The practical application of a process for eliciting and designing security in web service systems

Best practices currently state that the security requirements and security architectures of distributed software-intensive systems should be based on security risk assessments, which have been designed from security patterns, are implemented in security standards and are tool-supported throughout their development life-cycle. Web service-based information systems uphold inter-enterprise relations through the Internet, and this technology has been revealed as the reference solution with which to implement Service-Oriented Architectures. In this paper, we present the application of the Process for Web Service Security (PWSSec), developed by the authors, to a real web service-based case study. The manner in which security in inter-organizational information systems can be analyzed, designed and implemented by applying PWSSec, which combines a risk analysis and management, along with a security architecture and a standard-based approach, is also shown. We additionally present a tool built to provide support to the PWSSec process.