DocumentCode
1833442
Title
Security Evaluation of Service-oriented Systems with an Extensible Knowledge Base
Author
Jung, Christian ; Rudolph, Manuel ; Schwarz, Reinhard
Author_Institution
Fraunhofer Inst. for Exp. Software Eng. (IESE), Kaiserslautern, Germany
fYear
2011
fDate
22-26 Aug. 2011
Firstpage
698
Lastpage
703
Abstract
Service-oriented software architectures promise enhanced interoperability, reusability, and flexibility for the implementation of business processes. However, assuring the quality of SOA software is challenging due to the distributed, inhomogeneous, and often non-transparent nature of service building blocks. Especially security, which is an overarching quality concern of a system, poses a hard problem for quality assurance in a SOA context. We have developed SiSOA, a method for static security analysis of SOA systems based on reverse-engineering techniques to recover the software architecture and to extract security-related information from available system artifacts. In SiSOA, the extraction and aggregation of security facts is controlled by security rules stored in an extensible knowledge base. In this paper, we describe the structure of the SiSOA knowledge base, its underlying principles, and its role within the SiSOA methodology. We briefly survey our SiSOA prototype tool, and we illustrate the application of knowledge base rules with exemplary security scenarios.
Keywords
knowledge based systems; open systems; program diagnostics; quality assurance; reverse engineering; security of data; service-oriented architecture; software quality; software reusability; SOA software quality; SiSOA; business processes; extensible knowledge base; knowledge base rules; quality assurance; reverse-engineering techniques; security evaluation; security-related information extraction; service building blocks; service-oriented software architectures; service-oriented systems; software flexibility; software interoperability; software reusability; static security analysis; system artifacts; IEEE Potentials; Knowledge based systems; Prototypes; Security; Service oriented architecture; Tagging; Security; architecture-centric software assessment; security evaluation; service-oriented architectures;
fLanguage
English
Publisher
ieee
Conference_Titel
Availability, Reliability and Security (ARES), 2011 Sixth International Conference on
Conference_Location
Vienna
Print_ISBN
978-1-4577-0979-1
Electronic_ISBN
978-0-7695-4485-4
Type
conf
DOI
10.1109/ARES.2011.109
Filename
6046023