SlideShare una empresa de Scribd logo

Service Compositions: Curse or Blessing for Security?

Achim D. Brucker
Achim D. Brucker

Building large systems by composing reusable services is not a new idea, it is at least 25 years old. Still, only recently the scenario of dynamic interchangeable services that are consumed via public networks is becoming reality. Following the Software as a Service (Saas) paradigm, an increasing number of complex applications is offered as a service that themselves can be used composed for building even larger and more complex applications. This will lead to situations in which users are likely to unknowingly consume services in a dynamic and ad hoc manner. Leaving the rather static (and mostly on-premise) service composition scenarios of the past 25 years behind us, dynamic service compositions, have not only the potential to transform the software industry from a business perspective, they also requires new approaches for addressing the security, trustworthiness needs of users. The EU FP7 project Aniketos develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of dynamic service compositions, addressing service developers, service providers and service end users. In this talk, we will motivate several security and trustworthiness requirements that occur in dynamic service compositions and discuss the solutions developed within the project Aniketos. Based on our experiences, we will discuss open research challenges and potential opportunities for potential opportunities for applying type systems.

TecnologíaEmpresariales
1 de 33
Descargar para leer sin conexión
Service Compositions: Curse or Blessing for Security? Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/ SAP AG, Products & Innovation, Products and Innovations, Product Security Research Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany 2nd International Workshop on Behavioural Types September 23-24 2013, Madrid, Spain
Abstract Building large systems by composing reusable services is not a new idea, it is at least 25 years old. Still, only recently the scenario of dynamic interchangeable services that are consumed via public networks is becoming reality. Following the Software as a Service (Saas) paradigm, an increasing number of complex applications is offered as a service that themselves can be used composed for building even larger and more complex applications. This will lead to situations in which users are likely to unknowingly consume services in a dynamic and ad hoc manner. Leaving the rather static (and mostly on-premise) service composition scenarios of the past 25 years behind us, dynamic service compositions, have not only the potential to transform the software industry from a business perspective, they also requires new approaches for addressing the security, trustworthiness needs of users. The EU FP7 project Aniketos develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of dynamic service compositions, addressing service developers, service providers and service end users. In this talk, we will motivate several security and trustworthiness requirements that occur in dynamic service compositions and discuss the solutions developed within the project Aniketos. Based on our experiences, we will discuss open research challenges and potential opportunities for potential opportunities for applying type systems. ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 2
About Me My Employer: SAP AG Vendor of enterprise software systems World’s third largest software vendor More than 25 industries 63% of the world’s transaction revenue touches an SAP system 64 422 employees worldwide Personal Background: Senior Researcher: Security, Formal Methods, Software Engineering Security Expert: supporting all phases of a SDLC ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 3
The Aniketos Project Enable composite services to establish and maintain security and trustworthiness Goals of the Aniketos platform: Design-time discovery, composition and evaluation, threat awareness Runtime adaptation or change in service configuration Runtime monitoring, detection, notification Two related dimensions: Trustworthiness: Reputation, perception, centralised vs. distributed Security properties: Behaviour, contracts, interfaces, formal verification Aniketos Fact-Sheet: EU Integrated Project (IP), FP7 Call 5 Budget: € 13.9 Mio (€ 9.6 Mio funding) 42 month (Aug. 2010 – Feb. 2014) Coordinator: Sintef (Norway) http://www.aniketos.eu ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 4
Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
The Past: Service Compositions “ Service: a mechanism to enable access to one or more capabilities, where the access is provided using a prescribed interface . . . with constraints and policies as specified by the service description. OASIS Reference Model for Service Oriented Architecture At least 20 years old: RPCs introduced in 1980s CORBA published in 1991 Motivated by re-useability reliability Used within organisations Frameworks considered to be heavy-weight ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 6
