Service-Oriented Architecture (SOA) is the main architectural style that IT departments are currently adopting to support the aforementioned business requirements, owing to its capacity to enable the loose coupling and dynamic integration of business services and applications, and their operation across trust boundaries.
Just as organizations’ timely response to changes in the business environment is critical to their survival, so is the appropriate protection of their assets. In the field of IT systems, the main assets are information and IT services, which support the implementation of the business services and must, therefore, handle this information in a secure manner. Securing access to information is thus a critical factor for any business, and security is even more critical for IT deployments based on SOA principles.
This book’s main objective is to present some of the key approaches, research lines, and challenges that exist in the field of security in SOA systems.
It is a valuable resource for senior undergraduate or graduate courses in information security which have a special focus on SOA security. It might also be useful for technologists, managers, and developers who are interested in discovering more about this topic. Its authors are noted researchers in the field of IT security engineering, methodologies, Semantic Web, Web services and SOA.
We shall first provide a general picture of security in Web services and then discuss the contents of the book.
As was previously mentioned, the SOA paradigm enables organizations to keep pace with the requirements of a constantly changing business environment. Adoption of SOA has consequently been increasing in both industry and academia, and with it adoption of its main implementation technology: Web services.
The security challenges presented by the Web services approach are highly complex and technologically advanced. Among the security challenges arising from this technology are Web services-based security standards: an in-depth review of the major international standards related to Web services security will be carried out.
Organization of this book
This book is divided into four parts, each addressing a state-of-the-art topic in Web services security. These are as follows: Web Services Security Engineering, Web Services Security Architectures, Web Services Security Standards and Web Services Security Threats and Policies.
Part I: Web Services Security Engineering
Security engineering integrated into software development is one of the major security topics developed during the last few years. Applying security engineering throughout the different steps devised by the various software development methodologies has been a major topic in both the scientific and the industrial literature.
This part of the book deals with this subject in Chapters 1 and 2.
The first chapter, “Identification of Vulnerability Effects in Web Services using Model-Based Security” by Höhn, Lowis, Accorsi and Jürjens, presents an approach that integrates model-based engineering and vulnerability analysis in order to cope with the security challenges of a service-oriented architecture.
The second chapter, “Security Analysis of Service Oriented Systems – A Methodical Approach and Case Study” by Innerhofer-Oberperfler, Mitterer, Hafner and Breu, presents the ProSecO process, which defines a security modelling process for security requirement elicitation, security risk evaluation and security control specification, thus providing security analysts with information on the system's security state at both design time and production time.
Part II: Web Services Security Architectures
Web services security architectures should define the highest-level organization of the IT security infrastructure needed to meet the security requirements specified for the systems to be built, articulating the necessary security mechanisms in such a way that reusability, manageability and (internal/external) interoperability are guaranteed.
Part II of the book shows different architectural approaches to different security requirements, and consists of five chapters.
Chapter 3, “Ontology-Based Authorization Model for XML Data in Distributed Systems”, by Jain and Farkas, proposes a framework that preserves authorization permissions on XML data even when its structure changes during transactions. In order for this to occur, the authors define an authorization framework that permits the specification of authorization requirements from the semantic perspective rather than on the syntactic representation of that information.
Chapter 4, “Secure Service Rating in Federated Software Systems based on SOA”, by Brehm and Marx, deals with the establishment of reputation in federated software systems in which trust evaluation management is decentralized.
Chapter 5, “Forensics over Web Services: The FWS” by Gunestas, Wijesekera and Singhal, describes a security Web service whose objective is to store and preserve the evidence yielded by Web services interactions, thereby making it possible to recreate composed Web service invocations independently of the parties with a vested interest. This forensic security service would give later forensic investigations a reliable infrastructure to build on, one whose evidence could be used in a court of law.
Chapter 6, “Policy-based Security Engineering of Service Oriented Systems”, by Maña, Pujol and Muñoz, presents a policy-based security engineering process for service-oriented applications based on security and dependability patterns. This chapter focuses on verifying compliance with security policies, based on the formal specification of security and dependability properties.
Chapter 7, “Security Policies in Web services”, by Parachuri and Mallick, discusses the different approaches developed in the field of security policies for Web services systems, giving a brief overview of each one.
Part III: Web Services Security Standards
Undoubtedly, the earliest and greatest effort on the subject of Web services security has been the definition of security standards that address all the security aspects that systems of this type must deal with. The main motivation behind this effort is the particular feature that Web services (and their security) should provide: interoperability. This quality is being achieved thanks to the definition of an overwhelming number of standards produced by a diverse set of standardization bodies, consortia, organizations, etc.
This aspect is covered by Chapters 8 and 9. Chapter 8, entitled “Web services security: Standards and industrial practice” by Fernandez, Hashizume, Buckley and Larrondo-Petrie, provides an in-depth state-of-the-art review of the existing Web services security standards and their practical implementations.
Chapter 9, entitled “Security in Service Oriented Architectures: Standards and Challenges” by Kayem, reviews current Web services security standards and how they cope with the dynamic nature of the scenarios enabled by Web services technologies.
Part IV: Web Services Security Threats
This last part of the book covers specific threats and policies inherent to Web services technologies. The main security threats and attacks are exemplified, and the countermeasures that fully or partially mitigate them are shown.
Chapter 10, “A Survey of Attacks in the Web Services World” by Jensen and Gruschka, reviews the main types of security attacks on Web services-enabled infrastructures and explains the main countermeasures that reduce them to an acceptable level of risk.
Chapter 11, “Threat Modeling: Securing Web 2.0 based Rich Service Consumers” by Gupta, Mathur and Srivastava, provides an overview of security threats to Web 2.0 systems and explains security best practices to protect them.
Carlos A. Gutiérrez, Correos Telecom, Spain
Eduardo Fernández-Medina, University of Castilla – La Mancha, Spain
Mario Piattini, University of Castilla – La Mancha, Spain