
Web services enterprise security architecture: a case study

Published: 11 November 2005

Abstract

Web Services (WS hereafter) Security is a crucial aspect for technologies based on this paradigm to be completely adopted by the industry. As a consequence, many initiatives have arisen in recent years whose main purpose is the standardization of the security factors related to this paradigm. In fact, over the past years the most important Internet consortiums, like IETF, W3C or OASIS, have been producing a huge number of WS-based security standards. Despite this growth, there is not yet a process that guides developers in the critical task of integrating security within all the stages of the development life cycle of WS-based software. Such a process should support developers in the activities of web service-specific security requirements specification, web services-based security architecture design, and web services security standards selection, integration and deployment. In this article we briefly present the PWSSec (Process for Web Services Security) process, which is composed of three stages, WSSecReq (Web Services Security Requirements), WSSecArch (Web Services Security Architecture) and WSSecTech (Web Services Security Technologies), that accomplish the mentioned activities, respectively. We also provide a thorough explanation of the WSSecArch (Web Services Security Architecture) stage, intended to design the web services-based security architecture. In addition, a real case study where this stage is being applied is also included.



Published In
SWS '05: Proceedings of the 2005 workshop on Secure web services
November 2005
98 pages
ISBN:1595932348
DOI:10.1145/1103022
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. security
  2. software architecture
  3. software development process
  4. web services

Conference

CCS05
Cited By

  • (2013) HARM: Hacker Attack Representation Method. Software and Data Technologies, pp. 156-175. doi:10.1007/978-3-642-29578-2_10
  • (2011) Model-Driven Approach for End-to-End SOA Security Configurations. Non-Functional Properties in Service Oriented Architecture, pp. 268-298. doi:10.4018/978-1-60566-794-2.ch012
  • (2011) Enterprise information security, a review of architectures and frameworks from interoperability perspective. Procedia Computer Science 3, pp. 537-543. doi:10.1016/j.procs.2010.12.089
  • (2011) Authentication and Authorization in Web Services. Networked Digital Technologies, pp. 13-23. doi:10.1007/978-3-642-22185-9_2
  • (2010) Utilizing the interactive techniques to achieve automated service composition for Web Services. Journal of High Speed Networks 17(4), pp. 219-236. doi:10.5555/1971866.1971871
  • (2009) The practical application of a process for eliciting and designing security in web service systems. Information and Software Technology 51(12), pp. 1712-1738. doi:10.1016/j.infsof.2009.05.004
  • (2008) Incorporating Web services Into E-business Systems. E-Business Models, Services and Communications, pp. 182-207. doi:10.4018/978-1-59904-831-4.ch009
  • (2008) Safeguard gaps and their managerial issues. Industrial Management & Data Systems 108(5), pp. 669-676. doi:10.1108/02635570810876787
  • (2007) Incorporating Web services Into E-business Systems. E-Business Models, Services and Communications. doi:10.4018/978-1-599904-831-4.ch009
  • (2007) Toward Situational Secure Web Services Design Methods. IEEE International Conference on Web Services (ICWS 2007), pp. 1179-1180. doi:10.1109/ICWS.2007.175