The Past: Secure Service Compositions Photo: Holger Weinandt Recall the past: networks were expensive (and slow) only a few people had access to networked systems Security model: non-technical trust small numbers of users allowing a personal relationship system operators trust their users security perimeter limited access firewalls controlled system access ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 7
The Present: Service Composition Motivated by business needs: cost-savings flexibility Used across organisations Environment fast networks many users relatively static compositions ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 8
The Present: Secure Service Composition Access Control Photo: Syohei Arai Goal: Control access to services, resources (data), . . . The core: Usually: users, roles, access rights, . . . In special cases: data labelling or information flow On top: Separation of Duty Binding of Duty Delegation ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 9
The Present: Secure Service Composition Protecting Data (and Physical Goods) Photo: Bundesarchiv, Bild 183-R0117-0003 / CC-BY-SA Goal: Ensure confidentiality integrity (safety) of data (and goods) The core: Need-to-Know Fingerprints Encryption Sensors ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 10
The Present: Secure Service Composition Compliance and Additional Requirements Photo: Ralf Roletschek Many regulated markets Basel II/III, SoX, PCI HIPAA Many customer-specific regulations Own governance to mitigate risks Own business code of conduct Fraud detection/prevention Non-observability Customers are individually audited No “one certificate fits all” solution Security should not hinder business ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 11
The Future: Service Composition Human Resources (e.g., SuccessFactors) CRM (e.g., Salesforce) Expense Management (e.g., Concur) Log Log Log Customer On Premise Log Software as a service complex components updates controlled by provider Many external services No central orchestrator Complex data flows ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 12
The Future: Secure Service Composition We need to ensure the already discussed requirements. Many additional challenges, e.g., Customer ensure compliance in a changing environment Developer provide secure, scalable services Provider provide secure offerings protect own infrastructure protect data of customers ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 13
Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
The Aniketos Process Runtime Design-time Service providers Service developers Compose Service end users Invoke Component change Change of threats Change of environment Adapt/recompose Provide • Discovery and composition support based on trustworthiness, security properties and metrics • Relevant threat awareness • Trust and security monitoring • Threat notification •Self-protection •Trust evaluation •Security validation • End user trust assurance and acceptance • Identification of responsible party ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 15
Modeling Composition Plans using BPMN Human-centric tasks Automated tasks (services) Orchestration of services Start/end states Logical control flow (if/and/or) Error states ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 16
Security by Contract Atomic Services //service implementation import javax.servlet.http.*; public class Service { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { ... Service Provider Security Contract Service Security Agreement Service Customer Security Policy Service Provider/Developer Service Customer fullfills Implementation Certifi matches matches Contract Matching ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 17
Security by Contract Composed Services S0 contract S0 policy S0 S1 contract S1 policy S1 S2 contract S2 policy S2 Sn contract Sn policy Sn Service Provider Security Contract Composed Service fullfills Implementation Certification ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 18
Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
Secure Implementation of Atomic Services Check the compliance of atomic service implementations. Human tasks: Define the user interface (e.g., HTML, Java) Create, read, or update of process variables Service tasks: Define the business logic (e.g, Java, Web service specific configuration) Create, read, or update of process variables ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 20
Implementing “Contact Travel Service Company” package corp.acme; public class SendOrderToTravelAgency implements JavaDelegate { @Override public void execute(DelegateExecution ex) throws Exception { String lastname = (String) ex.getVariable("user_lastname"); String firstname = (String) ex.getVariable("user_firstname"); String email = (String) ex.getVariable("user_email"); String reason = (String) ex.getVariable("travel_business_reason"); String destination = (String) ex.getVariable("travel_destination"); String duration = (String) ex.getVariable("travel_duration"); // Code for accessing the web service QName SERVICE_NAME = new QName("http://travel.corp/", "TravelService"); URL WSDLURL = new URL("http://travel.corp/TravelService/Service.asmx?WSDL"); Service travelService = new Service(WSDLURL, SERVICE_NAME); ServiceSoap port = travelService.getServiceSoap(); // send order to travel service port.orderTravelAssistance(firstname,lastname,email,reason, destination,duration); } } ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 21
