Research On A Security Evaluation Method Based On STRIDE Model For Web Service

Posted on: 2011-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: L Jiang
GTID: 2218330371963164
Subject: Software engineering

Abstract/Summary:
Web service is a distributed computing model built on open standard technologies, and it is widely used in e-commerce and in enterprises of many kinds. However, because of the networked, open, autonomous and interoperable nature of Web services, they are vulnerable to attack by hackers or to misuse by third parties pursuing improper commercial interests. If the security of a Web service is not handled properly, data may be disclosed and other security incidents, or even worse consequences, may follow, so the security and availability of Web services is one of the important factors restricting their wide application. How to evaluate the security of Web services efficiently is a challenging research topic with good practical value.

At present, the security requirements of Web services include confidentiality, identity validation, authorization, integrity and non-repudiation, among others. To address these requirements, many domestic and foreign standardization organizations, companies and research institutes have carried out related theoretical and applied research. However, current research is concerned more with the testing of Web services and rarely with the evaluation of service security.

Based on the characteristics of Web services and the SOA architecture, this paper proposes a security evaluation method for Web services based on the STRIDE model. The method carries out security evaluation and threat modeling against security threats and challenges from several angles: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.

According to the characteristics of Web services and the threat classification of the STRIDE model, the Web service security evaluation model WS-SEM is designed. It analyzes the method for quantifying the indicators of each security property and the steps for carrying out the evaluation, covering anti-spoofing, anti-tampering, anti-repudiation, anti-information disclosure, anti-denial of service and anti-elevation of privilege, and it can provide users with a reference evaluation and protective strategies for Web service security.

At the end of the paper, a case study of an enterprise's SOA application system applies the WS-SEM evaluation model to carry out threat modeling and risk analysis for the SOA application. Analyzing and evaluating threats from the perspective of the service consumer can give administrators a reference basis for finding weak links in their security defenses and for optimizing the system's security design. The experimental results show that the model has some versatility and reference value.
Keywords/Search Tags: Web service, degree of security, security evaluation model, security abilities property