The practical application of a process for eliciting and designing security in web service systems

Information and Software Technology

Volumn 51, Issue 12, 2009, Pages 1712-1738

  Gutiérrez, Carlos ^a,b   Rosado, David G ^a   Fernández Medina, Eduardo ^a  

^a UNIVERSITY OF CASTILLA LA MANCHA   (Spain)

^b Correos Telecom ^*  (Spain)

Author keywords

Application information security; Design methodology; Software process; Web Services Security

Indexed keywords

BEST PRACTICE; DESIGN METHODOLOGY; DISTRIBUTED SOFTWARE; INTER-ENTERPRISE; INTER-ORGANIZATIONAL INFORMATION SYSTEM; REFERENCE SOLUTION; RISK ANALYSIS AND MANAGEMENT; SECURITY ARCHITECTURE; SECURITY PATTERNS; SECURITY REQUIREMENTS; SECURITY RISK ASSESSMENTS; SECURITY STANDARDS; SOFTWARE PROCESS; WEB SERVICE SECURITY; WEB SERVICE SYSTEMS; WEB SERVICES SECURITY;

COMPUTER SOFTWARE; INFORMATION RETRIEVAL SYSTEMS; INFORMATION SERVICES; INFORMATION SYSTEMS; MOBILE TELECOMMUNICATION SYSTEMS; RISK ANALYSIS; RISK ASSESSMENT; RISK MANAGEMENT; SAFETY FACTOR; SERVICE ORIENTED ARCHITECTURE (SOA); STANDARDIZATION; WEB SERVICES;

SECURITY OF DATA;

EID: 70349473097     PISSN: 09505849     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infsof.2009.05.004     Document Type: Article

References (55)

