Secure scripting based composite application development: Framework, architecture, and implementation

Dynamic scripting languages such as Ruby provide language features that let developers express their intent more rapidly and in fewer expressions. Organizations have started using these languages to add enhancements to their existing applications or to create composite applications. Current research has not yet addressed how security specification and enforcement can be done for scripting-based application development. To fill this gap, we developed a framework for the design and facilitation of security. Our approach enables a business-oriented application developer to add high-level security intentions to their business process model. The framework supports the automatic generation of security configuration and enforcement from those intentions. As a proof of concept, we present an architecture and report the implementation status.
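To make the abstract's idea concrete, the following Ruby sketch is an added example, not code from the paper or its framework: a business-process author declares per-step security intentions (required roles, auditing, confidentiality) in a small DSL, and a separate layer derives two artefacts from those declarations, a policy configuration table and an enforcement wrapper that checks each step before running it. Every name here (`define_process`, `EnforcedProcess`, `generate_policy`, the `ORDER_PROCESS` sample flow and its data) is an assumption chosen for illustration.

```ruby
# Added illustration, not the paper's own code: a small Ruby DSL in which a
# business-process author declares per-step security intentions, and a
# framework layer that derives (1) a policy configuration and (2) an
# enforcement wrapper from those declarations. All names are assumptions.

class SecurityViolation < StandardError; end

Principal = Struct.new(:name, :roles)

# A step carries the business logic (body) and its declared intentions.
Step = Struct.new(:name, :body, :intentions)

class BusinessProcess
  attr_reader :name, :steps

  def initialize(name)
    @name = name
    @steps = []
  end

  # DSL entry point: the developer states intentions as keyword arguments,
  # not as enforcement code.
  def step(name, requires_role: [], audited: false, confidential: false, &body)
    @steps << Step.new(name, body,
                       { roles: requires_role, audited: audited, confidential: confidential })
  end
end

def define_process(name, &block)
  process = BusinessProcess.new(name)
  process.instance_eval(&block)
  process
end

# Generated artefact 1: a declarative policy table derived from the intentions.
def generate_policy(process)
  process.steps.map do |s|
    log = if !s.intentions[:audited] then :none
          elsif s.intentions[:confidential] then :metadata_only
          else :full
          end
    { step: s.name, allow_roles: s.intentions[:roles], log: log }
  end
end

# Generated artefact 2: an enforcement wrapper that runs each step only after
# its intentions are checked, and writes an audit trail that honours
# confidentiality by redacting the step's result.
class EnforcedProcess
  attr_reader :audit_log

  def initialize(process)
    @process = process
    @audit_log = []
  end

  def run(principal, input)
    @process.steps.reduce(input) { |data, s| enforce(s, principal, data) }
  end

  private

  def enforce(step, principal, data)
    required = step.intentions[:roles]
    unless required.empty? || (required & principal.roles).any?
      @audit_log << "DENY #{step.name} user=#{principal.name}"
      raise SecurityViolation, "#{principal.name} lacks #{required.join('/')} for #{step.name}"
    end
    result = step.body.call(data)
    if step.intentions[:audited]
      shown = step.intentions[:confidential] ? "[redacted]" : result.inspect
      @audit_log << "OK #{step.name} user=#{principal.name} result=#{shown}"
    end
    result
  end
end

# Constructed sample process: an order approval flow with three steps.
ORDER_PROCESS = define_process(:order_approval) do
  step(:validate) { |order| order.merge(valid: order[:amount] > 0) }
  step(:approve, requires_role: [:manager], audited: true) do |order|
    order.merge(approved: order[:valid])
  end
  step(:pay, requires_role: [:finance], audited: true, confidential: true) do |order|
    order.merge(payment_ref: "constructed-ref-001", paid: order[:approved])
  end
end

# Runs the sample process as a principal with the given roles; returns the
# final order record and the audit trail the enforcement layer produced.
def run_as(roles, amount)
  enforced = EnforcedProcess.new(ORDER_PROCESS)
  result = enforced.run(Principal.new("alice", roles), { amount: amount })
  [result, enforced.audit_log]
end

if __FILE__ == $PROGRAM_NAME
  puts generate_policy(ORDER_PROCESS).inspect
  result, log = run_as(%i[manager finance], 10)
  puts result.inspect
  puts log
end
```

The point of the split is that the business developer never writes an authorization check or a log statement: the intentions are data on the process model, so the same declarations can be exported as configuration for an external policy engine or compiled into in-process enforcement, and a principal missing a role is stopped before the step body runs rather than inside it.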
