DocumentCode
2697068
Title
Static vs. Dynamic Validation of BSP Conformance
Author
Prennschütz-Schützenau, Stefan ; Mukhi, Nirmal K. ; Hada, Satoshi ; Sato, Naoto ; Satoh, Fumiko ; Uramoto, Naohiko
Author_Institution
IBM T.J. Watson Res. Lab., New York, NY, USA
fYear
2009
fDate
6-10 July 2009
Firstpage
919
Lastpage
927
Abstract
WS-I's basic security profile (BSP) defines best practice guidelines for secure Web services communications, enabling interoperability between vendors. However, it is difficult for developers to know if their SOA solutions are in fact compliant to these guidelines. In this paper, we discuss methods to assess compliance against BSP. We have implemented runtime validation of SOAP messages to check for compliance against BSP, a method implied by the BSP definition itself. Additionally, we have implemented a novel approach to statically validate WS security policies against BSP using Schematron. From our experiments, dynamic validation for BSP compliance offers greater coverage but results in a significant overhead, while static validation is limited in its scope but extremely valuable since under reasonable assumptions it provides assurances about compliance prior to deployment. We conclude with a summation of our results and lessons for SOA practitioners.
Keywords
Web services; program diagnostics; program verification; security of data; BSP conformance; SOAP; Schematron; basic security profile; dynamic validation; secure Web services communication; static validation; Best practices; Guidelines; Laboratories; Protection; Runtime; Security; Semiconductor optical amplifiers; Service oriented architecture; Simple object access protocol; Web services; BSP; Web services; Web services security; security policy; validation;
fLanguage
English
Publisher
ieee
Conference_Titel
Web Services, 2009. ICWS 2009. IEEE International Conference on
Conference_Location
Los Angeles, CA
Print_ISBN
978-0-7695-3709-2
Type
conf
DOI
10.1109/ICWS.2009.104
Filename
5175914