SlideShare a Scribd company logo

Profile based security assurance for service

IESS, profile picture
IESS

This document discusses research problems with enabling service consumers to select software services that meet their specific security requirements. It proposes a framework with three main processes: 1) Reflecting security assurances of services using security profiles to characterize properties from multiple stakeholder perspectives. 2) Allowing consumers to select preferred assurances. 3) Automatically checking compatibility between services' security properties and requirements. The goal is to make security transparent and allow compatibility verification to empower consumers to build secure applications.

Education
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
IESS 1.1 Geneva 2011 Profile-based Security Assurances for Service Software Khaled Khan Computer Science and Engineering Qatar University Qatar
Overview •  Context •  Stakeholders of services •  Research problems •  Motivating Example •  Proposed framework •  Conclusion
Software Service, Composition and Security •  An increasing interest in deploying software applications as services over the open communication channels •  A software offering a service exists independently - developed, managed by third party service provider •  These services are aimed for direct integration with any application system dynamically at run-time •  A service may be secure in one application system, but the same service may not be secure in a different application due to different security requirements •  The term `secure' is over-used and somehow misleading because it does not state the specific type of security achieved
Research Problems •  End users with limited resources could compose application based on services which are consistent with their security requirements. •  Services are normally associated with security features that are designed to withstand certain security threats •  The representation of security properties for an end-user is quite different from those for –  a security expert, or –  a software engineer, or –  a different service consumer (end-user). •  The current practice may lead the service consumer to select a service that does not tell much about its security assurances. •  The way the security features are implemented, embedded and presented is often too complex for the service consumer to understand and use. •  Services most often use the notion of “one-size-fits-all’ security assurances. •  Consequently, –  Either service consumers do not use the services of which security properties are not well understood, or –  The security properties remain unused or wrongly configured in the application because these do not conform with the users security requirements.
Problems with Service Consumers •  Difficult for the service consumer to verify the conformity of security properties between their security requirements and the assurances of third party services. •  There are two explanations for this: –  Security properties are not specified in a form easily comprehensible by the service consumer who perhaps has limited knowledge of formal security technologies, –  A lack of a suitable framework with which they could select and compose their application based on security profiles of services and their security requirements. •  Service consumers may not have enough background with formal education in computer science or security.
Research Issues •  How can a service consumer know that the level of security assurances provided by the selected service software would meet her requirements? and •  How can the consumer verify immediately that the ensured security properties of the service are consistent with her security requirements?
A Motivating Example •  Carol, a consumer, likes to book an item such as a hotel room, a car, or a flight. •  The normal sequence of steps in a service-based application includes: –  Carol searches (a service) for her preferred reservation item, and selects the item; –  Then she provides her details (another service to make the reservation); –  Makes online payment (a service too), and –  Finally receives a bar-coded digital receipt (a service) of reservation. •  In this journey of moving from one service to another in an integrated system environment (composed of multiple services), Carol may have different security requirements for each service she uses:
Security Requirements of Carol a)  For example, she wants her search parameters should not be used by anyone to link with her identity (a security property called non-linkability). b)  She also prefers her name, phone number, email and home address kept confidential (confidentiality). c)  She does not care if her suburb and street names are disclosed provided that none could identify her or her home address with these two pieces of information (non-deducability). d)  She also likes to have a guarantee that her credit card number is kept secret (confidentiality), and on one should be able to alter the amount she paid (integrity). e)  Carol also wants that no unauthorized entities are able to see (privacy) and make a copy of her receipt (authorization). f)  Finally, she needs an assurance that none could observe her activities in the Internet (non-observability). •  We can see that Carol has very specific security requirements in this scenario. •  Likewise, another consumer John, may have different requirements from Carol of the same reservation software system. •  How do we handle these types of diverse security requirements?
Research Objectives and Approaches •  Our work attempts to address the following research challenges project: –  How to make security assurances of service software transparent to consumers –  How to enable consumer select their security choices; and –  How to check the security compatibility of the selected security for services. Our approach has three main processes: –  Reflection of security assurances –  Selection of preferred assurances; and –  Checking of security compatibility.
Reflection of Security Assurances •  Mechanisms for reflecting the security assurances of services. •  Security provisions and requirements are published together with their service descriptions •  Security characterization called security profiles •  Attaching the security profile with service interfaces. •  Stakeholder-based view
Levels of Implemented Security Functions Development Characterising ISO/IEC stage Service development security properties of 15408 services Common criteria Composition stage Establishing Reasonin Systems composition compositional g security properties language Operational Execution Deriving consumer- Security stage level security goals Goal Time
Stakeholders of Services Design and Development of Service developers services Development and deployment Security designer Analysis of security threats and implementation policies Software engineer Discovery of services and functional integration Operation and Service consumer Composition User of composed application Time
Four Perspectives of Service Security Service consumer Specific security objectives actually achieved at the system-level (Operational time) Software engineer Interested in the compositional impact and conformity of the security properties (Composition time) Security designer Focuses technical details of the component security such as encryption Identifies the threats of the component, define the security policies and functions (service development time) Service developer Design, build, deploy and manage services. (service design deployment time)
Abstraction Level of Security Properties
Selection of Preferred Assurances •  Services should provide a choice of security assurances. •  Capability that enables the consumer to select their preferred security assurances •  Security profile must reflect the actual implementation of security functions
Checking of Security Compatibility •  Security compatibility between interacting services are automatically analyzed •  Conforms that they satisfy each other's security requirements. •  Ensure that the selected security properties work without compromising service security provisions.
Concluding Remarks •  Our framework has three anticipated innovative aspects. –  The first innovative aspect is that we approach security from a (service- based) software engineering perspective •  Adopt a proactive and predicative line of thinking. •  We emphasize on the service consumer's understanding and selection capabilities of service security properties –  The second innovative aspect is that the framework provides a semantic model that is essential to reason about the effectiveness of the selected security assurances –  The final aspect is the formal analysis techniques for security compatibility allow us to check automatically if the services in a composition are compatible in terms of security features •  Leads to compatible security-aware composition. This is critical to providing assurance to system users about the systems security behavior, •  Nurtures confidence and trust in the business community about service- based system security.

