Security Evaluation of Service-Oriented Systems Using the SiSOA Method

Authors:
Christian Jung;Manuel Rudolph;Reinhard Schwarz
Affiliations:
Fraunhofer Institute for Experimental Software Engineering, Germany;Fraunhofer Institute for Experimental Software Engineering, Germany;Fraunhofer Institute for Experimental Software Engineering, Germany
Venue:
International Journal of Secure Software Engineering
Year:
2011

Citing 13
Cited 0

ITS4: A static vulnerability scanner for C and C++ code

ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
Finding bugs is easy

OOPSLA '04 Companion to the 19th annual ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications
EMF: Eclipse Modeling Framework 2.0

EMF: Eclipse Modeling Framework 2.0
Statically detecting likely buffer overflow vulnerabilities

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Detecting Security Vulnerabilities with Software Architecture Analysis Tools

ICSTW '08 Proceedings of the 2008 IEEE International Conference on Software Testing Verification and Validation Workshop
Security Goal Indicator Trees: A Model of Software Features that Supports Efficient Security Inspection

HASE '08 Proceedings of the 2008 11th IEEE High Assurance Systems Engineering Symposium
SAVE: Software Architecture Visualization and Evaluation

CSMR '09 Proceedings of the 2009 European Conference on Software Maintenance and Reengineering
Open Source Soa

Open Source Soa
Security Metrics for Object-Oriented Class Designs

QSIC '09 Proceedings of the 2009 Ninth International Conference on Quality Software
Unified modeling of attacks, vulnerabilities and security activities

Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
Indicator-based architecture-level security evaluation in a service-oriented environment

Proceedings of the Fourth European Conference on Software Architecture: Companion Volume
Tuscany SCA in Action

Tuscany SCA in Action
Idea: towards architecture-centric security analysis of software

ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

The Service-Oriented Architecture paradigm SOA is commonly applied for the implementation of complex, distributed business processes. The service-oriented approach promises higher flexibility, interoperability and reusability of the IT infrastructure. However, evaluating the quality attribute security of such complex SOA configurations is not sufficiently mastered yet. To tackle this complex problem, the authors developed a method for evaluating the security of existing service-oriented systems on the architectural level. The method is based on recovering security-relevant facts about the system by using reverse engineering techniques and subsequently providing automated support for further interactive security analysis at the structural level. By using generic, system-independent indicators and a knowledge base, the method is not limited to a specific programming language or technology. Therefore, the method can be applied to various systems and adapt it to specific evaluation needs. The paper describes the general structure of the method, the knowledge base, and presents an instantiation aligned to the Service Component Architecture SCA specification.