Implementation Level Reasoning ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 22
The Problem: RBAC with Separation of Duty Role-based access control (RBAC) Subjects are assigned to roles Permissions assign roles to tasks (resources) Separation of duty (SoD) restrict subjects in executing tasks We analyse: Does the RBAC configuration comply to the SoD requirements? yes: static SoD no: dynamic SoD In case of a compliance violation: change RBAC configuration ensure dynamic enforcement of SoD ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 23
Security Verification Module (RBAC/SoD Check) ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 24
Analysing (Dynamic | Static) Separation of Duty Does the access control enforce a separation of duty constraint Translate the composition plan to ASLan hc rbac_ac(Subject, Role, Task) := CanDoAction(Subject, Role, Task) :- user_to_role(Subject, Role), poto(Role, Task) hc poto_T6 := poto(Staff, Request Travel) hc poto_T6 := poto(Manager, Approve Absence) hc poto_T7 := poto(Manager, Approve Budget) Specify the test goal attack_state sod_securitySod1_1(Subject0,Subject1,Instance1,Instance2) := executed(Subject0,task(Request Travel,Instance1)). executed(Subject1,task(Approve Budget,Instance2)). executed(Subject3,task(Approve Absence,Instance3)) &not(equal(Subject0,Subject1)) &not(equal(Subject1,Subject2)) &not(equal(Subject2,Subject3)) Run the model checker Translate the analysis result back to BPMN (visualisation) ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 25
User Interface for the Service Designer ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 26
Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
Why Are Enterprises Moving Services to the Cloud The shift to the cloud (SaaS) is driven by economical considerations total cost of ownership need for adaptability (flexibility) . . . Core assumption: specialised cloud providers operate systems cheaper (licenses, upgrades, etc.) achieve higher reliability provide more flexibility (elasticity, features, etc.) . . . And security? ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 28
Security Chances and Risks of Service Compositions Chances Challenges regular updates XSS, SQL injection, etc. system administration misconfiguration secured data centres specialises systems . . . how to trust the provider data disclosure new attacks tenants as attackers providers as attackers how to control delegation subcontracting . . . ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 29
Challenges for Type-based Approaches (in Industry) Real systems are not build from scratch existing frameworks legacy systems . . . Developers hate to write type annotations BufferedReader in = new BufferedReader(converter); we need to advertise type inference, a concise syntax for typed languages, and helpful error messages Weakly/dynamically typed languages are gaining popularity light-weight typed based analysis approaches type systems for well-defined subsets that can interact with the whole language (libraries, etc.) ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 30
Conclusion “ The interesting challenges are still ahead of us! Real systems are large and complex: many programming languages or frameworks many security technologies highly distributed There is a trend towards weakly typed languages can we provide type-based analysis for such systems can we provide (strongly) typed alternatives that provide similar flexibility can integrate existing frameworks Security is more than CIA needs to be ensured on all levels implementation level vulnerabilities configuration errors security frameworks/implementation (authentication, crypto) business-level compliance legal frameworks ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 31
Thank you for your attention! Any questions or remarks?
References Achim D. Brucker and Isabelle Hang. Secure and compliant implementation of business process-driven systems. In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012. Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel. SecureBPMN: Modeling and enforcing access control requirements in business processes. In ACM symposium on access control models and technologies (SACMAT), pages 123–126. ACM Press, 2012. Achim D. Brucker, Francesco Malmignati, Madjid Merabti, Qi Shi, and Bo Zhou. A framework for secure service composition. In ASE/IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT). IEEE Computer Society, 2013. Luca Compagna, Pierre Guilleminot, and Achim D. Brucker. Business process compliance via security validation as a service. In Manuel Oriol and John Penix, editors, IEEE International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013. ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 33

