Home Work Packages

WP4: ASSERT-E: Evidence based certificate

WP Leader: UNIMI

WP4 focuses on the structure and handling of ASSERT–E certificates. These certificates, part of the modular ASSERT4SOA certification, aim to (i) prove that some test–related assurance activities have been carried out on a service, and (ii) specify which security properties these activities were meant to support. Checking ASSERT–E certificates will allow a service consumer to ascertain that the assurance level provided by the certificate complies with its own requirements. This will increase consumers’ confidence that their assurance requirements can be met (or, better, that they have been met at the time and in the context of certification),
substantiating the claims of service providers concerning their services security and dependability.

WP4 focuses on the structure and handling of ASSERT4SOA evidence–based certificates. These certificates, part of the modular ASSERT4SOA certification, aim to (i) prove that some test–related assurance activities have been carried out on a service, and (ii) specify which security properties these activities were meant to support. More specifically, WP4 will define all testing process artifacts used by the ASSERT4SOA certification process. Testing process artifacts will enable a trusted third party certifier to generate an evidence–based certificate guaranteeing that some tests have been performed on a method, service (or on an entire business process) in a given context and with a certain result. Also, evidence–based certificates will in most cases specify which property the tests are meant to support, and if (and how) the property was used to generate the test cases. In WP4, the ASSERT4SOA certifier will be seen as an independent, trusted tester who is trusted by both the provider and the customer to run ad–hoc test suites (or generate new ones if needed) to check the conformance of the selected services with the customer's security requirements, expressed in terms of security properties. The certifier will specify the technique used for the generation of test cases based on the information available about the service, such as, the WSDL interface, annotation metadata (e.g., pre– and post–conditions written in
service description languages like OWL–S), and the property to be certified. Also, test of composite services will include representation of the specific service composition used for the testing, including run–time services binding.

ASSERT4SOA evidence–based certifications will be comparable in terms of: i) a partial order linking security properties and their relations (defined in WP3); ii) annotation describing the characteristics of the test suites, the list of applied tests and so on (defined based on a vocabulary introduced in WP3). Comparison will be part of evidence–based certificate checking and will allow to match preferences of the adopters in terms of security properties with evidence–based certificates of the services that proof some of these properties. In addition, the customers can directly check the annotation to find out if the certification of a given service is compliant with their preferences.

WP4 will help in increasing the customers’ confidence that their assurance requirements can be met (or, better, that they have been met at the time and in the context of certification), substantiating the claims of service providers concerning their services security and dependability.

Task 4.1: Evidence-based Certification Artifacts for Services (Leader: UniMi, M1-M12):
In this task, service–specific descriptions of evidence–based assurance procedures will be provided, enabling detailed specification of testing practices (environment, run–time context) and outcome. Artifacts will represent the outcome and context of testing single web services or composed services, including run–time services binding. This task will be strictly coordinated with the lifecycle notions developed in WP2 and will provide input for WP7.

Task 4.2: Matching algorithm for evidence-based certification (Leader: UniMi, M1-M24):
Algorithms and techniques will then be designed and developed for checking compliance of an evidence–based certificate w.r.t. an assurance level or policy involving a set of desired security properties. Evidence based certificates checking will include verification of techniques used for generating the test cases, as well as of the quality of the test plan. Also, it will include computing comparison between certificates of the same property.

Task 4.3: Standalone Proof-of-concept Solution (Leader: UniMi, M13-M24):
Proof–of–concept validation of the algorithms and techniques introduced in WP4. Validation will also involve the evaluation of the relevance of evidence–based certification. This task will be provided in isolation without involving framework activity in WP6.

Task 4.4: Architectural Solutions for Evidence-based Certificates (Leader: UniMi, M13-M36):
Suitable architectural patterns will be described, specifying test–specific interactions between service providers, certifiers and users. These patterns will be coordinated with the framework definition activity in WP6. Guidelines for transparent integration of evidence–based certificate handling facilities within orchestrations will be also covered, e.g., supporting run–time re–testing when appropriate. This activity will be also coordinated with the lifecycle notions developed in WP2.

template joomla