Web Services Security Development and Architecture
Latest Publications


Total documents: 15 (five years: 0)

H-index: 2 (five years: 0)

Published By IGI Global

9781605669502, 9781605669519

Author(s): C. Misra Subhas, Kumar Vinod, Kumar Uma

In this chapter, we provide a conceptual modeling approach for Web services security risk assessment that is based on the identification and analysis of stakeholder intentions. There are no similar approaches for modeling Web services security risk assessment in the existing literature. The approach is, thus, novel in this domain. The approach is helpful for performing means-end analysis, thereby uncovering the structural origin of security risks in WS, and how the root causes of such risks can be controlled from the early stages of the projects. The approach addresses “why” the process is the way it is by exploring the strategic dependencies between the actors of a security system, and analyzing the motivations, intents, and rationales behind the different entities and activities in constituting the system.


Author(s): G. Rosado David, Fernández-Medina Eduardo, López Javier, Piattini Mario

Mobile Grid includes the characteristics of Grid systems together with the peculiarities of Mobile Computing, with the additional feature of supporting mobile users and resources in a seamless, transparent, secure and efficient way. Security of these systems, due to their distributed and open nature, is considered a topic of great interest. In this article we present the practical results of applying a secured methodology to a real case, specifically the approach that defines, identifies and specifies the security requirements. This methodology will help the building of a secured grid application in a systematic and iterative way.


Author(s): Villarroel Rodolfo, Fernández-Medina Eduardo, Trujillo Juan, Piattini Mario

This chapter presents an approach for designing secure Data Warehouses (DWs) that accomplishes the conceptual modeling of secure DWs independently from the target platform where the DW has to be implemented, because our complete approach follows the Model Driven Architecture (MDA) and the Model Driven Security (MDS). In most real-world DW projects, the security aspects are issues that usually rely on the DBMS administrators. We argue that the design of these security aspects should be considered together with the conceptual modeling of DWs from the early stages of a DW project, with the ability to attach user security information to the basic structures of a Multidimensional (MD) model. In this way, we would be able to generate this information in a semi-automatic or automatic way into a target platform, and the final DW will better suit the user security requirements.


Author(s): M. Mujinga, Hippolyte Muyingi, Alfredo Terzoli, G. S. V. Radha Krishna Rao

Internet protocol version 6 (IPv6) is the next generation Internet protocol proposed by the Internet Engineering Task Force (IETF) to supplant the current Internet protocol version 4 (IPv4). Lack of security below the application layer in IPv4 is one of the reasons why there is a need for a new IP. IPv6 has built-in support for the Internet protocol security protocol (IPSec). This chapter reports work done to evaluate the implications of compulsory use of IPSec on a dual-stack IPv4/IPv6 environment.


Author(s): Nishtha Srivastava, Sumeet Gupta, Mayank Mathur

This research work proposes a threat modeling approach for Web 2.0 applications. The authors’ approach is based on applying an informal method of threat modeling for Web 2.0 applications. Traditional enterprises are skeptical about adopting Web 2.0 applications for internal and commercial use in public-facing situations, with customers and partners. One of the prime concerns for this is the lack of security over public networks. Threat modeling is a technique for complete analysis and review of the security aspects of an application. The authors will show why existing threat modeling approaches cannot be applied to Web 2.0 applications, and how their new approach is a simple way of applying threat modeling to Web 2.0 applications.


Author(s): Meiko Jensen, Nils Gruschka

In the modern electronic business world, services offered to business partners as well as to customers have become an important company asset. This in turn creates an interest in attacking those services, either to paralyze their availability or to gain unauthorized access. Though founded on decades of networking experience, Web Services are not more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well-known from common Internet protocols and additionally to new kinds of attacks targeting Web Services in particular. This chapter presents a survey of different types of such Web Service specific attacks. For each attack, a description of the attack execution, the effect on the target and, in part, the results of practical experiments are given. Additionally, general countermeasures for fending off Web Service attacks are shown.


Author(s): Anne V.D.M. Kayem

Service Oriented Architectures (SOAs) have become the de facto standard for defining interoperable architectures on the web, with the most common implementation of this concept being in the form of web services. Information exchange is an integral part of SOAs, so designing effective security architectures that ensure data confidentiality and integrity is important. However, selecting a security standard for the architecture is challenging because existing solutions are geared toward access control in relatively static scenarios rather than dynamic scenarios where some form of adaptability is needed. Moreover, when services interact across different domains, interoperability becomes a problem because of the lack of a consistent security model to handle service interactions. This chapter presents a comparative analysis of SOA security standards. The authors discuss the challenges SOA security architecture designers face, in relation to an example travel agent web services scenario, and outline potential mitigation strategies.


Author(s): Eduardo B. Fernandez, Keiko Hashizume, Ingrid Buckley, Maria M. Larrondo-Petrie, Michael VanHilst

This chapter surveys the context for web services security and discusses the issues and standards at every architectural level. The authors attempt to evaluate the status of industrial practice with respect to the security of web services. They look at commercial products and their supporting levels, and end with some conclusions. They see a problem in the proliferation of overlapping and possibly incompatible standards. Reliability is also an important aspect. They discuss some of its issues and consider its effect on security. A basic principle of security is the need to secure all levels of architecture; any weak levels will permit attackers to penetrate the system. These levels include: business workflow level, catalog and description of web services level, communications level (typically SOAP), and storage of XML documents. There is a variety of standards for web services security and reliability and the authors will look at most of them.


Author(s): Murat Gunestas, Duminda Wijesekera, Anoop Singhal

Web services are currently a preferred way to architect and provide complex services. This complexity arises due to the composition of new services by choreographing, orchestrating and dynamically invoking existing services. These compositions create service inter-dependencies that can be misused for monetary or other gains. When a misuse is reported, investigators have to navigate through a collection of logs to recreate the attack. In order to facilitate that task, the authors propose creating forensic web services (FWS), a specialized web service that when used would securely maintain transactional records between other web services. These secure records can be re-linked to reproduce the transactional history by an independent agency. Although their work is ongoing, they show the necessary components of a forensic framework for web services and its success through a case study.


Author(s): Deepti Parachuri, Sudeep Mallick

Security is of fundamental concern in computing systems. This chapter covers the role of security policies in Web services. First, it examines the importance of policies in web services and explains the WS-Policy standard. It also highlights the relation of WS-Policy with other WS-* specifications. Next, it covers different facets of security requirements in SOA implementations. Later, it examines the importance of security policies in web services. It also presents the basic concepts of the WS-Security policy language. The WS-Security policy specification specifies a standard way to define and publish security requirements in an extensible and interoperable way. A service provider makes use of security policy to publish the security measures implemented to protect the service. Security policies can also be made customizable to meet the security preferences of different consumers. Towards the end, it discusses the governance of security policies and also future trends in security policies for web services.

