Published in: Automated Software Engineering 2/2014

01.04.2014

Adaptable, model-driven security engineering for SaaS cloud-based applications

Authors: Mohamed Almorsy, John Grundy, Amani S. Ibrahim


Abstract

Software-as-a-service (SaaS) multi-tenancy in cloud-based applications helps service providers to save cost, improve resource utilization, and reduce service customization and maintenance time. This is achieved by sharing resources and service instances among multiple “tenants” of the cloud-hosted application. However, supporting multi-tenancy adds complexity to the capabilities required of SaaS applications. Security is one of these key requirements that must be addressed when engineering multi-tenant SaaS applications. The sharing of resources among tenants—i.e. multi-tenancy—increases tenants’ concerns about the security of their cloud-hosted assets. Compounding this, existing traditional security engineering approaches do not fit well with the multi-tenancy application model, where tenants and their security requirements often emerge after the applications and services were first developed. The resultant applications do not usually support diverse security capabilities based on different tenants’ needs, some of which may change at run-time, i.e. after cloud application deployment. We introduce a novel model-driven security engineering approach for multi-tenant, cloud-hosted SaaS applications. Our approach is based on externalizing security from the underlying SaaS application, allowing both application/service and security to evolve at runtime. Multiple security sets can be enforced on the same application instance based on different tenants’ security requirements. We use abstract models to capture service provider and multiple tenants’ security requirements and then generate security integration and configurations at runtime. We use dependency injection and dynamic weaving via Aspect-Oriented Programming (AOP) to integrate security within critical application/service entities at runtime. We explain our approach, architecture and implementation details, discuss a usage example, and present an evaluation of our approach on a set of open source web applications.
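The mechanism the abstract describes, as an added example (not the authors' implementation or tooling): security controls are held in a runtime model keyed by tenant and critical entity, and woven around an unmodified service method. Python method wrapping stands in for AOP weaving here; `SecurityModel`, `weave`, `InvoiceService`, the `request` context and the tenant names are hypothetical.

```python
import functools
from contextvars import ContextVar

request = ContextVar("request")  # per-request tenant/user, set by the host (hypothetical)

class SecurityDenied(Exception): pass

# Security controls live outside the application code.
def audit_call(ctx):
    ctx["audit"].append((ctx["tenant"], ctx["user"]["name"], ctx["entity"]))

def require_role(role):
    def control(ctx):
        if role not in ctx["user"]["roles"]:
            raise SecurityDenied(f"{ctx['user']['name']} lacks role {role!r}")
    return control

class SecurityModel:
    """Runtime model: provider baseline plus per-tenant controls per entity."""
    PROVIDER = "*"
    def __init__(self):
        self._spec, self.audit = {}, []
    def set_controls(self, tenant, entity, controls):
        self._spec[(tenant, entity)] = list(controls)
    def controls_for(self, tenant, entity):
        # Provider controls run first; the tenant's own controls follow.
        return (self._spec.get((self.PROVIDER, entity), [])
                + self._spec.get((tenant, entity), []))

def weave(cls, method_name, model):
    """Replace cls.method_name with a wrapper that consults the model per call."""
    original = getattr(cls, method_name)
    entity = f"{cls.__name__}.{method_name}"
    @functools.wraps(original)
    def advised(self, *args, **kwargs):
        ctx = {**request.get(), "entity": entity, "audit": model.audit}
        for control in model.controls_for(ctx["tenant"], entity):
            control(ctx)  # raises SecurityDenied to block the call
        return original(self, *args, **kwargs)
    setattr(cls, method_name, advised)
    return entity

class InvoiceService:  # shared application code (constructed), no security logic
    def approve(self, invoice_id):
        return f"invoice {invoice_id} approved"

def call_as(tenant, user, func, *args):
    request.set({"tenant": tenant, "user": user})
    try:
        return func(*args)
    except SecurityDenied as exc:
        return f"denied: {exc}"

def demo():
    model = SecurityModel()
    entity = weave(InvoiceService, "approve", model)
    svc, clerk = InvoiceService(), {"name": "bob", "roles": {"clerk"}}
    model.set_controls(SecurityModel.PROVIDER, entity, [audit_call])
    model.set_controls("tenantA", entity, [require_role("manager")])
    before = [call_as(t, clerk, svc.approve, 7) for t in ("tenantA", "tenantB")]
    # tenantB tightens its requirement after deployment; nothing is redeployed.
    model.set_controls("tenantB", entity, [require_role("manager")])
    after = call_as("tenantB", clerk, svc.approve, 7)
    return before, after, model.audit
```

The same `InvoiceService` instance serves both tenants; only the model entry for `tenantB` changes between the second and third call, and the provider's audit control records all three attempts, including the denied ones.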


Metadata
Title
Adaptable, model-driven security engineering for SaaS cloud-based applications
Authors
Mohamed Almorsy
John Grundy
Amani S. Ibrahim
Publication date
01.04.2014
Publisher
Springer US
Published in
Automated Software Engineering / Issue 2/2014
Print ISSN: 0928-8910
Electronic ISSN: 1573-7535
DOI
https://doi.org/10.1007/s10515-013-0133-z
