Security modeling for service-oriented systems using security pattern refinement approach

Software and Systems Modeling

Volumn 13, Issue 2, 2014, Pages 549-572

  Memon, Mukhtiar ^a   Menghwar, Gordhan D ^a   Depar, Mansoor H ^a   Jalbani, Akhtar A ^a   Mashwani, Waqar M ^b  

^a SINDH AGRICULTURE UNIVERSITY   (Pakistan)

^b COMSATS Institute of Information Technology ^*  (Pakistan)

Author keywords

Model transformation; Model driven security; Security patterns; SOA security

Indexed keywords

INFORMATION SERVICES; SECURITY SYSTEMS; XML;

CONFIGURABLE SYSTEMS; MODEL DRIVEN SECURITY; MODEL TRANSFORMATION; SECURITY PATTERNS; SEPARATION OF CONCERNS; SERVICE ORIENTED SYSTEMS; SOA SECURITY; TRADITIONAL APPROACHES;

SERVICE ORIENTED ARCHITECTURE (SOA);

EID: 84899994114     PISSN: 16191366     EISSN: 16191374     Source Type: Journal    
DOI: 10.1007/s10270-012-0268-6     Document Type: Article

References (59)

1. Apache Rampart. http://ws. apache. org/rampart.
2. OpenArchitectureWare 4. http://www. eclipse. org/gmt/oaw.
3. Web Services Business Process Execution Language Version 2. 0 (2007).
4. Adams, C.: RFC 2479, The Internet Engineering Task Force (1998). http://tools. ietf. org/html/rfc2479.
5. Alam, M., Hafner, M., Breu, R.: Model-driven Security Engineering for Trust Management in SECTET. J. Softw. 2(1), 47-59 (2007).
6. Alam, M., Hafner, M., Breu, R., Unterthiner, S.: A framework for modeling restricted delegation of rights in SECTET. Int. J. Comput. Syst. Sci. Eng. 22(5), 289-305 (2007).
7. Alam, M. M.: Model Driven Realization of Dynamic Security Requirements in Distributed Systems. PhD thesis, University of Innsbruck (2007).
8. Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. 15(1), 39-91 (2006).
9. Bauer, B., Mueller, J. P.: MDA Applied: From Sequence Diagrams to Web Service Choreography, pp. 779-779. Web Engineering (2004).
10. Best, B., Jurjens, J., Nuseibeh, B.: mODEL-based security engineering of distributed information systems using UMLsec. In: ICSE '07: Proceedings of the 29th International Conference on Software Engineering, pp. 581-590. IEEE Computer Society, Washington, DC (2007).
11. Cheng, B., Konrad, S., Campbell, L. A., Wassermann, R.: Using security patterns to model and analyze security. In: RHAS '03: International Workshop on Requirements for High Assurance Systems, pp. 13-22 (2003).
12. David, R., Carlos, G., Fernandez-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. J. Int. Res. 16(5), 519-536 (2006).
13. Delessy, N., Fernandez, E. B.: A pattern-driven security process for SOA applications. In: ARES '08: 3rd International Conference on Availability, Reliability and Security, pp. 416-421. IEEE Computer Society, Washington, DC (2008).
14. Dong, J., Peng, T., Zhao, Y.: Model checking security pattern compositions. In: QSIC '07: Proceedings of the Seventh International Conference on Quality Software, pp. 80-89. IEEE Computer Society, Washington, DC (2007).
15. Fernandez, E. B., Delessy, N.: Using patterns to understand and compare web services security products and standards. In: AICT-ICIW '06: Proceedings of the Advanced Int'l Conference on Telecommunications, pp. 157. IEEE Computer Society, Washington, DC (2006).
16. Fernandez, E. B., Pan, R.: A pattern language for security models. In: PloP '01: Conference on Pattern Languages of Programs (2001).
17. Fernandez, E. B., Washizaki, H., Yoshioka, N.: Abstract security patterns. In: SPAQu 08-2nd International Workshop on Software Patterns and Quality (2008).
18. Gardner, T.: UML modeling of automated business processes with a mapping to BPEL4WS. In: Proceedings of 1st European Workshop on Object Orientation and Web Services at ECOOP, vol. 2003 (2003).
19. Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Towards a process for web services security. J. Res. Pract. Inf. Technol. 38(1) (2006).
20. Hafner, M.: SECTET: A Domain Architecture for Model Driven Security. PhD thesis, University of Innsbruck (2006).
21. Hafner, M., Breu, M., Breu, R., Nowak, A.: Modeling inter-organizational workflow security in a peer-to-peer environment. In: ICWS '05: Proceedings of the IEEE International Conference on Web Services, pp. 533-540. IEEE Computer Society, Washington, DC (2005).
22. Hafner, M., Breu, R.: Security Engineering for Service-Oriented Architectures. Springer, Berlin (2008).
23. Hafner, M., Breu, R., Agreiter, B., Nowak, A.: SECTET: an extensible framework for the realization of secure inter-organizational workflows. Int. Res. 16(5), 491-506 (2006).
24. Hafner, M., Breu, R., Breu, M.: A security architecture for inter-organizational workflows: putting security standards for web services together. In: ICEIS '05, 7th International Conference on Enterprise Information Systems, pp. 128-135 (2005).
25. Hafner, M., Memon, M., Breu, R.: SeAAS-a reference architecture for security services in SOA. J. Univ. Comput. Sci. 15(15), 2916-2936 (2009).
26. Han, J., Khan, K. M.: Security-oriented service composition and evolution. In: APSEC '06: 13th Asia Pacific Software Engineering Conference, pp. 71-78. IEEE Computer Society, Washington, DC (2006).
