SlideShare une entreprise Scribd logo

Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach

CHOOSE
CHOOSE

Presented at the Choose Forum 2010 in Bern.

1  sur  33
Télécharger pour lire hors ligne
Compliance in service-oriented architectures: A model-driven and view-based approach Uwe Zdun Software Architecture Group Department of Distributed and Multimedia Systems University of Vienna http://cs.univie.ac.at/swa
2 software architecture group COMPLIANCE: THE PROBLEM DOMAIN
3 software architecture group IT Compliance IT compliance means in general complying to regulations that apply to an IT system Examples of regulations are: Basel II, IFRS, MiFID, Cobit, LSF, Tabaksblat, Sarbanes-Oxley Act These cover issues such as auditor independence, corporate governance, and enhanced financial disclosure
4 software architecture group Other Compliance Sources Regulations are just one example There are many other rules and constraints in a software system that have similar characteristics Service composition/Deployment rules Service execution order rules Information exchange policies Security policies QoS rules Business rules Laws Licenses
5 software architecture group Current Practice for Dealing with Compliance Ideal case: A SW-framework for automatically dealing with compliance Problem: It is impossible to formalize all details of a jurisdictional text Interpretation by domain experts needed Complex references to other (jurisdictional) texts Hence, in many cases, compliance today is reached on a per-case basis
6 software architecture group Issues with the Current Practice Systems are hard to maintain hard to evolve or change hard to reuse hard to understand It is difficult to ensure guaranteed compliance to a given set of rules and regulations It is difficult to keep up with constant changes in regulations and laws Domain experts are not involved enough
Compliance in SOAs So far the SOA approach does not provide any clear technological strategy or concept of how to realize, enforce, or validate various compliance concerns
8 software architecture group OUR APPROACH
Approach Overview Models and meta-models for the specification of the SOA and compliance concerns Domain-specific languages (DSLs) and architectural views for compliance concerns Model-driven validation and generation of the SOA from the models Execution, monitoring, and enforcement of compliance concerns in the running SOA
Approach: Auditor’s View Regulation / Legislation Norm/Standard Controls Automated Controls Report Manual Controls Manual Implementation Risk Management Department
Regulation / Legislation Norm/Standard Controls Automated Controls Report Manual Controls View-based, model-driven Approach Generated Implementation Risk Management Department Approach: Auditor’s View
12 software architecture group Architectural Overview MDSD Software Framework Repositories Application Servers, ESB Online Monitoring Offline Monitoring Dashboard Data Warehouse Verification Tools Compliance Request Language Design time Runtime
13 software architecture group Compliance Solution: Overview & Roles
14 software architecture group View-based, Model-driven Architecture Separation of concerns using architectural views Separate different concerns in view-based models Separation of abstraction levels: Separate technical and domain-oriented views Integrate via model relations and matching algorithms using the model-driven generator
View-based Modeling Framework (VbMF)
View-based Modeling Framework (VbMF) Separation of concerns
View-based Modeling Framework (VbMF) Separation of technical and domain-oriented views
Extended VbMF: Modelling and Integration of Compliance Concerns Core Model Flow View Model Collaboration View Model Information View Model Intellectual property and license DSL extends extends extends BPEL FLow View Model BPEL Collaboration View Model BPEL Information View Model extends extends extends Business Process Modeling QoS policy DSL Security policy DSL Compliance Modeling annotates Process-driven model instances with annotated compliance metadata instance-of Schematic Recurrent Code & Configurations generates extends Regulatory or legislative DSL Compliance Metadata Model annotates Documentation generates
Domain-Specific Languages Tooling: High-level and low-level DSLs Business/Domain experts IT/Technical experts
DSL – An Example High-Level DSL - Editor Low-Level DSL
Compliance Metadata-Model A bridge between compliance concerns and SOA elements Compliance metadata model elements: References to regulations, standards, norms, licenses, etc. Controls Referencing Services, Processes, etc. (elements that implement the control) Control type (e.g., change management control) Risks associated to the controls This allows us to specify statements like: “Service/Process X is a change management control, defined in COBIT, to comply with SOX”
Model-Driven Tool Chain Transformation Templates
23 software architecture group Execution and Monitoring Process engine Service monitors Other IT event detector Event Bus Governance of Compliance Audit Trail Event Model Dashboard
24 software architecture group Compliance Governance Dashboard
25 software architecture group EXAMPLE
26 software architecture group An Example of Process Design
27 software architecture group Searching for process fragments realizing SOX 409 concerns using the Compliance Request Language Query Models
28 software architecture group No suitable fragments are found. We model the concern using the MDD framework Models Generated Code Verified Models Generated CodeGenerated CodeGenerated Code
29 software architecture group Monitor The Process at Runtime EventsEvents Display Information Display Information
30 software architecture group Analyze compliance violation: Perform root cause analysis using the models from the model repository Models Compliance Violation
31 software architecture group Root cause analysis and process redesign in detail Before: sequential task execution; slow, lots of violations MORSE Repository UUID 1 formID = „Form8K“ duration = 2 unit = BusinessDays ... : PublishDeadline UUID 5 Business process engine 1. Deploy process models Monitoring Infrastructure 2. Emit events UUID 3UUID 2UUID 1 3. Get compliance models (rules) for process 4. Process and analyze events UUID 1 Violation detected 5. Retrieve responsible / corresponding models ID = „Sec 409 Real time issuer disclosures“ ... : ComplianceConcern UUID 4 Compliance governance Web UI 6. Report violation 7. Root cause analysis / manipulation of model(s) Assess Intrusion End yes no Personal info lost or stolen? Response Write Form 8-K Approve Form 8-K Publish Form 8-K ! UUID 3 UUID 2 UUID 4 UUID 5 Assess Intrusion End yes no Personal info lost or stolen? Response Write Form 8-K Approve Form 8-K Intrusion detected Publish Form 8-K !After: parallel task execution; faster, fewer violations UUID 1
32 software architecture group Lessons Learned On The nature of business compliance in a SOA system Scattered through many system’s elements at different abstraction levels Existing in different development phases: analysis, design, implementation, and runtime Enabling methods and technologies for business compliance in SOAs should Tackling the compliance from multiple perspectives at multiple levels of abstraction Taking into account for the constant needs for changes of laws regulations, policies, etc., to ensure incremental compliance Engaging relevant stakeholders (business/domain experts, technical experts) by providing appropriate tooling and methods
33 software architecture group Many thanks for your attention! Uwe Zdun Software Architecture Group Department of Distributed and Multimedia Systems University of Vienna http://cs.univie.ac.at/swa

