
2014 | OriginalPaper | Chapter

7. A Certification-Aware Service-Oriented Architecture

Authors: Marco Anisetti, Claudio A. Ardagna, Michele Bezzi, Ernesto Damiani, Samuel Paul Kaluvuri, Antonino Sabetta

Published in: Advanced Web Services

Publisher: Springer New York


Abstract

The widespread development of Service-Oriented Architecture (SOA) and web services is changing the traditional view of information technology. Today, software applications are increasingly distributed and consumed as a service, and business processes are implemented by selecting and composing services provided by different suppliers at run-time, with minimal human intervention. In this scenario, where services are usually selected on the basis of clients’ functional preferences, the risk of providing powerful but insecure applications rises, and the problem of guaranteeing and preserving the security of services and business processes becomes pressing. To this aim, we put forward the idea that security certification techniques can be adopted to provide evidence that a service system has given security properties and behaves as expected. However, existing security certification techniques are not well suited to the service scenario: they are designed for static, monolithic software and therefore cannot support the intrinsic dynamics of SOA. In this chapter, we discuss recent developments in extending security certification to web services. In particular, we first review current certification approaches and highlight the requirements and challenges of applying them to the service ecosystem. We then present an advanced methodology for test-based security certification, a crucial part of a novel approach to security certification developed in the context of the FP7 EU project Advanced Security Service cERTificate for SOA (Assert4Soa).


Footnotes

1. We note that in the Assert4Soa terminology the certification-aware matchmaking process refers to the matching and comparison processes in Sect. 7.4.2.

2. This could sound contradictory from the software engineering point of view, since service \(s.v1.1\) is an updated version of \(s.v1.0\) and thus should be “better” than the previous version. From the certification point of view, however, if we do not have evidence that \(s.v1.1\) is “better” than \(s.v1.0\), we should not claim it in the certificate.

3. We note that the patterns can themselves be certified, increasing the trust in the composition.
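As an added illustration of footnotes 1 and 2 (example code written for this page, not Assert4Soa's own code), the following Python matchmaker binds each certificate to one exact service version and runs the matching and comparison steps only over evidence that exists for that version, so an uncertified update such as \(s.v1.1\) is never ranked above a certified \(s.v1.0\) on the strength of its version number alone. The data model, the evidence ordering in `EVIDENCE_RANK`, and the sample certificates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed evidence ordering (not from the chapter): the same claim backed
# by stronger evidence outranks the claim backed by weaker evidence.
EVIDENCE_RANK = {"functional-tests": 1, "security-tests": 2, "formal-proof": 3}


@dataclass(frozen=True)
class Certificate:
    service: str    # service name
    version: str    # exact version on which the evidence was collected
    prop: str       # certified security property
    evidence: str   # kind of evidence backing the claim (key of EVIDENCE_RANK)


@dataclass(frozen=True)
class Request:
    prop: str                               # property the client requires
    min_evidence: str = "functional-tests"  # weakest evidence the client accepts


def certificates_for(certs, service, version):
    """Certificates issued for exactly this (service, version).

    Nothing is inherited across versions: a certificate for s.v1.0 is
    not evidence about s.v1.1, however small the change between them.
    """
    return [c for c in certs if c.service == service and c.version == version]


def satisfies(cert, req):
    """Matching step: the certificate covers the requested property with
    evidence at least as strong as the client demands."""
    return (cert.prop == req.prop
            and EVIDENCE_RANK[cert.evidence] >= EVIDENCE_RANK[req.min_evidence])


def best_evidence(certs, service, version, req) -> Optional[str]:
    """Strongest evidence certified for this exact version and request,
    or None when no certificate of this version satisfies the request."""
    hits = [c for c in certificates_for(certs, service, version) if satisfies(c, req)]
    if not hits:
        return None
    return max(hits, key=lambda c: EVIDENCE_RANK[c.evidence]).evidence


def rank(certs, candidates, req):
    """Comparison step: order (service, version) candidates by certified
    evidence, strongest first. Candidates with no satisfying certificate
    are kept at the bottom with evidence None, so the caller sees them but
    cannot mistake them for certified ones."""
    scored = [(s, v, best_evidence(certs, s, v, req)) for s, v in candidates]
    # Uncertified entries get key 1, which sorts after every negative rank.
    return sorted(scored, key=lambda t: 1 if t[2] is None else -EVIDENCE_RANK[t[2]])


def select(certs, candidates, req):
    """Best certified candidate as (service, version), or None if no
    candidate is certified for the request."""
    ranked = rank(certs, candidates, req)
    if not ranked or ranked[0][2] is None:
        return None
    return ranked[0][:2]


# Constructed sample certificates (illustrative, not real services).
# s.v1.1 is newer than s.v1.0 but is certified only for a different property.
CERTS = [
    Certificate("s", "v1.0", "confidentiality", "security-tests"),
    Certificate("s", "v1.1", "integrity", "security-tests"),
    Certificate("t", "v2.3", "confidentiality", "functional-tests"),
]
CANDIDATES = [("s", "v1.0"), ("s", "v1.1"), ("t", "v2.3")]


if __name__ == "__main__":
    req = Request("confidentiality")
    for entry in rank(CERTS, CANDIDATES, req):
        print(entry)
    print("selected:", select(CERTS, CANDIDATES, req))
```

Running the block ranks `s.v1.0` first for a confidentiality request, `t.v2.3` second, and leaves `s.v1.1` uncertified at the bottom; raising `min_evidence` to `"formal-proof"` makes `select` return `None` rather than falling back to the best uncertified candidate.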
 
DOI
https://doi.org/10.1007/978-1-4614-7535-4_7