Abstract: This book, written by recognized authorities in the tech security world, addresses issues that affect any organization preparing to use cloud computing as an option. Cloud computing has emerged as a popular way for corporations to save money that would otherwise go into their IT infrastructure. However, along with the promise of cloud computing there has also been considerable skepticism about the type and extent of security and privacy that these services provide. Cloud Security and Privacy walks you through the steps you need to take to ensure your web applications are secure and your data is safe, and addresses regulatory issues such as audit and compliance. Ideal for IT personnel who need to deliver and maintain applications in the cloud, business managers looking to cut costs, service providers, and investors, this book provides the detailed information on cloud computing security that has been lacking, until now.

Abstract: This paper describes the design, implementation and evaluation of Native Client, a sandbox for untrusted x86 native code. Native Client aims to give browser-based applications the computational performance of native applications without compromising safety. Native Client uses software fault isolation and a secure runtime to direct system interaction and side effects through interfaces managed by Native Client. Native Client provides operating system portability for binary code while supporting performance-oriented features generally absent from web application programming environments, such as thread support, instruction set extensions such as SSE, and use of compiler intrinsics and hand-coded assembler. We combine these properties in an open architecture that encourages community review and 3rd-party tools.

Abstract: JavaScript is the main scripting language for Web browsers, and it is essential to modern Web applications. Programmers have started using it for writing complex applications, but there is still little tool support available during development. We present a static program analysis infrastructure that can infer detailed and sound type information for JavaScript programs using abstract interpretation. The analysis is designed to support the full language as defined in the ECMAScript standard, including its peculiar object model and all built-in functions. The analysis results can be used to detect common programming errors --- or rather, prove their absence, and for producing type information for program comprehension. Preliminary experiments conducted on real-life JavaScript code indicate that the approach is promising regarding analysis precision on small and medium size programs, which constitute the majority of JavaScript applications. With potential for further improvement, we propose the analysis as a foundation for building tools that can aid JavaScript programmers.

Abstract: Background: Epidemiologists and ecologists often collect data in the field and, on returning to their laboratory, enter their data into a database for further analysis. The recent introduction of mobile phones that utilise the open source Android operating system, and which include (among other features) both GPS and Google Maps, provide new opportunities for developing mobile phone applications, which in conjunction with web applications, allow two-way communication between field workers and their project databases. Methodology: Here we describe a generic framework, consisting of mobile phone software, EpiCollect, and a web application located within www.spatialepidemiology.net. Data collected by multiple field workers can be submitted by phone, together with GPS data, to a common web database and can be displayed and analysed, along with previously collected data, using Google Maps (or Google Earth). Similarly, data from the web database can be requested and displayed on the mobile phone, again using Google Maps. Data filtering options allow the display of data submitted by the individual field workers or, for example, those data within certain values of a measured variable or a time period. Conclusions: Data collection frameworks utilising mobile phones with data submission to and from central databases are widely applicable and can give a field worker similar display and analysis tools on their mobile phone that they would have if viewing the data in their laboratory via the web. We demonstrate their utility for epidemiological data collection and display, and briefly discuss their application in ecological and community data collection. Furthermore, such frameworks offer great potential for recruiting ‘citizen scientists’ to contribute data easily to central databases through their mobile phone.

Abstract: Web-based applications rely on the HTTPS protocol to guarantee privacy and security in transactions ranging from home banking, e-commerce, and e-procurement to those that deal with sensitive data such as career and identity information. Users trust this protocol to prevent unauthorized viewing of their personal, financial, and confidential information over the Web.

Abstract: A system and method for developing, deploying, managing and monitoring a web application in a single environment is disclosed herein. The single environment is preferably an integrated development environment (“IDE”). The system and method preferably allows for deployment to a cloud provider, and preferably allows for use of Web resources from multiple cloud providers. One preferred IDE is the APTANA® STUDIO IDE.

Abstract: While Web 3.0 technologies are difficult to define precisely, the outline of emerging applications has become clear over the past year. We can thus essentially view Web 3.0 as semantic Web technologies integrated into, or powering, large-scale Web applications. The base of Web 3.0 applications resides in the resource description framework (RDF) for providing a means to link data from multiple Web sites or databases. With the SPARQL query language, a SQL-like standard for querying RDF data, applications can use native graph-based RDF stores and extract RDF data from traditional databases.