1. Zhang J. Trustworthy web services: actions for now. IEEE IT Pro 7 1 (2005) 32-36
2. C. Gutiérrez, E. Fernández-Medina, M. Piattini, A survey of web services security, in: Workshop on Internet Communications Security 2004 (WICS 2004), in Conjunction with the 2004 International Conference on Computational Science and Its Applications (ICCSA 2004), Springer-Verlag, Assisi (PG), Italy, 2004.
3. Vinoski S. WS-NonexistentStandards. IEEE Internet Comput. 8 6 (2004) 94-96
4. C. Gutiérrez, E. Fernández-Medina, M. Piattini, PWSSec: Process for Web Services Security, in: IEEE International Conference on Web Services 2006, Chicago, USA, 2006.
5. M. Endrei et al., Patterns: Service-Oriented Architecture and Web Services, 2004, p. 345.
6. C. Gutiérrez, E. Fernández-Medina, M. Piattini, Web services enterprise security architecture: a case study, in: ACM Workshop on Security on Web Services, ACM Press, Fairfax, Virginia, USA, 2005.
7. D. Remy, J. Rosenberg, Securing web services with WS-Security: demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption, SAMS, 2004, p. 408.
8. M. Aiello, P. Giorgini, Applying the tropos methodology for analysing web services requirements and reasoning about qualities of services, UPGRADE 5(4) (2004) 20-26.
9. K. Leune, M. Papazaglou, Specification and querying of security constraints in the EFSOC framework, in: International Conference on Service Oriented Computing, Willem-Jan van den Heuvel, New York City, USA.
10. Deubler M., et al. Sound development of secure service-based systems. 2nd International Conference on Service Oriented Computing (ICSOC'04) (2004), ACM Press, New York, USA
11. M. Deubler et al., Towards a model-based and incremental development process for service-based systems, in: The IASTED Conference on Software Engineering (IASTED SE 2004), Innsbruck, Austria, 2004.
12. Nakamura Y., et al. Model-driven security based on a web services security architecture. IEEE International Conference on Services Computing (SCC'05) (2005), IEEE Computer Society, Orlando, Florida, USA
13. Nagaratnam N., et al. Business-driven application security: from modeling to managing secure applications. IBM Syst. J. 44 4 (2005) 847-867
14. Breu M., et al. Web service engineering - advancing a new software engineering. 5th International Conference on Web Engineering (ICWE'05) (2005), Springer, Sydney, Australia
15. Hafner M., and Breu R. Security Engineering for Service-Oriented Architectures (2009), Springer p. 248
16. IEEE, IEEE Std 1471-2000, IEEE Recommended Practice for Architectural Description of Software-Intensive Systems - Description, 2000.
17. Fernandez E.B., Cholmondeley P., and Zimmermann O. Extending a secure system development methodology to SOA. DEXA '07: Proceedings of the 18th International Conference on Database and Expert (2007), IEEE Computer Society, Regensburg, Germany
18. N.A. Delessy, E.B. Fernandez, A pattern-driven security process for SOA applications, in: SAC '08: Proceedings of the 2008 ACM Symposium on Applied Computing, ACM press, Fortaleza, Ceara, Brazil, 2008.
19. A. Buecker et al., Understanding SOA Security Design and Implementation, in: IBM Redbooks, IBM, 2007.
20. A. Singhal, T. Winograd, K. Scarfone, Guide to secure web services, in: Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology (NIST), 2007.
21. Gutierrez C., Piattini M., and Fernandez-Medina E. Web services security. In: Ferrari E., and Thuraisingham B. (Eds). Web and Information Security (2005), IRM Press 318
22. O'Neill M., et al. Web Services Security (2003), McGraw-Hill, Berkeley, California
23. Ferrari E., and Thuraisingham B. Security and privacy for web databases and services. Extending Database Technology (EDBT'04) (2004), Springer-Verlag, Heraklion, Crete, Greece
24. Bhatti R., et al. XML-Based Specification for Web Services Document Security. IEEE Comput. 37 4 (2004) 41-49
25. E. Bertino, S. Castano, E. Ferrari, On specifying security policies for web documents with an XML-based language, in: Sixth ACM Symposium on Access Control Models and Technologies (SACMAT'01), ACM Press, Chantilly, Virginia, USA, 2001.
26. L.-J. Zhang, J. Zhang, J.-Y. Chung, An Approach to help select trustworthy web services, in: E-Commerce Technology for Dynamic Business, IEEE International Conference on CEC-East'04, Beijing, China, 2004.
27. S. Chang, Q. Chen, M. Hsu, Managing security policy in large distributed web services environment, in: 27th Annual International Computer Software and Applications Conference (COMPSAC'03), Dallas, Texas, 2003.
28. IBM and Microsoft, Security in a Web Services World: A Proposed Architecture and Roadmap, 2002.
29. WS-I, Basic Security Profile Version 1.0, Working Group Draft, 2004.
30. LibertyAllianceProject, Liberty ID-FF Architecture, Overview, v1.2, 2003.
31. W3C, Web Services Architecture, 2004.
32. R.T. Fielding, Architectural styles and the design of network-based software architectures, in: Software Research Group, University of California, Irvine, 2000.
33. T. Erl, SOA Principles of Service Design, Prentice Hall/PearsonPTR, 2007, p. 573.
34. Boehm B.W. A spiral model of software development and enhancement. IEEE Comput. (1988) 61-72
35. F. López et al., MAGERIT - Versión 2, Metodologías de Análisis y Gestión de Riesgos de los Sistemas de Información, I-Método, Ministerio de Administraciones Públicas, Madrid, 2005, p. 154.
36. CCN-CERT, Últimos avances en ciberseguridad (9th NATO cyberdefense workshop), Revista auditoria y Seguridad, 2008 (23), pp. 70-71.
37. OECD, The promotion of a culture of security for information systems and networks in OECD countries, Organisation for Economic Co-operation and Development, 2005.
38. Krutchen P. The 4 + 1 view model of software architecture. IEEE Softw. (1995) 42-50
39. S.H. Houmb, J. Jürjens, Developing secure networked web-based systems using model-based risk assessment and UMLSec, in: 10th Asian-Pacific Software Engineering Conference (APSEC'03), IEEE Computer Society, Chiangmai, Thailand, 2003.
40. OMG, UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms, 2004.
41. WS-I, Security Challenges, Threats and Countermeasures, Versión 1.0, 2005, WS-I.
42. A.P. Moore, R.J. Ellison, R.C. Linger, Attack modelling for information security and survivability, in: Survivable Systems, Software Engineering Institute, 2001.
43. C. Gutiérrez et al., Security requirements for web services based on SIREN, in: Symposium on Requirements Engineering for Information Security, Paris, France, 2005.
44. Toval A., et al. Requirements reuse for improving information systems security: a practitioner's approach. Require. Eng. J. 6 4 (2001) 205-219
45. Rosado G., et al. Security patterns and security requirements for web services. Internet Res. 16 5 (2006)
46. VeriSign et al., Web Services Policy Framework (WS-Policy), 2004.
47. K. Bhargavan et al., An advisor for web services security policies, in: 2005 Workshop on Secure Web Services, ACM Press, Fairfax, VA, USA, 2005, pp. 1-9.
48. H.L. Levinson, L. O'Brien, Acquiring evolving technologies: web services standards, in: Acquisition Support Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2006, p. 64.
49. C.J. Alberts et al., OCTAVE Framework, Version 1.0, in: Networked Systems Survivability Program, Carnegie Mellon, SEI, 1999, p. 84.
50. McTaggart R. Principles of participatory action research. Adult Educ. Quart. 41 3 (1991)
51. N. Kock, F. Lau, Information systems action research: serving two demanding masters, Inform. Technol. People (special issue on Action Research in Information Systems) 14(1) (2001) 6-11.
52. Avison D., et al. Action research. Commun. ACM 42 1 (1999) 94-97
53. N. Padak, G. Padak, Guidelines for Planning Action Research Projects, 1994.
54. Wadsworth Y. What is participatory action research?. Action Res. Int. 2 (1998)
55. F. López et al., MAGERIT - Versión 2, Metodologías de Análisis y Gestión de Riesgos de los Sistemas de Información, III -Guía de Técnicas, Ministerio de Administraciones Públicas, Madrid, 2005, p. 154.