PWSSEC: Secure Web Services-based Systems Development Process

Abstract

Web services (WS, hereafter) paradigm has attained such a relevance in both, the academic and industry world, that the vision of Internet is evolving, passing from being considered as a mere repository of data to become the underlying infrastructure on which complex business processes and alliances are being deployed. Security is a key aspect if WS are to be generally accepted and adopted. In fact, over the past years, the most important consortiums of Internet, like IETF, W3C or OASIS, are producing a huge number of WS-based security standards. Despite of this spectacular growing, a development process that facilitates the systematic integration of security within all stages of WS-based software development life-cycle does not exist yet. In this paper, we present PWSSec (Process for Web Services Security) as a security requirement-centered, and architectural and standard-based process that guides developers of WS-based systems when integrating security in their development processes. PWSSec is composed of three stages, WSSecReq (Web Services Security Requirements), WSSecArch (Web Services Security Architecture) and WSSecTech (Web Services Security Technologies) that enable and facilitates the activities of specifying WS-specific security requirements, defining WS-based security architectures and identifying and configuring WS-based security standards, respectively.