A pattern-driven security advisor for service-oriented architectures

Service-oriented Architectures (SOA) provide a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. Increased connectivity entails significant higher security risks. To face these risks, a broad range of specifications e.g. WS-Security and WS-Trust has emerged to ensure security in SOA. These specifications are supported by all major Web Service Frameworks and enforced by security modules provided by these frameworks to apply security to ingoing and outgoing messages. In general, a security module is configured declaratively using a security policy e.g. WS-SecurityPolicy that expresses security goals and related configurations. To support a broad range of use cases, these security policy languages offer a variety of settings and options. However, the complexity of security policy languages leads to an error-prone and tedious creation of security policies. To simplify and support the generation of Web Services, we present an architecture for a security advisor in this paper. This security advisor facilitates the configuration of security modules for service-based systems based on a pattern-driven approach that enables the transformation from general security goals to concrete security configurations. Therefore, we will introduce a security pattern system which is used to resolve concrete protocols and security mechanisms at a technical level.

[1]  Murray Shanahan,et al.  The Event Calculus in Classical Logic - Alternative Axiomatisations , 1999, Electron. Trans. Artif. Intell..

[2]  Claudia Eckert,et al.  IT Sicherheit : Konzepte, Verfahren, Protokolle , 2007 .

[3]  Srinath Perera,et al.  Axis2, Middleware for Next Generation Web Services , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).

[4]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[5]  Peter Sommerlad,et al.  Pattern-Oriented Software Architecture: A System of Patterns: John Wiley & Sons , 1987 .

[6]  Max Jacobson,et al.  A Pattern Language: Towns, Buildings, Construction , 1981 .

[7]  Walter Zimmer,et al.  Relationships between design patterns , 1995 .

[8]  F. Sanchez-Cid,et al.  Patterns for Automated Management of Security and Dependability Solutions , 2007 .

[9]  B. F. Castro Buschmann, Frank; Meunier, Regine; Rohnert, Hans; Sommerlad, Peter; Stal, Michael. Pattern-oriented software architecture: a system of patterns, John Wiley & Sons Ltd, 1996 , 1997 .

[10]  Andrew D. Gordon,et al.  An advisor for web services security policies , 2005, SWS '05.

[11]  Alessandra Russo,et al.  A goal-based approach to policy refinement , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[12]  Joseph W. Yoder,et al.  Architectural Patterns for Enabling Application Security , 1998 .

[13]  Hironori Washizaki,et al.  A survey on security patterns , 2008 .

[14]  Antonio Maña,et al.  Patterns for Automated Management of Security and Dependability Solutions , 2007, 18th International Workshop on Database and Expert Systems Applications (DEXA 2007).

[15]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[16]  Francis G. McCabe,et al.  Reference Model for Service Oriented Architecture 1.0 , 2006 .

[17]  B. J. Ferro Castro,et al.  Pattern-Oriented Software Architecture: A System of Patterns , 2009 .

[18]  Timothy W. Finin,et al.  Security for DAML Web Services: Annotation and Matchmaking , 2003, SEMWEB.

[19]  Markus Schumacher,et al.  Security Engineering with Patterns , 2003, Lecture Notes in Computer Science.

[20]  Antonio Maña,et al.  SERENITY Pattern-Based Software Development Life-Cycle , 2008, 2008 19th International Workshop on Database and Expert Systems Applications.

[21]  Axel van Lamsweerde,et al.  Formal refinement patterns for goal-driven requirements elaboration , 1996, SIGSOFT '96.

[22]  Christoph Meinel,et al.  Modelling Security Goals in Business Processes , 2008, Modellierung.