Recommandé

Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecturebdemchak
 
TESEM: A Tool for Verifying Security Design Pattern Applications
TESEM: A Tool for Verifying Security Design Pattern ApplicationsTESEM: A Tool for Verifying Security Design Pattern Applications
TESEM: A Tool for Verifying Security Design Pattern ApplicationsHironori Washizaki
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Atlantic Security Conference
 
Software Design Level Vulnerability Classification Model
Software Design Level Vulnerability Classification ModelSoftware Design Level Vulnerability Classification Model
Software Design Level Vulnerability Classification ModelCSCJournals
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Se project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSe project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Software security risk mitigation using object
Software security risk mitigation using objectSoftware security risk mitigation using object
Software security risk mitigation using objecteSAT Publishing House
 
Software security risk mitigation using object oriented design patterns
Software security risk mitigation using object oriented design patternsSoftware security risk mitigation using object oriented design patterns
Software security risk mitigation using object oriented design patternseSAT Journals
 

Recommandé

Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecturebdemchak
 
TESEM: A Tool for Verifying Security Design Pattern Applications
TESEM: A Tool for Verifying Security Design Pattern ApplicationsTESEM: A Tool for Verifying Security Design Pattern Applications
TESEM: A Tool for Verifying Security Design Pattern ApplicationsHironori Washizaki
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Atlantic Security Conference
 
