SECURITY RISK ANALYSIS IN WEB SERVICES SYSTEMS

Carlos Gutiérrez, Eduardo Fernández-Medina, Mario Piattini

Abstract

Nowadays, best practices dictate that the security requirements of distributed, software-intensive systems should be derived from security risk assessments. Web services-based systems that support network alliances among organizations over the Internet are one such type of system. In this article we present how we have adapted the risk analysis and management methodology of the Spanish Public Administration (MAGERIT), which conforms to the ISO 15408 Common Criteria Framework (CCF), to the Process for Web Services Security (PWSSec) developed by the authors. In addition, we present a real case study in which this adaptation was applied.

Paper Citation


in Harvard Style

Gutiérrez C., Fernández-Medina E. and Piattini M. (2006). SECURITY RISK ANALYSIS IN WEB SERVICES SYSTEMS. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 425-430. DOI: 10.5220/0002105004250430


in Bibtex Style

@conference{secrypt06,
author={Carlos Gutiérrez and Eduardo Fernández-Medina and Mario Piattini},
title={SECURITY RISK ANALYSIS IN WEB SERVICES SYSTEMS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={425-430},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002105004250430},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - SECURITY RISK ANALYSIS IN WEB SERVICES SYSTEMS
SN - 978-972-8865-63-4
AU - Gutiérrez C.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2006
SP - 425
EP - 430
DO - 10.5220/0002105004250430