Abstract: As social networking sites proliferate across the World Wide Web, complex user-created HTML content is rapidly becoming the norm rather than the exception. User-created web content is a notorious vector for cross-site scripting (XSS) attacks that target websites and confidential user data. In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest.A challenge for these security mechanisms is enabling web applications to accept complex HTML input from users, while disallowing malicious script content. This challenge is made difficult by anomalous web browser behaviors, which are often used as vectors for successful XSS attacks.Motivated by this problem, we present a new XSS defense strategy designed to be effective in widely deployed existing web browsers, despite anomalous browser behavior. Our approach seeks to minimize trust placed on browsers for interpreting untrusted content. We implemented this approach in a tool called Blueprint that was integrated with several popular web applications. We evaluated Blueprint against a barrage of stress tests that demonstrate strong resistance to attacks, excellent compatibility with web browsers and reasonable performance overheads.

Abstract: A software quality model acts as a framework for the evaluation of attributes of an application that contribute to the software quality. In this paper, a quality model is presented for evaluation of B2B applications. First, the most well-known quality models are studied, and reasons for using ISO 9126 quality model as the basis are discussed. This model, then, is customized in accordance with special characteristics of B2B applications. The customization is done by extracting the quality factors from web applications and B2B e-commerce applications, weighting these factors from the viewpoints of both developers and end users, and adding them to the model. Finally, as a case study, ISACO portal is evaluated by the proposed model.

Abstract: Much is said about the advantages and risks of cloud computing, but how do you actually create a web application for this environment or migrate existing applications to it? With this book, you'll learn the programming and system administration skills necessary to build and support applications in the cloud, using transactional apps for customer orders and payments as a practical example If you're involved in planning IT infrastructure as a network or system architect, system administrator, or developer, this book will help you adapt your skills to work with the highly scalable, highly redundant infrastructure services offered by Amazon and other providers With Cloud Application Architectures, you will: Understand the differences between traditional deployment and cloud computing in areas such as reliability, security, and the ability to predict load and capacity Determine whether moving existing applications to the cloud makes technical and business sense Build a transactional web application and set up virtual servers to support it Learn how the cloud helps you better prepare for disaster recovery See how cloud computing changes your perspective on application scaling Cloud Application Architectures provides best practices that apply to every available cloud service Learn how to make the transition to the cloud and prepare your web applications to succeed

Abstract: Resin is a new language runtime that helps prevent security vulnerabilities, by allowing programmers to specify application-level data flow assertions. Resin provides policy objects, which programmers use to specify assertion code and metadata; data tracking, which allows programmers to associate assertions with application data, and to keep track of assertions as the data flow through the application; and filter objects, which programmers use to define data flow boundaries at which assertions are checked. Resin's runtime checks data flow assertions by propagating policy objects along with data, as that data moves through the application, and then invoking filter objects when data crosses a data flow boundary, such as when writing data to the network or a file.Using Resin, Web application programmers can prevent a range of problems, from SQL injection and cross-site scripting, to inadvertent password disclosure and missing access control checks. Adding a Resin assertion to an application requires few changes to the existing application code, and an assertion can reuse existing code and data structures. For instance, 23 lines of code detect and prevent three previously-unknown missing access control vulnerabilities in phpBB, a popular Web forum application. Other assertions comprising tens of lines of code prevent a range of vulnerabilities in Python and PHP applications. A prototype of Resin incurs a 33% CPU overhead running the HotCRP conference management application.