Recomendados

A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service CompositionAchim D. Brucker
 
Cloud-Based Customer Experience Management Solutions For Government Agencies
Cloud-Based Customer Experience Management Solutions For Government AgenciesCloud-Based Customer Experience Management Solutions For Government Agencies
Cloud-Based Customer Experience Management Solutions For Government AgenciesRightNow Technologies
 
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Project
 
Citrix cloud services_total_economic_benefits_assessment_guide
Citrix cloud services_total_economic_benefits_assessment_guideCitrix cloud services_total_economic_benefits_assessment_guide
Citrix cloud services_total_economic_benefits_assessment_guideAlejandro Daricz
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityNicholas Davis
 
Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourceditRobert Kloots
 
Ariel Litvin - CCSK
Ariel Litvin - CCSKAriel Litvin - CCSK
Ariel Litvin - CCSKCSAIsrael
 
A dynamic policy based security-as-a-service infrastructure for cloud environ...
A dynamic policy based security-as-a-service infrastructure for cloud environ...A dynamic policy based security-as-a-service infrastructure for cloud environ...
A dynamic policy based security-as-a-service infrastructure for cloud environ...eSAT Publishing House
 

Recomendados

A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service CompositionAchim D. Brucker
 
Cloud-Based Customer Experience Management Solutions For Government Agencies
Cloud-Based Customer Experience Management Solutions For Government AgenciesCloud-Based Customer Experience Management Solutions For Government Agencies
Cloud-Based Customer Experience Management Solutions For Government AgenciesRightNow Technologies
 
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Cloud Security and Privacy by DesignPRISMACLOUD Project
 
Citrix cloud services_total_economic_benefits_assessment_guide
Citrix cloud services_total_economic_benefits_assessment_guideCitrix cloud services_total_economic_benefits_assessment_guide
Citrix cloud services_total_economic_benefits_assessment_guideAlejandro Daricz
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityNicholas Davis
 
Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourceditRobert Kloots
 
Ariel Litvin - CCSK
Ariel Litvin - CCSKAriel Litvin - CCSK
Ariel Litvin - CCSKCSAIsrael
 
A dynamic policy based security-as-a-service infrastructure for cloud environ...
A dynamic policy based security-as-a-service infrastructure for cloud environ...A dynamic policy based security-as-a-service infrastructure for cloud environ...
A dynamic policy based security-as-a-service infrastructure for cloud environ...eSAT Publishing House
 
Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationGetting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationITpreneurs
 
IntelAdapt
IntelAdaptIntelAdapt
IntelAdaptMaggie Albrecht
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the CloudRochester Security Summit
 
Issa 042711
Issa 042711Issa 042711
Issa 042711Erin Banks
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaWise Pacific Venture
 
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...SLA-Ready Network
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesNJVC, LLC
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013STO STRATEGY
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David RossGraeme Wood
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013STO STRATEGY
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdfYounesChafi1
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...IJIR JOURNALS IJIRUSA
 
Product Assessment and Consulting Offerings
Product Assessment and Consulting OfferingsProduct Assessment and Consulting Offerings
Product Assessment and Consulting OfferingsHappiest Minds Technologies
 
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Unisys Corporation
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 

Más contenido relacionado

La actualidad más candente

Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationGetting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationITpreneurs
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaWise Pacific Venture
 
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...SLA-Ready Network
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesNJVC, LLC
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013STO STRATEGY
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David RossGraeme Wood
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013STO STRATEGY
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdfYounesChafi1
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...IJIR JOURNALS IJIRUSA
 
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Unisys Corporation
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
 

La actualidad más candente (20)

Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK CertificationGetting Your IT Security Learners Ready for the Cloud with CCSK Certification
Getting Your IT Security Learners Ready for the Cloud with CCSK Certification
 
IntelAdapt
IntelAdaptIntelAdapt
IntelAdapt
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the Cloud
 
