Service-oriented architectures (SOA) constitute a major architectural style for large-scale infrastructures and applications built from loosely-coupled services and subject to dynamic configuration, operation and evolution. They are the structuring principle of a multitude of applications and the enabling technology for recent software paradigms like Mashup or SaaS. Assessing the trustworthiness of such complex and continuously evolving systems is a challenging task since a) methodologies - mainly based on certification processes - developed for assessing conventional static systems can hardly handle the dynamicity and variety of SOA-based systems, b) few artifacts can be used to support and automate the assessment of the trustworthiness of a stand-alone service, and no means exist to assess the trustworthiness of composite applications, c) there is no mechanism to express and confront claimed security properties. To address these issues and to realize our vision of bringing Certification-based Assurance to Service-based Systems, ASSERT4SOA has 3 main objectives: 1) to develop methods and tools to support certification of SOA-based software by providing abstract models for these systems that capture their peculiarities and the security properties they satisfy; 2) to develop schemes for expressing certification claims in the SOA lifecycle and mechanisms for handling them; 3) to provide mechanisms and tools for reasoning about ASSERTs (Advanced Security Service cERTificates) in order to assess the trustworthiness of service-based systems at runtime. ASSERTs, to be issued by trusted authorities, will contain the specification of security properties and of other information relevant for assessing a service's trustworthiness. ASSERTs will be bound to the service to ensure their own trustworthiness. They will enable service consumers to assure application-level security properties during service orchestration and to achieve composite application certification.

Advanced security service certificate for SOA : certified services go digital! / J.C. Pazzaglia, V. Lotz, V. Campos Cerda, E. Damiani, C.A. Ardagna, S. Guergens, A. Mana, C. Pandolfo, G. Spanoudakis, F. Guida, R. Menicocci. - In: ISSE 2010 : securing electronic business processes : highlights of the information security solutions Europe 2010 conference / [edited by] N. Pohlmann, H. Reimer, W. Schneider. - Wiesbaden : Vieweg + Teubner, 2011. - ISBN 9783834814388. - pp. 151-160 (Information Security Solutions Europe (ISSE) conference held in Berlin in 2010) [10.1007/978-3-8348-9788-6-15].

Advanced security service certificate for SOA : certified services go digital!

E. Damiani; C.A. Ardagna
2011

Sector INF/01 - Computer Science
   Advanced Security Service cERTificate for SOA
   ASSERT4SOA
   EUROPEAN COMMISSION
   FP7
   257351
2011
Book Part (author)

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/165468