More Related Content

PPTX
IT6701-Information Management Unit 2
SIMONTHOMAS S
 
PDF
P0704085089
IJERD Editor
 
PPTX
Analyzing Software Architectures: A Semantic Model
Förderverein Technische Fakultät
 
PDF
Contextual Authentication: A Multi-factor Approach
PortalGuard
 
PDF
Socio technical system
Sweta Kumari Barnwal
 
PDF
Contextual Authentication
PortalGuard dba PistolStar, Inc.
 
PDF
Context Based Authentication
PortalGuard dba PistolStar, Inc.
 
PPT
Lead Allocation System - Attribute Driven Design (ADD)
Amin Bandeali
 
IT6701-Information Management Unit 2
SIMONTHOMAS S
 
P0704085089
IJERD Editor
 
Analyzing Software Architectures: A Semantic Model
Förderverein Technische Fakultät
 
Contextual Authentication: A Multi-factor Approach
PortalGuard
 
Socio technical system
Sweta Kumari Barnwal
 
Contextual Authentication
PortalGuard dba PistolStar, Inc.
 
Context Based Authentication
PortalGuard dba PistolStar, Inc.
 
Lead Allocation System - Attribute Driven Design (ADD)
Amin Bandeali
 

What's hot (20)

PPTX
Software Requirements
Nethan Shaik
 
PDF
Secure Architecture Evaluation for Agent Based Web Service Discovery
IDES Editor
 
PPT
Requirement Engineering for Dependable Systems
Kamalika Guha Roy
 
PPT
Requirment anlaysis , application, device, network requirements
csk selva
 
PDF
Engineering Software Products: 7. security and privacy
software-engineering-book
 
PPT
ppt
Videoguy
 
PDF
[WWW2014] Reconciling Mobile App Privacy and Usability on Smartphones: Could ...
Bin Liu
 
PDF
A Performance Analysis of Chasing Intruders by Implementing Mobile Agents
CSCJournals
 