Issa 042711
Issa 042711Issa 042711
Issa 042711
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, Indonesia
 
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
Arthur van der Wees, Arthur's Legal on Making Cloud SLAs readily usable in th...
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military Agencies
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David Ross
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionals
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
 
Product Assessment and Consulting Offerings
Product Assessment and Consulting OfferingsProduct Assessment and Consulting Offerings
Product Assessment and Consulting Offerings
 
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
Frost & Sullivan 2015 North American Encrypted Network Security Solutions New...
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
 

Destacado

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantAchim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
The Kingdom of God
The Kingdom of GodThe Kingdom of God
The Kingdom of GodRUBibleStudy
 

Destacado (6)

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
The Kingdom of God
The Kingdom of GodThe Kingdom of God
The Kingdom of God
 

Similar a Service Compositions: Curse or Blessing for Security?

Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...
Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...
Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...SLA-Ready Network
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudPaaSword EU Project
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2jeffirby
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSIRJET Journal
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword EU Project
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
G05.2013 Security Information and Event Management
G05.2013 Security Information and Event ManagementG05.2013 Security Information and Event Management
G05.2013 Security Information and Event ManagementSatya Harish
 
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docxC11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docxRAHUL126667
 
What is needed to start trusting the security of your applications in the cloud?
What is needed to start trusting the security of your applications in the cloud?What is needed to start trusting the security of your applications in the cloud?
What is needed to start trusting the security of your applications in the cloud?PECB
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureQualys
 
TUW-ASE Summer 2015: IoT Cloud Systems
TUW-ASE Summer 2015: IoT Cloud SystemsTUW-ASE Summer 2015: IoT Cloud Systems
TUW-ASE Summer 2015: IoT Cloud SystemsHong-Linh Truong
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Security in cloud computing kashyap kunal
Security in cloud computing kashyap kunalSecurity in cloud computing kashyap kunal
Security in cloud computing kashyap kunalKashyap Kunal
 
Cloud Security 2014 AASNET
Cloud Security 2014 AASNETCloud Security 2014 AASNET
Cloud Security 2014 AASNETFarrukh Shahzad
 

Similar a Service Compositions: Curse or Blessing for Security? (20)

Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...
Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...
Massimiliano Raks, Naples University on SPECS: Secure provisioning of cloud s...
 
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the CloudNo More Dark Clouds: A Privacy Preserving Framework for the Cloud
No More Dark Clouds: A Privacy Preserving Framework for the Cloud
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
 
J3602068071
J3602068071J3602068071
J3602068071
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges PaaSword's main idea, technical architecture and scientific challenges
PaaSword's main idea, technical architecture and scientific challenges
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
G05.2013 Security Information and Event Management
G05.2013 Security Information and Event ManagementG05.2013 Security Information and Event Management
G05.2013 Security Information and Event Management
 
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docxC11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
 
What is needed to start trusting the security of your applications in the cloud?
What is needed to start trusting the security of your applications in the cloud?What is needed to start trusting the security of your applications in the cloud?
What is needed to start trusting the security of your applications in the cloud?
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud Infrastructure
 
TUW-ASE Summer 2015: IoT Cloud Systems
TUW-ASE Summer 2015: IoT Cloud SystemsTUW-ASE Summer 2015: IoT Cloud Systems
TUW-ASE Summer 2015: IoT Cloud Systems
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Security in cloud computing kashyap kunal
Security in cloud computing kashyap kunalSecurity in cloud computing kashyap kunal
Security in cloud computing kashyap kunal
 
Cloud Security 2014 AASNET
Cloud Security 2014 AASNETCloud Security 2014 AASNET
Cloud Security 2014 AASNET
 

Más de Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetAchim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsAchim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your BrowserAchim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorAchim D. Brucker
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesAchim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glassAchim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Achim D. Brucker
 

Más de Achim D. Brucker (17)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Service Compositions: Curse or Blessing for Security?