Software Design Level Vulnerability Classification Model
Software Design Level Vulnerability Classification ModelSoftware Design Level Vulnerability Classification Model
Software Design Level Vulnerability Classification ModelCSCJournals
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Se project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSe project-methodology-for-security-project-web
Se project-methodology-for-security-project-webSandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Software security risk mitigation using object
Software security risk mitigation using objectSoftware security risk mitigation using object
Software security risk mitigation using objecteSAT Publishing House
 
Software security risk mitigation using object oriented design patterns
Software security risk mitigation using object oriented design patternsSoftware security risk mitigation using object oriented design patterns
Software security risk mitigation using object oriented design patternseSAT Journals
 
Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing reportKupili Archana
 
Conducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignConducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignIJCSIS Research Publications
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
02.security systems
02.security systems02.security systems
02.security systemsSri Lanka Institute of Information Technology
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...Tom Nipravsky
 
A new approach for formal behavioral
A new approach for formal behavioralA new approach for formal behavioral
A new approach for formal behavioralijfcstjournal
 
Our talk in Black Hat Asia 2015 Briefing
Our talk in Black Hat Asia 2015 Briefing Our talk in Black Hat Asia 2015 Briefing
Our talk in Black Hat Asia 2015 Briefing SecPod Technologies
 
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent
 
Cissp exam-outline
Cissp exam-outlineCissp exam-outline
Cissp exam-outlineAhmet E
 
Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...ijfcstjournal
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Toolsn|u - The Open Security Community
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...IJNSA Journal
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Kannan Ganapathy
 
Designing Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsDesigning Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsIOSR Journals
 
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES ijwscjournal
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scalePriyanka Aash
 
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutionsguest609a5ed
 
SE2.ppt
SE2.pptSE2.ppt
SE2.pptAaMir519591
 
Introduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptxIntroduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptxEverestMedinilla2
 
[2015/2016] Software development process
[2015/2016] Software development process[2015/2016] Software development process
[2015/2016] Software development processIvano Malavolta
 

Contenu connexe

Tendances

Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing reportKupili Archana
 
Conducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignConducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignIJCSIS Research Publications
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...Tom Nipravsky
 
A new approach for formal behavioral
A new approach for formal behavioralA new approach for formal behavioral
A new approach for formal behavioralijfcstjournal
 
Our talk in Black Hat Asia 2015 Briefing
Our talk in Black Hat Asia 2015 Briefing Our talk in Black Hat Asia 2015 Briefing
Our talk in Black Hat Asia 2015 Briefing SecPod Technologies
 
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent
 
Cissp exam-outline
Cissp exam-outlineCissp exam-outline
Cissp exam-outlineAhmet E
 
Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...ijfcstjournal
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...IJNSA Journal
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Kannan Ganapathy
 
Designing Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsDesigning Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsIOSR Journals
 
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES ijwscjournal
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scalePriyanka Aash
 
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutionsguest609a5ed
 

Tendances (19)

Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing report
 
Conducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class DesignConducting Security Metrics for Object-Oriented Class Design
Conducting Security Metrics for Object-Oriented Class Design
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
02.security systems
02.security systems02.security systems
02.security systems
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
 
A new approach for formal behavioral
A new approach for formal behavioralA new approach for formal behavioral
A new approach for formal behavioral
 
Our talk in Black Hat Asia 2015 Briefing
Our talk in Black Hat Asia 2015 Briefing Our talk in Black Hat Asia 2015 Briefing
Our talk in Black Hat Asia 2015 Briefing
 
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
 
Cissp exam-outline
Cissp exam-outlineCissp exam-outline
Cissp exam-outline
 
Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...Verification of the protection services in antivirus systems by using nusmv m...
Verification of the protection services in antivirus systems by using nusmv m...
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
 
Designing Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsDesigning Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System Models
 
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scale
 
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...
 
