RESTsec: a low-code platform for generating secure by design enterprise services

ABSTRACT In the modern business world it is increasingly often that Enterprises opt to bring their business model online, in their effort to reach out to more end users and increase their customer base. While transitioning to the new model, enterprises consider securing their data of pivotal importance. In fact, many efforts have been introduced to automate this ‘webification’ process; however, they all fall short in some aspect: a) they either generate only the security infrastructure, assigning implementation to the developers, b) they embed mainstream, less powerful authorisation schemes, or c) they disregard the merits of the dominating REST architecture and adopt less suitable approaches. In this paper we present RESTsec, a Low-Code platform that supports rapid security requirements modelling for Enterprise Services, abiding by the state of the art ABAC authorisation scheme. RESTsec enables the developer to seamlessly embed the desired access control policy and generate the service, the security infrastructure and the code. Evaluation shows that our approach is valid and can help developers deliver secure by design enterprise services in a rapid and automated manner.

[1]  Brahim Hamid,et al.  Model-based security and dependability patterns in RCES: the TERESA approach , 2010, S&D4RCES '10.

[2]  Muhammad Ali Babar,et al.  Modeling security for service oriented applications , 2010, ECSA '10.

[3]  Bashar Nuseibeh,et al.  Security Requirements Engineering for Evolving Software Systems: A Survey , 2010, Int. J. Secur. Softw. Eng..

[4]  James R. Cordy,et al.  Automated verification of role-based access control security models recovered from dynamic web applications , 2012, 2012 14th IEEE International Symposium on Web Systems Evolution (WSE).

[5]  Jordi Cabot,et al.  EMF-REST: generation of RESTful APIs from models , 2016, SAC.

[6]  Yves Le Traon,et al.  Security@Runtime: A Flexible MDE Approach to Enforce Fine-grained Security Policies , 2014, ESSoS.

[7]  Thomas Neubauer,et al.  Model-Driven Development Meets Security: An Evaluation of Current Approaches , 2011, 2011 44th Hawaii International Conference on System Sciences.

[8]  Peter F. Linington,et al.  Incorporating Security Behaviour into Business Models Using a Model Driven Approach , 2007, 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007).

[9]  Vlad Trifa,et al.  Building the Web of Things: With examples in Node.js and Raspberry Pi , 2016 .

[10]  Kyriakos C. Chatzidimitriou,et al.  From requirements to source code: a Model-Driven Engineering approach for RESTful web services , 2017, Automated Software Engineering.

[11]  Martin Gilje Jaatun,et al.  Security in Model Driven Development: A Survey , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[12]  Lei Yang,et al.  Security and Privacy in the Internet of Things , 2017 .

[13]  Ruth Breu,et al.  Sectet: an extensible framework for the realization of secure inter-organizational workflows , 2006, Internet Res..

[14]  Bernard Coulette,et al.  Secure Component Based Applications through Security Patterns , 2012, 2012 IEEE International Conference on Green Computing and Communications.

[15]  Rick Huhn,et al.  Security Standards for the RFID Market , 2005, IEEE Secur. Priv..

[16]  Ragib Hasan,et al.  Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet of Things , 2015, 2015 IEEE World Congress on Services.

[17]  Mark Rouncefield,et al.  Empirical assessment of MDE in industry , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[18]  David A. Basin,et al.  A decade of model-driven security , 2011, SACMAT '11.

[19]  Edgar R. Weippl,et al.  Using Model Driven Security Approaches in Web Application Development , 2014, ICT-EurAsia.

[20]  Vanea Chiprianov,et al.  Semi-automatic Generation of OrBAC Security Rules for Cooperative Organizations using Model-Driven Engineering , 2016, ENASE.

[21]  Jacques Klein,et al.  A Systematic Review of Model-Driven Security , 2013, 2013 20th Asia-Pacific Software Engineering Conference (APSEC).

[22]  Jörgen Hansson,et al.  Assessing the State-of-Practice of Model-Based Engineering in the Embedded Systems Domain , 2014, MoDELS.

[23]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[24]  Anirban Sengupta,et al.  Modelling operations and security of cloud systems using Z-notation and Chinese Wall security policy , 2016, Enterp. Inf. Syst..

[25]  John Grundy,et al.  Adaptable, model-driven security engineering for SaaS cloud-based applications , 2013, Automated Software Engineering.

[26]  Hongming Cai,et al.  An ontology-based semantic configuration approach to constructing Data as a Service for enterprises , 2016, Enterp. Inf. Syst..

[27]  David González,et al.  Towards a Methodological Tool Support for Modeling Security-Oriented Processes , 2016, MEDI.

[28]  N. Kshetri Big data's impact on privacy, security and consumer welfare , 2014 .

[29]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[30]  Harris Wu,et al.  Managing security risks for inter-organisational information systems: a multiagent collaborative model , 2016, Enterp. Inf. Syst..

[31]  S. Kanmani,et al.  Survey and analysis on Security Requirements Engineering , 2012, Comput. Electr. Eng..

[32]  Runtong Zhang,et al.  Design theory, modelling and the application for the Internet of Things service , 2016, Enterp. Inf. Syst..

[33]  Yves Le Traon,et al.  A Model-Based Framework for Security Policy Specification, Deployment and Testing , 2008, MoDELS.

[34]  Savas Parastatidis,et al.  The role of hypermedia in distributed system development , 2010, WS-REST '10.

[35]  Ruth Breu,et al.  SECTISSIMO: A Platform-Independent Framework for Security Services , 2008, MODSEC@MoDELS.

[36]  Philippe Massonet,et al.  An Integrated Meta-model for Cloud Application Security Modelling , 2016, Cloud Forward.

[37]  Rajeev R. Raje,et al.  Model driven security: unification of authorization models for fine-grain access control , 2003, Seventh IEEE International Enterprise Distributed Object Computing Conference, 2003. Proceedings..

[38]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[39]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[40]  Brahim Hamid,et al.  Towards tool support for pattern-based secure and dependable systems development , 2013, ACME@ECOOP.