Skip to main content
SpringerLink
Log in

Towards a Model-Driven Security Assurance of Open Source Components

  • Conference paper
  • First Online:
Software Engineering for Resilient Systems (SERENE 2017)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 10479))

Included in the following conference series:

Abstract

Open Source software is increasingly used in a wide spectrum of applications. While the benefits of the open source components are unquestionable now, there is a great concern over security assurance provided by such components. Often open source software is a subject of frequent updates. The updates might introduce or remove a diverse range of features and hence violate security properties of the previous releases. Obviously, a manual inspection of security would be prohibitively slow and inefficient. Therefore, there is a great demand for the techniques that would allow the developers to automate the process of security assurance in the presence of frequent releases. The problem of security assurance is especially challenging because to ensure scalability, such main open source initiatives, as OpenStack adopt RESTful architecture. This requires new security assurance techniques to cater to stateless nature of the system. In this paper, we propose a model-driven framework that would allow the designers to model the security concerns and facilitate verification and validation of them in an automated manner. It enables a regular monitoring of the security features even in the presence of frequent updates. We exemplify our approach with the Keystone component of OpenStack.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. API Examples using Curl. https://docs.openstack.org/developer/keystone/devref/api_curl_examples.html. Accessed June 2017

  2. cURL. http://curl.haxx.se/. Accessed 20 May 2017

  3. HTTP Authentication. http://www.httpwatch.com/httpgallery/authentication/. Accessed 20 Aug 2013

  4. KeyStone Security and Architecture Review. https://www.openstack.org/summit/openstack-summit-atlanta-2014/session-videos/presentation/keystone-security-and-architecture-review. Accessed June 2017

  5. SOAP Request and CURL. http://dasunhegoda.com/make-soap-request-command-line-curl/596/. Accessed June 2017

  6. Web services resources framework (wsrf 1.2). https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrf. Accessed 01 Nov 2013

  7. Abramov, J., Anson, O., Dahan, M., Shoval, P., Sturm, A.: A methodology for integrating access control policies within database development. Comput. Secur. 31(3), 299–314 (2012)

    Article  Google Scholar 

  8. Alam, M.M., Breu, R., Breu, M.: Model driven security for web services (MDS4WS). In: Proceedings of INMIC 2004 - 8th International Multitopic Conference, pp. 498–505. IEEE (2004)

    Google Scholar 

  9. Almorsy, M., Grundy, J., Ibrahim, A.S.: Adaptable, model-driven security engineering for SaaS cloud-based applications. Autom. Softw. Eng. 21(2), 187–224 (2014)

    Article  Google Scholar 

  10. Atkinson, B., Della-Libera, G., Hada, S., Hondo, M., Hallam-Baker, P., Klein, J., LaMacchia, B., Leach, P., Manferdelli, J., Maruyama, H., et al.: Web services security (WS-Security). Specification, Microsoft Corporation (2002)

    Google Scholar 

  11. Berners-Lee, T., Fielding, R., Frystyk, H.: Hypertext transfer protocol-HTTP/1.0 (1996)

    Google Scholar 

  12. Davis, D., Malhotra, A., Warr, O.K., Chou, W.: Web services transfer (WS-Transfer). World Wide Web Consortium, Recommendation REC-ws-transfer-20111213 (2011)

    Google Scholar 

  13. Demuth, B., Wilke, C.: Model and object verification by using Dresden OCL. In: Proceedings of the Russian-German Workshop Innovation Information Technologies: Theory and Practice, pp. 81–89 (2009)

    Google Scholar 

  14. Garcia, M., Shidqie, A.J.: OCL compiler for EMF. In: Eclipse Modeling Symposium at Eclipse Summit Europe (2007)

    Google Scholar 

  15. Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toahchoodee, M., Houmb, S.H.: An aspect-oriented methodology for designing secure applications. Inf. Softw. Technol. 51(5), 846–864 (2009)

