SOA Vulnerability Evaluation using Run-Time Dependency Measurement

SOA Vulnerability Evaluation through Run-Time Dependency Measurement

  • Kim, Yu-Kyung (Department of Computer Engineering, Hanyang University ERICA Campus)
  • Doh, Kyung-Goo (Department of Computer Engineering, Hanyang University ERICA Campus)
  • Received : 2011.04.15
  • Accepted : 2011.05.18
  • Published : 2011.05.31

Abstract

Traditionally, research in Service-Oriented Architecture (SOA) security has focused primarily on applying individual standards and solutions separately; there is no unified methodology for SOA security that manages risk at the enterprise level. Security threats need to be analyzed in advance, and enterprise risk managed, by identifying the vulnerabilities of an SOA. In this paper, we propose a metric-based vulnerability assessment method that uses the dynamic properties of services in an SOA. The method assesses vulnerability at the architecture level as well as the service level by measuring run-time dependency between services. Run-time dependency between services is an important characteristic for understanding which services are affected by a vulnerable service: all services that directly or indirectly depend on the vulnerable service are exposed to the risk. Run-time dependency is therefore a good indicator of the vulnerability of an SOA.

To date, Service-Oriented Architecture (SOA) security has concentrated on responses based on individual standards and solutions, and an integrated methodology at the level of enterprise-wide risk management is lacking. Advance analysis of, and countermeasures against, the various security threats are therefore needed, based on identifying SOA security vulnerabilities. To this end, this paper proposes a metric-based vulnerability assessment method that uses the dynamic characteristics of an SOA to analyze SOA vulnerability quantitatively. Vulnerability at the service and architecture levels is assessed by measuring the run-time dependency between the services that make up the SOA. Run-time dependency between services is an important characteristic used to analyze how much other services are affected when one service is vulnerable. When a service is exposed to attack, the services that depend on it also become more attackable. Run-time dependency can therefore be used as an indicator of architecture-level SOA vulnerability.
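As an added illustration of the idea in the abstract (this is not code from the paper or its authors), the following Python builds a run-time dependency graph from a constructed sample of invocation records, computes the set of services that directly or indirectly depend on a given vulnerable service, and derives a service-level and an architecture-level exposure figure from that set. The exposure ratio (share of other services reached through the reverse transitive closure) and its mean over all services are assumed simplifications for demonstration, not the paper's metric definitions; the service names and invocation records are constructed.

```python
from collections import defaultdict

# Constructed sample of run-time invocation records (caller, callee), of the kind a
# monitoring layer would log for a service-oriented system; not data from the paper.
SAMPLE_INVOCATIONS = [
    ("OrderService", "PaymentService"),
    ("OrderService", "InventoryService"),
    ("PaymentService", "FraudCheckService"),
    ("FraudCheckService", "CustomerService"),
    ("ShippingService", "InventoryService"),
    ("ReportingService", "OrderService"),
    ("CustomerService", "OrderService"),   # closes a call cycle back to OrderService
    ("OrderService", "PaymentService"),    # repeated call; it is one dependency edge, not two
]


def build_dependency_graph(invocations):
    """Return (depended_by, services) from observed invocations.

    depended_by maps a callee to the set of its direct callers, i.e. the services
    that depend on it at run time. Duplicate invocations collapse to one edge.
    """
    depended_by = defaultdict(set)
    services = set()
    for caller, callee in invocations:
        services.update((caller, callee))
        depended_by[callee].add(caller)
    return depended_by, services


def exposed_services(depended_by, vulnerable):
    """Services that directly or indirectly depend on `vulnerable`.

    This is the reverse transitive closure over the dependency graph; the visited
    set makes it terminate on call cycles, and the vulnerable service is not
    counted as depending on itself.
    """
    exposed = set()
    stack = [vulnerable]
    while stack:
        current = stack.pop()
        for caller in depended_by.get(current, ()):
            if caller != vulnerable and caller not in exposed:
                exposed.add(caller)
                stack.append(caller)
    return exposed


def service_exposure(depended_by, services, vulnerable):
    """Assumed service-level metric: share of the other services that would be
    affected if `vulnerable` were compromised (0.0 to 1.0)."""
    others = len(services) - 1
    if others <= 0:
        return 0.0
    return len(exposed_services(depended_by, vulnerable)) / others


def architecture_exposure(depended_by, services):
    """Assumed architecture-level metric: mean service exposure over all services."""
    if not services:
        return 0.0
    return sum(service_exposure(depended_by, services, s) for s in services) / len(services)


def rank_by_exposure(invocations):
    """Services sorted from most to least exposure, as (name, metric) pairs."""
    depended_by, services = build_dependency_graph(invocations)
    scored = [(s, service_exposure(depended_by, services, s)) for s in services]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    graph, names = build_dependency_graph(SAMPLE_INVOCATIONS)
    for name, score in rank_by_exposure(SAMPLE_INVOCATIONS):
        affected = sorted(exposed_services(graph, name))
        print(f"{name:20s} exposure={score:.2f} affected={affected}")
    print(f"architecture-level exposure: {architecture_exposure(graph, names):.3f}")
```

In the sample, InventoryService ranks highest even though it calls nothing itself: every other service reaches it through the call chain, which is exactly the point the abstract makes about run-time (rather than design-time) dependency. The cycle through CustomerService and OrderService shows why the closure must track visited nodes; a naive recursive walk would not terminate there.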

Cited by

  1. Profile-Based Dynamic Service Binding for Evolution of Converged Services, vol. 18, no. 2, 2013, https://doi.org/10.7838/jsebs.2013.18.2.027
  2. A Study on Key Performance Indicator Priorities for Efficient Business Process Management of Small and Medium-sized Partner Companies, vol. 16, no. 4, 2011, https://doi.org/10.7838/jsebs.2011.16.4.321