409,331 research outputs found

    Security in the web services framework

    The Web Services Framework provides techniques to enable the application-to-application use of the Web. It has the potential of becoming the core of a new Web-based middleware platform, providing interoperability between computational services using Web- and Internet-technologies. Security is of course of major importance in this context. We introduce here extensions to two major building blocks of the Web Services Framework – the Web Services Description Language WSDL and the Universal Description, Discovery, and Integration Service UDDI. We add description mechanisms and matching techniques that support the retrieval of Web Services from repositories

    Selecting Web Services with Security Compliances: A Managerial Perspective

    This paper proposes a framework of a decision support system (DSS) for the assessment process of selecting Web services with security compliances consistent with the enterprise business goal. The proposed DSS framework is a systematic assessment model which could aid IS managers in making decisions on which Web services would most likely meet the security requirements of their information systems. The proposed process is based on the standard ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation. The framework consists of five components: (i) Identification of security objectives; (ii) Formulation of criteria; (iii) Selection of candidate Web services; (iv) Security profiling of Web services; and (v) Variance analysis engine. The framework is presented with a running example to demonstrate the applicability of the approach.

    The Conceptual Design and Implementing Web Services Security Framework for Ministry of Information and Communication Technology in Thailand

    This research aims to present a Web Services Security Framework for the Ministry of Information and Communication Technology (MICT) in Thailand as referred to international standard BS7799 on information security management. With a pilot development of web services which are based on e-government, the researcher used the Ministry of Information and Communication Technology as a case study. In order to understand the developmental pilot, it’s crucial to realize particularly in web services security and to determine proposed or existing system. Finally, it can serve as a standard guideline for Thai public organizations developing a web services security framework.

    Engineering Secure Adaptable Web Services Compositions

    Service-oriented architecture defines a paradigm for building applications by assembling autonomous components such as web services to create web service compositions. Web services are executed in complex contexts where unforeseen events may compromise the security of the web services composition. If such compositions perform critical functions, prompt action may be required as new security threats may arise at runtime. Manual interventions may not be ideal or feasible. To automatically decide on valid security changes to make at runtime, the composition needs to make use of current security context information. Such security changes are referred to as dynamic adaptation. This research proposes a framework to develop web services compositions that can dynamically adapt to maintain the same level of security when unforeseen security events occur at runtime. The framework is supported by mechanisms that map revised security requirements arising at runtime to a new security configuration plan that is used to adapt the web services composition

    Decoupling security concerns in web services using aspects

    This paper discusses the Aspect-oriented Framework for Web services (AoF4WS) that supports on-demand context-sensitive security in Web services. Flexible security schemes are needed in many Web services applications where authentication, authorization, etc., can no longer be used in their current form. Security mechanisms are to be customized to the continuously changing requirements of Web services. Examples of this customization concern cryptographic protocol for a specific situation and timeout for user credentials. The AoF4WS uses aspect-oriented programming and frames. Aspects provide flexibility to the framework, and frames adjust aspects to specific requirements. © 2006 IEEE

    Security for Grid Services

    Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service. Comment: 10 pages; 4 figure

    Advanced eGovernment Information Service Bus (eGov-Bus)

    The eGov-Bus project provides citizens and businesses with improved access to virtual public services, which are based on existing national eGovernment Web services and which support cross-border life events. Requirements and specific rules of these life events are considered, and personalization of user preferences is supported. eGov-Bus is based on adaptable process management technologies, allowing for virtual services which are dynamically combined from existing national eGovernment services. In this way, a comprehensive workflow process is set up, allowing for service-level agreements, an audit trail and explanation of the process to the end user. The eGov-Bus process engine operates on top of a virtual repository, providing a high-level semantic view of information retrieved from heterogeneous information sources, such as eGovernment Web services. Further, eGov-Bus relies on a security framework to ensure all high-level security requirements are met. The eGov-Bus architecture is business oriented; it focuses on Service Oriented Architecture (SOA) concepts, asynchronously combining Web services and providing a Service Bus. Frameworks and Guidelines, eGovernment Ontologies, Administrative Process Design, Life Events, Web Services, Service Bus Integration

    E-commerce Systems and E-shop Web Sites Security

    Fruitfulness of contemporary companies rests on new business model development, elimination of communication obstacles, simplification of industrial processes, possibilities of responding in real-time and above all meeting the floating custom needs. Quite a number of company activities and transactions are realized within the framework of e-business. Business transactions are supported by e-commerce systems. One of the e-commerce system parts is the web interface (web sites). The present trend is putting the accent on security. E-commerce system security and web sites security is the most overlooked aspect of securing data. E-commerce system security depends on technologies and its correct exploitation and proceedings. If we want e-commerce systems and e-shop web sites with all services to be safe, it is necessary to know all possible risks, use up to date technologies, follow conventions of web sites development and have a good security management system. The article deals with the definition and description of risk areas that refer to e-commerce systems and e-shop web sites and shows fundamental principles of e-commerce systems and e-shop web sites security. E-commerce system, e-shop web sites, security, security proceedings, web technologies

    Towards secure web services: Performance analysis, decision making and steganography approaches

    This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. Web services provide a platform neutral and programming language independent technology that supports interoperable machine-to-machine interaction over a network. Clients and other systems interact with Web services using a standardised XML messaging system, such as the Simple Object Access Protocol (SOAP), typically conveyed using HTTP with an XML serialisation in conjunction with other related Web standards. Nevertheless, the idea of applications from different parties communicating together raises a security threat. The challenge of Web services security is to understand and consider the risks of securing a Web-based service depending on the existing security techniques and simultaneously follow evolving standards in order to fill the gap in Web services security. However, the performance of the security mechanisms is fraught with concerns due to additional security contents in SOAP messages, the higher number of message exchanges to establish trust, as well as the extra CPU time to process these additions. As the interaction between service providers and requesters occurs via XML-based SOAP messages, securing Web services tends to make these messages longer than they would be otherwise and consequently requires interpretation by XML parsers on both sides, which reduces the performance of Web services. The work described in this thesis can be broadly divided into three parts, the first of which is studying and comparing the performance of various security profiles applied on a Web service tested with different initial message sizes. The second part proposes a multi-criteria decision making framework to aid Web services developers and architects in selecting the best suited security profile that satisfies the different requirements of a given application during the development process in a systematic, manageable, and effective way. The proposed framework, based on the Analytical Hierarchy Process (AHP) approach, incorporates not only the security requirements, but also the performance considerations as well as the configuration constraints of these security profiles. The framework is then validated and evaluated using a scenario-driven approach to demonstrate situations where the decision making framework is used to make informed decisions to rank various security profiles in order to select the most suitable one for each scenario. Finally, the last part of this thesis develops a novel steganography method to be used for SOAP messages within Web services environments. This method is based on changing the order of XML elements according to a secret message. This method has a high imperceptibility; it leaves almost no trail because it uses the communication protocol as a cover medium, and keeps the structure and size of the SOAP message intact. The method is empirically validated using a feasible scenario so as to indicate its utility and value.