Abstract
Security is one of the critical aspects of current systems, which are based on loosely coupled and technology-agnostic service-oriented architectures (SOA). Though SOA is the driving force for enterprises to open their ends for global business collaborations, nevertheless it evolves many challenges for modeling and enforcing security. One of the main problems for designing secure systems is the lack of consistent frameworks and methodologies for modeling security concerns. Traditional approaches consider security at the end of system development, which evolves inflexible and un-configurable systems, which are too difficult to maintain and manage. The other major problem with current approaches is that they assume pre-defined and hard-coded security patterns and mechanisms for secure system design. Whereas, the evolving SOA systems require configurable security to realize different security patterns and security policies in a variety of business scenarios. To solve these problems, it is necessary to model security concerns from the beginning of system modeling in a platform-independent way. This paper proposes a pattern refinement approach for security modeling to achieve configurable and declarative security, based on the principles of abstraction, refinement, separation-of-concerns and maintainability to achieve flexible configurations of SOA security. In the proposed approach, a Domain Expert defines abstract policies using common security vocabulary and a Security Expert models security with patterns and refines them for a target architecture in successive systematic refinements. Furthermore, it facilitates the transformation of abstract security models into executable security policies for the target platforms.
Similar content being viewed by others
References
Apache Rampart. http://ws.apache.org/rampart
OpenArchitectureWare 4. http://www.eclipse.org/gmt/oaw
Web Services Business Process Execution Language Version 2.0 (2007)
Adams, C.: RFC 2479, The Internet Engineering Task Force (1998). http://tools.ietf.org/html/rfc2479
Alam, M., Hafner, M., Breu, R.: Model-driven Security Engineering for Trust Management in SECTET. J. Softw. 2(1), 47–59 (2007)
Alam, M., Hafner, M., Breu, R., Unterthiner, S.: A framework for modeling restricted delegation of rights in SECTET. Int. J. Comput. Syst. Sci. Eng. 22(5), 289–305 (2007)
Alam, M.M.: Model Driven Realization of Dynamic Security Requirements in Distributed Systems. PhD thesis, University of Innsbruck (2007)
Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. 15(1), 39–91 (2006)
Bauer, B., Mueller, J.P.: MDA Applied: From Sequence Diagrams to Web Service Choreography, pp. 779–779. Web Engineering (2004)
Best, B., Jurjens, J., Nuseibeh, B.: mODEL-based security engineering of distributed information systems using UMLsec. In: ICSE ’07: Proceedings of the 29th International Conference on Software Engineering, pp. 581–590. IEEE Computer Society, Washington, DC (2007)
Cheng, B., Konrad, S., Campbell, L.A., Wassermann, R.: Using security patterns to model and analyze security. In: RHAS ’03: International Workshop on Requirements for High Assurance Systems, pp. 13–22 (2003)
David, R., Carlos, G., Fernandez-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. J. Int. Res. 16(5), 519–536 (2006)
Delessy, N., Fernandez, E.B.: A pattern-driven security process for SOA applications. In: ARES ’08: 3rd International Conference on Availability, Reliability and Security, pp. 416–421. IEEE Computer Society, Washington, DC (2008)
Dong, J., Peng, T., Zhao, Y.: Model checking security pattern compositions. In: QSIC ’07: Proceedings of the Seventh International Conference on Quality Software, pp. 80–89. IEEE Computer Society, Washington, DC (2007)
Fernandez, E.B., Delessy, N.: Using patterns to understand and compare web services security products and standards. In: AICT-ICIW ’06: Proceedings of the Advanced Int’l Conference on Telecommunications, pp. 157. IEEE Computer Society, Washington, DC (2006)
Fernandez, E.B., Pan, R.: A pattern language for security models. In: PloP ’01: Conference on Pattern Languages of Programs (2001)
Fernandez, E.B., Washizaki, H., Yoshioka, N.: Abstract security patterns. In: SPAQu 08–2nd International Workshop on Software Patterns and Quality (2008)
Gardner, T.: UML modeling of automated business processes with a mapping to BPEL4WS. In: Proceedings of 1st European Workshop on Object Orientation and Web Services at ECOOP, vol. 2003 (2003)
Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Towards a process for web services security. J. Res. Pract. Inf. Technol. 38(1) (2006)
Hafner, M.: SECTET: A Domain Architecture for Model Driven Security. PhD thesis, University of Innsbruck (2006)
Hafner, M., Breu, M., Breu, R., Nowak, A.: Modeling inter-organizational workflow security in a peer-to-peer environment. In: ICWS ’05: Proceedings of the IEEE International Conference on Web Services, pp. 533–540. IEEE Computer Society, Washington, DC (2005)
Hafner, M., Breu, R.: Security Engineering for Service-Oriented Architectures. Springer, Berlin (2008)
Hafner, M., Breu, R., Agreiter, B., Nowak, A.: SECTET: an extensible framework for the realization of secure inter-organizational workflows. Int. Res. 16(5), 491–506 (2006)
Hafner, M., Breu, R., Breu, M.: A security architecture for inter-organizational workflows: putting security standards for web services together. In: ICEIS ’05, 7th International Conference on Enterprise Information Systems, pp. 128–135 (2005)
