
A Security Meta Language for using web services security standards

Posted on: 2012-11-22
Degree: Ph.D
Type: Dissertation
University: The University of Tulsa
Candidate: Baird, Robert J
Full Text: PDF
GTID: 1458390011952235
Subject: Computer Science
Abstract/Summary:
Recently, the trend in information systems has shifted towards the interconnection of complex distributed systems due to the increasing availability of competing service providers and the decreasing costs of moving services online. To that end, service-oriented architectures with web services have become commonplace in business and government application development. Web services facilitate application implementation and deployment through the use of standards that clearly document interfaces and message exchanges. However, the reliance on these standards has become problematic and cumbersome, especially when configuring secure systems that require explicit message properties. The standards are highly interconnected and hierarchical in nature, and correctly establishing their configuration is problematic due to the massive amounts of data that must be reviewed prior to implementation. Incorrect specifications can lead to disastrous application configurations resulting in software vulnerabilities, system unavailability and service disruption, and ultimately loss of secure protected information. The goal of this work is a reusable framework in the form of a meta-language to model secure SOAP messages. In this paper, we define a Security Meta Language (SML) as a two-part model and dynamic process that documents the security-relevant portions of the standards for their consistent, comprehensive, and correct application. The language contains a static portion that grounds the model in the web service standards using their documentation and data structures, and a dynamic portion that catalogs different security controls as they are applied to SOAP messages. We outline a dynamic reusable process to add new directives to the database when application requirements change or new security concerns are found. We give an overview of all UML stereotypes and present a case study that demonstrates the correct use of the SML to guide secure message configuration in a distributed system environment.
Keywords/Search Tags:Web services, Security, Standards, Language, Secure