Towards a Process for Web Services Security

Web Services (WS) security has undergone an enormous development, as carried out by the major organizations and consortiums of the industry over the last few years. This has brought about the appearance of a huge number of WS security standards. Such a fact has made organizations remain reticent about adopting technologies based on this paradigm, due to the learning curve which is inevitable in the integration of security into their practical deployments. In this paper we present PWSSec (Process for Web Services Security), which enables the integration of a set of specific security stages into the traditional phases of WS-based systems development. PWSSec defines three stages, WSSecReq (Web Services Security Requirements), WSSecArch (Web Services Security Architecture) and WSSecTech (Web Services Security Technologies). These facilitate, respectively, the definition of WS-specific security requirements, the development of a WS-based security architecture and the identification of the WS security standards that the security architecture must articulate in order to implement the security services. ACM Classification: D.2.1 (Requirements/Specification)s, D.2.11 (Software Architecture), D.2.12 (Interoperability), D.2.13 (Reusable Software)