Abstract
The increasing success of the Service-Oriented Architecture (SOA) paradigm has fostered the implementation of complex services, including business processes, via dynamic selection and composition of remote services providing single functionality. Run-time selection and composition of services require the deployment of high-level security standards for the SOA infrastructure, to increase the confidence of both service consumers and providers that the services satisfy their security requirements and behave as expected. In this context, certification can play a fundamental role and provide the evidence that a set of properties hold for a given service. Security certification of services can involve two different aspects: i) the evaluation of the container in which the service is deployed, in terms of compliance with web service security standards and policies; ii) the verification and validation of the service implementation. In this chapter, we focus on the first aspect and we propose an overview of container-level certification of services.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Anisetti, M., Ardagna, C.A., Damiani, E. (2012). Container-Level Security Certification of Services. In: Ardagna, C.A., Damiani, E., Maciaszek, L.A., Missikoff, M., Parkin, M. (eds) Business System Management and Engineering. Lecture Notes in Computer Science, vol 7350. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32439-0_6
DOI: https://doi.org/10.1007/978-3-642-32439-0_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32438-3
Online ISBN: 978-3-642-32439-0
eBook Packages: Computer Science (R0)