Many web-based programming environments, such as Hypertext Markup Language (HTML), Business Process Execution Language (BPEL), and Business Process Markup Notation 2.0 (BPMN 2.0), provide fields that accept a set of expressions or a script written in a scripting language such as JavaScript™ (Oracle Corporation, Redwood Shores, Calif.) or an expression language such as XPath. A “script,” therefore, is a program or sequence of instructions (e.g., software code) that is said to be, or considered to be, executed or carried out by another program rather than by a computer processor (cf., a compiled program).
Those programming environments that allow scripting languages provide a potential for any kind of program to run within their execution (runtime) environment. Unfortunately, this might include undesirable or malicious programs.
For example, cloud computing environments include shared resources open to subscribers or registered users. Thus, a “cloud” is generally known to be a shared computing environment. The National Institute of Standards and Technology (NIST) provides an illustrative definition (version 15 dated October 2009) of “cloud computing” as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
It is known that services available for deploying business processes in the cloud allow users to create and deploy their own programs. Such programs are capable of having undesirable or even malicious effects on the computing environment in which they are executed.
For example, such programs may intentionally or unintentionally contain infinite loops and other logic errors that prevent termination. Users billed for the service by usage might have an unpleasant surprise after deploying a process that has an infinite loop error. A malicious user could test the boundaries of system usage with a denial of service attack, consuming resources that would otherwise be available for legitimate users. The combination of business processes and cloud deployment creates risk from both legitimate and malicious users. First, non-technical people may create business processes and may be more likely than technical professionals to inadvertently inject undesirable behavior. Second, the runtime environment is accessible to many users, under controls of varying stringency.