V-Empower Services And Solutions
V-Empower Services And SolutionsV-Empower Services And Solutions
V-Empower Services And Solutions
 

Similaire à Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach

Introduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptxIntroduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptxEverestMedinilla2
 
[2015/2016] Software development process
[2015/2016] Software development process[2015/2016] Software development process
[2015/2016] Software development processIvano Malavolta
 
Software development PROCESS
Software development PROCESSSoftware development PROCESS
Software development PROCESSIvano Malavolta
 
SOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTES
SOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTESSOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTES
SOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTESsuthi
 
Ch2-Software Engineering 9
Ch2-Software Engineering 9Ch2-Software Engineering 9
Ch2-Software Engineering 9Ian Sommerville
 
Software engineering
Software engineeringSoftware engineering
Software engineeringnidhi5388
 
SE18_Lec 02_Software Life Cycle Model
SE18_Lec 02_Software Life Cycle ModelSE18_Lec 02_Software Life Cycle Model
SE18_Lec 02_Software Life Cycle ModelAmr E. Mohamed
 
Elementary Probability theory Chapter 2.pptx
Elementary Probability theory Chapter 2.pptxElementary Probability theory Chapter 2.pptx
Elementary Probability theory Chapter 2.pptxethiouniverse
 
Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Bogusz Jelinski
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
Software Engineering Process Models
Software Engineering Process Models Software Engineering Process Models
Software Engineering Process Models Satya P. Joshi
 
Slides 6 design of sw arch using add
Slides 6 design of sw arch using addSlides 6 design of sw arch using add
Slides 6 design of sw arch using addJavid iqbal hashmi
 

Similaire à Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach (20)

SE2.ppt
SE2.pptSE2.ppt
SE2.ppt
 
Introduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptxIntroduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptx
 
[2015/2016] Software development process
[2015/2016] Software development process[2015/2016] Software development process
[2015/2016] Software development process
 
Software development PROCESS
Software development PROCESSSoftware development PROCESS
Software development PROCESS
 
SOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTES
SOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTESSOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTES
SOFTWARE ENGINEERING & ARCHITECTURE - SHORT NOTES
 
Ch2-Software Engineering 9
Ch2-Software Engineering 9Ch2-Software Engineering 9
Ch2-Software Engineering 9
 
Chapter 2.pptx
Chapter 2.pptxChapter 2.pptx
Chapter 2.pptx
 
Software engineering
Software engineeringSoftware engineering
Software engineering
 
SE18_Lec 02_Software Life Cycle Model
SE18_Lec 02_Software Life Cycle ModelSE18_Lec 02_Software Life Cycle Model
SE18_Lec 02_Software Life Cycle Model
 
Elementary Probability theory Chapter 2.pptx
Elementary Probability theory Chapter 2.pptxElementary Probability theory Chapter 2.pptx
Elementary Probability theory Chapter 2.pptx
 
Unit2 2
Unit2 2Unit2 2
Unit2 2
 
Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06
 
Week 10
Week 10Week 10
Week 10
 
Week 10
Week 10Week 10
Week 10
 
Sw engg two mark question
Sw engg two mark questionSw engg two mark question
Sw engg two mark question
 
Sdpl1
Sdpl1Sdpl1
Sdpl1
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
3. ch 2-process model
3. ch 2-process model3. ch 2-process model
3. ch 2-process model
 
Software Engineering Process Models
Software Engineering Process Models Software Engineering Process Models
Software Engineering Process Models
 
Slides 6 design of sw arch using add
Slides 6 design of sw arch using addSlides 6 design of sw arch using add
Slides 6 design of sw arch using add
 

