Syntactic Validation of Web Services Security Policies

Authors:
Yuichi Nakamura;Fumiko Sato;Hyen-Vui Chung
Affiliations:
IBM Research, Tokyo Research Laboratory, 1623-14 Shimo-tsuruma, Yamato, Kanagawa, 242-0001, Japan;IBM Research, Tokyo Research Laboratory, 1623-14 Shimo-tsuruma, Yamato, Kanagawa, 242-0001, Japan;IBM Software Group, Web Service Security Development, 11501 Burnet Road, Austin, TX, 78758-3400, USA
Venue:
ICSOC '07 Proceedings of the 5th international conference on Service-Oriented Computing
Year:
2007

Citing 8
Cited 2

Software engineering for security: a roadmap

Proceedings of the Conference on The Future of Software Engineering
Security Engineering: A Guide to Building Dependable Distributed Systems

Security Engineering: A Guide to Building Dependable Distributed Systems
Symbolic Model Checking

Symbolic Model Checking
SecureUML: A UML-Based Modeling Language for Model-Driven Security

UML '02 Proceedings of the 5th International Conference on The Unified Modeling Language
Best-Practice Patterns and Tool Support for Configuring Secure Web Services Messaging

ICWS '04 Proceedings of the IEEE International Conference on Web Services
Verifying policy-based security for web services

Proceedings of the 11th ACM conference on Computer and communications security
Sound development of secure service-based systems

Proceedings of the 2nd international conference on Service oriented computing
Model-Driven Security Based on a Web Services Security Architecture

SCC '05 Proceedings of the 2005 IEEE International Conference on Services Computing - Volume 01

Validating security policy conformance with WS-security requirements

IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Interoperability and Functionality of WS-* Implementations

International Journal of Web Services Research

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Service-Oriented Architecture (SOA) makes application development flexible in such a way that services are composed in a highly distributed manner. However, because of the flexibility, it is often hard for users to define application configurations properly. Regarding the security concerns we address in this paper, though WS-SecurityPolicy provides a standard way to describe security policies, it is difficult for users to make sure that the defined policies are valid. In this paper, we discuss the validation of WS-SecurityPolicy in the context of Service Component Architecture, and propose a method called syntactic validation. Most enterprises have security guidelines, some of which can be described in the format of Web services security messages. There also exist standard profiles for Web services such as the WS-I Basic Security Profile that also prescribes message formats. Since those guidelines and profiles are based on accepted best practices, the syntactic validation is sufficiently effective for practical use to prevent security vulnerabilities.