
Container-Level Security Certification of Services

  • Chapter
Business System Management and Engineering

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 7350)

Abstract

The increasing success of the Service-Oriented Architecture (SOA) paradigm has fostered the implementation of complex services, including business processes, through the dynamic selection and composition of remote services, each providing a single functionality. Run-time selection and composition of services require high-level security standards to be deployed across the SOA infrastructure, so that both service consumers and providers can be confident that the services satisfy their security requirements and behave as expected. In this context, certification can play a fundamental role by providing evidence that a set of properties holds for a given service. Security certification of services involves two distinct aspects: i) evaluation of the container in which the service is deployed, in terms of compliance with web service security standards and policies; ii) verification and validation of the service implementation. In this chapter, we focus on the first aspect and give an overview of container-level certification of services.
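The abstract separates evaluating the container (does it comply with web service security standards and policies?) from verifying the service implementation. As an added example, not code from the chapter and not a description of the authors' certification method, the Python script below shows one concrete shape a container-level check can take: it reads the WS-SecurityPolicy a container attaches to a service endpoint, normalizes it into its policy alternatives the way WS-Policy prescribes, and requires every alternative to carry a certification baseline. The element names and namespaces are those of OASIS WS-Policy 1.2 and WS-SecurityPolicy 1.2; the two sample policies and the baseline (HTTPS transport, a timestamp, a signed SOAP Body) are constructed for illustration and are hypothetical.

```python
"""Check a container's advertised WS-SecurityPolicy against a certification baseline.

Added example. The baseline and the two sample policies are constructed for
illustration; namespaces and assertion names follow WS-Policy 1.2 and
WS-SecurityPolicy 1.2. A container is compliant only if EVERY alternative it
offers meets the baseline: a consumer may legitimately pick the weakest one.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}
REVERSE_NS = {uri: prefix for prefix, uri in NS.items()}
WSP = "{%s}" % NS["wsp"]


def prefixed(tag):
    """Turn ElementTree's '{uri}Local' into 'sp:Local' for the namespaces we know."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        if uri in REVERSE_NS:
            return REVERSE_NS[uri] + ":" + local
    return tag


def alternatives(node):
    """Normalize a policy element into a list of alternatives.

    Each alternative is a frozenset of assertion paths such as
    'sp:TransportBinding/sp:TransportToken/sp:HttpsToken'. wsp:Policy and
    wsp:All are conjunctions (cross product of their children), wsp:ExactlyOne
    is a disjunction, and wsp:Optional="true" adds an alternative WITHOUT the
    assertion, which is how WS-Policy normal form defines it.
    """
    if node.tag in (WSP + "Policy", WSP + "All"):
        alts = [frozenset()]
        for child in node:
            child_alts = alternatives(child)
            alts = [a | b for a in alts for b in child_alts]
        return alts
    if node.tag == WSP + "ExactlyOne":
        return [alt for child in node for alt in alternatives(child)]
    # Anything else is a policy assertion, possibly carrying a nested policy.
    name = prefixed(node.tag)
    nested = [frozenset()]
    params = set()
    for child in node:
        if child.tag == WSP + "Policy":
            child_alts = alternatives(child)
            nested = [a | b for a in nested for b in child_alts]
        else:  # assertion parameter, e.g. sp:Body inside sp:SignedParts
            params.add(name + "/" + prefixed(child.tag))
    alts = [frozenset({name} | params | {name + "/" + p for p in n}) for n in nested]
    if node.get(WSP + "Optional") == "true":
        alts.append(frozenset())  # container also accepts messages lacking it
    return alts


def check_compliance(policy_xml, baseline):
    """Return (compliant, missing_per_alternative).

    compliant is True only when every alternative carries all baseline
    assertions; the per-alternative list of missing paths lets a certifier
    see which alternatives could be certified on their own.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != WSP + "Policy":
        raise ValueError("expected a wsp:Policy root element")
    alts = alternatives(root)
    if not alts:
        raise ValueError("policy has no satisfiable alternative")
    missing = [sorted(set(baseline) - alt) for alt in alts]
    return all(not m for m in missing), missing


# Hypothetical certification baseline: TLS transport, replay protection, signed Body.
BASELINE = frozenset({
    "sp:TransportBinding/sp:TransportToken/sp:HttpsToken",
    "sp:TransportBinding/sp:IncludeTimestamp",
    "sp:SignedParts/sp:Body",
})

XMLNS = ('xmlns:wsp="%s" xmlns:sp="%s"' % (NS["wsp"], NS["sp"]))

# Constructed sample: a protected alternative next to a plaintext UsernameToken one.
WEAK_POLICY = """<wsp:Policy %s>
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding><wsp:Policy>
        <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:IncludeTimestamp/>
      </wsp:Policy></sp:TransportBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
    </wsp:All>
    <wsp:All>
      <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>""" % XMLNS

# Constructed sample in compact form: one alternative, but the timestamp is optional.
STRICT_POLICY = """<wsp:Policy %s>
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
    <sp:IncludeTimestamp wsp:Optional="true"/>
  </wsp:Policy></sp:TransportBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
</wsp:Policy>""" % XMLNS

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        ok, missing = check_compliance(policy, BASELINE)
        print(label, "compliant" if ok else "NOT compliant", missing)
```

Both constructed policies fail the baseline, for different reasons a certifier should be able to tell apart: WEAK_POLICY offers a second alternative with no transport protection at all, while STRICT_POLICY looks strict but its wsp:Optional="true" timestamp means the container also accepts messages without one, so replay protection is not actually guaranteed. When the policy is fetched from a container you do not control, parse it with defusedxml rather than plain ElementTree, since the standard parser does not defend against entity-expansion attacks.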




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Anisetti, M., Ardagna, C.A., Damiani, E. (2012). Container-Level Security Certification of Services. In: Ardagna, C.A., Damiani, E., Maciaszek, L.A., Missikoff, M., Parkin, M. (eds) Business System Management and Engineering. Lecture Notes in Computer Science, vol 7350. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32439-0_6


  • DOI: https://doi.org/10.1007/978-3-642-32439-0_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32438-3

  • Online ISBN: 978-3-642-32439-0
