Web services enterprise security architecture: a case study

Web Services (WS hereafter) Security is a crucial aspect for technologies based on this paradigm to be completely adopted by the industry. As a consequence, a lot of initiatives have arisen during the last years setting as their main purpose the standardization of the security factors related to this paradigm. In fact, over the past years, the most important consortiums of the Internet, like IETF, W3C or OASIS, have been producing a huge number of WS-based security standards. Despite this growth, there does not yet exist a process that guides developers in the critical task of integrating security within all the stages of the development life cycle of WS-based software. Such a process should support developers in the activities of web service-specific security requirements specification, web services-based security architecture design, and web services security standards selection, integration and deployment. In this article we briefly present the PWSSec (Process for Web Services Security) process, which is composed of three stages, WSSecReq (Web Services Security Requirements), WSSecArch (Web Services Security Architecture) and WSSecTech (Web Services Security Technologies), that accomplish the mentioned activities, respectively. We also provide a thorough explanation of the WSSecArch (Web Services Security Architecture) stage, intended to design the web services-based security architecture. In addition, a real case study where this stage is being applied is also included.