    Article  Google Scholar 

  16. Jürjens, J.: Towards development of secure systems using UMLsec. In: Hussmann, H. (ed.) FASE 2001. LNCS, vol. 2029, pp. 187–200. Springer, Heidelberg (2001). doi:10.1007/3-540-45314-8_14

    Chapter  Google Scholar 

  17. Jürjens, J., Shabalin, P.: Tools for secure systems development with UML. Int. J. Softw. Tools Technol. Transf. 9(5–6), 527–544 (2007)

    Article  Google Scholar 

  18. Meyer, B.: Applying ‘design by contract’. Computer 25(10), 40–51 (1992)

    Article  Google Scholar 

  19. Nguyen, H.P., Kramer, M., Klein, J., Traon, Y.L.: An extensive systematic review on the model-driven development of secure systems. Inf. Softw. Technol. 68, 62–81 (2015)

    Article  Google Scholar 

  20. OMG: OCL, OMG Available Specification, Version 2.0 (2006)

    Google Scholar 

  21. Pepple, K.: Deploying OpenStack. O’Reilly Media Inc., Sebastopol (2011)

    Google Scholar 

  22. Porres, I., Rauf, I.: From nondeterministic UML protocol statemachines to class contracts. In: 2010 Third International Conference on Software Testing, Verification and Validation (ICST), pp. 107–116. IEEE (2010)

    Google Scholar 

  23. Porres, I., Rauf, I.: Modeling behavioral restful web service interfaces in UML. In: Proceedings of the 2011 ACM Symposium on Applied Computing, pp. 1598–1605. ACM (2011)

    Google Scholar 

  24. Rauf, I., Porres, I.: REST: from research to practice. In: Wilde, E., Pautasso, C. (eds.) Beyond CRUD, vol. 2029, pp. 117–135. Springer, New York (2011). doi:10.1007/978-1-4419-8303-9_5

    Google Scholar 

  25. Rauf, I., Ruokonen, A., Systa, T., Porres, I.: Modeling a composite restful web service with UML. In: Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, pp. 253–260. ACM (2010)

    Google Scholar 

  26. Rauf, I., Siavashi, F., Truscan, D., Porres, I.: Scenario-based design and validation of REST web service compositions. In: Monfort, V., Krempels, K.-H. (eds.) WEBIST 2014. LNBIP, vol. 226, pp. 145–160. Springer, Cham (2015). doi:10.1007/978-3-319-27030-2_10

    Chapter  Google Scholar 

  27. Sefraoui, O., Aissaoui, M., Eleuldj, M.: Openstack: toward an open-source solution for cloud computing. Int. J. Comput. Appl. 55(3) (2012)

    Google Scholar 

  28. OMG Uml. 2.0 superstructure specification. OMG, Needham (2004)

    Google Scholar 

  29. Webber, J., Parastatidis, S., Robinson, I.: REST in Practice: Hypermedia and Systems Architecture. O’Reilly Media Inc., Sebastopol (2010)

    Book  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Åbo Akademi University, Turku, Finland

    Irum Rauf & Elena Troubitsyna

Authors
  1. Irum Rauf
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elena Troubitsyna
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Irum Rauf .

Editor information

Editors and Affiliations

  1. Newcastle University, Newcastle-upon-Tyne, United Kingdom

    Alexander Romanovsky

  2. Åbo Akademi University, Turku, Finland

    Elena A. Troubitsyna

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Rauf, I., Troubitsyna, E. (2017). Towards a Model-Driven Security Assurance of Open Source Components. In: Romanovsky, A., Troubitsyna, E. (eds) Software Engineering for Resilient Systems. SERENE 2017. Lecture Notes in Computer Science(), vol 10479. Springer, Cham. https://doi.org/10.1007/978-3-319-65948-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-65948-0_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-65947-3

  • Online ISBN: 978-3-319-65948-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation