Abstract
The Service-Oriented Architecture (SOA) paradigm is giving rise to a new generation of applications built by dynamically composing loosely coupled autonomous services. Clients (i.e., software agents acting on behalf of human users or service providers) implementing such complex applications typically search and integrate services on the basis of their functional requirements and of their trust in the service suppliers. A major issue in this scenario relates to the definition of an assurance technique allowing clients to select services on the basis of their nonfunctional requirements and increasing their confidence that the selected services will satisfy such requirements. In this article, we first present an assurance solution that focuses on security and supports a test-based security certification scheme for Web services. The certification scheme is driven by the security properties to be certified and relies upon a formal definition of the service model. The evidence supporting a certified property is computed using a model-based testing approach that, starting from the service model, automatically generates the test cases to be used in the service certification. We also define a set of indexes and metrics that evaluate the assurance level and the quality of the certification process. Finally, we present our evaluation toolkit and experimental results obtained applying our certification solution to a financial service implementing the Interactive Financial eXchange (IFX) standard.
- Al-Moayed, A. and Hollunder, B. 2010. Quality of service attributes in web services. In Proceedings of the 5th International Conference on Software Engineering Advances (ICSEA'10). Google ScholarDigital Library
- Anisetti, M., Ardagna, C. A., and Damiani, E. 2011a. Certifying security and privacy properties in the Internet of services. In Trustworthy Internet, G. Bianchi, N. Blefari, and L. Salgarelli, Eds., Springer.Google Scholar
- Anisetti, M., Ardagna, C. A. and Damiani, E.2011b. Fine-grained modeling of web services for test-based security certification. In Proceedings of the 8th International Conference on Service Computing (SCC'11). Google ScholarDigital Library
- Baresi, L. and Di Nitto, E. 2007. Test and Analysis of Web Services. Springer. Google ScholarDigital Library
- Belinfante, A. and Frantzen, L. 2012. JTorX -- A tool for model-based testing. http://fmt.cs.utwente.nl/redmine/projects/jtorx.Google Scholar
- Bentakouk, L., Poizat, P., and Zaidi, F. 2011. Checking the behavioral conformance of web services with symbolic testing and an SMT solver. In Proceedings of the 5th International Conference on Tests and Proofs (TAP'11). Google ScholarDigital Library
- Bozkurt, M., Harman, M., and Hassoun, Y. 2010. Testing web services: A survey. Tech. rep. TR-10-01. Department of Computer Science, King's College London.Google Scholar
- Canfora, G. and Di Penta, M. 2009. Service-oriented architectures testing: A survey. Softw. Engin Int. Summer Schools 1, 78--105. Google ScholarDigital Library
- Chandramouli, R. and Blackburn, M. 2004. Automated testing of security functions using a combined model and interface-driven approach. In Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04). Google ScholarDigital Library
- Chowdhurya, I. and Zulkernine, M.2011. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. J. Syst. Archit. 57, 3, 294--313. Google ScholarDigital Library
- Chung, L. and Leite, J. C. P. 2009. Non-functional requirements in software engineering. In Conceptual Modeling: Foundations and Applications. Springer, 363--379.Google Scholar
- Chung, L. and Nixon, B. A. 1995. Dealing with non-functional requirements: Three experimental studies of a process-oriented approach. In Proceedings of the 17th International Conference on Software Engineering (ICSE'95). Google ScholarDigital Library
- Chung, L., Nixon, B. A., Yu, E., and Mylopoulos, J. 2000. Non-functional Requirements in Software Engineering, vol. 5, Springer.Google Scholar
- Damiani, E., Ardagna, C. A., and El Ioini, N. 2009a. Open Source Systems Security Certification. Springer. Google ScholarDigital Library