  • 1. Service Compositions: Curse or Blessing for Security? Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/ SAP AG, Products & Innovation, Products and Innovations, Product Security Research Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany 2nd International Workshop on Behavioural Types September 23-24 2013, Madrid, Spain
  • 2. Abstract Building large systems by composing reusable services is not a new idea, it is at least 25 years old. Still, only recently the scenario of dynamic interchangeable services that are consumed via public networks is becoming reality. Following the Software as a Service (Saas) paradigm, an increasing number of complex applications is offered as a service that themselves can be used composed for building even larger and more complex applications. This will lead to situations in which users are likely to unknowingly consume services in a dynamic and ad hoc manner. Leaving the rather static (and mostly on-premise) service composition scenarios of the past 25 years behind us, dynamic service compositions, have not only the potential to transform the software industry from a business perspective, they also requires new approaches for addressing the security, trustworthiness needs of users. The EU FP7 project Aniketos develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of dynamic service compositions, addressing service developers, service providers and service end users. In this talk, we will motivate several security and trustworthiness requirements that occur in dynamic service compositions and discuss the solutions developed within the project Aniketos. Based on our experiences, we will discuss open research challenges and potential opportunities for potential opportunities for applying type systems. ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 2
  • 3. About Me My Employer: SAP AG Vendor of enterprise software systems World’s third largest software vendor More than 25 industries 63% of the world’s transaction revenue touches an SAP system 64 422 employees worldwide Personal Background: Senior Researcher: Security, Formal Methods, Software Engineering Security Expert: supporting all phases of a SDLC ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 3
  • 4. The Aniketos Project Enable composite services to establish and maintain security and trustworthiness Goals of the Aniketos platform: Design-time discovery, composition and evaluation, threat awareness Runtime adaptation or change in service configuration Runtime monitoring, detection, notification Two related dimensions: Trustworthiness: Reputation, perception, centralised vs. distributed Security properties: Behaviour, contracts, interfaces, formal verification Aniketos Fact-Sheet: EU Integrated Project (IP), FP7 Call 5 Budget: € 13.9 Mio (€ 9.6 Mio funding) 42 month (Aug. 2010 – Feb. 2014) Coordinator: Sintef (Norway) http://www.aniketos.eu ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 4
  • 5. Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
  • 6. The Past: Service Compositions “ Service: a mechanism to enable access to one or more capabilities, where the access is provided using a prescribed interface . . . with constraints and policies as specified by the service description. OASIS Reference Model for Service Oriented Architecture At least 20 years old: RPCs introduced in 1980s CORBA published in 1991 Motivated by re-useability reliability Used within organisations Frameworks considered to be heavy-weight ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 6
  • 7. The Past: Secure Service Compositions Photo: Holger Weinandt Recall the past: networks were expensive (and slow) only a few people had access to networked systems Security model: non-technical trust small numbers of users allowing a personal relationship system operators trust their users security perimeter limited access firewalls controlled system access ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 7
  • 8. The Present: Service Composition Motivated by business needs: cost-savings flexibility Used across organisations Environment fast networks many users relatively static compositions ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 8
  • 9. The Present: Secure Service Composition Access Control Photo: Syohei Arai Goal: Control access to services, resources (data), . . . The core: Usually: users, roles, access rights, . . . In special cases: data labelling or information flow On top: Separation of Duty Binding of Duty Delegation ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 9
  • 10. The Present: Secure Service Composition Protecting Data (and Physical Goods) Photo: Bundesarchiv, Bild 183-R0117-0003 / CC-BY-SA Goal: Ensure confidentiality integrity (safety) of data (and goods) The core: Need-to-Know Fingerprints Encryption Sensors ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 10
