Development of a Secure Web Service Using RUPSec
Subject Areas: electrical and computer engineering
S. M. Hosseininezhad 1 *, G. Elahi 2, P. Jaferian 3
Keywords: Secure systems, web service, RUPSec, software development methodology, software engineering
Abstract:
Security issues are considered major hurdles to the extensive use of web services in the enterprise. There has been work on standards, protocols, and technologies to address some of these concerns. Nevertheless, problems arise and the issues remain. Security needs must be recognized before one can select the right standards and mechanisms to provide a secure system. In this paper, a case study is followed, and through it an approach for using RUPSec to develop a secure web service is offered. The major objective has been to provide a way to discover and extract the security needs of web services based on the threats against them. Furthermore, RUPSec's strength in pinpointing threats and security requirements is tested.