
Current trends in the IT industry suggest that software systems in the future will be very different from their counterparts today, due to greater adoption of Service-Oriented Architectures (SOAs), the wider spread of the deployment of Software-as-a-Service (SaaS), and the increased use of wireless and mobile technologies. These trends point to large-scale, heterogeneous ICT infrastructures hosting applications that are dynamically built from loosely-coupled, well-separated services, where key non-functional properties like security, privacy, and reliability will be of increased and critical importance.

Pushing the SOA vision on an open ICT infrastructure requires careful re-thinking of current development, testing, and verification methodologies, and introduces the need for new assurance techniques that will increase the users’ trust that services will satisfy their functional and non-functional requirements. The term certification has several different meanings in ICT. Software practitioners can earn a certificate for expertise in a certain hardware or software technology. The maturity of crucial IT processes, such as software development, can be – and is often – certified. Even individual software systems can be certified as having particular non-functional properties, including safety, security, or privacy. In the ASSERT4SOA vision, certification is fundamental to establishing a trust model suitable for service ecosystems.

The ASSERT4SOA project is aimed at supporting new certification scenarios, where the security certification of services is required and plays a major role. Current certification schemes, however, are either insufficient in addressing the needs of such scenarios or not applicable at all. In current certification schemes, for instance, certificates are awarded to traditional, monolithic software systems and become invalid when a system performs run-time selection and composition of components. Also, current certificates lack a machine-readable format for expressing security properties. Thus, they cannot be used to support and automate run-time security assessment. As a result, today’s certification schemes simply do not provide, from an end-user perspective, a reliable way to assess the trustworthiness of a composite application in the context where (and at the time when) it will actually be executed.

ASSERT4SOA relies on existing SOA standards and certification processes in order to provide a solution and an architecture that will integrate and extend the Web service environment with a security certification process for services. ASSERT4SOA will:

  1. build a novel solution for service security certification;
  2. provide an approach that allows run-time management of security, privacy, and reliability properties of individual services, and of the business processes and applications based on them;
  3. demonstrate the benefits of integrating a certification process within the SOA’s automatic service selection and composition processes;
  4. research the obstacles to practical adoption of a service security certification process.

ASSERT4SOA will produce novel techniques, tools, and an architecture for expressing, assessing, and certifying security properties for complex service-oriented applications, composed of distributed software services that may dynamically be selected, assembled and replaced, and running within complex and continuously evolving software ecosystems. ASSERT4SOA will also enrich and adapt service discovery and composition processes to certified services.

The ASSERT4SOA certification will be handled as a dedicated set of newly developed services, collectively referred to as the ASSERT4SOA architecture, fully integrated within the SOA-based software system lifecycle. The ASSERT4SOA architecture will enable backward compatibility of existing certification processes within the SOA context, a new ontology-based format for certificates, linking security properties with evidence supporting them, and runtime certificate-aware service selection based on target assurance level for composite applications.

ASSERT4SOA will therefore increase security and trust in SOA and Web service computation paradigms and infrastructure for business process management. Furthermore, the ASSERT4SOA architecture will provide a solution to integrate a certification process in the SOA lifecycle.
