Web Services-Based Security Requirement Elicitation

The Web services (WS, hereafter) paradigm has attained such relevance in both academia and industry that the vision of the Internet has evolved from that of a mere repository of data into the underlying infrastructure on which organizations' strategic business operations are deployed [1]. Security is a key aspect if WS are to be generally accepted and adopted. In fact, over the past years the most important Internet consortiums, such as the IETF, W3C and OASIS, have produced a large number of WS-based security standards. Despite this spectacular growth, no development process exists that facilitates the systematic integration of security into every subprocess of the WS-based software development life-cycle. Such a process should guide WS-based software developers in the specification of WS-based security requirements, the design of WS-based security architectures, and the deployment of the most suitable WS security standards. In this article we briefly present a process of this type, named PWSSec (Process for Web Services Security), together with the artifacts used during its elicitation activity, which belongs to the WSSecReq subprocess aimed at producing a WS-based security requirement specification.

[1] Leigh A. Davis et al., Designing Secure Integration Architectures, ICCBSS, 2003.

[2] Jan Jürjens et al., Sound development of secure service-based systems, ICSOC '04, 2004.

[3] Bashar Nuseibeh et al., Core Security Requirements Artefacts, 2004.

[4] IBM Redbooks et al., Patterns: Service Oriented Architecture and Web Services, 2004.

[5] Michiaki Tatsubori et al., Model-driven security based on a Web services security architecture, 2005 IEEE International Conference on Services Computing (SCC'05), Vol. 1, 2005.

[6] Giuseppe Lami, QuARS: A Tool for Analyzing Requirements, 2005.

[7] Mario Piattini et al., Security Risk Analysis in Web Services Systems, SECRYPT, 2006.

[8] Jerry Schwarz et al., Security Challenges, Threats and Countermeasures Version 1.0, 2005.

[9] Paolo Giorgini et al., Applying the Tropos Methodology for Analysing Web Services Requirements and Reasoning about Qualities of Services, 2004.

[10] Andreas L. Opdahl et al., Eliciting security requirements with misuse cases, Requirements Engineering, 2004.

[11] Khaled M. Khan et al., A process framework for characterising security properties of component-based software systems, 2004 Australian Software Engineering Conference, Proceedings, 2004.

[12] Donald Firesmith et al., Common Concepts Underlying Safety, Security, and Survivability Engineering, 2003.

[13] Jia Zhang et al., Trustworthy Web services: actions for now, IT Professional, 2005.

[14] Ian F. Alexander et al., Misuse Cases: Use Cases with Hostile Intent, IEEE Software, 2003.

[15] Jan Jürjens et al., Secure systems development with UML, 2004.

[16] Christian Salzmann et al., Towards a model-based and incremental development process for service-based systems, IASTED Conf. on Software Engineering, 2004.

[17] Mike P. Papazoglou et al., Specification and querying of security constraints in the EFSOC framework, ICSOC '04, 2004.

[18] Robert W. Shirey et al., Internet Security Glossary, RFC, 2000.

[19] Mario Piattini et al., PWSSec: Process for Web Services Security, 2006 IEEE International Conference on Web Services (ICWS'06), 2006.

[20] Michael E. Fagan, Advances in software inspections, IEEE Transactions on Software Engineering, 1986.

[21] Donald Firesmith et al., Security Use Cases, Journal of Object Technology, 2003.

[22] Joaquín Nicolás et al., Requirements Reuse for Improving Information Systems Security: A Practitioner's Approach, Requirements Engineering, 2002.

[23] Nancy R. Mead et al., Security quality requirements engineering (SQUARE) methodology, SESS@ICSE, 2005.

[24] Donald Firesmith et al., Engineering Security Requirements, Journal of Object Technology, 2003.

[25] Mario Piattini et al., Developing web services security systems: a case study, Int. J. Web Eng. Technol., 2006.

[26] Donald Firesmith et al., Specifying Reusable Security Requirements, Journal of Object Technology, 2004.

[27] Mario Piattini et al., Web services enterprise security architecture: a case study, SWS '05, 2005.

[28] Ruth Breu et al., Web Service Engineering - Advancing a New Software Engineering Discipline, ICWE, 2005.

[29] Michael McIntosh et al., Business-driven application security: From modeling to managing secure applications, IBM Systems Journal, 2005.