Abstract: Cross-site scripting (or XSS) has been the most dominant class of web vulnerabilities in 2007. The main underlying reason for XSS vulnerabilities is that web markup and client-side languages do not provide principled mechanisms to ensure secure, ground-up isolation of user-generated data in web application code. In this paper, we develop a new approach that combines randomization of web application code and runtime tracking of untrusted data both on the server and the browser to combat XSS attacks. Our technique ensures a fundamental integrity property that prevents untrusted data from altering the structure of trusted code throughout the execution lifetime of the web application. We call this property document structure integrity (or DSI). Similar to prepared statements in SQL, DSI enforcement ensures automatic syntactic isolation of inline usergenerated data at the parser-level. This forms the basis for confinement of untrusted data in the web browser based on a server-specified policy. We propose a client-server architecture that enforces document structure integrity in a way that can be implemented in current browsers with a minimal impact to compatibility and that requires minimal effort from the web developer. We implemented a proof-of-concept and demonstrated that such DSI enforcement with a simple default policy is sufficient to defeat over 98% of 5,328 real-world reflected XSS vulnerabilities documented in 2007, with very low performance overhead both on the client and server.

Abstract: Cross-site scripting (XSS) vulnerabilities are among the most common and serious web application vulnerabilities. Eliminating XSS is challenging because it is difficult for web applications to sanitize all user inputs appropriately. We present Noncespaces, a technique that enables web clients to distinguish between trusted and untrusted content to prevent exploitation of XSS vulnerabilities. Using Noncespaces, a web application randomizes the XML namespace prefixes of tags in each document before delivering it to the client. As long as the attacker is unable to predict the randomized prefixes, the client can distinguish between trusted content created by the web application and untrusted content provided by an attacker. To implement Noncespaces with minimal changes to web applications, we leverage a popular web application architecture to automatically apply Noncespaces to static content processed through a popular PHP template engine. We show that with simple policies Noncespaces thwarts popular XSS attack vectors.

Abstract: In embodiments, the present invention may be a computer program product embodied in a computer readable medium that, when executing on one or more computers, may select a software application for monitoring, where the selection may be based at least in part on the basis that the software application controls confidential information, and where the software application may be an end-point application, a web application, a cloud application, and the like. The present invention may monitor the software application by determining an output data quantity that may be written from the software application. The output data may then be compared with a predetermined quantity, where the predetermined quantity may be indicative of confidential information being written from the software application.

Abstract: This latest edition of The Definitive Guide to Django is updated for Django 1.1, and, with the forwardcompatibility guarantee that Django now provides, should serve as the ultimate tutorial and reference for this popular framework for years to come. Django, the Pythonbased equivalent to Rubys Rails web development framework, is one of the hottest topics in web development today. Lead developer Jacob KaplanMoss and Django creator Adrian Holovaty show you how they use this framework to create awardwinning web sites by guiding you through the creation of a web application reminiscent of www.chicagocrime.org. Django: Web Development Done Right is broken into three parts, with the first introducing Django fundamentals such as installation and configuration, and creating the components that together power a Djangodriven web site. The second part delves into the more sophisticated features of Django, including outputting nonHTML content such as RSS feeds and PDFs, caching, and user management. The appendixes serve as a detailed reference to Djangos many configuration options and commands. What youll learn The first half of this book explains in depth how to build web applications using Django including the basics of dynamic web pages, the Django templating system interacting with databases, and web forms. The second half of this book discusses higher-level concepts such as caching, security, and how to deploy Django. The appendixes form a reference for the commands and configurations available in Django. Who is this book for? Anyone who wants to use the powerful Django framework to build dynamic web sites quickly and easily

Abstract: Understanding the structure and evolution of web-based user-object networks is a significant task since they play a crucial role in e-commerce nowadays. This Letter reports the empirical analysis on two large-scale web sites, audioscrobbler.com and del.icio.us, where users are connected with music groups and bookmarks, respectively. The degree distributions and degree-degree correlations for both users and objects are reported. We propose a new index, named collaborative clustering coefficient, to quantify the clustering behavior based on the collaborative selection. Accordingly, the clustering properties and clustering-degree correlations are investigated. We report some novel phenomena well characterizing the selection mechanism of web users and outline the relevance of these phenomena to the information recommendation problem.

