Indicator-based architecture-level security evaluation in a service-oriented environment

The Service-Oriented Architecture (SOA) paradigm is commonly applied to implement complex, distributed business processes. The service-oriented approach promises higher flexibility, interoperability and reusability of the IT infrastructure. However, evaluating security as a quality attribute of large and complex SOA configurations is not yet sufficiently mastered. To tackle this problem, we developed a method for evaluating the security of existing service-oriented systems at the architectural level. The method recovers security-relevant facts about the system using reverse engineering techniques and then provides automated support for further interactive security analysis at the structural level. Because it uses generic, system-independent indicators and a knowledge base, the method is not limited to a specific programming language or technology. We are therefore able to apply it to various systems and adapt it to specific evaluation needs. The paper describes the general structure of the method and presents an instantiation aligned with the Service Component Architecture (SCA) specification.
