Test-Based Security Certification of Composite Services

The diffusion of service-based and cloud-based systems has created a scenario where software is often made available as services, offered as commodities over corporate networks or the global net. This scenario supports the definition of business processes as composite services, which are implemented via either static or runtime composition of offerings provided by different suppliers. Fast and accurate evaluation of service's security properties becomes then a fundamental requirement and is nowadays part of the software development process. In this article, we show how the verification of security properties of composite services can be handled by test-based security certification and built to be effective and efficient in dynamic composition scenarios. Our approach builds on existing security certification schemes for monolithic services and extends them towards service compositions. It virtually certifies composite services, starting from certificates awarded to the component services. We describe three heuristic algorithms for generating runtime test-based evidence of the composite service holding the properties. These algorithms are compared with the corresponding exhaustive algorithm to evaluate their quality and performance. We also evaluate the proposed approach in a real-world industrial scenario, which considers ENGpay online payment system of Engineering Ingegneria Informatica S.p.A. The proposed industrial evaluation presents the utility and generality of the proposed approach by showing how certification results can be used as a basis to establish compliance to Payment Card Industry Data Security Standard.