A Framework for Secure Service Composition

Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements difficult. As the number of security requirements is increasing dramatically, there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications. In this paper, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the ``security as an afterthought'' paradigm.

[1]  Jan Mendling,et al.  Correctness-Preserving Configuration of Business Process Models , 2008, FASE.

[2]  Achim D. Brucker,et al.  Business Process Compliance via Security Validation as a Service , 2013, 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation.

[3]  Madjid Merabti,et al.  Data Flow Security Analysis for System-of-Systems in a Public Security Incident , 2008 .

[4]  Achim D. Brucker,et al.  Metamodel-based UML Notations for Domain-specific Languages , 2007 .

[5]  Pierluigi Roberti,et al.  Modelling Security Requirements in Socio-Technical Systems with STS-Tool , 2012, CAiSE Forum.

[6]  Mario Piattini,et al.  A BPMN Extension for the Modeling of Security Requirements in Business Processes , 2007, IEICE Trans. Inf. Syst..

[7]  Remco M. Dijkman,et al.  Semantics and analysis of business process models in BPMN , 2008, Inf. Softw. Technol..

[8]  Rafael Accorsi,et al.  InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements , 2010, STM.

[9]  Rudy Hirschheim,et al.  Service-Oriented Architecture Maturity , 2011, Computer.

[10]  Achim D. Brucker,et al.  An approach to modular and testable security models of real-world health-care applications , 2011, SACMAT '11.

[11]  Achim D. Brucker,et al.  Extending access control models with break-glass , 2009, SACMAT '09.

[12]  Luca Compagna,et al.  Security Validation of Business Processes via Model-Checking , 2011, ESSoS.

[13]  J Jürjens,et al.  Model-based Security Analysis of the German Health Card Architecture , 2008, Methods of Information in Medicine.

[14]  Jimmy McGibney,et al.  Trustworthiness monitoring and prediction of composite services , 2012, 2012 IEEE Symposium on Computers and Communications (ISCC).

[15]  Achim D. Brucker,et al.  A model transformation semantics and analysis methodology for SecureUML , 2006, MoDELS'06.

[16]  David A. Basin,et al.  Automated analysis of security-design models , 2009, Inf. Softw. Technol..

[17]  Stephen Dawson,et al.  Service Levels, Security, and Trust , 2012, Handbook of Service Description.

[18]  Rudolf Schmid,et al.  Organization for the advancement of structured information standards , 2002 .

[19]  Qi Shi,et al.  System-of-systems boundary check in a public event scenario , 2010, 2010 5th International Conference on System of Systems Engineering.

[20]  David A. Basin,et al.  Separation of duties as a service , 2011, ASIACCS '11.

[21]  Achim D. Brucker,et al.  Secure and Compliant Implementation of Business Process-Driven Systems , 2012, Business Process Management Workshops.

[22]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[23]  Christoph Meinel,et al.  An approach to capture authorisation requirements in business processes , 2010, Requirements Engineering.