
Security modeling for service-oriented systems using security pattern refinement approach

  • Theme Section Paper
Software & Systems Modeling

Abstract

Security is one of the critical aspects of current systems, which are based on loosely coupled and technology-agnostic service-oriented architectures (SOA). Although SOA is the driving force for enterprises to open themselves to global business collaborations, it raises many challenges for modeling and enforcing security. One of the main problems in designing secure systems is the lack of consistent frameworks and methodologies for modeling security concerns. Traditional approaches consider security at the end of system development, which results in inflexible and non-configurable systems that are too difficult to maintain and manage. The other major problem with current approaches is that they assume pre-defined and hard-coded security patterns and mechanisms for secure system design, whereas evolving SOA systems require configurable security to realize different security patterns and security policies in a variety of business scenarios. To solve these problems, it is necessary to model security concerns from the beginning of system modeling in a platform-independent way. This paper proposes a pattern refinement approach for security modeling that achieves configurable and declarative security, based on the principles of abstraction, refinement, separation of concerns and maintainability, to allow flexible configurations of SOA security. In the proposed approach, a Domain Expert defines abstract policies using common security vocabulary, and a Security Expert models security with patterns and refines them for a target architecture in successive systematic refinements. Furthermore, the approach facilitates the transformation of abstract security models into executable security policies for the target platforms.



Author information


Correspondence to Mukhtiar Memon.

Additional information

Communicated by Dr. Juan M. Vara, Mike Papazoglou & Il-Yeol Song.


About this article

Cite this article

Memon, M., Menghwar, G.D., Depar, M.H. et al. Security modeling for service-oriented systems using security pattern refinement approach. Softw Syst Model 13, 549–572 (2014). https://doi.org/10.1007/s10270-012-0268-6


  • DOI: https://doi.org/10.1007/s10270-012-0268-6