  • 11. The Present: Secure Service Composition Compliance and Additional Requirements Photo: Ralf Roletschek Many regulated markets Basel II/III, SoX, PCI HIPAA Many customer-specific regulations Own governance to mitigate risks Own business code of conduct Fraud detection/prevention Non-observability Customers are individually audited No “one certificate fits all” solution Security should not hinder business ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 11
  • 12. The Future: Service Composition Human Resources (e.g., SuccessFactors) CRM (e.g., Salesforce) Expense Management (e.g., Concur) Log Log Log Customer On Premise Log Software as a service complex components updates controlled by provider Many external services No central orchestrator Complex data flows ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 12
  • 13. The Future: Secure Service Composition We need to ensure the already discussed requirements. Many additional challenges, e.g., Customer ensure compliance in a changing environment Developer provide secure, scalable services Provider provide secure offerings protect own infrastructure protect data of customers ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 13
  • 14. Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
  • 15. The Aniketos Process Runtime Design-time Service providers Service developers Compose Service end users Invoke Component change Change of threats Change of environment Adapt/recompose Provide • Discovery and composition support based on trustworthiness, security properties and metrics • Relevant threat awareness • Trust and security monitoring • Threat notification •Self-protection •Trust evaluation •Security validation • End user trust assurance and acceptance • Identification of responsible party ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 15
  • 16. Modeling Composition Plans using BPMN Human-centric tasks Automated tasks (services) Orchestration of services Start/end states Logical control flow (if/and/or) Error states ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 16
  • 17. Security by Contract Atomic Services //service implementation import javax.servlet.http.*; public class Service { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { ... Service Provider Security Contract Service Security Agreement Service Customer Security Policy Service Provider/Developer Service Customer fullfills Implementation Certifi matches matches Contract Matching ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 17
  • 18. Security by Contract Composed Services S0 contract S0 policy S0 S1 contract S1 policy S1 S2 contract S2 policy S2 Sn contract Sn policy Sn Service Provider Security Contract Composed Service fullfills Implementation Certification ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 18
  • 19. Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
  • 20. Secure Implementation of Atomic Services Check the compliance of atomic service implementations. Human tasks: Define the user interface (e.g., HTML, Java) Create, read, or update of process variables Service tasks: Define the business logic (e.g, Java, Web service specific configuration) Create, read, or update of process variables ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 20
  • 21. Implementing “Contact Travel Service Company” package corp.acme; public class SendOrderToTravelAgency implements JavaDelegate { @Override public void execute(DelegateExecution ex) throws Exception { String lastname = (String) ex.getVariable("user_lastname"); String firstname = (String) ex.getVariable("user_firstname"); String email = (String) ex.getVariable("user_email"); String reason = (String) ex.getVariable("travel_business_reason"); String destination = (String) ex.getVariable("travel_destination"); String duration = (String) ex.getVariable("travel_duration"); // Code for accessing the web service QName SERVICE_NAME = new QName("http://travel.corp/", "TravelService"); URL WSDLURL = new URL("http://travel.corp/TravelService/Service.asmx?WSDL"); Service travelService = new Service(WSDLURL, SERVICE_NAME); ServiceSoap port = travelService.getServiceSoap(); // send order to travel service port.orderTravelAssistance(firstname,lastname,email,reason, destination,duration); } } ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 21
  • 22. Implementation Level Reasoning ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 22
  • 23. The Problem: RBAC with Separation of Duty Role-based access control (RBAC) Subjects are assigned to roles Permissions assign roles to tasks (resources) Separation of duty (SoD) restrict subjects in executing tasks We analyse: Does the RBAC configuration comply to the SoD requirements? yes: static SoD no: dynamic SoD In case of a compliance violation: change RBAC configuration ensure dynamic enforcement of SoD ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 23