27. Hinton, H., Hondo, M., Hutchison, B.: Security Patterns within a Service-oriented Architecture. IBM White Paper, November 2005.
28. Juerjens, J.: UMLsec: extending UML for secure systems development. In: UML '02: 5th International Conference on Model Engineering, Concepts and Tools, pp. 412. Springer, Berlin (2002).
29. Juerjens, J.: Secure Systems Development with UML. Springer, Berlin (2004).
30. Juerjens, J., Popp, G., Wimmel, G.: Towards using security patterns in model-based system development. In: EuroPLoP '02: 7th European Conference on Pattern Languages of Programs (2002).
31. Kanneganti, R., Chodavarapu, P.: SOA Security in Action. Manning Publications Co., Greenwich (2007).
32. Korherr, B., List, B.: Extending UML 2 activity diagrams with business intelligence objects. In: DaWaK '05, 7th International Conference on Data Warehousing and Knowledge Discovery, pp. 53-63. Springer, Berlin (2005).
33. Kremer, S., Markowitch, O., Zhou, J.: An intensive survey of fair non-repudiation protocols. Comput. Commun. 25(17), 1606-1621 (2002).
34. Krzysztof, C., Helsen, S.: Classification of model transformation approaches. In: OOPSLA3, workshop on generative techniques in the context of model-driven architecture (2003).
35. Lang, U., Schreiner, R.: Developing Secure Distributed Systems with CORBA. Artech House, Inc., Norwood (2002).
36. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: UML '02: Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 426-441. Springer, London (2002).
37. Mantell, K.: From UML to BPEL (2005). http://www. ibm. com/developerworks/webservices/library/ws-uml2bpel.
38. McGraw, G., Viega, J.: Ten software security principles (2000). http://www. ibm. com/developerworks/linux/library/s-link. html.
39. Memon, M., Hafner, M., Breu, R.: Security as a service-a reference architecture for SOA security. In: WOSIS '09: 7th International Workshop on Security in Information Systems at ICEIS '09 (2009).
40. Memon, M.: Security pattern refinement: code generation prototype (2011). http://www. sau. edu. pk/faculties/itc/Mukhtiar. Memon. html.
41. Nelly, D., Fernandez, E. B., Petrie, L., Maria, M.: A Pattern language for identity management. In: ICCGI '07: International Multi-Conference on Computing in the Global Information Technology, p. 31. IEEE Computer Society, Washington, DC (2007).
42. OASIS. WS-Security Policy (2007). http://docs. oasis-open. org.
43. OSOA. Service Component Architecture (2007). http://www. osoa. org.
44. Reznik, J., Ritter, T., Schreiner, R., Lang, U.: Model driven development of security aspects. Electron. Notes Theor. Comput. Sci. 163(2), 65-79 (2007).
45. Roehm, A. W., Herrmann, G., Pernul, G.: A language for modeling secure business transactions. In: ACSAC '99: Proceedings of the 15th Annual Computer Security Applications Conference, Washington, DC, USA, p. 22 (1999).
46. Rosado, D. G., Fernandez-Medina, E., Piattini, M.: Comparison of security patterns. Int. J. Comput. Sci. Netw. Secur. 6(2B), 139-146 (2006).
47. Satoh, F., Mukhi, N. K., Nakamura, Y., Hirose, S.: Pattern-based policy configuration for SOA applications. In: SCC '08: Proceedings of the 2008 IEEE International Conference on Services Computing, pp. 13-20. IEEE Computer Society, Washington, DC (2008).
48. Satoh, F., Nakamura, Y., Mukhi, N. K., et al.: Methodology and tools for end-to-end SOA security configurations. In: IEEE Congress on Services-Part I, pp. 307-314 (2008).
49. Satoh, F., Nakamura, Y., Ono, K.: Adding Authentication to model driven security. In: ICWS '06: Proceedings of the IEEE International Conference on Web Services, Washington, DC, USA, pp. 585-594 (2006).
50. Satoh, F., Yamaguchi, Y.: Generic security policy transformation framework for WS-security. In: ICWS '07: IEEE International Conference on Web Services, pp. 513-520 (2007).
51. Scacchi, W.: Process models in software engineering (2001). http://www. ics. uci. edu/ wscacchi/Papers.
52. Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer, New York (2003).
53. Vivas, J. L., Montenegro, J. A., Lopez, J.: Towards a business process-driven framework for security engineering with the UML. In: 6th Information Security Conference-ISC'2003, pp. 381-395 (2003).
54. W3C. Web Services Policy 1. 2-Framework (2006). http://www. w3. org/Submission/WS-Policy.
55. Washizaki, H., Kubo, A., Fukazawa, Y.: Measuring abstraction levels of security patterns. In: SPAQu 07-1st International Workshop on Software Patterns and Quality (2007).
56. Wendehals, L.: Improving design pattern instance recognition by dynamic analysis. In: WODA 2003: ICSE Workshop on D Analysis, p. 29 (2003).
57. Wolter, C., Menzel, M., Meinel, C.: Modeling security goals in business processes. In: Modellierung'08, pp. 197-212 (2008).
58. Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211-223 (2009).
59. Zhou, J., Deng, R., Bao, F.: Evolution of fair non-repudiation with TTP. In: ACISP '99: 4th Australasian Conference on Information Security and Privacy, London, UK, Springer, Berlin (1999).