Security Evaluation of Service-Oriented Systems Using the SiSOA Method

Introduction

Service-oriented software architectures (SOA) promise enhanced reusability, interoperability, and flexibility for the implementation of business processes in information systems. However, this increase in flexibility and versatility comes at a price: it aggravates software quality assurance. The distributed, inhomogeneous, and often non-transparent nature of service building blocks stemming from different organizational domains is a supplementary constraint for the reliable determination of software quality attributes, especially those that are global properties of the overall SOA system, such as safety or security. Although technical standards such as the Web Services Security Specification (OASIS, 2010) exist, SOA systems are still vulnerable to many basic threat types.

Security is an overarching quality concern that requires adequate treatment at a holistic system level. It cannot be handled effectively by analyzing the security issues only at source code level, especially not in a manual manner. To better keep track of the global security characteristics and to survey the logical security design of a system, all security-related information should be assessed in the context of a more abstract, structural level of the fundamental system architecture. Security-related information refers to system characteristics that can have a positive or negative impact on the system’s security, such as code locations where security functions (e.g., authentication, encryption, integrity check) are called or where configuration parameters controlling these functions are defined. We claim that architectural views provide an adequate point of view for the security assessment of complex software systems.

In a SOA, all components have to be analyzed in their current configuration. However, the number of components, their changing orchestration and the distributed nature of SOA systems often renders a manual analysis impracticable.

System behavior, especially the dynamic security characteristics of the system in its entirety, is hard to obtain if the relevant information is scattered across many SOA components and their respective design artifacts.

In an earlier publication (Antonino, Duszynski, Jung, & Rudolph, 2010), we presented SiSOA (»Security in Service-oriented Architectures«), an assessment method for collecting security-related system properties and presenting them in architectural views for efficient evaluation. SiSOA comprises three phases: Extraction, Identification, and Analysis of security properties, as shown in Figure 1. The Extraction phase uses static analysis and standard reverse engineering techniques to gather security-related information from the system under evaluation. This information from source code, configuration, and policy files is abstracted and generalized in the subsequent Identification phase, and displayed in architectural views. Abstraction is based on security rules from a knowledge base. In the final Analysis phase the abstracted and generalized information is interactively assessed, augmented, and evaluated by the human inspector. To this end, the inspector is guided through different views where potentially harmful security issues as well as positive security features are marked. A more detailed description of SiSOA, especially of the Extraction and Identification phases together with technical details, can be found in Antonino, Duszynski, Jung, and Rudolph (2010).

Figure 1.

Overview of the SiSOA approach

In this article, we explain the SiSOA method and show how the knowledge base fits into our SiSOA methodology. In addition, we briefly describe our prototype tool that implements SiSOA including the knowledge base and provides support for semi-automatic security evaluation of SOA systems. This includes the description of our security estimation values: severity and credibility.