Francesco Malmignati | Selex ES
Papers by Francesco Malmignati
Software - Practice and Experience, Jul 7, 2017
In the world of large-scale applications, software-as-a-service (SaaS) in general and use of micro-services, in particular, is bringing service-oriented architectures (SOA) to a new level: systems in general and systems that interact with human users (e.g., socio-technical systems) in particular are built by composing micro-services that are developed independently and operated by different parties. At the same time, SaaS applications are used more and more widely by enterprises as well as public services for providing critical services, including those processing security or privacy of relevant data. Therefore providing secure and reliable service compositions is increasingly needed to ensure the success of SaaS solutions. Building such service compositions securely is still an unsolved problem. In this paper, we present a framework for modelling, validating, and ranking secure service compositions that integrate both automated services as well as services that interact with humans. As a unique feature, our approach for ranking services integrates validated properties (e.g., based on the result of formally analysing the source code of a service implementation) as well as contractual properties that are part of the service-level-agreement and, thus, not necessarily ensured on a technical level.
Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements difficult. As the number of security requirements is increasing dramatically, there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications. In this paper, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the "security as an afterthought" paradigm.
Software: Practice and Experience, 2017
Summary: In the world of large‐scale applications, software as a service (SaaS) in general and use of microservices, in particular, is bringing service‐oriented architectures to a new level: Systems in general and systems that interact with human users (eg, sociotechnical systems) in particular are built by composing microservices that are developed independently and operated by different parties. At the same time, SaaS applications are used more and more widely by enterprises as well as public services for providing critical services, including those processing security or privacy of relevant data. Therefore, providing secure and reliable service compositions is increasingly needed to ensure the success of SaaS solutions. Building such service compositions securely is still an unsolved problem. In this paper, we present a framework for modelling, validating, and ranking secure service compositions that integrate both automated services as well as services that interact with humans. As...
Lecture Notes in Computer Science, 2014
ABSTRACT Automatic translation of elicited consumer security requirements at high level (problem space) into application or service level security requirements (solution space) has been traditionally the Achilles’ heel of security requirements engineering. Such automated translation would result in significant failure and cost reduction in application development and maintenance, particularly in those complex applications based on compositions and choreographies of services. In this paper we present a framework which makes a step forward to solve this dilemma. The framework supports the engineering of composite service security and trust requirements directly derived from the organisational needs expressed for such service. The followed approach starts with the modelling of organisation actors’ objectives and commitments among these actors, and follows with the transformation of such commitments into security elements in the service business process specification and into a consumer security policy which the service will need to be compliant with.
Lecture Notes in Computer Science, 2014
Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. Therefore there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications, in order to ensure security and trustworthiness. In this chapter, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the "security as an afterthought" paradigm.
The Future Internet is moving from today's static services to an environment in which service consumers will transparently mix and match service components depending on service availability, quality, price and security attributes. This fact poses some challenges in terms of security and trustworthiness that should be guaranteed to the final users. In this paper, we present a platform for secure service design and composition based on the Activiti open-source workflow engine and Business Process Model and Notation (BPMN) extensions for expressing security needs over service specifications. The platform, developed in the realm of the Aniketos FP7 funded project, offers the capability to service designers and service providers to establish and maintain trustworthiness and secure behavior in today's constantly changing service environments. In order to demonstrate the validity of this approach, the use of the platform is shown in a real application scenario in which a security requirement on trustworthiness specified by design needs to be monitored and guaranteed during service execution.
Lecture Notes in Computer Science, 2014
ABSTRACT Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. Therefore there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications, in order to ensure security and trustworthiness. In this chapter, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the “security as an afterthought” paradigm.
2013 International Conference on Social Computing, 2013
ABSTRACT Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements difficult. As the number of security requirements is increasing dramatically, there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications. In this paper, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the "security as an afterthought" paradigm.
Lecture Notes in Computer Science, 2014
ABSTRACT Automatic translation of elicited consumer security requirements at high level (problem space) into application or service level security requirements (solution space) has been traditionally the Achilles’ heel of security requirements engineering. Such automated translation would result in significant failure and cost reduction in application development and maintenance, particularly in those complex applications based on compositions and choreographies of services. In this paper we present a framework which makes a step forward to solve this dilemma. The framework supports the engineering of composite service security and trust requirements directly derived from the organisational needs expressed for such service. The followed approach starts with the modelling of organisation actors’ objectives and commitments among these actors, and follows with the transformation of such commitments into security elements in the service business process specification and into a consumer security policy which the service will need to be compliant with.