Abstract
Open Source software is increasingly used in a wide spectrum of applications. While the benefits of the open source components are unquestionable now, there is a great concern over security assurance provided by such components. Often open source software is a subject of frequent updates. The updates might introduce or remove a diverse range of features and hence violate security properties of the previous releases. Obviously, a manual inspection of security would be prohibitively slow and inefficient. Therefore, there is a great demand for the techniques that would allow the developers to automate the process of security assurance in the presence of frequent releases. The problem of security assurance is especially challenging because to ensure scalability, such main open source initiatives, as OpenStack adopt RESTful architecture. This requires new security assurance techniques to cater to stateless nature of the system. In this paper, we propose a model-driven framework that would allow the designers to model the security concerns and facilitate verification and validation of them in an automated manner. It enables a regular monitoring of the security features even in the presence of frequent updates. We exemplify our approach with the Keystone component of OpenStack.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
API Examples using Curl. https://docs.openstack.org/developer/keystone/devref/api_curl_examples.html. Accessed June 2017
cURL. http://curl.haxx.se/. Accessed 20 May 2017
HTTP Authentication. http://www.httpwatch.com/httpgallery/authentication/. Accessed 20 Aug 2013
KeyStone Security and Architecture Review. https://www.openstack.org/summit/openstack-summit-atlanta-2014/session-videos/presentation/keystone-security-and-architecture-review. Accessed June 2017
SOAP Request and CURL. http://dasunhegoda.com/make-soap-request-command-line-curl/596/. Accessed June 2017
Web services resources framework (wsrf 1.2). https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrf. Accessed 01 Nov 2013
Abramov, J., Anson, O., Dahan, M., Shoval, P., Sturm, A.: A methodology for integrating access control policies within database development. Comput. Secur. 31(3), 299–314 (2012)
Alam, M.M., Breu, R., Breu, M.: Model driven security for web services (MDS4WS). In: Proceedings of INMIC 2004 - 8th International Multitopic Conference, pp. 498–505. IEEE (2004)
Almorsy, M., Grundy, J., Ibrahim, A.S.: Adaptable, model-driven security engineering for SaaS cloud-based applications. Autom. Softw. Eng. 21(2), 187–224 (2014)
Atkinson, B., Della-Libera, G., Hada, S., Hondo, M., Hallam-Baker, P., Klein, J., LaMacchia, B., Leach, P., Manferdelli, J., Maruyama, H., et al.: Web services security (WS-Security). Specification, Microsoft Corporation (2002)
Berners-Lee, T., Fielding, R., Frystyk, H.: Hypertext transfer protocol-HTTP/1.0 (1996)
Davis, D., Malhotra, A., Warr, O.K., Chou, W.: Web services transfer (WS-Transfer). World Wide Web Consortium, Recommendation REC-ws-transfer-20111213 (2011)
Demuth, B., Wilke, C.: Model and object verification by using Dresden OCL. In: Proceedings of the Russian-German Workshop Innovation Information Technologies: Theory and Practice, pp. 81–89 (2009)
Garcia, M., Shidqie, A.J.: OCL compiler for EMF. In: Eclipse Modeling Symposium at Eclipse Summit Europe (2007)
Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toahchoodee, M., Houmb, S.H.: An aspect-oriented methodology for designing secure applications. Inf. Softw. Technol. 51(5), 846–864 (2009)
Jürjens, J.: Towards development of secure systems using UMLsec. In: Hussmann, H. (ed.) FASE 2001. LNCS, vol. 2029, pp. 187–200. Springer, Heidelberg (2001). doi:10.1007/3-540-45314-8_14
Jürjens, J., Shabalin, P.: Tools for secure systems development with UML. Int. J. Softw. Tools Technol. Transf. 9(5–6), 527–544 (2007)
Meyer, B.: Applying ‘design by contract’. Computer 25(10), 40–51 (1992)
Nguyen, H.P., Kramer, M., Klein, J., Traon, Y.L.: An extensive systematic review on the model-driven development of secure systems. Inf. Softw. Technol. 68, 62–81 (2015)
OMG: OCL, OMG Available Specification, Version 2.0 (2006)
Pepple, K.: Deploying OpenStack. O’Reilly Media Inc., Sebastopol (2011)
Porres, I., Rauf, I.: From nondeterministic UML protocol statemachines to class contracts. In: 2010 Third International Conference on Software Testing, Verification and Validation (ICST), pp. 107–116. IEEE (2010)
Porres, I., Rauf, I.: Modeling behavioral restful web service interfaces in UML. In: Proceedings of the 2011 ACM Symposium on Applied Computing, pp. 1598–1605. ACM (2011)
Rauf, I., Porres, I.: REST: from research to practice. In: Wilde, E., Pautasso, C. (eds.) Beyond CRUD, vol. 2029, pp. 117–135. Springer, New York (2011). doi:10.1007/978-1-4419-8303-9_5
Rauf, I., Ruokonen, A., Systa, T., Porres, I.: Modeling a composite restful web service with UML. In: Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, pp. 253–260. ACM (2010)
Rauf, I., Siavashi, F., Truscan, D., Porres, I.: Scenario-based design and validation of REST web service compositions. In: Monfort, V., Krempels, K.-H. (eds.) WEBIST 2014. LNBIP, vol. 226, pp. 145–160. Springer, Cham (2015). doi:10.1007/978-3-319-27030-2_10
Sefraoui, O., Aissaoui, M., Eleuldj, M.: Openstack: toward an open-source solution for cloud computing. Int. J. Comput. Appl. 55(3) (2012)
OMG Uml. 2.0 superstructure specification. OMG, Needham (2004)
Webber, J., Parastatidis, S., Robinson, I.: REST in Practice: Hypermedia and Systems Architecture. O’Reilly Media Inc., Sebastopol (2010)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Rauf, I., Troubitsyna, E. (2017). Towards a Model-Driven Security Assurance of Open Source Components. In: Romanovsky, A., Troubitsyna, E. (eds) Software Engineering for Resilient Systems. SERENE 2017. Lecture Notes in Computer Science(), vol 10479. Springer, Cham. https://doi.org/10.1007/978-3-319-65948-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-65948-0_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65947-3
Online ISBN: 978-3-319-65948-0
eBook Packages: Computer ScienceComputer Science (R0)