Software-as-a-Service (SaaS) is typically defined as a rental model for using a complex software product, running on a centralized computing platform, through a thin client (most frequently a web browser). As such, it is one of the major categories of Cloud Computing, besides IaaS and PaaS. While there are many economic benefits in using SaaS, each company must nevertheless enforce control over its own data processed in the Cloud. One of the most important building blocks of such an enforcement scheme is Identity Management (IdM), for which the industry standard is SAML, the Security Assertion Markup Language. In this paper, we study the security of the SAML implementations of 22 SaaS Cloud Providers (SaaS-CPs) and show that 90% of them can be broken, resulting in company data exposure to attackers on the Internet. The detected vulnerabilities are exploited by a wide variety of attack techniques, ranging from classical web attacks to problems specific to XML processing.
The properties of hot-dip galvanised and electroplated zinc coatings on steel have been widely studied, but the corrosion mechanisms of zinc flake coatings have not yet been investigated in similar detail. Here, we investigate the protective effect of inorganic lamellar zinc coatings, comparing the metallic dissolution rates of different zinc, aluminium and alloyed flakes using an inductively coupled plasma mass spectrometry (ICP-MS) flow cell. These experiments were carried out on both intact and predamaged coatings with different electrolytes. Data were also compared to accelerated laboratory corrosion tests and outdoor weathering results. The chloride concentration, and its effect on the passive oxide film, appears to be a key aspect moderating the dissolution rate and hence sacrificial zinc dissolution under various conditions. The complementary use of accelerated tests and ICP-MS flow cell analysis provides new insights into both the influence of the corrosive environment and the impact of the zinc flake (alloy) used. Based on this approach, tailored coating solutions using zinc flake coatings can be developed.
Several European countries are currently introducing highly sophisticated eID functionality in their national identity cards. This functionality typically has no direct relation to web security standards, but will be integrated with web technologies to enable browser-based access to critical resources. Combining eID protocols and web standards like TLS in a secure way proves extremely challenging: the security of many of the proposed systems boils down to HTTP session cookies and TLS server certificates. Therefore, the overall security is not improved and does not justify the additional costs. In this paper, we investigate this security challenge for the German national identity card and its eID functionality. We show that the solution currently standardized by the German government does not offer any additional security, by giving an in-depth analysis of the complete software system. We discuss several possible paths to an enhanced solution based on TLS channel bindings. Finally, we describe a system setup based on the SAML Holder-of-Key Web Browser Profile, which also mitigates interoperability problems.