Security Engineering for Service-Oriented Architectures

The growing popularity of Service Oriented Architectures is mainly due to business and technology trendsthat have crystallized over thepast decade. On the business side, companies struggle to survive in a competitive - vironment that pushes them towards a tighter integration into an industry's value chain, to outsource non core business operations or to constantly- engineer business processes. These challenges boosted the demand for sc- able IT-solutions, with e?orts ultimately resulting in a ?exible architectural paradigm - Service Oriented Architectures. On the technical side, middleware standards, technologies and archit- turesbasedonXMLand Webservicesaswellastheirsecurityextensionshave matured to a sound technology base that guarantees interoperability across enterprise and application boundaries - a prerequisite to inter-organizational applications and work?ows. While the principles and concepts of Service Oriented Architectures may lookevidentandcogentfromaconceptualperspective,therealizationofint- organizational work?ows and applications based on the paradigm "Service Oriented Architecture" remains a complex task, and, all the more when it comes to security, the implementation is still bound to low-level technical knowledgeandhence error-prone. The number of books and publications o?ering implementation-level c- erageofthetechnologies,standardsandspeci?cationsasrequiredbytechnical developers lookingfor guidance on how to"add"security to service oriented solutions based on Web services and XML technology is already considerable and ever growing. The present book sets a di?erent focus. Based on the p- adigmof Model Driven Security, it shows how to systematically designand realize security-critical applications for Service Oriented Architectures.

Table of Contents:
The Basics of SOA Security Engineering.- SOA — Standards & Technology.- Basic Concepts of SOA Security.- Domain Architectures.- Realizing SOA Security.- Sectino — A Motivating Case Study from E-Government.- Security Analysis.- Modeling Security Critical SOA Applications.- Enforcing Security with the Sectet Reference Architecture.- Model Transformation & Code Generation.- Software & Security Management.- Extending Sectet: Advanced Security Policy Modeling.- A Case Study from Healthcare.- health@net — A Case Study from Healthcare.

About the Author :
Ruth Breu has been head of the research group Quality Engineering at the University of Innsbruck since 2002. Prior to that, she was a researcher at the Technische Universitat Munchen and Universitat Passau, and spent several years in industry working as a software engineering consultant. Quality Engineering focuses on foundations of model-based software development, in particular in the areas of security engineering, IT governance, model quality assessment and workflow management systems. The research group cooperates with industry partners such as Siemens, Swiss Re and Telekom Austria. Michael Hafner gained his industry experience in the automotive and the telecommunications sectors as a technical consultant on systems integration with Deloitte Consulting before joining the Quality Engineering group as a researcher. In this group he has been responsible for the design and the realization of the SECTET framework, a model-driven security infrastructure for SOA applications.

Review :
From the reviews: "The book is an important reference for professionals engaged in designing security-critical SOA systems. The authors provide an in-depth treatment of security engineering methods using advanced model-based design technology. The detailed examples and case studies make the work extremely valuable for practicing engineers as well as students." - Prof. Janos Sztipanovits, Vanderbilt University, Nashville, TN, USA "Providing the bridge between business and IT the paradigm of service-oriented architecture has an important impact on the future structuring of IT landscapes. Though security is a crucial requirement for many service oriented systems it is too often handled at a mere technical level. With their book, Hafner and Breu provide a valuable contribution to handle security requirements at the business level and to develop sustainable service oriented solutions." - Prof. Dr. Gregor Engels, University of Paderborn and Scientific Director of sd&m Research, Munich ,Germany "Going beyond applied SOA-concepts this book provides a method how to model and integrate security aspects. Including a proof of concept and practical experiences of two real projects it provides a useful reference to everyone dealing with SOA-requirements." - Alexander Lechner, Senior Technical Consultant, world-direct eBusiness/Telekom Austria "Even as a security professional, skilled in low-level computer security mechanisms and details, I cannot ignore the ever growing requests and demands of implementing and enforcing security at higher-levels of the system stack and consider the tremendous advantages of large scale service-oriented architectures for modern software engineering efforts. The model-driven security engineering approach as described here by Hafner and Breu provides an excellent introduction into the very practical and useful topic of modeling and understanding the overall system security ata very high level and then transforming it into lower policy languages. This book does an excellent job in describing the underlying principles and methodologies of this approach. It offers a solution to the dream of practical security architects to understand and describe very abstract and subtle security requirements through high-level models and how to transform those models into enforceable code by transforming the models into executables. The presented methodology has the real potential to make a strong impact on how to build Trusted Platforms in the near future – simply generate them from high-level models." - Dr. Jean-Pierre Seifert, Director Trusted Platform Laboratory, Samsung Electronics Research, San Jose, CA, USA "This extremely valuable book for IT professionals covers these emerging topics of SOA and security. … provide a sound methodological and technical basis for the engineering of security-critical scenarios. The intended audience includes industry professionals and software architects, but it might also be useful to graduate-level students with an orientation in practical/implementation matters. … Most of the chapters contain a lot of figures that are very helpful in understanding the presented material. … To conclude, this is a nice, extremely useful book for practitioners." (M. Ivanovic, ACM Computing Reviews, April, 2009)