Plus de CHOOSE

Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisCHOOSE
 
Continuous Architecting of Stream-Based Systems
Continuous Architecting of Stream-Based SystemsContinuous Architecting of Stream-Based Systems
Continuous Architecting of Stream-Based SystemsCHOOSE
 
Modelling and Programming: Isn’t it all the same?
Modelling and Programming: Isn’t it all the same?Modelling and Programming: Isn’t it all the same?
Modelling and Programming: Isn’t it all the same?CHOOSE
 
Practical Models in Practice
Practical Models in PracticePractical Models in Practice
Practical Models in PracticeCHOOSE
 
Services and Models in a Large IT System
Services and Models in a Large IT SystemServices and Models in a Large IT System
Services and Models in a Large IT SystemCHOOSE
 
Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...
Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...
Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...CHOOSE
 
Choose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
Choose'10: Stephane Ducasse - Powerful DSL engineering in SmalltalkChoose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
Choose'10: Stephane Ducasse - Powerful DSL engineering in SmalltalkCHOOSE
 
Choose'10: Ralf Laemmel - Dealing Confortably with the Confusion of Tongues
Choose'10: Ralf Laemmel - Dealing Confortably with the Confusion of TonguesChoose'10: Ralf Laemmel - Dealing Confortably with the Confusion of Tongues
Choose'10: Ralf Laemmel - Dealing Confortably with the Confusion of TonguesCHOOSE
 
Ralph Jocham The Risks Of Scrum Handout
Ralph Jocham The Risks Of Scrum HandoutRalph Jocham The Risks Of Scrum Handout
Ralph Jocham The Risks Of Scrum HandoutCHOOSE
 
Ralph Jocham The Risks Of Scrum
Ralph Jocham The Risks Of ScrumRalph Jocham The Risks Of Scrum
Ralph Jocham The Risks Of ScrumCHOOSE
 
Denker - Pharo: Present and Future - 2009-07-14
Denker - Pharo: Present and Future - 2009-07-14Denker - Pharo: Present and Future - 2009-07-14
Denker - Pharo: Present and Future - 2009-07-14CHOOSE
 
Hausi Müller - Towards Self-Adaptive Software-Intensive Systems
Hausi Müller - Towards Self-Adaptive Software-Intensive SystemsHausi Müller - Towards Self-Adaptive Software-Intensive Systems
Hausi Müller - Towards Self-Adaptive Software-Intensive SystemsCHOOSE
 
Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05
Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05
Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05CHOOSE
 
2008 02 01 Zeller
2008 02 01 Zeller2008 02 01 Zeller
2008 02 01 ZellerCHOOSE
 

Plus de CHOOSE (14)

Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
 
Continuous Architecting of Stream-Based Systems
Continuous Architecting of Stream-Based SystemsContinuous Architecting of Stream-Based Systems
Continuous Architecting of Stream-Based Systems
 
Modelling and Programming: Isn’t it all the same?
Modelling and Programming: Isn’t it all the same?Modelling and Programming: Isn’t it all the same?
Modelling and Programming: Isn’t it all the same?
 
Practical Models in Practice
Practical Models in PracticePractical Models in Practice
Practical Models in Practice
 
Services and Models in a Large IT System
Services and Models in a Large IT SystemServices and Models in a Large IT System
Services and Models in a Large IT System
 
Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...
Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...
Choose'10: Jean-Marie Favre - Domain and Technique Specific Languages – A Jou...
 
Choose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
Choose'10: Stephane Ducasse - Powerful DSL engineering in SmalltalkChoose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
Choose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
 
Choose'10: Ralf Laemmel - Dealing Confortably with the Confusion of Tongues
Choose'10: Ralf Laemmel - Dealing Confortably with the Confusion of TonguesChoose'10: Ralf Laemmel - Dealing Confortably with the Confusion of Tongues
Choose'10: Ralf Laemmel - Dealing Confortably with the Confusion of Tongues
 
Ralph Jocham The Risks Of Scrum Handout
Ralph Jocham The Risks Of Scrum HandoutRalph Jocham The Risks Of Scrum Handout
Ralph Jocham The Risks Of Scrum Handout
 
