Abstract
Today, keeping a service application that runs over the internet safe and secure is a challenging task. Based on a collection of security requirements, a so-called golden configuration can be created for such an application. When the application has been configured according to this golden configuration, it is assumed to satisfy these requirements, that is, to be safe and secure. This assumption rests on the best practices that were used for creating the golden configuration, and on assumptions such as that nothing out of the ordinary occurs. Whether the requirements are actually violated can be checked on the traces that the configured service application leaves behind. Today's applications typically log an enormous amount of data to keep track of everything that has happened. As a result, such an event log can be regarded as the ground truth for the entire application: a security requirement is violated if and only if the violation shows in the event log. This paper introduces the ProMSecCo tool, which has been built to check whether the security requirements that were used to create the golden configuration are violated by the event log generated by the configured service application.
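To make the "violated if and only if it shows in the event log" idea concrete, here is a small added example of an online monitor that replays a constructed, XES-style event stream (case id, activity, resource) and checks two constructed security requirements against it. It is illustrative code written for this page, not ProMSecCo's implementation; the requirements R1 and R2, the activity names and the log contents are all assumptions.

```python
"""Toy online compliance monitor over an event stream (added example, not ProMSecCo code)."""

# Constructed sample event log, flattened from XES-like attributes:
# (case id = session, concept:name = activity, org:resource = actor).
# Assumption: the service application logs at least these three attributes.
SAMPLE_LOG = [
    ("s1", "login", "alice"),
    ("s1", "read_record", "alice"),
    ("s2", "read_record", "bob"),        # no login in session s2 -> R1 violation
    ("s3", "login", "carol"),
    ("s3", "change_config", "carol"),
    ("s3", "approve_config", "carol"),   # carol approves her own change -> R2 violation
    ("s4", "login", "dave"),
    ("s4", "change_config", "dave"),
    ("s4", "approve_config", "erin"),    # different approver -> compliant
]


class Monitor:
    """Checks each event as it arrives, keeping only the per-case state the rules need.

    R1 (constructed): no activity in a session before a 'login' in that session.
    R2 (constructed, four-eyes): 'approve_config' must not be done by the resource
       that performed 'change_config' in the same session.
    """

    def __init__(self):
        self.authenticated = set()   # sessions that have seen a login
        self.changed_by = {}         # session -> resource that changed the config
        self.violations = []         # (case, rule, explanation), in detection order

    def observe(self, case, activity, resource):
        if activity == "login":
            self.authenticated.add(case)
        elif case not in self.authenticated:
            self.violations.append((case, "R1", f"{activity} before login"))
        if activity == "change_config":
            self.changed_by[case] = resource
        if activity == "approve_config" and self.changed_by.get(case) == resource:
            self.violations.append((case, "R2", f"{resource} approved own change"))


def check_log(events):
    """Replay an event list through the monitor and return the violations found."""
    monitor = Monitor()
    for case, activity, resource in events:
        monitor.observe(case, activity, resource)
    return monitor.violations


if __name__ == "__main__":
    for violation in check_log(SAMPLE_LOG):
        print(violation)
```

Because the monitor only needs the current event and a little per-session state, it can run on a live stream as well as on a stored log.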
Notes
1. European FP7 project on POlicy and SECurity COnfiguration management, see http://www.posecco.eu/.
2. The event log and other files used can be downloaded from http://www.promtools.org/prom6/PoSecCo.
3. ProMSecCo can be downloaded from http://www.promtools.org/prom6/PoSecCo/.
© 2015 Springer International Publishing Switzerland
Cite this paper
van der Werf, J.M.E.M., Verbeek, H.M.W. (2015). Online Compliance Monitoring of Service Landscapes. In: Fournier, F., Mendling, J. (eds) Business Process Management Workshops. BPM 2014. Lecture Notes in Business Information Processing, vol 202. Springer, Cham. https://doi.org/10.1007/978-3-319-15895-2_8
DOI: https://doi.org/10.1007/978-3-319-15895-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15894-5
Online ISBN: 978-3-319-15895-2
eBook Packages: Computer Science (R0)