Information and Software Technology
Business processes and services can be combined more flexibly when based upon standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of processes. Vulnerability management tools require patterns to find or monitor vulnerabilities. Such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA result in such types, yet require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is what is, to the best of our knowledge, the most comprehensive compilation of vulnerability information sources to date. We present the method to search for vulnerability types in SOA-based business processes and services. We also show how patterns can be derived from these types, so that tools can be employed. An additional contribution is a case study in which we apply the new method to an SOA-based business process scenario.