Ralph Jocham The Risks Of Scrum
Ralph Jocham The Risks Of ScrumRalph Jocham The Risks Of Scrum
Ralph Jocham The Risks Of Scrum
 
Denker - Pharo: Present and Future - 2009-07-14
Denker - Pharo: Present and Future - 2009-07-14Denker - Pharo: Present and Future - 2009-07-14
Denker - Pharo: Present and Future - 2009-07-14
 
Hausi Müller - Towards Self-Adaptive Software-Intensive Systems
Hausi Müller - Towards Self-Adaptive Software-Intensive SystemsHausi Müller - Towards Self-Adaptive Software-Intensive Systems
Hausi Müller - Towards Self-Adaptive Software-Intensive Systems
 
Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05
Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05
Ralf Laemmel - Not quite a sales pitch for C# 3.0 and .NET's LINQ - 2008-03-05
 
2008 02 01 Zeller
2008 02 01 Zeller2008 02 01 Zeller
2008 02 01 Zeller
 

Choose'10: Uwe Zdun - Compliance in service-oriented architectures: A model-driven and view-based approach

  • 1. Compliance in service-oriented architectures: A model-driven and view-based approach Uwe Zdun Software Architecture Group Department of Distributed and Multimedia Systems University of Vienna http://cs.univie.ac.at/swa
  • 2. 2 software architecture group COMPLIANCE: THE PROBLEM DOMAIN
  • 3. 3 software architecture group IT Compliance IT compliance means in general complying to regulations that apply to an IT system Examples of regulations are: Basel II, IFRS, MiFID, Cobit, LSF, Tabaksblat, Sarbanes-Oxley Act These cover issues such as auditor independence, corporate governance, and enhanced financial disclosure
  • 4. 4 software architecture group Other Compliance Sources Regulations are just one example There are many other rules and constraints in a software system that have similar characteristics Service composition/Deployment rules Service execution order rules Information exchange policies Security policies QoS rules Business rules Laws Licenses
  • 5. 5 software architecture group Current Practice for Dealing with Compliance Ideal case: A SW-framework for automatically dealing with compliance Problem: It is impossible to formalize all details of a jurisdictional text Interpretation by domain experts needed Complex references to other (jurisdictional) texts Hence, in many cases, compliance today is reached on a per-case basis
  • 6. 6 software architecture group Issues with the Current Practice Systems are hard to maintain hard to evolve or change hard to reuse hard to understand It is difficult to ensure guaranteed compliance to a given set of rules and regulations It is difficult to keep up with constant changes in regulations and laws Domain experts are not involved enough
  • 7. Compliance in SOAs So far the SOA approach does not provide any clear technological strategy or concept of how to realize, enforce, or validate various compliance concerns
  • 8. 8 software architecture group OUR APPROACH
  • 9. Approach Overview Models and meta-models for the specification of the SOA and compliance concerns Domain-specific languages (DSLs) and architectural views for compliance concerns Model-driven validation and generation of the SOA from the models Execution, monitoring, and enforcement of compliance concerns in the running SOA
  • 10. Approach: Auditor’s View Regulation / Legislation Norm/Standard Controls Automated Controls Report Manual Controls Manual Implementation Risk Management Department
  • 12. 12 software architecture group Architectural Overview MDSD Software Framework Repositories Application Servers, ESB Online Monitoring Offline Monitoring Dashboard Data Warehouse Verification Tools Compliance Request Language Design time Runtime
  • 13. 13 software architecture group Compliance Solution: Overview & Roles
  • 14. 14 software architecture group View-based, Model-driven Architecture Separation of concerns using architectural views Separate different concerns in view-based models Separation of abstraction levels: Separate technical and domain-oriented views Integrate via model relations and matching algorithms using the model-driven generator
  • 16. View-based Modeling Framework (VbMF) Separation of concerns
  • 17. View-based Modeling Framework (VbMF) Separation of technical and domain-oriented views