Hafner, M., Memon, M., Breu, R.: SeAAS—a reference architecture for security services in SOA. J. Univ. Comput. Sci. 15(15), 2916–2936 (2009)
Han, J., Khan, K.M.: Security-oriented service composition and evolution. In: APSEC ’06: 13th Asia Pacific Software Engineering Conference, pp. 71–78. IEEE Computer Society, Washington, DC (2006)
Hinton, H., Hondo, M., Hutchison, B.: Security Patterns within a Service-oriented Architecture. IBM White Paper, November 2005
Juerjens, J.: UMLsec: extending UML for secure systems development. In: UML ’02: 5th International Conference on Model Engineering, Concepts and Tools, pp. 412. Springer, Berlin (2002)
Juerjens, J.: Secure Systems Development with UML. Springer, Berlin (2004)
Juerjens, J., Popp, G., Wimmel, G.: Towards using security patterns in model-based system development. In: EuroPLoP ’02: 7th European Conference on Pattern Languages of Programs (2002)
Kanneganti, R., Chodavarapu, P.: SOA Security in Action. Manning Publications Co., Greenwich (2007)
Korherr, B., List, B.: Extending UML 2 activity diagrams with business intelligence objects. In: DaWaK ’05, 7th International Conference on Data Warehousing and Knowledge Discovery, pp. 53–63. Springer, Berlin (2005)
Kremer, S., Markowitch, O., Zhou, J.: An intensive survey of fair non-repudiation protocols. Comput. Commun. 25(17), 1606–1621 (2002)
Krzysztof, C., Helsen, S.: Classification of model transformation approaches. In: OOPSLA3, workshop on generative techniques in the context of model-driven architecture (2003)
Lang, U., Schreiner, R.: Developing Secure Distributed Systems with CORBA. Artech House, Inc., Norwood (2002)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: UML ’02: Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 426–441. Springer, London (2002)
Mantell, K.: From UML to BPEL (2005). http://www.ibm.com/developerworks/webservices/library/ws-uml2bpel
McGraw, G., Viega, J.: Ten software security principles (2000). http://www.ibm.com/developerworks/linux/library/s-link.html
Memon, M., Hafner, M., Breu, R.: Security as a service—a reference architecture for SOA security. In: WOSIS ’09: 7th International Workshop on Security in Information Systems at ICEIS ’09 (2009)
Memon, M.: Security pattern refinement: code generation prototype (2011). http://www.sau.edu.pk/faculties/itc/Mukhtiar.Memon.html
Nelly, D., Fernandez, E.B., Petrie, L., Maria, M.: A Pattern language for identity management. In: ICCGI ’07: International Multi-Conference on Computing in the Global Information Technology, p. 31. IEEE Computer Society, Washington, DC (2007)
OASIS. WS-Security Policy (2007). http://docs.oasis-open.org
OSOA. Service Component Architecture (2007). http://www.osoa.org
Reznik, J., Ritter, T., Schreiner, R., Lang, U.: Model driven development of security aspects. Electron. Notes Theor. Comput. Sci. 163(2), 65–79 (2007)
Roehm, A.W., Herrmann, G., Pernul, G.: A language for modeling secure business transactions. In: ACSAC ’99: Proceedings of the 15th Annual Computer Security Applications Conference, Washington, DC, USA, p. 22 (1999)
Rosado, D.G., Fernandez-Medina, E., Piattini, M.: Comparison of security patterns. Int. J. Comput. Sci. Netw. Secur. 6(2B), 139–146 (2006)
Satoh, F., Mukhi, N.K., Nakamura, Y., Hirose, S.: Pattern-based policy configuration for SOA applications. In: SCC ’08: Proceedings of the 2008 IEEE International Conference on Services Computing, pp. 13–20. IEEE Computer Society, Washington, DC (2008)
Satoh, F., Nakamura, Y., Mukhi, N.K., et al.: Methodology and tools for end-to-end SOA security configurations. In: IEEE Congress on Services-Part I, pp. 307–314 (2008)
Satoh, F., Nakamura, Y., Ono, K.: Adding Authentication to model driven security. In: ICWS ’06: Proceedings of the IEEE International Conference on Web Services, Washington, DC, USA, pp. 585–594 (2006)
Satoh, F., Yamaguchi, Y.: Generic security policy transformation framework for WS-security. In: ICWS ’07: IEEE International Conference on Web Services, pp. 513–520 (2007)
Scacchi, W.: Process models in software engineering (2001). http://www.ics.uci.edu/ wscacchi/Papers
Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer, New York (2003)
Vivas, J.L., Montenegro, J.A., Lopez, J.: Towards a business process-driven framework for security engineering with the UML. In: 6th Information Security Conference—ISC’2003, pp. 381–395 (2003)
W3C. Web Services Policy 1.2-Framework (2006). http://www.w3.org/Submission/WS-Policy
Washizaki, H., Kubo, A., Fukazawa, Y.: Measuring abstraction levels of security patterns. In: SPAQu 07—1st International Workshop on Software Patterns and Quality (2007)
Wendehals, L.: Improving design pattern instance recognition by dynamic analysis. In: WODA 2003: ICSE Workshop on D Analysis, p. 29 (2003)
Wolter, C., Menzel, M., Meinel, C.: Modeling security goals in business processes. In: Modellierung’08, pp. 197–212 (2008)
Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)
Zhou, J., Deng, R., Bao, F.: Evolution of fair non-repudiation with TTP. In: ACISP ’99: 4th Australasian Conference on Information Security and Privacy, London, UK, Springer, Berlin (1999)
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Dr. Juan M. Vara, Mike Papazoglou & Il-Yeol Song.
Rights and permissions
About this article
Cite this article
Memon, M., Menghwar, G.D., Depar, M.H. et al. Security modeling for service-oriented systems using security pattern refinement approach. Softw Syst Model 13, 549–572 (2014). https://doi.org/10.1007/s10270-012-0268-6
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10270-012-0268-6