Test-based security certification of composite services

Marco Anisetti, Claudio Ardagna, Ernesto Damiani, Gianluca Polegri

Research output: Contribution to journalArticlepeer-review

17 Scopus citations


The diffusion of service-based and cloud-based systems has created a scenario where software is often made available as services, offered as commodities over corporate networks or the global net. This scenario supports the definition of business processes as composite services, which are implemented via either static or runtime composition of offerings provided by different suppliers. Fast and accurate evaluation of services' security properties becomes then a fundamental requirement and is nowadays part of the software development process. In this article, we show how the verification of security properties of composite services can be handled by test-based security certification and built to be effective and efficient in dynamic composition scenarios. Our approach builds on existing security certification schemes for monolithic services and extends them towards service compositions. It virtually certifies composite services, starting from certificates awarded to the component services.We describe three heuristic algorithms for generating runtime test-based evidence of the composite service holding the properties. These algorithms are compared with the corresponding exhaustive algorithm to evaluate their quality and performance.We also evaluate the proposed approach in a real-world industrial scenario, which considers ENGpay online payment system of Engineering Ingegneria Informatica S.p.A. The proposed industrial evaluation presents the utility and generality of the proposed approach by showing how certification results can be used as a basis to establish compliance to Payment Card Industry Data Security Standard.

Original languageBritish English
Article number3
JournalACM Transactions on the Web
Issue number1
StatePublished - Dec 2018


  • Cloud
  • Model-based testing
  • Security certification
  • Service composition
  • Service-oriented architecture
  • Software-as-a-service
  • Web services


Dive into the research topics of 'Test-based security certification of composite services'. Together they form a unique fingerprint.

Cite this