Abstract
Currently, most enterprises use SOA and Web Services technologies to build their web information systems. MDA principles are used to develop web services, and UML is used as the modelling language for business process modelling. With the increased connectivity of an SOA environment, security risks rise exponentially. Security is not defined during the early phases of development and is left to the developer. Properly configuring security requirements in SOA applications is quite difficult for developers because they are not security experts. Furthermore, SOA security is cross-domain, and not all required information is available at downstream phases. A general-purpose modelling language like UML lacks the model elements needed to define the security requirements of business processes. As a result, business process experts either ignore the security intents in their models or indicate them textually. A security intents DSL is presented as a UML profile in which security intents can be modelled as stereotypes on UML modelling elements during business process modelling. The aim is to facilitate the business process expert in modelling security requirements alongside business process modelling. This security-annotated business process model will facilitate the security expert in specifying the concrete security implementation. As a proof of concept, we apply our approach to a typical on-line flight booking system business process.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Saleem, M.Q., Jaafar, J., Hassan, M.F. (2011). Security Modeling of SOA System Using Security Intent DSL. In: Zain, J.M., Wan Mohd, W.M.b., El-Qawasmeh, E. (eds) Software Engineering and Computer Systems. ICSECS 2011. Communications in Computer and Information Science, vol 181. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22203-0_16
DOI: https://doi.org/10.1007/978-3-642-22203-0_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22202-3
Online ISBN: 978-3-642-22203-0
eBook Packages: Computer Science (R0)