- Damiani, E., De Capitani Di Vimercati, S., Paraboschi, S., and Samarati, P. 2001. Fine grained access control for SOAP, e-services. In Proceedings of the 10th International Conference on World Wide Web (WWW'01). Google ScholarDigital Library
- Damiani, E., El Ioini, N., Sillitti, A., and Succi, G. 2009b. WS-certificate. In Proceedings of the IEEE Congress on Services (SERVICESI'09). Part 1. Google ScholarDigital Library
- Damiani, E. and Mana, A. 2009. Toward WS-certificate. In Proceedings of the ACM Workshop on SecureWeb Services (SWS'09). Google ScholarDigital Library
- Endo, A. T. and Simao, A. 2011. Model-based testing of service-oriented applications via state models. In Proceedings of the 8th IEEE International Conference of Service Computing (SCC'11). Google ScholarDigital Library
- Falkenberg, A., Jensen, M., and Schwenk, J. 2012. WS-attacks.org. http://clawslab.nds.rub.de/wiki/index.php/.Google Scholar
- Focardi, R., Gorrieri, R., and Martinelli, F. 2004. Classification of security properties (Part II: Network security). In Foundations of Security Analysis and Design II - Tutorial Lectures, R. Focardi and R. Gorrieri, Eds., Springer.Google Scholar
- Frantzen, L., Las Nieves Huerta, M., Kiss, Z. G., and Wallet, T. 2008. On-the-fly model-based testing of web services with jambition. In Proceedings of the 5th International Workshop on Web Services and Formal Methods (WS-FM'08).Google Scholar
- Frantzen, L., Tretmans, J., and De Vries, R. 2006a. Towards model-based testing of web services. In Proceedings of the International Workshop on Web Services - Modeling and Testing (WS-MaTe'06).Google Scholar
- Frantzen, L., Tretmans, J., and Willemse, T. A. C. 2004. Test generation based on symbolic specifications. In Proceedings of the 4th International Workshop on Formal Approaches to Software Testing (FATES'04). Lecture Notes in Computer Science, vol. 3395, Springer, 1--15. Google ScholarDigital Library
- Frantzen, L., Tretmans, J., and Willemse, T. A. C. 2006b. A symbolic framework for model-based testing. In Proceedings of the 6th International Workshop on Formal Approaches to Testing and Runtime Verification (FATES/RV'06). Google ScholarDigital Library
- Gao, J. Z., Tsao, J., Wu, Y., and Jacob, T. 2003. Testing and Quality Assurance for Component-Based Software. Artech House, Norwood, MA. Google ScholarDigital Library
- Hanna, S. and Munro, M. 2007. An approach for specification-based test case generation for web services. In Proceedings of the IEEE/ACS International Conference on Computer Systems and Applications (AICCSA'07).Google Scholar
- Hao, Y., Zhang, Y., and Cao, J. 2012. A novel QoS model and computation framework in web service selection. World Wide Web 15, 5-6, 663--684.Google ScholarCross Ref
- Heckel, R. and Lohmann, M. 2004. Towards contract-based testing of web services. In Proceedings of the International Workshop on Test and Analysis of Component Based Systems (TACoS'04).Google Scholar
- Herrmann, D. S. 2002. Using the Common Criteria for IT Security Evaluation. Auerbach Publications. Google ScholarDigital Library
- Irvine, C. and Levin, T. 1999. Toward a taxonomy and costing method for security services. In Proceedings of the 15th Annual Conference on Computer Security Applications (ACSAC'99). Google ScholarDigital Library
- Jensen, M. 2011. Analysis of Attacks and Defenses in the Context of Web Services. Ph.D. thesis, Ruhr-Universit at Bochum, Bochum, Germany.Google Scholar
- Jensen, M., Gruschka, N., and Herkenhoner, R. 2009. A survey of attacks on web services: Classification and countermeasures. Comput. Sci. Res. Devel. 24, 4, 185--197.Google ScholarCross Ref
- Jokhio, M. S., Dobbie, G., and Sun, J. 2009. Towards specification based testing for semantic web services. In Proceedings of the 20th Australian Software Engineering Conference (ASWEC'09). Google ScholarDigital Library
- Jurjens, J. 2008. Model-based security testing using UMLsec: A case study. Electron. Not. Theor. Comput. Sci. 220, 1, 93--104. Google ScholarDigital Library
