A View-based Approach for Service-Oriented Security Architecture Specification

Developing secure software remains a software engineering challenge because of the complexity of software security. Yet integrating security engineering and software engineering is increasingly important, especially for service-oriented applications, which are exposed to new security challenges due to their open nature. Current security engineering approaches do not take existing security architectures into account, leading to redundant development of security artifacts. Conversely, present security architecture approaches do not provide the information a security engineering process needs. Using a service-oriented, security-architecture-centric approach to security engineering supports the development of secure service-oriented applications, because existing security solutions can be reused. In this paper, a model for service-oriented security architectures is presented that provides the appropriate information to different consumers, such as security engineering processes and business services, in the form of views that support the consumers' security goals. The architecture model is exemplified by specifying different views of a web service-based security architecture.
