A business-oriented framework for enhancing web services security for e-business

When Web services (WS) are used for online business-to-business (B2B) collaboration between companies, security becomes a complicated and very topical issue. This is especially true when the aim is a level of security that goes beyond the technological layer, one that is supported and trusted by all the businesses involved. With this in mind, our research draws on established development methodologies to develop a new, business-oriented framework (BOF4WSS) that guides e-businesses in defining and achieving agreed security levels across the collaborating enterprises. The approach is designed so that businesses can apply it jointly to manage the comprehensive concern that security in the WS environment has become.