Abstract: Methods and systems for electronic financial management integrate many aspects of the typical banking system with exciting educational and social tools to engage users to participate in and learn about the value of fiscal management. A web application for a network site may be employed to allow users to establish accounts. Joint accounts may be established for teens or other users without the capacity or experience to independently manage money, providing custodians control over the joint account and opportunities to interactively engage the user via effective fiscal management tools. Aspects of the methods and systems for financial management may provide interactive opportunities for users to, for example, manage money, set goals, track finances, pay bills, shop savvy, solicit advice from friends and family, and obtain answers to financial questions. Web applications may provide users mobile and on line access to financial information, financial management tools, and vendor products and services.

Abstract: Information integration, application integration and component-based software development have been among the most important research areas for decades The last years have been characterized by a particular focus on web services, the very recent years by the advent of web mashups, a new and user-centric form of integration on the Web However, while service composition approaches lack support for user interfaces, web mashups still lack well engineered development approaches and mature technological foundations In this paper, we aim to overcome both these shortcomings and propose what we call a universal composition approach that naturally brings together data and application services with user interfaces We propose a unified component model and a universal, event-based composition model, both able to abstract from low-level implementation details and technology specifics Via the mashArt platform, we then provide universal composition as a service in form of an easy-to-use graphical development tool equipped with an execution environment for fast deployment and execution of composite Web applications

Abstract: In recent years, there is a growing need for computer technology to be used in a real school environment and/or higher education classrooms. However, educational software has often been criticized as it has not been specifically designed to meet the needs of real classrooms. In this study, we have tried to develop the system, what we have called as ''ZOSMAT'' that will respond almost every needs of a real classroom. ZOSMAT can be used for the purpose of either individual learning or real classroom environment with the guidance of a human tutor during a formal education process. This characteristic of ZOSMAT distinguishes itself from other intelligent tutoring systems. ZOSMAT follows a student in each stage of the learning process and guides him/her about what he/she will need to do. ZOSMAT with a web-based feature presents an equal opportunity of education for both the student in the classroom and the student in the far end of the world. This system is a student-centered one and the progress in student's learning process depends on his/her effort.

Abstract: Tools and techniques are described for web-based multiuser collaboration. These tools may provide methods that enable users to collaborate remotely on documents using respective browsers. These methods may send representations of portions of a given document to the browsers, and associate portions of the documents with particular users. The browsers may receive representations of commands as provided by the users, and may determine whether to execute the commands at the browser. The methods may also include receiving from the browsers revisions to the portions of the document, and storing these portions of the document in storage areas that are configured for storing content that has changed relatively recently.

Abstract: With the gradual adoption of “Web 2.0” technologies, one of key Web 2.0 technologies, blog, has become a popular and wide-accepted Web application. Although mobile device users can access the Web whenever or wherever the need arises, there is not an easy way to publish their thoughts and experiences via blog articles. In this study, we offer a solution by designing a mobile blogging system which enables mobile bloggers to publish their comments in authentic context anytime and anywhere. We show that with the help of the mobile blogging system, we can establish a collaborative learning model for students in virtual classrooms. The results revealed from the learning outcome are positive and encouraging regarding the effectiveness of the supported collaborative learning model. In the conclusions, we discuss the findings and applications of the proposed system in collaborative learning.

Abstract: WikiPathways is a platform for creating, updating, and sharing biological pathways [1] Pathways can be edited and downloaded using the wiki-style website Here we present a SOAP web service that provides programmatic access to WikiPathways that is complementary to the website We describe the functionality that this web service offers and discuss several use cases in detail Exposing WikiPathways through a web service opens up new ways of utilizing pathway information and assisting the community curation process

