Security Property Lifecycle Management for Secure Service Compositions

  • Shahidul Hoque
  • Aneel Rahim
  • David Llewellyn-Jones
  • Madjid Merabti
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 182)

Abstract

We present an approach to deploying a security property lifecycle management mechanism for secure service composition. A Security Property Determination Module component is introduced that forms part of the Aniketos project, in the context of a case study of an online payment system developed using real services deployed within the Activiti BPMN service process engine. Both the theory behind the implementation and the implementation itself are discussed, along with the lessons learnt and the potential for future improvements to the lifecycle mechanism. The mechanism integrates tightly with the verification processes of the Aniketos platform and allows the security property lifecycle to be managed at run-time without user intervention. It unifies the verification of imported properties with the digital signing and storage of properties associated with both atomic and composed services. These integrated capabilities form a novel approach that is discussed and situated in the context of the case study.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Shahidul Hoque (1)
  • Aneel Rahim (1)
  • David Llewellyn-Jones (2)
  • Madjid Merabti (2)
  1. Telecommunications Software and Systems Group, Waterford Institute of Technology, Waterford, Ireland
  2. School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, UK