  • 24. Security Verification Module (RBAC/SoD Check) ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 24
  • 25. Analysing (Dynamic | Static) Separation of Duty Does the access control enforce a separation of duty constraint Translate the composition plan to ASLan hc rbac_ac(Subject, Role, Task) := CanDoAction(Subject, Role, Task) :- user_to_role(Subject, Role), poto(Role, Task) hc poto_T6 := poto(Staff, Request Travel) hc poto_T6 := poto(Manager, Approve Absence) hc poto_T7 := poto(Manager, Approve Budget) Specify the test goal attack_state sod_securitySod1_1(Subject0,Subject1,Instance1,Instance2) := executed(Subject0,task(Request Travel,Instance1)). executed(Subject1,task(Approve Budget,Instance2)). executed(Subject3,task(Approve Absence,Instance3)) &not(equal(Subject0,Subject1)) &not(equal(Subject1,Subject2)) &not(equal(Subject2,Subject3)) Run the model checker Translate the analysis result back to BPMN (visualisation) ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 25
  • 26. User Interface for the Service Designer ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 26
  • 27. Outline 1 (Secure) Service Composition: Past, Present, and Future 2 The Aniketos Approach: Overview 3 The Aniketos Approach: Exemplary Deep Dive 4 Service Compositions: A Curse or Blessing for Security?
  • 28. Why Are Enterprises Moving Services to the Cloud The shift to the cloud (SaaS) is driven by economical considerations total cost of ownership need for adaptability (flexibility) . . . Core assumption: specialised cloud providers operate systems cheaper (licenses, upgrades, etc.) achieve higher reliability provide more flexibility (elasticity, features, etc.) . . . And security? ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 28
  • 29. Security Chances and Risks of Service Compositions Chances Challenges regular updates XSS, SQL injection, etc. system administration misconfiguration secured data centres specialises systems . . . how to trust the provider data disclosure new attacks tenants as attackers providers as attackers how to control delegation subcontracting . . . ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 29
  • 30. Challenges for Type-based Approaches (in Industry) Real systems are not build from scratch existing frameworks legacy systems . . . Developers hate to write type annotations BufferedReader in = new BufferedReader(converter); we need to advertise type inference, a concise syntax for typed languages, and helpful error messages Weakly/dynamically typed languages are gaining popularity light-weight typed based analysis approaches type systems for well-defined subsets that can interact with the whole language (libraries, etc.) ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 30
  • 31. Conclusion “ The interesting challenges are still ahead of us! Real systems are large and complex: many programming languages or frameworks many security technologies highly distributed There is a trend towards weakly typed languages can we provide type-based analysis for such systems can we provide (strongly) typed alternatives that provide similar flexibility can integrate existing frameworks Security is more than CIA needs to be ensured on all levels implementation level vulnerabilities configuration errors security frameworks/implementation (authentication, crypto) business-level compliance legal frameworks ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 31
  • 32. Thank you for your attention! Any questions or remarks?
  • 33. References Achim D. Brucker and Isabelle Hang. Secure and compliant implementation of business process-driven systems. In Marcello La Rosa and Pnina Soffer, editors, Joint Workshop on Security in Business Processes (SBP), volume 132 of Lecture Notes in Business Information Processing (LNBIP), pages 662–674. Springer-Verlag, 2012. Achim D. Brucker, Isabelle Hang, Gero Lückemeyer, and Raj Ruparel. SecureBPMN: Modeling and enforcing access control requirements in business processes. In ACM symposium on access control models and technologies (SACMAT), pages 123–126. ACM Press, 2012. Achim D. Brucker, Francesco Malmignati, Madjid Merabti, Qi Shi, and Bo Zhou. A framework for secure service composition. In ASE/IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT). IEEE Computer Society, 2013. Luca Compagna, Pierre Guilleminot, and Achim D. Brucker. Business process compliance via security validation as a service. In Manuel Oriol and John Penix, editors, IEEE International Conference on Software Testing, Verification and Validation (ICST), pages 455–462. IEEE Computer Society, 2013. ANIKE OS Service Compositions: Curse or Blessing for Security? 2013-09-24 33