PDF
Injection techniques conversys
Krishnendu Paul
 
PDF
Intro softwareeng
PINKU29
 
PPTX
Presentaion final
M Shehan Perera
 
PDF
Unit 1-overview of software engineering
arvind pandey
 
PDF
IS-1 Short Report [Muhammad Akram Abbasi]
Akram Abbasi
 
PPTX
Requirment anlaysis
csk selva
 
PPTX
Ch1-Software Engineering 9
Ian Sommerville
 
PDF
Developing User Authentication by Knowledge Based Authentication Scheme in G...
IJCSIS Research Publications
 
PDF
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
PPTX
Ian Sommerville, Software Engineering, 9th Edition Ch 4
Mohammed Romi
 
DOC
Raju 5.7 java
Raju G P
 
DOC
Resume_Exp
Hemanth Kumar L g
 
Software Requirements
Nethan Shaik
 
Secure Architecture Evaluation for Agent Based Web Service Discovery
IDES Editor
 
Requirement Engineering for Dependable Systems
Kamalika Guha Roy
 
Requirment anlaysis , application, device, network requirements
csk selva
 
Engineering Software Products: 7. security and privacy
software-engineering-book
 
ppt
Videoguy
 
[WWW2014] Reconciling Mobile App Privacy and Usability on Smartphones: Could ...
Bin Liu
 
A Performance Analysis of Chasing Intruders by Implementing Mobile Agents
CSCJournals
 
Injection techniques conversys
Krishnendu Paul
 
Intro softwareeng
PINKU29
 
Presentaion final
M Shehan Perera
 
Unit 1-overview of software engineering
arvind pandey
 
IS-1 Short Report [Muhammad Akram Abbasi]
Akram Abbasi
 
Requirment anlaysis
csk selva
 
Ch1-Software Engineering 9
Ian Sommerville
 
Developing User Authentication by Knowledge Based Authentication Scheme in G...
IJCSIS Research Publications
 
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Ian Sommerville, Software Engineering, 9th Edition Ch 4
Mohammed Romi
 
Raju 5.7 java
Raju G P
 
Resume_Exp
Hemanth Kumar L g
 
Ad

Similar to Profile based security assurance for service (20)

PPT
Service-Oriented Security Engineering
Richard Veryard
 
PDF
Model for Identifying the Security of a System: A Case Study of Point Of Sale...
IOSR Journals
 
PPTX
Enumerating software security design flaws throughout the ssdlc cosac - 201...
John M. Willis
 
PPTX
Enumerating software security design flaws throughout the SSDLC
John M. Willis
 
PDF
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...
cscpconf
 
PDF
Requirements Engineering for Secure Software
Dr Sarika Jadhav
 
PPTX
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
PDF
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
ijwscjournal
 
PDF
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
ijwscjournal
 
PDF
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
ijwscjournal
 
PDF
Aniketos 2nd cluster meeting
fcleary
 
PPT
Software Security in the Real World
Mark Curphey
 
PDF
Architecting Secure Service Oriented Web Services
IDES Editor
 
PDF
Software security risk mitigation using object oriented design patterns
eSAT Journals
 
PDF
Software security risk mitigation using object
eSAT Publishing House
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PDF
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
Jaipal Naidu
 
PPTX
crisc_wk_5.pptx
dotco
 
KEY
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
Service-Oriented Security Engineering
Richard Veryard
 
Model for Identifying the Security of a System: A Case Study of Point Of Sale...
IOSR Journals
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
John M. Willis
 
Enumerating software security design flaws throughout the SSDLC
John M. Willis
 
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...
cscpconf
 
Requirements Engineering for Secure Software
Dr Sarika Jadhav
 
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
ijwscjournal
 
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
ijwscjournal
 
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
ijwscjournal
 
Aniketos 2nd cluster meeting
fcleary
 
Software Security in the Real World
Mark Curphey
 
Architecting Secure Service Oriented Web Services
IDES Editor
 
Software security risk mitigation using object oriented design patterns
eSAT Journals
 
Software security risk mitigation using object
eSAT Publishing House
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
Jaipal Naidu
 
crisc_wk_5.pptx
dotco
 
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
Ad

More from IESS (20)