- Keum, C. S., Kang, S., Ko, I.-Y., Baik, J., and Choi, Y.-I. 2006. Generating test cases for web services using extended finite state machine. In Proceedings of the 18th IFIP International Conference on Testing Communicating Systems (TestCom'06). Google ScholarDigital Library
- Kim, A., Luo, J., and Kang, M. 2005. Security ontology for annotating resources. In Proceedings of the 4th International Conference on Ontologies, Databases, and Applications of Semantics (ODBASE'05). Google ScholarDigital Library
- Kourtesis, D., Ramollari, E., Dranidis, D., and Paraskakis, I. 2010. Increased reliability in SOA environments through registry-based conformance testing of web services. Product. Plan. Control 21, 2, 130--144.Google ScholarCross Ref
- Lowis, L. and Accorsi, R. 2009. On a classification approach for SOA vulnerabilities. In Proceedings of the 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC'09). Google ScholarDigital Library
- Mao, C. 2009a. A specification-based testing framework for web service-based software. In Proceedings of the IEEE International Conference on Granular Computing (GRC'09).Google ScholarCross Ref
- Mao, C. 2009b. Towards a hierarchical testing and evaluation strategy for web services system. In Proceedings of the 7th ACIS International Conference on Software Engineering Research, Management and Applications (SERA'09). Google ScholarDigital Library
- Mccabe, T. J. 1976. A complexity measure. IEEE Trans. Softw. Engin. SE-2, 4, 308--320. Google ScholarDigital Library
- Mens, T. and Van Gorp, P. 2005. A taxonomy of model transformation. In Proceedings of the International Workshop on Graph and Model Transformation (GraMoT'05).Google Scholar
- Microsoft 2007. Web services security specifications. Microsoft. http://msdn.microsoft.com/en-us/library/ms951273.aspx.Google Scholar
- Muccini, H. 2008. Software testing: Testing new software paradigms and new artifacts. In Wiley Encyclopedia of Computer Science and Engineering, Wiley, 117.Google Scholar
- Myers, G. J. 2004. The Art of Software Testing 2nd Ed. John Wiley and Sons, Hoboken, NJ. Google ScholarDigital Library
- Nadalin, A., Goodner, M., Gudgin, M., Barbir, A., and Granqvist, H. 2007. WS-secure conversation 1.3. OASIS. http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html.Google Scholar
- Nadalin, A., Kaler, C., Monzillo, R., and Hallam-Baker, P. 2006. Web services security: SOAP message security 1.1. OASIS. http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf.Google Scholar
- Noorian, Z., Fleming, M., and Marsh, S. 2012. Preference-oriented QoS-based service discovery with dynamic trust and reputation management. In Proceedings of the ACM Symposium on Applied Computing (SAC'12). Google ScholarDigital Library
- Papazoglou, M. P. 2003. Web services and business transactions. World Wide Web 6, 1, 49--91. Google ScholarDigital Library
- Papazoglou, M. P., Andrikopoulos, V., and Benbernou, S. 2011. Managing evolving services. IEEE Softw. 28, 3, 49--55. Google ScholarDigital Library
- Papazoglou, M. P., Traverso, P., Dustdar, S., and Leymann, F. 2007. Service-oriented computing: State of the art and research challenges. Comput. 40, 11, 38--45. Google ScholarDigital Library
- Rajendran, T., Balasubramanie, P., and Cherian, R. 2010. An efficient WS-QoS broker based architecture for web services selection. Int. J. Comput. Appl. 1, 9, 79--84.Google Scholar
- Ran, S. 2003. A model for web services discovery with QoS. ACM SIGecom Exchanges 4, 1, 1--10. Google ScholarDigital Library
- Ryu, S. H., Casati, F., Skogsrud, H., Betanallah, B., and Saint-Paul, R. 2008. Supporting the dynamic evolution of web service protocols in service-oriented architectures. ACM Trans. Web 2, 2, 13:1--13:46. Google ScholarDigital Library
- Salva, S. and Rabhi, I. 2009. Automatic web service robustness testing from WSDL descriptions. In Proceedings of the 12th European Workshop on Dependable Computing (EWDC'09).Google Scholar
- Schroth, C. and Janner, T. 2007. Web 2.0 and SOA: Converging concepts enabling the Internet of services. IT Professional 9, 3, 36--41. Google ScholarDigital Library