  • 18. Extended VbMF: Modelling and Integration of Compliance Concerns Core Model Flow View Model Collaboration View Model Information View Model Intellectual property and license DSL extends extends extends BPEL FLow View Model BPEL Collaboration View Model BPEL Information View Model extends extends extends Business Process Modeling QoS policy DSL Security policy DSL Compliance Modeling annotates Process-driven model instances with annotated compliance metadata instance-of Schematic Recurrent Code & Configurations generates extends Regulatory or legislative DSL Compliance Metadata Model annotates Documentation generates
  • 19. Domain-Specific Languages Tooling: High-level and low-level DSLs Business/Domain experts IT/Technical experts
  • 20. DSL – An Example High-Level DSL - Editor Low-Level DSL
  • 21. Compliance Metadata-Model A bridge between compliance concerns and SOA elements Compliance metadata model elements: References to regulations, standards, norms, licenses, etc. Controls Referencing Services, Processes, etc. (elements that implement the control) Control type (e.g., change management control) Risks associated to the controls This allows us to specify statements like: “Service/Process X is a change management control, defined in COBIT, to comply with SOX”
  • 23. 23 software architecture group Execution and Monitoring Process engine Service monitors Other IT event detector Event Bus Governance of Compliance Audit Trail Event Model Dashboard
  • 24. 24 software architecture group Compliance Governance Dashboard
  • 25. 25 software architecture group EXAMPLE
  • 26. 26 software architecture group An Example of Process Design
  • 27. 27 software architecture group Searching for process fragments realizing SOX 409 concerns using the Compliance Request Language Query Models
  • 28. 28 software architecture group No suitable fragments are found. We model the concern using the MDD framework Models Generated Code Verified Models Generated CodeGenerated CodeGenerated Code
  • 29. 29 software architecture group Monitor The Process at Runtime EventsEvents Display Information Display Information
  • 30. 30 software architecture group Analyze compliance violation: Perform root cause analysis using the models from the model repository Models Compliance Violation
  • 31. 31 software architecture group Root cause analysis and process redesign in detail Before: sequential task execution; slow, lots of violations MORSE Repository UUID 1 formID = „Form8K“ duration = 2 unit = BusinessDays ... : PublishDeadline UUID 5 Business process engine 1. Deploy process models Monitoring Infrastructure 2. Emit events UUID 3UUID 2UUID 1 3. Get compliance models (rules) for process 4. Process and analyze events UUID 1 Violation detected 5. Retrieve responsible / corresponding models ID = „Sec 409 Real time issuer disclosures“ ... : ComplianceConcern UUID 4 Compliance governance Web UI 6. Report violation 7. Root cause analysis / manipulation of model(s) Assess Intrusion End yes no Personal info lost or stolen? Response Write Form 8-K Approve Form 8-K Publish Form 8-K ! UUID 3 UUID 2 UUID 4 UUID 5 Assess Intrusion End yes no Personal info lost or stolen? Response Write Form 8-K Approve Form 8-K Intrusion detected Publish Form 8-K !After: parallel task execution; faster, fewer violations UUID 1
  • 32. 32 software architecture group Lessons Learned On The nature of business compliance in a SOA system Scattered through many system’s elements at different abstraction levels Existing in different development phases: analysis, design, implementation, and runtime Enabling methods and technologies for business compliance in SOAs should Tackling the compliance from multiple perspectives at multiple levels of abstraction Taking into account for the constant needs for changes of laws regulations, policies, etc., to ensure incremental compliance Engaging relevant stakeholders (business/domain experts, technical experts) by providing appropriate tooling and methods
  • 33. 33 software architecture group Many thanks for your attention! Uwe Zdun Software Architecture Group Department of Distributed and Multimedia Systems University of Vienna http://cs.univie.ac.at/swa