4 research outputs found
Goal Modelling for Security Problem Matching and Pattern Enforcement
Earlier detection of security problems and implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90’s. The same concept has been adopted to realise recurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this paper, we have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. We have summarised security access control types, and formally described role-based access control (RBAC) in particular as a pattern that may occur in the stakeholder requirements models. Then we have used the i* modelling language and some elements from its constructs - model-driven queries and transformations - to describe the pattern enforcement. Applied to a number of requirements models within literature, the pattern-based transformation tool we designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the paper also reflects on a variety of existing applications and future work.
Privacy-aware web service composition and ranking
Service selection is a key issue in the Future Internet, where applications are built by composing services and content offered by different service providers. Most existing service selection schemas only focus on QoS properties of services such as throughput, latency and response time, or on their trust and reputation level. By contrast, the risk of privacy breaches arising from the selection of component services whose privacy policy is not compliant with customers' privacy preferences is largely ignored. In this paper, we propose a novel privacy-preserving Web service composition and selection approach which (i) makes it possible to verify the compliance between users' privacy requirements and providers' privacy policies and (ii) ranks the composite Web services with respect to the privacy level they offer. We demonstrate our approach using a travel agency Web service as an example of service composition.
Privacy-aware web service composition and ranking
Service selection is a key issue in the Future Internet, where applications are built by composing services and content offered by different service providers. Most existing service selection schemas only focus on QoS properties of services such as throughput, latency and response time, or on their trust and reputation level. By contrast, the risk of privacy breaches arising from the selection of component services whose privacy policy is not compliant with customers' privacy preferences is largely ignored. In this paper, the authors propose a novel privacy-preserving Web service composition and selection approach which (i) makes it possible to verify the compliance between users' privacy requirements and providers' privacy policies and (ii) ranks the composite Web services with respect to the privacy level they offer. The authors illustrate their approach using an eCommerce Web service as an example of service composition. Moreover, the authors present a possible Java-based implementation of the proposed approach and present an extension to the WS-Policy standard to specify privacy-related assertions.