ABSTRACT
The Service-Oriented Architecture paradigm (SOA) is commonly applied for the implementation of complex, distributed business processes. The service-oriented approach promises higher flexibility, interoperability and reusability of the IT infrastructure. However, evaluating the quality attribute security of large and complex SOA configurations is not sufficiently mastered yet. To tackle this complex problem, we developed a method for evaluating the security of existing service-oriented systems on the architectural level. The method is based on recovering security-relevant facts about the system by using reverse engineering techniques and subsequently providing automated support for further interactive security analysis at the structural level. By using generic, system-independent indicators and a knowledge base, the method is not limited to a specific programming language or technology. Therefore, we are able to apply the method to various systems and adapt it to specific evaluation needs. The paper describes the general structure of the method, and presents an instantiation aligned to the Service Component Architecture (SCA) specification.
- H. Peine, M. Jawurek, S. Mandel, "Security Goal Indicator Trees: A Model of Software Features that Supports Efficient Security Inspection", High Assurance Systems Engineering Symposium, HASE, 2008 Google ScholarDigital Library
- S. Laws, M. Combellack, R. Feng, H. Mahbod, S. Nash, Tuscany in Action, MEAP Began: February 2009, Softbound print: July 2010.Google Scholar
- J. Davis, Open Source SOA, Manning Publications; 1 edition, June 2009. Google ScholarDigital Library
- Apache Tuscany, http://tuscany.apache.org/ (accessed April 8th, 2010).Google Scholar
- Service Component Architecture, http://www.oasis-opencsa.org/sca (accessed May 10th, 2010).Google Scholar
- OASIS Web Services Security Specification, http://www.oasis-open.org/specs/index.php#wssv1.0 (accessed May 10th, 2010).Google Scholar
- Eclipse Modeling framework, http://www.eclipse.org/modeling/emf/ (accessed April 8th, 2010).Google Scholar
- S. Duszynski, J. Knodel, M. Lindvall, SAVE: Software Architecture Visualization and Evaluation, 13th European Conference on Software Maintenance and Reengineering (CSMR), 2009. Google ScholarDigital Library
- F. Swiderski, W. Snyder, Threat Modeling, Microsoft Press, Redmond, Washington, 2004 Google ScholarDigital Library
- K. Sohr and B. Berger. Idea: towards Architecture-Centric Security Analysis of Software, Springer Berlin / Heidelberg, 2010.Google ScholarDigital Library
- Y. Liu, I. Traore, A. M. Hoole: A Service-oriented Framework for Quantitative Security Analysis of Software. 2008 IEEE Asia-Pacific Services Computing Conference. Yila, Taiwan. Google ScholarDigital Library
- B. Alshammari, C. Fidge, D. Corney: Security Metrics for Object-Oriented Class Designs, Ninth international Conference on Quality Software QSIC, 2009. Google ScholarDigital Library
- T. Heyman, R. Scandariato, C. Huygens, W. Joosen: Using Security Patterns to Combine Security Metrics. Third international Conference on Availability, Reliability and Security ARES, 2008. Google ScholarDigital Library
- E. Chikofsky, J. Cross: Reverse Engineering and Design Recovery: A Taxonomy. IEEE Software, vol. 7, no. 1, pp. 13--17, 1990. Google ScholarDigital Library
- L. Dobrica, E. Niemelä: A Survey on Software Architecture Analysis Methods. IEEE Transactions on Software Engineering, vol. 28, no. 7, pp. 638--653, July 2002. Google ScholarDigital Library
- R. Kazman, M. Klein, P. Clements: ATAM: Method for Architecture Evaluation. Software Engineering Institute technical report CMU/SEI-2000-TR-004, August 2000.Google Scholar
- P. Bengtsson, J. Bosch: Architecture-Level Prediction of Software Maintenance, 3rd European Conference on Software Maintenance and Reengineering (CSMR), 1999. Google ScholarDigital Library
Index Terms
- Indicator-based architecture-level security evaluation in a service-oriented environment
Recommendations
Functionality-Based Service Matchmaking for Service-Oriented Architecture
ISADS '07: Proceedings of the Eighth International Symposium on Autonomous Decentralized SystemsService matchmaking is a basic feature of Service- Oriented Architecture (SOA). In this paper, a semantic-based flexible service matchmaking approach is presented to efficiently identifying functionalitycompatible services. This approach utilizes SAWOWL-...
Service-oriented architecture (SOA)concepts and implementations
SIGAda '11: Proceedings of the 2011 ACM annual international conference on Special interest group on the ada programming languageThis tutorial explains how to implement a Service-Oriented Architecture (SOA) for reliable systems using Enterprise Service Bus (ESB) technologies. The first half of the tutorial describes terms of Service-Oriented Architectures (SOA) including service, ...
Security Evaluation of Service-Oriented Systems Using the SiSOA Method
The Service-Oriented Architecture paradigm SOA is commonly applied for the implementation of complex, distributed business processes. The service-oriented approach promises higher flexibility, interoperability and reusability of the IT infrastructure. ...
Comments