Detection of the Security Vulnerabilities in Web Applications
Article · January 2009
Informatica Economică vol. 13, no. 1/2009
Detection of the Security Vulnerabilities in Web Applications
Marius POPA
Economic Informatics Department,
Academy of Economic Studies, Bucharest, Romania
marius.popa@ase.ro
Contemporary organizations develop their business processes in a very complex environment. IT&C technologies are used by organizations to improve their competitive advantages. But IT&C technologies are not perfect: they are developed in an iterative process and their quality is the result of the lifecycle activities. Audit and evaluation processes are required by the increased complexity of the business processes supported by IT&C technologies. In order to organize and develop a high-quality audit process, the evaluation team must analyze the risks, threats and vulnerabilities of the information system. The paper highlights the security vulnerabilities in web applications and the processes of their detection. Web applications are used as IT&C tools to support distributed information processes; they are a major component of distributed information systems. The audit and evaluation processes are carried out in accordance with the international standards developed for information system security assurance.
Keywords: security, vulnerability, web application, audit.
1 Information Systems
A system represents a set of dependent elements forming a single unitary entity. A particular type of system is the economic one, which defines economic components and mechanisms such as a company, an industry, a field of the national economy and so on. Even the national and worldwide economies can be seen, at a global economic level, as complex economic systems [16].
An economic system receives an input of production factors. This input is processed and an output is provided in the shape of products and services delivered to the market. The accurate transformation of the input into output is ensured by a feedback loop, figure 1.
Fig. 1. Economic System (input, transformation process, output, closed by a feedback loop)
The transformation process takes place in a dynamic way that makes the system progress along a specific route. The state of the system describes the system's degree of evolution.
A system can be defined by the following elements:
- inputs;
- outputs;
- transformation process;
- system structure and its state.
A complex economic system is made of the following components, figure 2:
- decision system;
- operating system;
- information system.
The decision system is composed of specialists who use specific methods and techniques to plan, forecast, decide, organize, coordinate and control the functioning of the operating system in order to successfully achieve its goals.
The operating system represents the technical and functional mechanisms together with the human, material and financial resources used to achieve the objectives determined by the decisions transmitted from the decision system level.
In [4] many definitions of the informational system and the informatics system are presented:
- the informational system represents the dynamic side of the managerial system, making the link between the leading system and the led system inside the firm, and also between the firm and the business environment; the information system allows comprehension of the past and present situation of the organization and the forecasts of its evolution, contributing to the elaboration and fulfillment of the objectives; through the system, the information necessary for conceiving and implementing the decision is obtained, and also the information necessary for the company system to adapt to internal and external changes;
- the informational system represents an ordered aggregate of information related to the activity, to the utilization of resources and to the performance of the organization, allowing optimization of the business administration;
- the economic informational system is a technical-organizational aggregate for conceiving and obtaining the information necessary for substantiating decisions in the management of economic activities;
- the informatics system is the part of the informational system that utilizes automatic methods and means for data collecting, transmission, storage and processing, and also for information capitalization in the organization's management process;
- the informatics system is any combination of work practices, information, people and information technology, organized in order to fulfill the organization's purpose;
- the informatics system is an application of information and communication technology which responds to a defined need;
- the informatics system is a system that utilizes formalized procedures in order to provide the right information to all the management levels and to all the function levels; the information is based on internal and external sources in order to allow the decisions for planning, leadership and activity control to be taken quickly and effectively;
- the informatics system includes people, computers, applications and the interaction between them, within an environment which includes the working space and the physical, social and organizational medium;
- the informatics system is an aggregate of automatic means for information collection, production, storage, transmission and dissemination.
The information system resides in all the informational flows and circuits and in all the methods and techniques used to process the data needed by the decision system. The information system is the middle layer between the decision and operating systems, and the communication between these layers is made in all possible directions. Thus, the information system processes and transmits data from the decision system to the operating system. Also, it records, processes and transmits the information from the operating system to the decision system.
Fig. 2. The components of an economic system (decision system, information system and operating system, linked by flows of objectives, reports, decisions, information, resources, and services and goods)
We can conclude that the information system manages all the information existing at the economic system level by using specific methods and techniques.
The information technology system is a component of the information system that is in charge of collecting, processing, transmitting, storing and presenting the data by using computing systems. In other words, it is responsible for the automatic processing of the data by using various methods and techniques.
The resources involved in an information technology system can be divided into the following groups:
- the activity that is the subject of the system and the primary data from inside it;
- the methods and techniques used to develop the IT system;
- the hardware that is involved in collecting, processing, transmitting, storing and presenting the final results;
- the software applications, which are responsible for the efficient use of the hardware resources by finding the solutions for the specific problems;
- the human resources, which are very important for the health of the system.
The automatic data processing covers the collecting, transmitting, processing and storing operations:
- collecting data – takes place at the location where the primary data are generated. All the collected elements are stored in a proper manner to be used in automatic processing;
- processing data – the primary data are transformed into final results by following a predefined sequence of operations adapted to the user requirements, hardware specifications and processing technique;
- transmitting data – from the primary locations to the automatic processing systems. Also, it is responsible for delivering the final results to the consumers;
- storing data – is responsible for data archiving on a specific medium so that the content can be accessed and processed in the future.
Nowadays, computer networks are extensively used as hardware support and database management systems are widely exploited as the software component of the IT system. The rapid growth of the Internet made possible the use of distributed database systems to manage the resources inside large organizations.
Information systems are complex structures and they suppose the development of the following activities in order to accomplish them [7]:
- allocation of important financial resources;
- building a complex and stable team formed by analysts, designers, programmers and personnel;
- establishment of objectives;
- definition of a strategy for development, exploitation and maintenance;
- acquisition of the equipment and tools necessary for processing, connections and external flow development;
- human resource training for a correct and efficient use of the system.
An information system is a system, automated or manual, that comprises people, machines, and/or methods organized to collect, process, transmit, and disseminate data that represent user information [19].
Another statement defines the information system as any telecommunications and computer related equipment, interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data, and includes software, firmware, and hardware [2].
In computer security, an information system is described by the following objects:
- repositories, which hold data permanently or temporarily;
- interfaces, which exchange information with the non-digital world;
- channels, which connect repositories;
- services, which provide value;
- messages, which carry a meaning.
The repositories, interfaces and channels represent the structure, and the services and messages represent the behavior of the information system.
In [7], the information system is defined as a set of hardware and software components interconnected in networks, together with the organizational and administrative framework in which these components are working. The interconnection of these components is made on two levels:
- the physical one – it supposes the connection of the equipment through different devices in order to build the system;
- the functional one – it is made on the software level so as to assure the system functionality through the collaboration of software modules.
The objective of the development and implementation of an information system is to process, to transfer and to store information.
An information system includes hardware, software, information, data, applications, communications, and people. The security assurance of the information system assumes the development of the following engineering activities for information system security:
- discovering the information protection needs;
- defining the system security requirements;
- designing the system security architecture;
- developing the detailed security design;
- applying the system security;
- assessing the effectiveness of the information protection.
A special kind of information system is Enterprise Resource Planning – ERP. An ERP is a back office system that uses various software and hardware computer components in order to integrate all the processes and data of a company in a single unified system. Due to these facts, an ERP system provides benefits in terms of standardization and lower maintenance costs, and it does not need external interfaces between components at all, [15].
All the components of an ERP system use a single database to store data and run queries for all the applications. Nowadays, the monolithic ERP systems of the beginning are becoming component-oriented, using different architectures.
In software engineering, a web application is a software application that is accessed through a web browser over a computer network such as the Internet or an intranet. The web application is coded in a language understood by the web browser, such as HTML, Java, JavaScript, ASP, PHP etc.
There are some projects developed to document and avoid the security problems of web applications. Such projects are WASC – Web Application Security Consortium and OWASP – Open Web Application Security Project. Specialized software for detecting security problems in web applications is the web application security scanner. This kind of software is an automated tool to check web applications for security problems.
The aim of information system security compliance is to assure the protection of the physical and logical components and of the data stored in the system against the threats that exploit the vulnerabilities of the system, [17].
2. Security Vulnerabilities
Information systems are complex constructions developed for resolving the problems in companies that result from the business relationships with third parties: clients, suppliers and partners.
The audit is the process through which a person or a group of persons, independent and qualified, called the auditor, makes an objective evaluation of the informatics system, usually in relation to a standard or a proposed objective. There is also the internal audit process, by which continuous conformity with the internal standards is ensured, [3], [5], [6], [8].
During an audit mission of an informatics system, the most frequent operations are verification, evaluation and testing of the informational means, thus [3]:
- risk identification and evaluation in the system;
- control evaluation and testing in the system;
- physical verification and evaluation of the informational environment;
- verification and evaluation of the informatics system administration;
- verification and evaluation of informatics applications;
- verification and evaluation of the computer network security;
- verification and evaluation of the disaster recovery plans and procedures and the business continuity plans and procedures;
- data integrity testing.
In [7], [9], [18], [10], [11], [12], the informatics audit is presented as a broad domain which includes all the auditing activities for: specifications, projects, software, databases, specific processes from the life cycle of a program, of an informatics application, of a management informatics system and of a portal of maximum complexity, associated with a virtual organization.
The informatics system audit developed as a result of the penetration of technological systems into most financial and accounting operations. At the beginning, it was about copying the manual operations, the inputs and outputs being audited. The next achievements in technological systems, programming languages, programming techniques and data management systems determined a big change of conception. Thus, the auditing is made through the computer.
The security of web applications is compromised when web applications holding sensitive customer and business data are targeted. In many cases, organization management levels decided to purchase and deploy software that did not meet the security requirements.
All organizations are exposed to risk from insecure web applications if they deploy applications running on the Internet. A weak web application security results from a significant control deficiency of compliance with laws, regulations and policies applicable to the organization and its data.
The security vulnerabilities of web applications are classified in the following categories [1], [14]:
- Cross Site Scripting (XSS);
- Injection Flaws;
- Malicious File Execution;
- Insecure Direct Object Reference;
- Cross Site Request Forgery (CSRF);
- Information Leakage and Improper Error Handling;
- Broken Authentication and Session Management;
- Insecure Cryptographic Storage;
- Insecure Communications;
- Failure to Restrict URL Access;
- Application Runtime Configuration;
- Buffer Overflows/Native Code;
- Web Services;
- Malicious Code;
- Custom Cookies/Hidden Fields.
The most common tools for the application security environment in an organization are:
- Web Application Firewalls (WAF);
- Web Application Scanners (WAS);
- Source Code Analyzers (SCA).
The organization can use each tool to eliminate the security threats to data through applications. Each organization can mix the above tools to address the critical threats in the way that makes sense for its business processes.
Cross Site Scripting (XSS). It is the most predominant attack against web applications. It is relatively easy to implement. The browser executes client-side scripting code controlled by the attacker. The goal of an XSS attack is to hijack the user's application session and/or perform a phishing attack.
Injection Flaws. It is one of the predominant attacks carried out against web applications. The web application takes in data and treats this data as a form of code. The attacker "injects" his malicious code when data is passed to the web application. The malicious code is executed and the attacker achieves his aim. The aim is to obtain or destroy the private data. There are many types of injection flaws. One of the most common is SQL injection. SQL injection is a technique by which the attacker injects SQL commands in the input fields. If the web application allows user controllable input and does not validate it, then that application is vulnerable to some kind of injection. If the SQL commands "injected" in the input fields by the attacker are executed by the web application, then the attacker can get information to tune his attack and finally access private data stored in the database.
XML injection is becoming more prevalent with the increased use of Web Services. This technique consists of querying XML documents through XPath and XQuery. The technique is the same as SQL injection, but it is more difficult to discover automatically.
LDAP – Lightweight Directory Access Protocol is used for account management, authentication and authorization. LDAP injection is a technique that uses unvalidated data in the construction of LDAP queries/filters. For instance, if a web application uses the following search filter, [14]:
searchfilter="(cn="+user+")"
which is instantiated by an HTTP request:
http://www.testldapinjection.com/ldapsearch?user=Popa
If the value Popa is replaced with a "*", then the request will look like:
http://www.testldapinjection.com/ldapsearch?user=*
and the filter becomes:
searchfilter="(cn=*)"
Malicious File Execution. It is a very common pattern of attack against PHP applications. The attacker can upload malicious content that will be executed by the hosting application. The web server can be caused to run arbitrary code controlled by the attacker by changing the hidden fields used in the PHP expressions. For instance, a common vulnerable construct is:
include $_REQUEST['filename'];
The above construct can be used to access local files on the server.
Another form of the attack is, [1]:
<?php include($hidden_user_skin."skins"."php"); ?>
in which the attacker can modify the hidden field $hidden_user_skin to be a URL that will exploit that vulnerability.
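Both constructs above, the LDAP search filter assembled by string concatenation and the include whose path comes from a request variable or a hidden field, are exactly the kind of pattern a Source Code Analyzer (one of the three tool classes listed earlier) reports for review. The following is an added, illustrative pattern-based check written in Python for this page, not a tool from the paper, OWASP or Ounce; the rule names, the function scan_source and the sample source lines are constructed for the example.

```python
import re

# Rule 1: include/require whose argument starts with request data or any variable,
# i.e. the "include $_REQUEST['filename']" and "include($hidden_user_skin...)" shapes.
RE_INCLUDE = re.compile(
    r"\b(include|require)(_once)?\b\s*\(?\s*"
    r"(\$_(REQUEST|GET|POST|COOKIE)\b|\$\w+)"
)
# Rule 2: an LDAP filter literal such as "(cn=" immediately concatenated with a
# variable, the "(cn="+user+")" shape. A call such as buildFilter("cn", user) is
# not flagged, so an escaping helper can be used without triggering the rule.
RE_LDAP_CONCAT = re.compile(r"""\(\s*\w+\s*=\s*["']\s*\+\s*\w+""")

RULES = [
    ("file-inclusion", RE_INCLUDE, "include/require path built from untrusted data"),
    ("ldap-injection", RE_LDAP_CONCAT, "LDAP filter built by string concatenation"),
]


def scan_source(source: str):
    """Return (line_no, rule_id, message, line) for every source line that matches
    one of the rules. Line numbers start at 1; blank lines and line comments
    are skipped so commented-out code does not produce findings."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#")):
            continue
        for rule_id, pattern, message in RULES:
            if pattern.search(stripped):
                findings.append((no, rule_id, message, stripped))
    return findings


# Constructed sample: the constructs quoted in the paper plus three safe lines.
SAMPLE_LINES = [
    'searchfilter="(cn="+user+")"',                        # 1: quoted on this page
    'searchfilter = buildFilter("cn", user);',             # 2: constructed safe form
    "include $_REQUEST['filename'];",                      # 3: quoted on this page
    '<?php include($hidden_user_skin."skins"."php"); ?>',  # 4: quoted on this page
    "require_once ($_REQUEST['language'].\"lang.php\");",  # 5: quoted on this page
    'require_once("lib/lang_fr.php");',                    # 6: constant path, safe
    "$name = $_REQUEST['name'];",                          # 7: request data, no include
]
SAMPLE = "\n".join(SAMPLE_LINES)


def findings_for_sample():
    """Line numbers and rule ids reported for SAMPLE, in source order."""
    return [(no, rule_id) for no, rule_id, _, _ in scan_source(SAMPLE)]


if __name__ == "__main__":
    for no, rule_id, message, line in scan_source(SAMPLE):
        print(f"line {no}: [{rule_id}] {message}: {line}")
```

Pattern rules of this kind find the shape of a construct, not its data flow, so every finding still needs the manual review the paper assigns to source code analysis.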
Another form of injection flaw is command injection. It is one of the most serious types of injection vulnerabilities. The attacker can run arbitrary system commands, having an elevated privilege level. The success of an attack is difficult to determine because the feedback to the user is minimal.
AJAX injection is a new type of attack. The vulnerability is given by the tendency to store more sensitive data on the client side. So, this data and functionality are accessible to malicious users.
Insecure Direct Object Reference. The data are exposed if the application exposes access to its internal object handles. The attacker can directly refer to the object. For instance, this vulnerability is detected when the database exposes the primary keys.
There are many applications that expose their internal objects to the users. For instance, if the web application permits the input of filenames or paths, then the attacker can jump out of the application's directory and access other resources [14]:
<select name="language"><option value="fr">Français</option></select>
…
require_once ($_REQUEST['language']."lang.php");
Using a string like "../../../../etc/passwd%00", the attacker can access any file on the server's file system.
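As an added example (not code from the paper), the LDAP filter and the include path discussed above in hardened form, written in Python so that the logic runs stand-alone: the LDAP value is escaped per RFC 4515 so that "*" stays a literal asterisk, and the language name is checked against an allow-list and canonicalized before it can select a file, which rejects the traversal string quoted above. The names build_cn_filter, resolve_language_file, LANG_DIR and ALLOWED_LANGUAGES, and the directory location, are assumptions for this example.

```python
import os
import re

# RFC 4515 escaping for LDAP filter assertion values: each character that could
# change the filter structure is replaced by its \XX hex escape.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_cn_filter_vulnerable(user: str) -> str:
    # The filter as quoted on the page: the value is pasted in unchanged, so
    # user="*" turns an exact match into a match for every entry.
    return "(cn=" + user + ")"


def build_cn_filter(user: str) -> str:
    # Hardened form: a length check plus escaping, so the filter always stays a
    # single equality match on the literal value the client supplied.
    if not user or len(user) > 64:
        raise ValueError("user name missing or too long")
    return "(cn=" + escape_ldap_value(user) + ")"


LANG_DIR = "/var/www/app/lang"            # assumed location of the language files
ALLOWED_LANGUAGES = {"en", "fr", "ro"}    # allow-list: the only acceptable values


def resolve_language_file_vulnerable(language: str) -> str:
    # What require_once($_REQUEST['language']."lang.php") did on old PHP releases:
    # the C string functions stop at the first NUL byte (sent as %00 and already
    # URL-decoded by PHP), so the "lang.php" suffix is dropped and the "../"
    # segments walk out of LANG_DIR.
    raw = os.path.join(LANG_DIR, language + "lang.php")
    return os.path.normpath(raw.split("\0", 1)[0])


def resolve_language_file(language: str) -> str:
    """Return the absolute path of <language>lang.php or raise ValueError.
    Rejects NUL bytes, anything not on the allow-list, and, as a second line of
    defence, any canonical path that is not inside LANG_DIR."""
    if "\0" in language or "%00" in language:
        raise ValueError("NUL byte in input")
    if not re.fullmatch(r"[a-z]{2}", language) or language not in ALLOWED_LANGUAGES:
        raise ValueError("language not allowed")
    base = os.path.realpath(LANG_DIR)
    candidate = os.path.realpath(os.path.join(base, language + "lang.php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the language directory")
    return candidate


def is_rejected(language: str) -> bool:
    """True when the hardened resolver refuses the value."""
    try:
        resolve_language_file(language)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_cn_filter_vulnerable("*"), "->", build_cn_filter("*"))
    traversal = "../../../../etc/passwd\0"
    print(resolve_language_file_vulnerable(traversal), "->", is_rejected(traversal))
```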
Cross Site Request Forgery (CSRF). It is based on an application's trust of a client. For instance, the victim computer logs in to an account and, without logging out, visits a malicious site. This site can take over the trust relationship between the victim computer and the trusted account. Whenever the victim computer visits the malicious site, the access to the trusted account can be performed by the malicious site. Thus, the malicious site can send requests instead of the victim computer.
For instance, the following tag [14]:
<img src="http://www.example.com/logout.php">
will generate a request to log out the victim. The attacks against an on-line banking application process requests like:
<img src="http://www.testCSRF.com/transfer.do?frmAcct=document.form.frmAcct&toAcct=535363&toSWIFTid=414112&amount=5000.00">
Information Leakage and Improper Error Handling. It is a big issue, known and understood by many organizations. An error message can give the attacker the information needed for refining the attack. Automated tools cannot detect this vulnerability. The vulnerability can be remediated through source code analysis.
For instance, in Computer Associates eSCC and eTrust Audit, remote attackers can read or delete files, or can execute replay attacks. The vulnerabilities consist of:
- discovering the web server path on the Windows platform;
- reading and deleting arbitrary files from the host server with the permissions of the service account;
- executing external replay attacks.
Broken Authentication and Session Management. These may lead to severe vulnerabilities such as session hijacking and privilege escalation. In a web application, a user can access the application area of another user with a higher privilege level if the second one is not validated through the session.
In the main authentication, the flaws are weaknesses in functions like logout, password management, timeout, remember me, secret question and account update. For instance, a server can store LDAP credentials in a path which has insecure permissions, and any local user can get the credentials.
Insecure Cryptographic Storage. Sensitive data can be stored cryptographically. Serious information disclosure appears due to a weak data encryption routine or a routine against the organization's policy.
To protect the sensitive information in web applications, a reliable encryption process must be implemented, based on the following characteristics:
- reasonable and appropriate encryption;
- strong encryption algorithms;
- only the absolutely necessary information;
- public methods that have no open vulnerabilities;
- unnecessary data are never stored.
Insecure Communications. Sensitive data can be transmitted in clear or encrypted. The web application vulnerability appears when data are not encrypted. OWASP refers to the use of SSL to encrypt sensitive data between the web browser and the web application running on the server.
For instance, some applications that use Web Services do not require HTTPS. This fact allows remote users to obtain sensitive information by sniffing the unencrypted HTTP traffic.
Failure to Restrict URL Access. The access to some pages of the web application is filtered through authorization of the protected links. Users performing manual attempts can pass the filter. Thus, a presentation layer authorization is not enough, and a programmatic business layer authorization must be implemented.
For instance, an attacker can access the admin file when the folder restrictions are implemented badly. The attack request may be:
https://[SERVER URL]/admin/admin.html
when the attacker knows the possible structure of the web application:
[WEB ROOT]
  /admin
    admin.html
  /products
  /sales
  ...
  index.html
  login.html
  ...
and he follows the following standards:
/admin/[index.html | index.jsp | index.asp | index.php]
/backup/
/logs/
/vulnerable.cgi
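The forged <img src="...transfer.do?..."> request and the direct request for /admin/admin.html above are both stopped by checks in the business layer rather than in the presentation layer. The following added example (not the paper's code, written in Python for this page) shows such a gate: it requires a role for protected path prefixes, and on every state-changing request it requires a session-bound synchronizer token that only the application's own pages can emit. Session, gate_request, PROTECTED_PREFIXES, STATE_CHANGING and the host names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)            # constructed per-deployment secret
PROTECTED_PREFIXES = {"/admin/": "admin"}          # path prefix -> role required
STATE_CHANGING = {"/transfer.do", "/logout.php"}   # endpoints that modify state


class Session:
    """Server-side session; roles are decided by the application, never by the client."""

    def __init__(self, user: str, roles: set):
        self.user = user
        self.roles = set(roles)
        self.id = secrets.token_hex(16)

    def csrf_token(self) -> str:
        # Token derived from the session id with a server secret. The application
        # embeds it in its own forms; a page on another origin cannot read it, so a
        # forged request (an <img> tag or an auto-submitted form) cannot carry it.
        return hmac.new(SERVER_SECRET, self.id.encode(), hashlib.sha256).hexdigest()


def authorized_for(path: str, session: Session) -> bool:
    """Business-layer authorization: the role is checked on every request for a
    protected prefix, whether or not the link was shown to the user."""
    for prefix, role in PROTECTED_PREFIXES.items():
        if path.startswith(prefix) and role not in session.roles:
            return False
    return True


def gate_request(method: str, url: str, session: Session, form=None):
    """Return (allowed, reason) for one request made within a logged-in session."""
    path = urlsplit(url).path
    if not authorized_for(path, session):
        return False, "forbidden: role required for " + path
    if path in STATE_CHANGING:
        # A browser fetches <img src=...> with GET and sends the cookies along, so
        # state changes are never accepted on GET, and the POST must carry the token.
        if method != "POST":
            return False, "state change must use POST"
        token = (form or {}).get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token()):
            return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    victim = Session("victim", {"customer"})
    forged = "http://www.testCSRF.com/transfer.do?toAcct=535363&amount=5000.00"
    print(gate_request("GET", forged, victim))
    print(gate_request("GET", "https://app.example/admin/admin.html", victim))
    print(gate_request("POST", "https://app.example/transfer.do", victim,
                       {"toAcct": "535363", "csrf_token": victim.csrf_token()}))
```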
Application Runtime Configuration. An improper configuration of the runtime environment can lead to many serious risks. The risks can be internal or external to the runtime environment.
Buffer Overflows/Native Code. The vulnerability appears when today's web applications interface with systems developed in older programming languages. The older systems crash because they do not have the mechanisms implemented in newer web applications. The buffer overflow has the same style as injection flaws.
Web Services. The vulnerabilities of the web application due to web services are the result of moving to SOA – Service Oriented Architecture.
Malicious Code. There are two classes of malicious code:
- dead, hidden or debugging code that can be used as malicious code;
- code intentionally inserted into the application to get a malicious outcome.
Source code analyzers identify malicious code.
Custom Cookies/Hidden Fields. They are a common occurrence in all major web applications. The risk is that the cookies are stored on the client side and a malicious user can manipulate these data. The state or control information is supposed to use the hidden fields.
The vulnerability classes described above are presented in [1].
The level of organizational risk is reduced by analyzing the source code of web applications for the most common security vulnerabilities. Also, the costs to patch and fix vulnerabilities are significantly reduced when the application is deployed [13].
The web vulnerabilities are classified in:
- coding errors – input validation, unbounded parameters and encoding;
- design flaws – security model, improper logging, error handling and unsupported APIs.
Web applications perform actions based on user requests. The application accepts data from and returns data to the user. Such a distributed architecture makes web applications vulnerable to attacks caused by the insertion of unvalidated input.
Malicious input can be inserted into URLs, query strings, headers, cookies, form fields and hidden fields which are interpreted by the server application. As a result, the attacker can obtain sensitive information, modify data in databases or crash the application.
Validation attacks regard the following issues [13]:
- unvalidated sources of input: URL parameters, form fields, cookies, HTTP headers, database queries;
- use of unvalidated input: an unvalidated user request passed to the server-side application;
- unvalidated output streams: malicious content passed back to the user.
Regarding the design flaws, the vulnerabilities are the result of the improper implementation of the following issues [13]:
- flawed authorization and access control: improper use of access control and its definition in a formal policy;
- flawed authorization and session management: weak, exposed or unencrypted credentials for authentication;
- native code and buffer overflows: security risks introduced by other programming languages;
- dynamic code: use of dynamic libraries by malicious code;
- weak encryption: non-standard cryptography and poor entropy or randomness;
- application configuration: access to configuration details, property files or XML data;
- denial of service: extraneous exit calls;
- network communications: CORBA, servlets, email, RMI – Remote Method Invocation;
- unsupported application interfaces: applications that directly call the lower level application interfaces;
- improper administrative and exception handling: improper error messages provide critical information to the attacker: stack traces, database dumps, error codes.
Application security is a critical component of the security practice in any organization. The access to the critical resources of an organization is controlled by software. In order to evaluate the application security, the three kinds of tools must be used to get information from the system: Web Application Firewalls, Web Application Scanners and Source Code Analyzers. These tools are used in evaluating and testing the vulnerabilities in different mixes, depending on the class of vulnerability.
3. Conclusions
In the Knowledge Society, organizations use Information Technology to process their information in order to better accomplish their mission. The development of the audit process plays a critical role in assuring a high level of information system quality.
Organizations want to carry out audit processes because they need to assure a high level of their information systems, to know what and where their vulnerabilities are, to develop security policies and risk management plans, and to implement measures with positive effects on their information systems. The audit results must correct some aspects concerning the security of information systems.
Detection of the security vulnerabilities in an information system based on web applications is a critical activity that gives confidence in that system and also assures a high-level quality of the system, preventing system crashes and sensitive data theft. If the vulnerabilities are exploited by external users, this may cause big losses for all the partners that use the information system.
References
[1] R. Berg, "The Right Tool for the Right Job: An Application Security Tools Report Card", An Ounce Security Topics White Paper, 2008
[2] S. Buchanan and F. Gibb, "The information audit: an integrated strategic approach", International Journal of Information Management, 18(1), 1998, pp. 29 – 47
[3] S. Capisizu, "Modele şi tehnici de realizare a auditului informaţiei economice" [Models and techniques for carrying out the audit of economic information], PhD Thesis, ASE Bucharest, 2006
[4] S. Capisizu, G. Noşca and M. Popa, "Informatics Audit", in The 37th International Scientific Symposium of METRA, Military Equipment and Technologies Research Agency, Bucharest, May 25 – 26, 2006
[5] S. Capisizu, G. Noşca and M. Popa, "The Informatics Audit – Basic Concepts", in Information Systems & Operations Management, March 1-2, 2006, Universul Juridic Publishing House, Bucharest, pp. 350 – 357
[6] I. Ivan, C. Boja and M. Popa, "The Informatics Audit Development Strategy", in Information Systems and Operations Management, Bucharest, November 29 – 30, 2004, Editura Print Grup, pp. 279 – 285
[7] I. Ivan, G. Noşca and S. Capisizu, Auditul sistemelor informatice [The Audit of Information Systems], ASE Printing House, Bucharest, 2005
[8] I. Ivan, M. Popa, G. Noşca and S. Capisizu, "Data Audit for SMEs", in Information Systems & Operations Management, Bucharest, March 1-2, 2006, Universul Juridic Publishing House, Bucharest, pp. 306 – 315
[9] I. Ivan, M. Popa and S. Capisizu, "Quality Management through Informatics Audit", in Proceedings of the 6th International Economic Symposium, Transilvania University of Braşov, May 19-20, 2006
[10] J. Kramer, The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam, Wiley Publishing Inc., 2003
[11] R.K. Mautz and H.A. Sharaf, The Philosophy of Auditing, American Accounting Association, 1996
[12] M. Mazer, "Auditing Databases for Compliance and Risk Management", in A Supplement to DM Review – SQL Server Executive, March 2006, pp. 18 – 19
[13] Ounce Labs, "The Dirty Dozen: The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source", A Security Topics White Paper, 2008
[14] http://www.owasp.org/index.php/Top_10_2007
[15] M. Popa and F. Alecu, "ERP Informatics System Audit", in Knowledge Management – Projects, Systems and Technologies, vol. II: Reinforcement and Extension of Universities & Business Community Partnerships in the Knowledge Era, Bucharest, November 9 – 10, 2006, pp. 109 – 116
[16] M. Popa, F. Alecu and C. Amancei, "Characteristics of the Audit Process for Information Systems", in The Proceedings of the International Conference Competitiveness and European Integration – Business Information Systems & Collaborative Support Systems in Business, Cluj-Napoca, October 26 – 27, 2007, Risoprint Printing House, Cluj-Napoca, pp. 295 – 299
[17] M. Popa and M. Doinea, "Audit Characteristics for Information System Security", in The Proceedings of the Eighth International Conference on Informatics in Economy, Academy of Economic Studies of Bucharest, May 17-18, 2007, pp. 938 – 943
[18] M. Popa, M. Florescu and C. Bodea, "Information System Quality Evaluation Based on Audit Processes", in Proceedings of the 2008 International Conference of Information Engineering, Imperial College London, London, Great Britain, July 2 – 4, 2008, Newswood Limited, International Association of Engineers, 2008, pp. 494 – 496
[19] http://en.wikipedia.org/wiki/Information_systems
Marius POPA graduated from the Faculty of Cybernetics, Statistics and Economic Informatics in 2002. He holds a PhD diploma in Economic Cybernetics and Statistics. He joined the staff of the Academy of Economic Studies as teaching assistant in 2002 and senior lecturer in 2006. Currently, he is a lecturer in the Economic Informatics field and its branches within the Department of Economic Informatics at the Faculty of Cybernetics, Statistics and Economic Informatics of the Academy of Economic Studies. He is the author and co-author of 6 books and over 100 articles in journals and proceedings of national and international conferences, symposiums and workshops in the fields of data quality, software quality, informatics security, collaborative information systems, IT project management and software engineering. From 2009, he is a member of the editorial team of the Informatica Economică Journal, and between 2003 and 2008 he was a member of the editorial team of the journal Economic Computation and Economic Cybernetics Studies and Research.