Vulnerability Analysis in SOA-Based Business Processes

Authors:
Lutz Lowis;Rafael Accorsi
Affiliations:
Albert-Ludwig University of Freiburg, Freiburg;Albert-Ludwig University of Freiburg, Freiburg
Venue:
IEEE Transactions on Services Computing
Year:
2011

Citing 0
Cited 7

Strong non-leak guarantees for workflow models

Proceedings of the 2011 ACM Symposium on Applied Computing
InDico: information flow analysis of business processes for confidentiality requirements

STM'10 Proceedings of the 6th international conference on Security and trust management
Evolving security requirements in multi-layered service-oriented-architectures

DPM'11 Proceedings of the 6th international conference, and 4th international conference on Data Privacy Management and Autonomous Spontaneus Security
Data flow-oriented process mining to support security audits

ICSOC'11 Proceedings of the 2011 international conference on Service-Oriented Computing
Automatic information flow analysis of business process models

BPM'12 Proceedings of the 10th international conference on Business Process Management
On the exploitation of process mining for security audits: the process discovery case

Proceedings of the 28th Annual ACM Symposium on Applied Computing
A systematic review on security in Process-Aware Information Systems - Constitution, challenges, and future directions

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Business processes and services can more flexibly be combined when based upon standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of processes. Vulnerability management tools require patterns to find or monitor vulnerabilities. Such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA result in such types, yet require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is the, to the best of our knowledge, most comprehensive compilation of vulnerability information sources to date. We present the method to search for vulnerability types in SOA-based business processes and services. Also, we show how patterns can be derived from these types, so that tools can be employed. An additional contribution is a case study, in which we apply the new method to an SOA-based business process scenario.