Abstract: The purpose of Twitter API: Up and Running is to provide an introduction to using the Twitter API--the means to get at the rich Twitter data--to build web applications. This book has three main parts: an overview of the Twitter ecosystem and culture; background information on the languages and environment you need to create your applications; and working code for a suite of sample applications meant to get you started on your programming adventure. As Twitter lowers barriers to publication through its simplicity, so this book will provide easy access to the skills and resources you'll need to build web applications for its API. From Author Kevin Makice One of the strengths of Twitter is its flexibility. Every information stream is unique and can be customized in the way that best fits the individual at that moment. Are you getting too much information? Unfollow some people. Do you not have time to tweet? Dont. Want to chat with your two best buds for an hour and chase away all your other followers? Feel free. Because of this versatility, there are no universal rules for how to behave on Twitter; each user can control his own experience. Meet the Sample Apps This small suite of sample web applications is offered to you as a way to illustrate use of the Twitter API, the collection of web service methods that bring Twitter data into third-party programming. These applications explore some common reasons to access the API: Administration Tool A master account is needed to do things like send direct messages and conduct data mining on the backend. Unlike most of the user-driven tools, the master account must be available even when the account holder (you) isnt around to log in. This simple tool allows the master accounts password to be saved to the database in a safe way. Only you will use this tool. In fact, without knowing the password attached to the master Twitter account, others shouldnt be able to do anything with this application. Tweet Publisher This application is a straightforward status updater. To publish to your own timeline, enter your Twitter account information and a short 140-character message. After doing so, you will see a link to the new tweet. Auto Tweet Each member account can be associated with a single RSS or Atom feed, from which a new tweet will be automatically generated. There is an automated task associated with this application that checks each registered feed for new content in six-hour cycles and posts the most recent article. Tweet Broadcast This is an aggregation tool, where you can collect daily tweets from a handful of other Twitter members into a single RSS item. An RSS feed is generated that contains information for up to 20 days of activity, collected by an automated task that checks for new tweets once a day. Each member account can have one aggregation feed. Tweet Alert Tracking tweets based on keywords is made easy with the Twitter search API. Each member can list a few keywords in Tweet Alert and receive a notification when any of those terms appears in a public tweet. The content scans are performed every 15 minutes. If a match is foundand the member is following your master Twitter accounta direct message is sent to that member with a link to the search results. Network Viewer Probably the most useful among the suite of tools, this web application allows Twitter members to see the profile images of all the people theyre following. Private accounts are outlined in red, and (in most modern browsers) mousing over each picture reveals additional detail about that member.

Abstract: Cross-site scripting defenses often focus on HTML documents, neglecting attacks involving the browser's content-sniffing algorithm, which can treat non-HTML content as HTML. Web applications, such as the one that manages this conference, must defend themselves against these attacks or risk authors uploading malicious papers that automatically submit stellar self-reviews. In this paper, we formulate content-sniffing XSS attacks and defenses. We study content-sniffing XSS attacks systematically by constructing high-fidelity models of the content-sniffing algorithms used by four major browsers. We compare these models with Web site content filtering policies to construct attacks. To defend against these attacks, we propose and implement a principled content-sniffing algorithm that provides security while maintaining compatibility. Our principles have been adopted, in part, by Internet Explorer 8 and, in full, by Google Chrome and the HTML 5 working group.

Abstract: With the increase of the number of food images on the Internet, we have been developing a food-logging system which has an automated analysis function as a Web application. It can distinguish food images from other images, analyze the food balance, and visualize the log. In this paper, we demonstrate how the performance can be improved by the personalized models. Because our Web application has an interface to review and correct the food analysis results, the generation of the personalized models can be done on-line. Experimental results using two hundred images showed that the extracted image feature vectors differ from user to user but on the other hand the feature vectors and the food balance of each user have a strong correlation. Therefore, the accuracy of the food balance estimation was improved from 37% to 42% on average by the personalized classifier.

Abstract: A mashup is a Web application that integrates data, computation and UI elements provided by several components into a single tool. The concept originated from the understanding that there is an increasing number of applications available on the Web and a growing need to combine them in order to meet user requirements. This paper presents MatchUp, a system that supports rapid, on-demand, intuitive development of mashups, based on a novel autocompletion mechanism. The key observation guiding the development of MatchUp is that mashups developed by different users typically share common characteristics; they use similar classes of mashup components and glue them together in a similar manner. MatchUp exploits these similarities to recommend useful completions (missing components and connections between them) for a user's partial mashup specification. The user is presented with a ranking of the recommendations from which she can choose and refine according to her needs. This paper presents the data model and ranking metric underlying our novel autocompletion mechanism. It introduces an efficient top-k ranking algorithm that is at the core of the MatchUp system and that is formally proved to be optimal in some natural sense. We also experimentally demonstrate the efficiency of our algorithm and the effectiveness of our proposal for rapid mashup construction.