Model-based Security Engineering of SOA Systems Using Modified "UML-SOA-Sec"

Abstract

In SOA environment, software systems are composed of services which are scattered across enterprises and architectures. Security play vital role during the design, development and operation of SOA application. However, analysis of today’s software development approaches reveals that the engineering of security into the system design is often neglected. Currently security is incorporated in SOA applications in an ad-hoc manner and integrated during the applications development phase or administration phase or it is out sourced. In practice security is not defined during the early phases of software development and left onto developers. Properly configuring security requirements in SOA applications is quite difficult for developers because they are not security experts; furthermore, SOA security is cross-domain and all required information is not available at downstream phases. This reveals the importance of adding security objectives in early development phases i.e. at design phase by the business process expert. However, a business process expert is unable to specify security objectives due to lake of security modelling elements in a general purpose modelling languages. As a result, he/she either ignores the security objectives in a business process model or indicates them in textual way. The post-hoc, low-level integration of security has a negative impact on resulting SOA applications. A Domain Specific Language named “UML-SOA-Sec” is proposed for the Model driven development of secure SOA systems based on the UML. Aim is to facilitate the business process expert in modelling the security requirements along the business process modelling. This security annotated business process model will facilitate the security expert in specifying the concrete security implementation. As a proof of work; proposed “UML-SOA-Sec” is applied to modelling of a typical business process of healthcare system.