Security Engineering for Service-Oriented Architectures

  • Book
  • © 2009

Overview

  • See how to identify security requirements during all phases of systems engineering

  • Learn how to model and implement security-critical applications and interorganizational workflows using model-driven security

  • Check how to apply the principles of model-driven security through a case study in a healthcare application scenario

  • Includes supplementary material: sn.pub/extras

Table of contents (12 chapters)

  1. The Basics of SOA Security Engineering

  2. A Case Study from Healthcare

About this book

While their basic principles and ideas are well understood and cogent from a conceptual perspective, the realization of interorganizational workflows and applications based on service-oriented architectures (SOAs) remains a complex task, and, especially when it comes to security, the implementation is still bound to low-level technical knowledge and hence inherently error-prone.

Hafner and Breu set a different focus. Based on the paradigm of model-driven security, they show how to systematically design and realize security-critical applications for SOAs. In their presentation, they first detail how systems and security engineering go hand in hand and are integrated from the very start in the requirements elicitation and the design phase. In a second step, they apply the principles of model-driven security to SOAs. Model-driven security is an engineering paradigm that aims at the automatic generation of security-critical executable software for target architectures. Based on the general principles of model-driven software development, the automation of security engineering through proven and reliable mechanisms guarantees correctness and facilitates an agile and flexible approach to the implementation and high-level management of security-critical systems.

Their book addresses IT professionals interested in the design and realization of modern security-critical applications. It presents a synthesis of various best practices, standards and technologies from model-driven software development, security engineering, and SOAs. As a reader, you will learn how to design and realize SOA security using the framework of an extensible domain architecture for model-driven security.

Reviews

From the reviews:

"The book is an important reference for professionals engaged in designing security-critical SOA systems. The authors provide an in-depth treatment of security engineering methods using advanced model-based design technology. The detailed examples and case studies make the work extremely valuable for practicing engineers as well as students." - Prof. Janos Sztipanovits, Vanderbilt University, Nashville, TN, USA

"Providing the bridge between business and IT the paradigm of service-oriented architecture has an important impact on the future structuring of IT landscapes. Though security is a crucial requirement for many service oriented systems it is too often handled at a mere technical level. With their book, Hafner and Breu provide a valuable contribution to handle security requirements at the business level and to develop sustainable service oriented solutions." - Prof. Dr. Gregor Engels, University of Paderborn and Scientific Director of sd&m Research, Munich, Germany

"Going beyond applied SOA-concepts this book provides a method how to model and integrate security aspects. Including a proof of concept and practical experiences of two real projects it provides a useful reference to everyone dealing with SOA-requirements." - Alexander Lechner, Senior Technical Consultant, world-direct eBusiness/Telekom Austria

"Even as a security professional, skilled in low-level computer security mechanisms and details, I cannot ignore the ever growing requests and demands of implementing and enforcing security at higher-levels of the system stack and consider the tremendous advantages of large scale service-oriented architectures for modern software engineering efforts. The model-driven security engineering approach as described here by Hafner and Breu provides an excellent introduction into the very practical and useful topic of modeling and understanding the overall system security at a very high level and then transforming it into lower policy languages. This book does an excellent job in describing the underlying principles and methodologies of this approach. It offers a solution to the dream of practical security architects to understand and describe very abstract and subtle security requirements through high-level models and how to transform those models into enforceable code by transforming the models into executables. The presented methodology has the real potential to make a strong impact on how to build Trusted Platforms in the near future – simply generate them from high-level models." - Dr. Jean-Pierre Seifert, Director Trusted Platform Laboratory, Samsung Electronics Research, San Jose, CA, USA

"This extremely valuable book for IT professionals covers these emerging topics of SOA and security. … provide a sound methodological and technical basis for the engineering of security-critical scenarios. The intended audience includes industry professionals and software architects, but it might also be useful to graduate-level students with an orientation in practical/implementation matters. … Most of the chapters contain a lot of figures that are very helpful in understanding the presented material. … To conclude, this is a nice, extremely useful book for practitioners." (M. Ivanovic, ACM Computing Reviews, April, 2009)

Authors and Affiliations

  • Inst. Informatik FG Quality Engineering, Universität Innsbruck, Innsbruck, Austria

    Michael Hafner, Ruth Breu

About the authors

Ruth Breu has been head of the research group Quality Engineering at the University of Innsbruck since 2002. Prior to that, she was a researcher at the Technische Universität München and Universität Passau, and spent several years in industry working as a software engineering consultant. Quality Engineering focuses on foundations of model-based software development, in particular in the areas of security engineering, IT governance, model quality assessment and workflow management systems. The research group cooperates with industry partners such as Siemens, Swiss Re and Telekom Austria.

Michael Hafner gained his industry experience in the automotive and the telecommunications sectors as a technical consultant on systems integration with Deloitte Consulting before joining the Quality Engineering group as a researcher. In this group he has been responsible for the design and the realization of the SECTET framework, a model-driven security infrastructure for SOA applications.

Bibliographic Information

  • Book Title: Security Engineering for Service-Oriented Architectures

  • Authors: Michael Hafner, Ruth Breu

  • DOI: https://doi.org/10.1007/978-3-540-79539-1

  • Publisher: Springer Berlin, Heidelberg

  • eBook Packages: Computer Science, Computer Science (R0)

  • Copyright Information: Springer-Verlag Berlin Heidelberg 2009

  • Hardcover ISBN: 978-3-540-79538-4 (Published: 10 October 2008)

  • Softcover ISBN: 978-3-642-09847-5 (Published: 19 October 2010)

  • eBook ISBN: 978-3-540-79539-1 (Published: 16 October 2008)

  • Edition Number: 1

  • Number of Pages: XVI, 248

  • Number of Illustrations: 124 b/w illustrations

  • Topics: Software Engineering, Systems and Data Security, Information Systems Applications (incl. Internet)
