SOA-Security Lab

1st Place of the 2010 IEEE International Services Cup

Our Motivation

Creating secure Web Service-based composed applications is challenging due to the complexity of the WS-* specifications and the multitude of security specifications. On a technical layer, security services require

  • Plenty of configurations
  • Strong security knowledge
  • Complex Security Configurations

Our Solution

The SOA Security Lab is designed as a virtualised testing environment for service-related security concepts. Our platform comprises several layers as shown in Figure 1.

Figure 1. Layers of the SOA Security Lab

Composed applications (provided as Software as a Service) can be created using a visual modeller and are executed in virtual machines (Infrastructure as a Service). Users can integrate external services (e.g. Amazon services), use the cloud platform to execute custom services (Platform as a Service) or compose predefined services (Component as a Service).

Figure 2 shows the main components of our platform:

  1. Scenario Management: Visual creation of components
  2. Policy Management: Generation of security configurations
  3. Deployment Service: Deployment and execution of applications
  4. Security Analysis: Monitoring and analysis of security mechanisms

Figure 2. SOA Security Lab Architecture


1. Visual Creation of Composed Application

Composed applications based on Web Services can be created by modelling the structure of the desired system as shown in Figure 3. In order to secure the system, security requirements such as the protection of exchanged messages, the authentication of users, or the necessary trust relationships can be modelled as well. In addition, this model is verified to ensure a proper transformation to service configuration files and policies.

Figure 3. Modeling of a secure composed application. The services require the authentication of users as well as a confidential exchange of messages.

2. Generation of Security Configurations

The Policy Management performs the transformation of the model to service configuration files and security policies (e.g. WS-SecurityPolicy) that can be deployed and enforced at services and frontends used in the composed application. This transformation is based on security configuration patterns that provide expert knowledge to transform simple security intentions into complex security configurations. The different layers in the transformation process are shown in Figure 4.

Figure 4. Model-driven Generation of Configuration Files

Modelling Layer: This layer is the foundation for a pattern-based transformation. System design models are enhanced with security intentions to specify security requirements.

Platform Independent Model: This layer represents a platform-independent model that describes security policies in a platform-independent language.

Configuration Files: This is the technical layer which states security requirements in a deployable notation, e.g. WS-SecurityPolicy.
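
The three layers can be illustrated with a small sketch for the scenario of Figure 3 (user authentication plus confidential message exchange). This is an added example, not the SOA Security Lab's own code: the pattern catalogue, the verification rule and all function names are assumptions, and only protection and token assertions are generated (a deployable policy would also need a binding assertion).

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
ET.register_namespace("wsp", WSP)
ET.register_namespace("sp", SP)

# Hypothetical pattern catalogue: security intention -> platform-independent rules.
PATTERNS = {
    "confidentiality": [("encrypt", "Body")],
    "integrity": [("sign", "Body")],
    "user_authentication": [("token", "UsernameToken")],
}
# Assumed verification rule: a username token must not travel unencrypted.
REQUIRES = {"user_authentication": {"confidentiality"}}

def verify(intentions):
    """Modelling layer check: reject models that cannot be transformed safely."""
    errors = [f"unknown intention: {i}" for i in intentions if i not in PATTERNS]
    for i in intentions:
        for dep in sorted(REQUIRES.get(i, set()) - set(intentions)):
            errors.append(f"{i} requires {dep}")
    return errors

def to_pim(intentions):
    """Platform-independent model: ordered, de-duplicated abstract rules."""
    problems = verify(intentions)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for i in intentions:
        rules += [r for r in PATTERNS[i] if r not in rules]
    return rules

def to_ws_securitypolicy(rules):
    """Configuration layer: render the rules as WS-SecurityPolicy 1.2 assertions."""
    policy = ET.Element(f"{{{WSP}}}Policy")
    alt = ET.SubElement(ET.SubElement(policy, f"{{{WSP}}}ExactlyOne"), f"{{{WSP}}}All")
    for action, target in rules:
        if action == "token":
            nested = ET.SubElement(ET.SubElement(alt, f"{{{SP}}}SupportingTokens"), f"{{{WSP}}}Policy")
            ET.SubElement(nested, f"{{{SP}}}{target}",
                          {f"{{{SP}}}IncludeToken": SP + "/IncludeToken/AlwaysToRecipient"})
        else:
            parts = "EncryptedParts" if action == "encrypt" else "SignedParts"
            ET.SubElement(ET.SubElement(alt, f"{{{SP}}}{parts}"), f"{{{SP}}}{target}")
    return ET.tostring(policy, encoding="unicode")

if __name__ == "__main__":
    print(to_ws_securitypolicy(to_pim(["user_authentication", "confidentiality"])))
```

A model that asks for user authentication without confidentiality is rejected at the modelling layer, before any configuration file is produced.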

3. Deployment and Execution of Applications

Services, frontends and related metadata are stored in the service repository. On demand, a virtual machine is created for the user to execute a modelled use case. The Scenario Management component (see Figure 5) deploys all components and configuration files related to the modelled use case. Finally, each user can execute, analyse and test composed applications in their own isolated environment.

Figure 5. Deployment of composed applications
Figure 6. Visualising the structure of exchanged messages

4. Monitoring and Analysis of Security Mechanisms

Our platform enables users to gain insight into services and the security modules used to enforce security policies. For each service, the security modules can be visualised. The messages that passed these modules can be inspected as well. Figure 6 shows the visualisation in our platform that depicts a chain of security modules and a service request that passed this chain. The message security protocols and mechanisms used to secure this message are analysed and highlighted.

