Posted on 2024-07-11, 10:56. Authored by Artem Vorobiev, Jun Han.
The security characteristics of web service based systems depend on those of the individual web services (WS) involved and the way in which they are related to each other. In principle, the security characteristics of WS or systems can be expressed as security properties that are published and available to external parties. Only by knowing the security properties of an individual WS can another WS invoke it (if it satisfies certain security requirements and capabilities), and only then can the overall system’s security properties be analysed and deduced. In our earlier work, we developed the security characterisation language, SCL, to specify the static security properties of software components and systems. In this paper, we use SCL to describe the security properties of WS and further enhance the language with the capability of specifying dynamic security characteristics. The extended version of SCL (E-SCL) incorporates features such as time, time intervals, time sequence, probability, runtime conditions, and alternative security properties. Furthermore, we have developed a WS security ontology and applied it together with E-SCL to publish the dynamic security properties of WS using OWL-S and analyse them dynamically. Our approach is illustrated with an example email system.