Journal of Software, Vol 6, No 4 (2011), 595-603, Apr 2011
doi:10.4304/jsw.6.4.595-603

A Security Evaluation Method Based on Threat Classification for Web Service

Li Jiang, Hao Chen, Fei Deng, Qiusheng Zhong

Abstract


Web service is a distributed computing model built on open standard technology and characterized by loose coupling, language neutrality and platform independence. How to efficiently evaluate the security of a Web service is a challenging research topic. Current research focuses mainly on the testing of Web services and rarely addresses the issue of service security evaluation. On the basis of an analysis of the security threats facing current Web services, a Web service security evaluation method based on threat classification is proposed. It can carry out security evaluation of a Web service from different points of view, namely spoofing, tampering, repudiation, message disclosure, denial of service and elevation of privilege, and, through threat modeling and assessment of the degree of security, it can provide users with a reference evaluation index of Web service security. Finally, a case study on an SOA application is discussed in detail. Experimental results show that the proposed model works efficiently: it can provide a valuable reference for checking the security vulnerabilities of a Web service and help to optimize the system’s security design.


Keywords


web service; security classification; security evaluation model; security abilities property


Journal of Software (JSW, ISSN 1796-217X)

Copyright © 2006-2013 by ACADEMY PUBLISHER – All rights reserved.