PDF
Iess11 closing session
IESS
 
PDF
Comparison of research based vs industry developed pss models
IESS
 
PDF
Towards an ontological foundation of service dominant logic
IESS
 
PDF
Designing a dynamic competency framework for the service system innovation ar...
IESS
 
PDF
Strategy based service business development for sm es
IESS
 
PDF
Business process flexibility in service composition
IESS
 
PDF
Service systems and value modeling from an appreciative system perspective
IESS
 
PDF
Service science filling the gap between knowledge and needs
IESS
 
PDF
The paradox of service industrialization
IESS
 
PDF
Implementing a request fulfillment process
IESS
 
PDF
Sustainable service innovation
IESS
 
PDF
Mining customer loyalty card programs
IESS
 
PDF
A model based method for the design of services in collaborative business env...
IESS
 
PDF
An approach to extract the business value from soa services
IESS
 
PDF
Impact analysis of process improvement on it service quality
IESS
 
PDF
Seffah iess11 keynote the human side of service science
IESS
 
PDF
On viable service systems
IESS
 
PDF
Spider maps for location based services improvement
IESS
 
PPT
IESS 1.1 intro
IESS
 
PDF
Iess10 Closing
IESS
 
Iess11 closing session
IESS
 
Comparison of research based vs industry developed pss models
IESS
 
Towards an ontological foundation of service dominant logic
IESS
 
Designing a dynamic competency framework for the service system innovation ar...
IESS
 
Strategy based service business development for sm es
IESS
 
Business process flexibility in service composition
IESS
 
Service systems and value modeling from an appreciative system perspective
IESS
 
Service science filling the gap between knowledge and needs
IESS
 
The paradox of service industrialization
IESS
 
Implementing a request fulfillment process
IESS
 
Sustainable service innovation
IESS
 
Mining customer loyalty card programs
IESS
 
A model based method for the design of services in collaborative business env...
IESS
 
An approach to extract the business value from soa services
IESS
 
Impact analysis of process improvement on it service quality
IESS
 
Seffah iess11 keynote the human side of service science
IESS
 
On viable service systems
IESS
 
Spider maps for location based services improvement
IESS
 
IESS 1.1 intro
IESS
 
Iess10 Closing
IESS
 

Recently uploaded (20)

PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PPTX
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
Trump Administration's workforce development strategy
Mebane Rash
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Trump Administration's workforce development strategy
Mebane Rash
 

