0.6
    SQLi 0.5
    SDE 2.1
    XSS 7.6
    SM 10.3
    UCKV 0.5
    BASM 5.6
    IDOR 0.5
    URF 1.3
    MFLAC 0.6
