Model-Driven Approach for End-to-End SOA Security Configurations

The configuration of non-functional requirements, such as security, has become important for SOA applications, but the configuration process has not been discussed comprehensively. In current development processes, security requirements are not considered in upstream phases, and a developer in a downstream phase is responsible for writing the security configuration. However, configuring security requirements properly is quite difficult for developers because SOA security is cross-domain and not all of the required information is available in the downstream phase. To resolve this problem, this chapter clarifies how to configure security in the SOA application development process and defines the developer’s roles in each phase. Additionally, it proposes a supporting technology to generate security configurations: Model-Driven Security. The authors propose a methodology for end-to-end security configuration for SOA applications and tools for generating detailed security configurations, through model transformations, from the requirements specified in upstream phases, making it possible to configure security properly without increasing developers’ workloads.

DOI: 10.4018/978-1-60566-794-2.ch012