Profile based security assurance for service

  • 1. IESS 1.1 Geneva 2011 Profile-based Security Assurances for Service Software Khaled Khan Computer Science and Engineering Qatar University Qatar
  • 2. Overview •  Context •  Stakeholders of services •  Research problems •  Motivating Example •  Proposed framework •  Conclusion
  • 3. Software Service, Composition and Security •  An increasing interest in deploying software applications as services over the open communication channels •  A software offering a service exists independently - developed, managed by third party service provider •  These services are aimed for direct integration with any application system dynamically at run-time •  A service may be secure in one application system, but the same service may not be secure in a different application due to different security requirements •  The term `secure' is over-used and somehow misleading because it does not state the specific type of security achieved
  • 4. Research Problems •  End users with limited resources could compose application based on services which are consistent with their security requirements. •  Services are normally associated with security features that are designed to withstand certain security threats •  The representation of security properties for an end-user is quite different from those for –  a security expert, or –  a software engineer, or –  a different service consumer (end-user). •  The current practice may lead the service consumer to select a service that does not tell much about its security assurances. •  The way the security features are implemented, embedded and presented is often too complex for the service consumer to understand and use. •  Services most often use the notion of “one-size-fits-all’ security assurances. •  Consequently, –  Either service consumers do not use the services of which security properties are not well understood, or –  The security properties remain unused or wrongly configured in the application because these do not conform with the users security requirements.
  • 5. Problems with Service Consumers •  Difficult for the service consumer to verify the conformity of security properties between their security requirements and the assurances of third party services. •  There are two explanations for this: –  Security properties are not specified in a form easily comprehensible by the service consumer who perhaps has limited knowledge of formal security technologies, –  A lack of a suitable framework with which they could select and compose their application based on security profiles of services and their security requirements. •  Service consumers may not have enough background with formal education in computer science or security.
  • 6. Research Issues •  How can a service consumer know that the level of security assurances provided by the selected service software would meet her requirements? and •  How can the consumer verify immediately that the ensured security properties of the service are consistent with her security requirements?
  • 7. A Motivating Example •  Carol, a consumer, likes to book an item such as a hotel room, a car, or a flight. •  The normal sequence of steps in a service-based application includes: –  Carol searches (a service) for her preferred reservation item, and selects the item; –  Then she provides her details (another service to make the reservation); –  Makes online payment (a service too), and –  Finally receives a bar-coded digital receipt (a service) of reservation. •  In this journey of moving from one service to another in an integrated system environment (composed of multiple services), Carol may have different security requirements for each service she uses:
  • 8. Security Requirements of Carol a)  For example, she wants her search parameters should not be used by anyone to link with her identity (a security property called non-linkability). b)  She also prefers her name, phone number, email and home address kept confidential (confidentiality). c)  She does not care if her suburb and street names are disclosed provided that none could identify her or her home address with these two pieces of information (non-deducability). d)  She also likes to have a guarantee that her credit card number is kept secret (confidentiality), and on one should be able to alter the amount she paid (integrity). e)  Carol also wants that no unauthorized entities are able to see (privacy) and make a copy of her receipt (authorization). f)  Finally, she needs an assurance that none could observe her activities in the Internet (non-observability). •  We can see that Carol has very specific security requirements in this scenario. •  Likewise, another consumer John, may have different requirements from Carol of the same reservation software system. •  How do we handle these types of diverse security requirements?
  • 9. Research Objectives and Approaches •  Our work attempts to address the following research challenges project: –  How to make security assurances of service software transparent to consumers –  How to enable consumer select their security choices; and –  How to check the security compatibility of the selected security for services. Our approach has three main processes: –  Reflection of security assurances –  Selection of preferred assurances; and –  Checking of security compatibility.
  • 10. Reflection of Security Assurances •  Mechanisms for reflecting the security assurances of services. •  Security provisions and requirements are published together with their service descriptions •  Security characterization called security profiles •  Attaching the security profile with service interfaces. •  Stakeholder-based view
  • 11. Levels of Implemented Security Functions Development Characterising ISO/IEC stage Service development security properties of 15408 services Common criteria Composition stage Establishing Reasonin Systems composition compositional g security properties language Operational Execution Deriving consumer- Security stage level security goals Goal Time
  • 12. Stakeholders of Services Design and Development of Service developers services Development and deployment Security designer Analysis of security threats and implementation policies Software engineer Discovery of services and functional integration Operation and Service consumer Composition User of composed application Time
  • 13. Four Perspectives of Service Security Service consumer Specific security objectives actually achieved at the system-level (Operational time) Software engineer Interested in the compositional impact and conformity of the security properties (Composition time) Security designer Focuses technical details of the component security such as encryption Identifies the threats of the component, define the security policies and functions (service development time) Service developer Design, build, deploy and manage services. (service design deployment time)
  • 14. Abstraction Level of Security Properties
  • 15. Selection of Preferred Assurances •  Services should provide a choice of security assurances. •  Capability that enables the consumer to select their preferred security assurances •  Security profile must reflect the actual implementation of security functions
  • 16. Checking of Security Compatibility •  Security compatibility between interacting services are automatically analyzed •  Conforms that they satisfy each other's security requirements. •  Ensure that the selected security properties work without compromising service security provisions.
  • 17. Concluding Remarks •  Our framework has three anticipated innovative aspects. –  The first innovative aspect is that we approach security from a (service- based) software engineering perspective •  Adopt a proactive and predicative line of thinking. •  We emphasize on the service consumer's understanding and selection capabilities of service security properties –  The second innovative aspect is that the framework provides a semantic model that is essential to reason about the effectiveness of the selected security assurances –  The final aspect is the formal analysis techniques for security compatibility allow us to check automatically if the services in a composition are compatible in terms of security features •  Leads to compatible security-aware composition. This is critical to providing assurance to system users about the systems security behavior, •  Nurtures confidence and trust in the business community about service- based system security.