- Sei. 2011. Securing web services for army SOA. http://www.sei.cmu.edu/solutions/softwaredev/securingweb-services.cfm.Google Scholar
- Serhani, M. A., Dssouli, R., Hafid, A., and Sahraoui, H. 2005. A QoS broker based architecture for efficient web services selection. In Proceedings of the IEEE International Conference on Web Services (ICWS'05). Google ScholarDigital Library
- Tarhini, A., Fouchal, H., and Mansour, N. 2005. A simple approach for testing web service based applications. In Proceedings of the 5th International Workshop on Innovative Internet Community Systems (IICS'05). Google ScholarDigital Library
- Tretmans, J. 2011. Model-based testing and some steps towards test-based modelling. In Proceedings of the 11th International School on Formal Methods for Eternal Networked Software Systems (SFM'11).Google ScholarCross Ref
- Tsai, W. T., Paul, R., Cao, Z., Yu, L., Saimi, A., and Xiao, B. 2003. Verification of web services using an enhanced UDDI server. In Proceedings of the 8th IEEE International Workshop on Object-Oriented Real-Time Dependable Systems (WORDS'03).Google Scholar
- Tsai, W. T., Paul, R., Yamin, W., Chun, F., and Dong, W. 2002. Extending WSDL to facilitate web services testing. In Proceedings of the 7th IEEE International Symposium on High Assurance Systems Engineering (HASE'02). Google ScholarDigital Library
- Tsai, W. T., Zhou, X., Paul, R. A., Chen, Y., and Bai, X. 2007. A coverage relationship model for test case selection and ranking for multi-version software. In Proceedings of the 10th IEEE International Symposium on High Assurance Systems Engineering (HASE'07). Google ScholarDigital Library
- Usa Department of Defence. 1985. Department Of Defense Trusted Computer System Evaluation Criteria. USA Department of Defence. http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt.Google Scholar
- Van Veenendaal, E. 2012. Standard glossary of terms used in software testing version 2.2. International Software Testing Qualifications Board. http://www.astqb.org/documents/ISTQB_glossary_of_testing_terms_2.2.pdf.Google Scholar
- Vecellio, G. and Thomas, W. M. 2001. Issues in the Assurance of Component-Based Software. Mitre. http://www.mitre.org/news/edge_perspectives/march 01/vecellio.html.Google Scholar
- Vedamuthu, A. S., Orchard, D., Hirsch, F., Hondo, M., Yendluri, P., Boubez, T., and Yalcinalp, U. 2007. Web services policy 1.5 - Framework. World Wide Web Consortium (W3C). http://www.w3.org/TR/ws-policy/.Google Scholar
- Web Services Working Group. 2012. IFX web services. Web Services Working Group (WSWG). http://www.ifxforum.org/standards/wswg.Google Scholar
- Zulkernine, M., Raihan, M. F., and Uddin, M. G. 2009. Towards model-based automatic testing of attack scenarios. In Proceedings of the 28th International Conference on Computer Safety, Reliability and Security (SAFECOMP'09). Google ScholarDigital Library
Index Terms
- A test-based security certification scheme for web services
Recommendations
Test-Based Security Certification of Composite Services
The diffusion of service-based and cloud-based systems has created a scenario where software is often made available as services, offered as commodities over corporate networks or the global net. This scenario supports the definition of business ...
Security Certification of Composite Services: A Test-Based Approach
ICWS '13: Proceedings of the 2013 IEEE 20th International Conference on Web ServicesAccurate and lightweight evaluation of web service security properties is a key problem, especially when business processes are dynamically built by composing atomic services provided by different suppliers at runtime. In this paper, we tackle this ...
A Low-Cost Security Certification Scheme for Evolving Services
ICWS '12: Proceedings of the 2012 IEEE 19th International Conference on Web ServicesSecurity certification schemes for Service-Oriented Architecture~(SOA) extend service specifications with the evidence that a service supports a set of security properties and provides a given level of assurance. However, services are subject to ...
Comments