Integrating Advanced Security Certification and Policy Management

  • Conference paper
Cyber Security and Privacy (CSP 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 182)

Abstract

Recent models of software provisioning based on cloud architectures co-exist and interact with large and heterogeneous on-premises software ecosystems. In this increasingly complex landscape, organizations and users are striving to deal with assurance in all phases of the software life cycle: acquisition, installation, use and maintenance. In this paper, we start by describing the notion of machine-readable security certificates and discuss how they can be used for assurance-based software selection. Then, we introduce some models and tools that let administrators manage security policies automatically, including policy conflict detection. Finally, we discuss how these two approaches can be integrated to support organizations in (semi-)automatically addressing security requirements throughout the entire software life cycle.

Notes

  1. The FISMA Implementation Project was established in January 2003 to produce security standards and guidelines required by US legislation.

  2. In some cases software vendors may prefer to remove this information to reduce the risk of possible disclosure of the internal functionalities of the software.

  3. For each test case, we show input (I) to the system (including related conditions) and expected output (EO).

  4. Our certificate is conditioned to users trusting the certificate-to-service binding. Such binding can be made trustworthy by a signature of the supplier, or even via a standard ISO/IEC 11889 Trusted Platform Module (TPM).

Acknowledgments

This work is partially supported by projects PoSecco (Grant No. 257129 - www.posecco.eu) and Assert4Soa (Grant No. 257351 - www.assert4soa.eu).

Author information

Correspondence to Stefano Paraboschi.

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bezzi, M., Damiani, E., Paraboschi, S., Plate, H. (2013). Integrating Advanced Security Certification and Policy Management. In: Felici, M. (eds) Cyber Security and Privacy. CSP 2013. Communications in Computer and Information Science, vol 182. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41205-9_5

  • DOI: https://doi.org/10.1007/978-3-642-41205-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41204-2

  • Online ISBN: 978-3-642-41205-9

  • eBook Packages: Computer Science (R0)
