SOABSE: An approach to realizing business-oriented security requirements with Web Service security policies

Phan, Truong Khoa; Han, Jun; Mueller, Ingo; Kapuruge, Malinda; Versteeg, Steve

doi:10.1109/soca.2009.5410258

Cited by 3 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such a requirement is achieved indirectly using LDAP control (3). Moreover, they have specified Formsbased authentication on the GetCustomers method (2). This means that a request to a method in the CustomerBLL class will be authenticated by the caller's Windows identity (LDAP), but a request to the GetCustomers method will be authenticated with a Forms-based identity.…”

Section: Weave System Sdm and Security Ssmmentioning

confidence: 99%

“…-Security specification modeller (2) is developed as a DSVL using Microsoft VS2010 plug-in. It enables application customers, represented by their security engineers, to specify the security attributes and capabilities that must be enforced on the system and/or its operational environment.…”

Section: Architecture and Implementationmentioning

confidence: 99%

“…An example of these documents is shown in Fig 4. This example shows a sample of the Galactic interceptors' document generated from the specified securitysystem mapping. It informs the system container to intercept GetCstomerByName & GetCustomers methods (1); a sample of Swinburne security specification file defining the security controls to be enforced on every intercepted point (2); and a sample of the security enforcement point API that injects the necessary security control calls before and after application code is run (3) -Security Controls Database: is a library of available and registered security patterns and controls. It can be extended by the system providers or by a third party security provider.…”

Section: Architecture and Implementationmentioning

confidence: 99%

“…On the other hand, most current security engineering processes are conducted side by side with the system engineering process [2]. This requires having system engineers deeply involved in engineering security of their systems.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

MDSE@R: Model-Driven Security Engineering at Runtime

Almorsy

Grundy

Ibrahim

2012

Cyberspace Safety and Security

View full text Add to dashboard Cite

New security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach -Model Driven Security Engineering at Runtime (MDSE@R)enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications. Springer.needs as some potential customers may not even be known at design time. Thus the final product will often be incomplete from a security perspective. Moreover, such systems usually have security hardcoded in their source code either as security realization functions [3,4] or as security annotation attributes that are translated at runtime into security controls delivered by an underlying security platform [5]. In either case, unanticipated security requirements are not usually considered. Software maintenance is usually required to address such emerging security vulnerabilities and new security requirements raised by customers. Maintenance may take much more time than acceptable where discovered vulnerabilities can be exploited [6,17]. Moreover, sometimes the system vendor may no longer even exist. Thus postdeployment discovery of security issues or changed application environment security needs are hard to address using existing software security engineering approaches.Existing security engineering efforts focus on how to identify, capture, and model security objectives and requirements and then how to map such requirements to system entities at design time, for example KAOS, UMLSec, secureUML [3,11,12,13,15]. These security engineering approaches typically result in systems with fixed and built-in security, limited integration with third party security controls, and very limited flexibility in terms of adaptation and integration with the software operational environment security management systems. Component-based (CBSE) and serviceoriented (SOA) security engineering approaches generate security code, using Aspectoriente...

show abstract

Section: Weave System Sdm and Security Ssmmentioning

confidence: 99%

Section: Architecture and Implementationmentioning

confidence: 99%

Section: Architecture and Implementationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations