D10.2 Initial Report on network participation, community building


Deliverable ID: D10.2

Project: Aniketos (Secure and Trustworthy Composite Services), Integrated Project

Title: Initial report on network participation, community building and standardisation efforts

Approved by: Executive Board

Abstract:

Aniketos is about establishing and maintaining trustworthiness and secure behaviour in a constantly changing service environment. The project aligns existing and develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of composite services.

This deliverable is the second of three deliverables within the project in relation to Aniketos community building and standardisation. The document reports on the community building achievements of the project during Phase 2, measured against the plan set out in D10.1. The scope of this document is to report on the efforts, events, material, infrastructure and achievements made in standardisation, Aniketos community establishment and the open source community during Phase 2. The report will help analyse progress and adjust future plans where required.

Dissemination level: PU (Public)

The research leading to these results has received funding from the European Community's Seventh Framework Programme under grant agreement no. 257930.


Aniketos consortium

Aniketos is an Integrated Project within the 7th Framework Programme. Contact: SINTEF, NO-7465 Trondheim, Norway, tel. +47 73 59 30 06, www.sintef.com. The consortium members are:

www.sintef.com
www.tecnalia.com/en
www.cnr.it
www.thalesgroup.com
www.ljmu.ac.uk/cmp
www.selexelsag.com
www.search
www.atos.net
www.tssg.org
www.unitn.it
www.atc.gr
www.sap.com/research
www.italtel.it
www.uni
www.dblue.it
www.wind.it
www.daem.gr

D10.2: Initial report on network participation, community building and standardisation efforts

Table of contents

Aniketos consortium ..... iii
Table of contents ..... v
List of figures ..... vii
List of tables ..... vii
Executive summary ..... 9
1 Introduction ..... 10
1.1 Aniketos motivation and background ..... 10
1.2 Objective of this deliverable ..... 10
1.3 Structure of this document ..... 11
1.4 Relationships with other deliverables ..... 11
1.5 Contributors ..... 12
2 Community roadmap achievements ..... 13
2.1 Report on Aniketos social strategy ..... 13
2.1.1 The project Website ..... 13
2.1.2 Participation to social networks ..... 14
2.1.3 SlideShare ..... 15
2.1.4 GitHub ..... 15
2.1.5 YouTube ..... 15
2.1.6 Other social media ..... 15
2.1.7 Wiki ..... 16
3 Report on networking achievements ..... 18
3.1 Commercial networking activities ..... 18
3.2 Clustering facilitated by Effectsplus ..... 18
3.2.1 Clustering achievements in the first period ..... 18
3.2.2 Clustering achievements in the second period ..... 19
3.3 Other EU-funded projects liaison activities ..... 20
3.3.1 CHOReOS – Large Scale Choreographies for the Future Internet ..... 20
3.3.2 S-Cube, the European Network of Excellence in Software Services and Systems ..... 20
3.4 Other European networking ..... 20
3.5 International networking outside Europe ..... 21
3.6 Specific Aniketos events ..... 21
3.6.1 Aniketos workshop ..... 21
3.6.2 Aniketos Summer School ..... 21
4 Standardisation Report ..... 23
4.1 Items subject to standardisation ..... 23
4.1.1 STS-ml ..... 23
4.1.2 Response to changes and threats methods ..... 23
4.1.3 Security-by-contract models and methodologies ..... 23
4.2 Standardisation initiatives ..... 24
4.2.1 STS-ml ..... 24
4.2.2 Response to changes and threats methods ..... 24
4.2.3 Security-by-contract models and methodologies ..... 25
4.3 Initial contacts and future work ..... 25
5 Report on Open Source ..... 26
5.1 Social dynamics in Open Source software ..... 26
5.1.1 Adoption of source code control system ..... 26
5.1.2 Adoption of community control processes ..... 26
5.1.3 Metrics for Product and Project success ..... 26
5.2 Relevant EU Open Source projects ..... 27
5.3 Open source libraries ..... 27
5.4 Future work ..... 27
6 Conclusion ..... 28
7 Appendix A ..... 29
8 Appendix B – Report on IPR consideration and ownership of Aniketos Foreground components ..... 31
9 References ..... 34

List of figures

Figure 1: Goal: establish and maintain security and trustworthiness in composite services ..... 10
Figure 2: Project Web Site ..... 13
Figure 3: Aniketos Twitter account ..... 14
Figure 4: Aniketos LinkedIn account ..... 14
Figure 5: Conversion of prospective Aniketos community members ..... 16

List of tables

Table 1: An overview on social media-related communication channels as part of the Aniketos community building strategy ..... 16

Executive summary

Workpackage 10 specifically targets community building, networking and standardisation activities.

This deliverable aims to report on activities described in our initial planning deliverable D10.1 including new initiatives introduced during year 2 of Aniketos in relation to community building and standardisation. These activities include effort, events, materials, infrastructure and achievements within the European and International networks. This deliverable analyses progress to date and adjusts future plans where we have identified shortcomings or areas of opportunity not yet realised.

D10.2 sums up WP10 achievements to date and provides our future plans, focusing on outreach activities. It highlights the visibility of Aniketos across research and industry communities, our fruitful dissemination of project results which has resulted in strategic networking, and our ability to publicise our efforts and cluster effectively within Europe. Since our initial plans (D10.1) we have realised and matured many outlets for our communications, such as the project Web Site and our accounts on Twitter, LinkedIn, SlideShare, GitHub and YouTube. The wiki is the only item yet to be established.

There has been some commercial activity, albeit at low levels, reflecting the maturity of the project results at this stage of the project. Clustering activities have been active with Effectsplus, Assert4SOA, NESSOS, FiWare, CHOReOS and S-Cube as established strategic collaboration partners. The specific Aniketos events are on target, with our workshop complete and our summer school planning well underway. We have identified our targeted areas for standardisation and have plans in place for progress, as well as having established initial contact with the relevant bodies. Our open source infrastructure exists and benefits from our networking and community building efforts to date; thus it is an exciting time in terms of engaging with the ICT community.

Since D10.2 relies heavily on output from the technical workpackages, this deliverable describes some of the technical achievements and their impact on work package 10 including readiness of components for release outside of the Aniketos consortium environment. IPR issues are also considered.

Aniketos has positioned itself well during the last period with the Aniketos partners actively participating in the relevant technical and security communities; it has gone ahead with the plans outlined in the initial strategy D10.1 reaching the majority of the objectives. As anticipated, Aniketos has not yet been in a position to share code or demonstrate the Aniketos functionality. However this period is just around the corner as the decision to open source the STS tool, one of the foreground components from Aniketos, has recently been agreed.

It is worth noting that, through our complementary activities with WP11 as described in section 1.4, Aniketos has been extremely successful at outreach: there have been 3 press releases, 7 journal publications, 34 conference publications, 22 workshops attended and 6 posters presented. The high level of dissemination of Aniketos results has helped the community building and networking opportunities greatly, so that synergies are now ripe for achieving collaboration, public awareness and contribution opportunities for Aniketos in the remaining period.


1 Introduction

1.1 Aniketos motivation and background

The Future Internet will provide an environment in which a diverse range of services are offered by a diverse range of suppliers, and users are likely to unknowingly invoke underlying services in a dynamic and ad hoc manner. Moving from today’s static services, we will see service consumers that transparently mix and match service components depending on service availability, quality, price and security attributes. Thus, the applications end users see may be composed of multiple services from many different providers, and the end user may have little in the way of guarantee that a particular service or service supplier will actually offer the security claimed.

Figure 1: Goal: establish and maintain security and trustworthiness in composite services (figure labels: service developers, service providers, service end users; invoke, compose, provide, adapt/recompose; end user trust assurance and acceptance; identification of responsible party; self-protection; trust evaluation; security validation; discovery and composition support based on trustworthiness, security properties and metrics; relevant threat awareness; trust and security monitoring; threat notification; component change; change of threats; change of environment; design-time and runtime)

Aniketos is about establishing and maintaining trustworthiness and secure behaviour in a constantly changing service environment. The project aligns existing and develops new technology, methods, tools and security services that support the design-time creation and run-time dynamic behaviour of composite services, addressing service developers, service providers and service end users.

Aniketos provides methods for analysing, solving, and sharing information on how new threats and vulnerabilities can be mitigated. The project constructs a platform for creating and maintaining secure and trusted composite services. Specifications, best practices, standards and certification work related to security and trust of composite services are promoted for inclusion in European reference architectures. Our approach to achieving trustworthiness and security of adaptive services takes account of socio-technical aspects as well as basic technical issues.

1.2 Objective of this deliverable

This deliverable is the second of three deliverables within the Aniketos project work package 10 in relation to community building. It reports on our network participation, community building and standardisation activity, documenting efforts to date in relation to events, material, infrastructure and achievements.


It assesses the approaches taken and determines required adjustments where necessary. It reports on the steps and procedures followed to create and maintain the user community and assess the impact and visibility within the relevant communities of practice.

It discusses the Aniketos position in our involvement in the relevant European and International networks. The report also includes some analysis of possible contribution to relevant standards.

1.3 Structure of this document

This document is divided into seven sections. Section 1 is the introduction; section 2 reports on the community roadmap achievements; section 3 reports on our networking achievements, describing our networking and clustering work to date and events in Europe with other research communities. Section 4 provides a report and future plans for standardisation contributions, and section 5 details our progress on the Open Source front. Section 6 provides a conclusion and the last section provides references. Appendix A outlines our workshop report and Appendix B provides the IPR details for Aniketos components.

1.4 Relationships with other deliverables

WP10 and WP11 complement each other closely. An example that illustrates the distinction between the activities of WP10 (Community Building and Networking) and WP11 (Dissemination) is the following: the researchers in Aniketos expanding the knowledge in their expert domain, for example ‘Trustworthiness Monitoring of Dynamic Service Compositions’ [1], have documented their findings, successfully submitted them to a conference and subsequently presented them at the event. The first stage can be described as pure research activity (WP3), the second as dissemination of findings and results (WP11) and the third stage can be described as networking and community building (WP10). It is this distinction that positions Aniketos clearly in exploiting its research in the future.

D10.2 relates to the following deliverables:

D10.1 Initial Plan on Aniketos Community Building describes the baseline plan against which D10.2 measures progress.

D11.3 Second dissemination and exploitation plan presents an augmented and revised plan of activities and the approach to developing a realistic business plan to achieve the expected exploitation impact.

D5.2 Initial ANIKETOS platform integration provides the draft prototype implementation of the ANIKETOS platform, integrating the functionalities for both the design and run-time support of security aspects in service composition. The outreach activities in D10.2 depend on the D5.2 prototype and integration.

D7.2 Results of the first validation and evaluation of the ANIKETOS platform reports on the evaluation results from Phase 2. This helps to determine the acceptance criteria for releasing Aniketos code to GitHub and external communities, as described in D10.2.

D8.1 Distance learning material collection will include programmer’s guides and reference manuals (including code samples) and be complemented with a number of public webinars that explain the operation and the usage of certain components. It will support both internal and external interested parties in the digestion of all information regarding Aniketos project results and thus support the community building and networking activities by providing relevant outreach material.

D9.1 Demonstration material and events from Phase 2 describes the planning and the development of demonstration activities based on preliminary results from WP2-5. WP10 will in the next period use the demo material for outreach purposes as a tangible integrated Aniketos solution.

[1] http://www.slideshare.net/Aniketos/wewst11-trustworthiness-monitoring-of-dynamic-service-compositions-v2

1.5 Contributors

The following partners have contributed to this deliverable:

CNR contributed particularly in the area of networking and using its dissemination activities and publications to position Aniketos in the research domain.

SEARCH-LAB has contributed significantly toward the community roadmap achievements and social strategy while continuing to participate in outreach activities of networking and community building.

SINTEF has been pivotal in representing Aniketos within the EU research community and has contributed to the networking and clustering activities. SINTEF also acts as a link to other outreach activities to ensure complementary activities, minimise overlap and maximise synergies.

TECNALIA has been able to provide input in relation to how the technical workpackages liaise with the outreach activities in addition to contributions for standardisation and networking in relation to dissemination activities.

THALES has been central to the standardisation strategy so that Aniketos can have a tangible impact.

TSSG has contributed to establishing and maintaining many of the social media outlets, promoting community building at all levels within the project and building and maintaining our community and external visibility. TSSG has also contributed to the open source strategy, collaborating with other work packages and other EU projects to position Aniketos to ‘out live’ its project duration and realise its potential.

However, it is important to note that all Aniketos partners contribute to the community building aspects in their networking activities; this section specifies only the contributors to the production of this deliverable. Where specific partners have contributed to an activity, their contribution is acknowledged within the description of that activity.


2 Community roadmap achievements

This section looks to the community building strategy and roadmap developed in D10.1 and highlights the achievements during phase 2 in relation to the WP10 milestones.

2.1 Report on Aniketos social strategy

The aim of social media is to establish interactive communication with individuals, communities and organizations through internet-based applications. The most important aspect of social media is that users actively take part in creating the content – therefore the success of the whole process relies on the strategy and communication approach of the user.

With respect to Aniketos, using social media delivers the following benefits to the project:

1. Provide permanent visibility
2. Reach global audience
3. Accessible and cheap channel
4. Easy to use and develop
5. Spontaneous and quick response from participants
6. Create positive feelings from participants towards Aniketos brand.

We have long since created several social media accounts, and identified possibilities for other social media avenues to follow. As the project produces results such as prototypes and publications, the social media applications are used to promote the Aniketos community.

2.1.1 The project Website

We have integrated social media functionality into the website – the Twitter feed is available in a sidebar, and both the Twitter page and the LinkedIn group are linked directly from the main site as illustrated in Figure 2 below. We have also added “Share” buttons that allow visitors to share the website’s contents through a large number of social networks (320 in total).

Figure 2: Project Web Site


2.1.2 Participation to social networks

Twitter: The Aniketos Twitter account (Figure 3 below) is active at http://twitter.com/#!/AniketosEU . It provides a feed of Aniketos-relevant information: workshops, publications, community events, and Aniketos products (such as the STS Tool). It has tweeted 11 times and it currently has 34 followers.

Figure 3: Aniketos Twitter account

LinkedIn: The Aniketos LinkedIn group (Figure 4 below) has been created and is available at http://www.linkedin.com/groups?gid=3450426 . Currently the group is mainly used for intra-project communication; however, we now see an increase in project-external members. The group has approx. 60 members; it is envisaged that this group will be more active during Phase 3 when output from Aniketos is more tangible within the public domain. There is a facility for group statistics within the Aniketos LinkedIn account and we are planning to explore this further during the next phase.

Figure 4: Aniketos LinkedIn account


Facebook: Facebook communities are heavily content-driven. As shown by an investigation into reasons that may cause consumers to withdraw their “Like”s of a particular brand, more than half of people leaving a community do so either because of a lack of consistent updates, or uninteresting material [2]. In a highly technical context where the constant flow of information is more important, this percentage may be even higher. Therefore, we have decided to forego participating in the Facebook community.

2.1.3 SlideShare

SlideShare is a widely-used hosting service for slide-sets and presentations. As part of our dissemination, training, networking and community building objectives we have registered a SlideShare account at http://www.slideshare.net/Aniketos . Some material about Aniketos and Aniketos-related publications has been added already, and new material will continue to be added throughout the project as it becomes available; training presentations will be added after the first iteration of Aniketos distance learning material becomes finalised in M26.

2.1.4 GitHub

The Aniketos GitHub account is active at https://GitHub.com/AniketosEU ; currently there are no Aniketos components available at this stage for non-consortium members to contribute code to. This situation is about to change, as the STS-tool is about to be shared on GitHub with external communities and its license decision is currently under negotiation. Each component will need to go through this process and WP10 will support this through guidelines and advice where necessary. Once the IPR status of each of the Aniketos foreground components is fully decided by the component owner, as detailed in Appendix B (Report on IPR consideration and ownership of Aniketos Foreground components), the open-source components will be uploaded to GitHub. We expect this to take place from M24 onward. It is also expected that we will need to define release criteria for uploading code to GitHub; the process for this has been discussed at workshop meetings with WP5 contributors.

2.1.5 YouTube

The Aniketos YouTube channel is active at http://www.youtube.com/user/aniketoseu . Currently WP8 and WP9 are working on demonstration and training videos; once published, they will be uploaded to YouTube as well.

YouTube will be a very useful platform for distributing videos related to the project. The type of material that will be distributed through YouTube includes:

- Demonstrations about various Aniketos components (WP9)
- Training webinars (WP8)
- Technical how-to videos (technical WPs via WP9)

All of these videos can draw in interested parties, and make some aspects of Aniketos easier to understand for potential Aniketos end-users.

2.1.6 Other social media

As the project progresses, further social media tools will be used to attract members, participants and users to the Aniketos website and its community – and in this way encourage Aniketos’ community developing strategy. Target groups are professionals who will adopt or contribute to the Aniketos platform. It is important to note that social media tools only work if relevant, high-quality content targeted to the interests of users and participants already exists, and we will strive toward this objective. Well-designed and built pages in social network sites are capable of acting as valuable “landing pages” where basic information about the project is structured. Participants can start their “Aniketos virtual tour” in these social media accounts, which represents a very important so-called entry-level relationship stage. These tools will provide us conversion to the main site, which will provide good quality relevant visitors. This is depicted in Figure 5.

[2] DDB Opinionway: Facebook and brands, October 2010, Page 73. See http://bit.ly/9M1ndL

Figure 5: Conversion of prospective Aniketos community members (figure labels: Social media, Aniketos website, Acquire, Retain)

There are many social media tools available. It is very important to understand the strengths and weaknesses of each tool and integrate these technologies into one synergistic, efficient social media tactical plan. We have studied the available social media outlets; Table 1 below summarises our findings.

Table 1: An overview on social media-related communication channels as part of the Aniketos community building strategy

Channel | URL | Developments / achievements / plans
Project website | http://www.aniketos.eu/ | Social media functionalities integrated
Twitter | http://twitter.com/#!/AniketosEU | Created and actively used
LinkedIn | http://www.linkedin.com/groups?gid=3450426 | Created and active for project internal use, external marketing on-going
SlideShare | http://www.slideshare.net/Aniketos/ | Presentations from publications available and social media functionalities integrated
GitHub | https://GitHub.com/AniketosEU | Created, first open source results to be uploaded soon
YouTube | http://www.youtube.com/user/aniketoseu | Demonstrations and recorded webinars to be uploaded once available

Planned channel | URL | Developments / achievements / plans
Wiki | TBD | Planned

2.1.7 Wiki

To date there hasn’t been a requirement for a specific Aniketos wiki, thus the following section details our feasibility and recommendations for implementing a wiki rather than reporting on activity within a wiki. It is expected that once implemented the Aniketos wiki (either operated at the Aniketos community site or on the GitHub site) will allow community members to gain deep insight into the technical aspects of Aniketos, while also allowing them to refine and contribute technical content. In order to effectively populate a Wiki with useful information for interested developers and potential Aniketos contributors, we will need resources from WP8 and WP9; therefore, work on creating the Wiki is planned for M24 (at which time D9.1 should be complete, and some material from D8.1 should be available).

The actual implementation of the Wiki is still an open question under discussion. The options that are currently viable are:

1. Use the GitHub internal Wiki.
Pros: Requires comparatively little effort to set up. Can draw traffic from other GitHub communities. Off-site – will work even if the main Aniketos site shuts down several years after the end of the project.
Cons: Harder to ‘brand’ / personalise to Aniketos. Less total control over the site. Lack of coupling/easy integration with the community site.

2. Host a Wiki on the aniketos.eu site.
Pros: Can be seamlessly integrated with Aniketos components, e.g. the Community Support module. Full control over content.
Cons: Significant effort to set up and integrate with other components. Tied to the aniketos.eu site – no spillover traffic from other GitHub communities.

We are also investigating the software and structure of other EU projects that use Wiki software on their community site in case we decide to go with the second option.


3 Report on networking achievements

This section describes what was achieved to cluster with other projects and research themes as well as how we targeted the software development community through social media and networking mechanisms. As mentioned earlier in section 1.4, networking activities in Aniketos WP10 will complement WP11 dissemination activities.

3.1 Commercial networking activities

WP10 recommends that each industry partner specifically addresses our objective of linking Aniketos with other commercial networks so that our ICT contribution is exposed externally. To date SINTEF and SAP have targeted the following events as relevant; going forward we hope that other commercial partners will promote Aniketos at similar networking opportunities.

3.1.1.1 SINTEF

In November 2011 SINTEF and Telenor (the fourth largest telecom operator in the world) organized a joint workshop at Fornebu (Oslo, Norway). It was dedicated to Cloud Security, and results from Aniketos were used to present emerging concepts and technologies to various divisions and stakeholders within Telenor. The Technical Manager of Aniketos, Per Håkon Meland, gave a talk on security properties in contracts, and properties developed by Aniketos were used during a "world café" event where relevant security properties were discussed and ranked against various service scenarios. This feedback gave us valuable insight into what kinds of requirements are desirable in contracts from both a service provider and a consumer point of view. About 20 people participated in the workshop, including company lawyers, system owners, security officers, managers and service developers.

3.1.1.2 SAP

The SAP Development Kick-off Meeting (DKOM) is the largest internal SAP conference for developers. The annual DKOMs are held in parallel at multiple locations world-wide. In 2012, DKOM took place in Karlsruhe (Germany), San Jose (California, USA), Bangalore (India) and Shanghai (China). The DKOM is designed "by Development for Development" and sets the technology direction for the coming year, while allowing the development community to explore and experience the latest products, technologies, architectures, practices and tools.

Also in 2012, Aniketos contributed to a 45-minute presentation that was shown at all DKOM locations worldwide, addressing over 15,000 developers. In this presentation, the Aniketos technologies developed in the context of the Security Property Determination Module were used to educate the developers about programming-related security vulnerabilities in mobile applications and in servers written in ABAP. The presentation featured a basic electronic health care record app (called xViewApp) for Android devices. See D11.3 for a description of xViewApp.

3.2 Clustering facilitated by Effectsplus

Aniketos has engaged actively in clustering activities arranged by the Coordination and Support Action (CSA) Effectsplus (www.effectsplus.eu).

3.2.1 Clustering achievements in the first period

As reported in the first period, Aniketos participated in the survey conducted by the CSA Effectsplus, and in the first clustering meeting in March 2011 (Brussels). This was an introductory activity that mainly involved the project manager (Richard Sanders).


At the second clustering event in Amsterdam in July 2011 the Technical manager (Per Håkon Meland), the leader of WP1 (Erkuden Rios), the leader of WP2 (Fabio Martinelli) and the leader of WP3 (David Llewellyn-Jones) submitted an abstract and participated in the workshop, with a particular focus on identifying collaboration areas with other projects. The two main action points that concern Aniketos were:

1. Creating a cluster that can work on the need for a standardised format for expressing security properties in an SLA/security contract in a machine-readable way. We can then approach the relevant standardisation bodies (W3C, OGF and/or OMG) with greater momentum, starting with a core group consisting of Aniketos, NESSoS, Assert4SOA and Contrail, and possibly expanding as we go along. SINTEF offered to set up an eRoom collaboration space to share requirements/needs, scenarios/use cases, architecture and languages. Effectsplus would be involved in the effort for collaboration on topics related to Policy, which looked likely to be merged with this.

2. Aniketos and UTrustIT (http://www.utrustit.eu/) agreed to share information about methods (e.g. for evaluations), since both focus on the human (socio-technical) aspects.

3.2.2 Clustering achievements in the second period

In the period from November 2011 through February 2012 Aniketos joined with Effectsplus, NESSoS and Assert4SOA and contributed to the submission of a workshop proposal on Web Service Security Contracts at the Cyber Security & Privacy EU Forum (CSP 2012). The proposal was accepted. This workshop became the third clustering event for Effectsplus. The workshop report is found in section 7.

At the third clustering event in Berlin during CSP, 24th-25th April 2012, Aniketos held its workshop on Web Service Security Contracts. The project contributed with a presentation by the Technical manager (Per Håkon Meland) and Artsiom Yautsiukhin (CNR, WP2). Per Håkon introduced the three levels addressed by Aniketos: the socio-technical level (with STS-ml), the business process level (with security-enhanced BPMN) and the contractual level with machine-readable security properties using ConSpec (from University of Trento). Artsiom talked about contract specification and management with ConSpec. Other participants from Aniketos included the project manager (Richard Sanders), the leaders of WP1 (Erkuden Rios) and WP2 (Fabio Martinelli), as well as Dmitri Botvich (WP2) from TSSG.

The goal of the workshop was to progress on defining common areas for standardisation. TM Per Håkon Meland contributed to this as a member of the panel chaired by Ernesto Damiani (Assert4SOA), which in addition to the collaborating projects NESSoS (Aljosa Pasic), Assert4SOA (Michele Bezzi) and FI-WARE (Pascal Bisson/Daniel Gidon) also featured Rigo Wenning from W3C. A representative from ETSI (Amardeo Sarma from NEC) contributed from the audience.

The panel discussed options for ways forward, and ended up deciding that Ernesto Damiani (Assert4SOA) would ask for expressions of interest on: a) standardisation of the assurance process and b) standardisation of the outcome of the assurance process (how to express security properties).

Further detail is provided in the Standardisation Report (section 4), which identifies ETSI and W3C as the likely standardisation bodies.

The next Effectsplus clustering event is planned for 6th September 2012 in Padua, Italy, co-located with the SecureComm 2012 conference (http://securecomm.org/2012/show/home). The aim is to choose the path forward (which standards organisation to work with, with what aim, and how to fund the efforts) at that stage. Currently we are using our intranet eRoom to discuss our approach for the event in Padua, where the theme is exploitation of results.


3.3 Other EU-funded projects liaison activities

3.3.1 CHOReOS – Large Scale Choreographies for the Future Internet

CHOReOS (http://www.choreos.eu) is an FP7 IP project about large-scale choreography of services for the future internet. The objective of the project is to define and develop tools for specifying, designing, deploying, executing and governing large non-centralised compositions of services.

Since security aspects are not covered in the DoW of CHOReOS and the consortium does not include security experts, the CHOReOS consortium would like to collaborate with the Aniketos consortium as an actor in the security of service composition.

During the second period Aniketos had discussions with CHOReOS. At the plenary meeting in Paris in February 2012, Hugo Vincent (project leader of CHOReOS) gave an overview of the project, and Valerie Issarny (technical manager/scientific leader) presented the core concepts.

Common partners are Thales, CNR and WIND. Both projects use BPMN 2. Security and trustworthiness feature prominently in the CHOReOS architecture, and they need to integrate relevant solutions. We discussed how Aniketos can provide some of these solutions.

We concluded that the projects complement each other, since CHOReOS is about service composition without addressing security and trust aspects, while Aniketos is about security and trustworthiness in service composition (without advancing the state of the art of service composition per se). We agreed to study each other's work further, in particular regarding requirements, use cases and architectural patterns.

We have also discussed the opportunities to collaborate with CHOReOS on open source, as both projects have objectives in this area. Cedric Thomas has shared the CHOReOS community building methodology deliverable [4], which they envisage being applicable to FP7 projects in general, and Aniketos plans to explore this possible collaboration further with them.

3.3.2 S-Cube, the European Network of Excellence in Software Services and Systems

The S-Cube network of excellence has established an integrated, multidisciplinary, vibrant research community, enabling Europe to lead the software-services revolution and helping shape the software-service based Internet which is the backbone of our future interactive society. They arranged the 6th Advanced School on Service Oriented Computing (SummerSoc) in July 2012, where Dmitri Botvich from TSSG presented a tutorial on Trust for Communication Services and Networks: Introduction and Applications, drawing on the work in Aniketos and followed by a screencast demo. This collaboration is pivotal to positioning the planned Aniketos Summer School as described in section 3.6.2.

3.4 Other European networking

Cooperation with European organisations interested in security research includes the following:

NESSI (http://www.nessi-europe.com/) unites an ICT community of over 430 organisations from industry and academia. 11 of the Aniketos partners are involved in NESSI.

ERCIM (http://www.ercim.eu/, the European Research Consortium for Informatics and Mathematics) is a research consortium that spans Europe, consisting of principal research organisations in each country.

OWASP (http://www.owasp.org/, the Open Web Application Security Project) is a worldwide, free, vendor-agnostic and open community. The OWASP Foundation was established to encourage and facilitate application security projects, awarding grants to promising researchers. Dozens of projects have already been identified and granted funds to create tools, develop guides, perform surveys, and much more. Periodically, the OWASP Foundation launches the Seasons of Code, an open sponsorship programme where participants/developers are paid to work on OWASP (and web security) related projects. SINTEF is a member of OWASP Norway and TSSG is an OWASP Ireland member; both have participated in training and keep abreast of local activities and events.


TMForum (http://www.tmforum.org/browse.aspx): at Management World 2012 Aniketos members Jimmy McGibney (TSSG) and Madjid Merabti (LJMU) participated in a security panel during a research workshop called "Security in a federated world – How can you trust somebody when you've only just been introduced".

3.5 International networking outside Europe

Partners of the Aniketos consortium are involved in a number of international security projects jointly funded by the EU and the US National Science Foundation (NSF), namely Inco-Trust [6] and BIC [5]. Fabio Martinelli presented Aniketos at the recent BIC technical workshop on International Cooperation in Trustworthy ICT [5]. It is expected that during phase 4 of the project we will facilitate further international networking. This will be reported in D10.3.

3.6 Specific Aniketos events

As part of the Aniketos DoW task 10.2, we were to hold a workshop around month 18 to encourage focus on a particular research theme, and to host a summer school around month 28 to allow members of the network to draw on researchers from outside the network to collaborate on existing ideas, contribute to network enlargement and foster new directions. The following sections detail our progress on these items during period 2.

3.6.1 Aniketos workshop

We held a workshop session on Web Service Security Contracts at the Cyber Security & Privacy EU Forum 2012 (CSP 2012, http://cspforum.eu/). Further details of the workshop can be found in section 7 (Appendix A) and section 3.2.2, and the associated standardisation efforts in section 4.3.

3.6.2 Aniketos Summer School

During phase 2 we held a number of teleconferences and discussions and explored the options available for the planned summer school, which included the SummerSoc 6th Advanced School on Service Oriented Computing, a joint Aniketos / NESSoS Summer School in May 2012 (Malaga, Spain), ENISA, the 7th Joint European Summer School on Technology Enhanced Learning and the 11th International School on Foundations of Security Analysis and Design. We have now agreed that a joint Aniketos / NESSoS Summer School in May 2013 is the preferred option, to ensure that we can maximise our outreach to as many students as possible. The following topics have been identified as relevant, along with the associated consortium partner:

• secure service composition (CNR)

• security by contract with trust (CNR)

• managing and implementing trust requirements (CNR)

• formal methods for security management (CNR)

• developing adaptive socio-technical systems (UNITN)

• specification-based (model-based) security testing (SAP)

• static source code analysis for finding security vulnerabilities (SAP)

• socio-technical systems modelling languages (UNITN)

• security by contract (UNITN)

As mentioned in section 3.3.2, Dmitri Botvich from TSSG presented a tutorial at SummerSoc 2012 on Trust for Communication Services and Networks: Introduction and Applications, drawing on the work in Aniketos and followed by a screencast demo. The presentations are available on SlideShare (http://www.slideshare.net/Aniketos/demo-summer-soc28062012 and http://www.slideshare.net/Aniketos/socjuly2012dmitribotvich). The tutorial gives an introduction to and overview of trust management in communication networks and services.

The trust relationship is a social concept that has inspired many applications in contexts such as computing, networking, social networks and e-commerce; the tutorial considers different social perspectives on trust that provide a broad range of strategies applicable to very diverse application contexts. Application examples of trust management include intrusion detection, access control and service management. The tutorial also discusses the role of trust management in service-oriented computing, and considers architectural aspects of trust management including centralised, distributed and peer-to-peer systems. During phase 3 we will make further plans for the summer school: define the thematic areas, engage tutors, publicise it to attract students, decide whether to include provision for project demos and posters, and complete other necessary administrative tasks.


4 Standardisation Report

This section describes the efforts and activities performed during Phase 2 to achieve influence on and contribute to existing standardisation work related to the research areas of the project.

The objective of phase 2 was to identify which items of Aniketos work could be subject to standardisation and whether there is an existing standardisation initiative that the work can fit into. This has been achieved and is detailed below. This section is divided into three subsections: the first identifies the Aniketos items that are subject to standardisation, the second enumerates the standardisation initiatives that are relevant for these items, and the third describes the first actions initiated by Aniketos to contact standardisation organisations.

4.1 Items subject to standardisation

The results of each of the technical WPs, from WP1 to WP4, have been examined for items subject to standardisation. Since WP5 deals with the platform construction and integration of the other technical WPs' results, no specific items from it have been identified as subject to standardisation activities.

We decided to focus on three main items that represent the heart of the Aniketos contribution, in order to avoid spreading our efforts over too many tasks. These items are: the Socio-Technical Security modelling language (STS-ml), response to changes and threats methods, and security-by-contract models and methodologies. In this section we give some details about these items.

4.1.1 STS-ml

The Socio-Technical Security modelling language (STS-ml) developed within WP1 is a role- and goal-oriented language for the elicitation, analysis and specification of security requirements. STS-ml is expressly designed for service-oriented settings, wherein multiple autonomous and heterogeneous actors interact, through the provision of services, to fulfil their respective strategic interests. STS-ml is built around a set of high-level concepts, such as role, agent, goal, document, information, delegation and authorisation. It comprises a graphical notation that is supported by a computer-aided software engineering tool called STS-Tool. Starting from graphical models, the tool enables the automated derivation of security requirements that contractually constrain the interaction among actors, using the abstraction of social commitment.

4.1.2 Response to changes and threats methods

One of the goals of Aniketos is to define methods and implement tools that support response to changes and threats in services, both at design time and at run time. This is needed because the dynamic environment of service composition brings new threats. In addition, the Aniketos challenge of providing a platform that enables dynamic re-composition of services matching security contracts expressed by end-user needs requires taking changes in the environment into account.

In order to achieve this goal, the first period of WP4 was devoted to a large preparatory work of analysing the specific context of changes and threats in Future Internet composition of services, which resulted in a "changes and threats" taxonomy that can be very useful for organisations working on identification of new threats. The WP4 team also identified a set of countermeasures during the first period, which are under implementation. The Aniketos countermeasures represent a potential input for organisations interested in developing new methods that include threat response capability.

4.1.3 Security-by-contract models and methodologies

One of the main results of WP2 is a paradigm of security-by-contract that is specific to services. This includes a contract/policy language, an architecture that enforces service compliance with security contracts, and mechanisms for ensuring that contracts are fulfilled at run time and at design time. The objectives of Aniketos in this period were to:

• enable the definition of service contracts with a deontic contract language (a language that can express the rights and obligations of parties to a contract in a form that can be parsed by software applications and processed with other data to determine state information about matters governed by the contract);

• externally expose and update contracts between independent organisations without prior relationships;

• enable verification of service security properties and trustworthiness.

Additionally, in D1.2 we expressed many of our needs and visions for dynamic service composition in the form of scenarios and requirements, and these can be used to influence standardisation work in this area. For instance, the eContracts XML specification by OASIS [7] contains a number of scenarios in an appendix.
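As an added illustration of what a machine-readable deontic contract buys a service consumer, the following toy Python model is included here. It is not Aniketos code and it is not the project's contract language (ConSpec); the statement syntax, the action names and the matching rules are assumptions made for this example. A service's contract and a consumer's policy are both parsed into sets of permitted / obliged / prohibited actions, an internally inconsistent contract (an action both obliged and prohibited) is rejected at parse time, and compliance of the service contract with the consumer policy is then checked mechanically before composition.

```python
"""Toy deontic contract matcher.

Added example, not Aniketos code and not its contract language. A contract is
a set of statements '<modality> <action>' where modality is permitted, obliged
or prohibited and action is a plain string. The action names and the matching
rules are assumptions made for this example.
"""
from enum import Enum
from typing import Dict, List, Optional


class Modality(Enum):
    PERMITTED = "permitted"
    OBLIGED = "obliged"
    PROHIBITED = "prohibited"


class Contract:
    def __init__(self, party: str) -> None:
        self.party = party
        self.statements: Dict[str, Modality] = {}

    @classmethod
    def parse(cls, party: str, text: str) -> "Contract":
        """Parse one '<modality> <action>' statement per line.

        Blank lines and '#' comments are ignored. A contract that both obliges
        and prohibits the same action is internally inconsistent and rejected,
        so a consumer is never told 'compliant' on the strength of a contract
        that cannot be fulfilled.
        """
        contract = cls(party)
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            word, _, action = line.partition(" ")
            action = action.strip()
            if not action:
                raise ValueError(f"{party}: missing action in {raw!r}")
            modality = Modality(word.lower())  # ValueError on an unknown modality
            previous = contract.statements.get(action)
            if previous is not None and previous != modality:
                raise ValueError(
                    f"{party}: conflicting statements for {action!r}: "
                    f"{previous.value} vs {modality.value}"
                )
            contract.statements[action] = modality
        return contract

    def modality_of(self, action: str) -> Optional[Modality]:
        return self.statements.get(action)


def check_compliance(service: Contract, policy: Contract) -> List[str]:
    """Return the consumer-policy violations found in the service contract.

    Matching rules assumed for the example:
      * policy PROHIBITED action: the service must not be permitted or obliged to do it
      * policy OBLIGED action: the service must be obliged to do it (permitted is not
        enough, and silence is treated as a violation rather than as consent)
      * policy PERMITTED action: no constraint on the service
    """
    violations: List[str] = []
    for action, required in policy.statements.items():
        actual = service.modality_of(action)
        if required is Modality.PROHIBITED and actual in (Modality.PERMITTED, Modality.OBLIGED):
            violations.append(f"{action}: policy prohibits it but service contract says {actual.value}")
        elif required is Modality.OBLIGED and actual is not Modality.OBLIGED:
            stated = actual.value if actual else "nothing"
            violations.append(f"{action}: policy requires it but service contract says {stated}")
    return violations


# Constructed sample contracts (invented action names).
SERVICE_CONTRACT = """
# what a hypothetical payment service declares about itself
obliged    encrypt_in_transit
obliged    log_access
permitted  share_data_with_third_party
prohibited store_card_number
"""

CONSUMER_POLICY = """
# what a hypothetical consumer requires before composing with the service
obliged    encrypt_in_transit
obliged    retain_audit_log
prohibited share_data_with_third_party
prohibited store_card_number
"""


def demo() -> List[str]:
    service = Contract.parse("PaymentService", SERVICE_CONTRACT)
    policy = Contract.parse("Consumer", CONSUMER_POLICY)
    return check_compliance(service, policy)


if __name__ == "__main__":
    for violation in demo():
        print("VIOLATION:", violation)
```

Run as a script, the sample reports two violations: the service says nothing about retaining an audit log although the consumer requires it, and it permits sharing data with third parties although the consumer prohibits that. Treating silence as non-compliance for obligations is the conservative choice; a real contract language would also need a vocabulary of actions shared by both parties, which is exactly what the standardisation effort described in section 4 is about.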

4.2 Standardisation initiatives

This section identifies the standardisation initiatives that are relevant for the items described in the previous section.

4.2.1 STS-ml

The goal-oriented language closest to standardisation is the Goal-oriented Requirement Language (GRL), which is part of the User Requirements Notation (URN). URN is a Recommendation of the International Telecommunication Union (ITU-T Recommendation Z.151). To our knowledge, no other goal-oriented language has been adopted by any standardisation body. Within WP1 we will evaluate the return on the effort invested in trying to push the standardisation of STS-ml.

4.2.2 Response to changes and threats methods

The European Network and Information Security Agency (ENISA) is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security. It was formed in 2004 and facilitates the exchange of information between EU institutions, the public sector and the private sector.

The ENISA 2012 Work Programme has been structured as four separate work streams:

• WS1: Identifying & Responding to the Evolving Threat Environment

• WS2: Improving Pan-European CIIP & Resilience

• WS3: Supporting the CERT and other Operational communities

• WS4: Security Economics & Governance

WS1 is closely related to the work on response to changes and threats methods done by Aniketos. ENISA's objective in this work stream is to provide stakeholders with information on how risks and threats are evolving. More specifically, the aim is to link particular trends to particular stakeholder communities, thereby helping such communities to recognise and respond to changes in the threat landscape that are particularly relevant to their activities. Its objective is also to propose suitable mitigation strategies and identify recommendations and implementation options for dealing with the identified risks. The principal output of WS1 is a periodic report summarising and prioritising risks by stakeholder community.

WS1 is structured in three work packages:

• WPK 1.1: Emerging Opportunities & Risks

• WPK 1.2: Mitigation & Implementation Strategies

• WPK 1.3: Knowledge Base

The threats taxonomy defined in D4.1 can be a direct input for the first deliverable of WPK 1.1, D1: Security threat landscape in Europe.

The countermeasure methods initially defined in D4.1, developed in D4.2, and that will be extended in D4.4 and amended with algorithms specific to services in D4.3, represent a potential input for the two deliverables of WPK 1.3:

• D1: Periodic report on recommendations for mitigating the risks considered and materialisation of opportunities.

• D2: Implementation guidance per area/policy initiative.

4.2.3 Security-by-contract models and methodologies

ETSI is one of the world's leading standards development organisations for Information and Communication Technologies (ICT). It is an official European Standards Organisation recognised by the European Union, and it continually strives to collaborate with research bodies. Today ETSI's standardisation activities cover a broad spectrum of security issues, from lawful interception (LI) to algorithms, from electronic signatures to smart cards, and they relate to every aspect of ICT.

For instance, the "Identity and Access Management for Networks and Services" (INS) Industry Specification Group (ISG) takes Identity and Access Management beyond the current prime focus on the web and application domains. It represents a standardisation candidate for the Aniketos security-by-contract mechanisms that are related to identity and access management of service compositions. An ISG, supported by Working Groups where appropriate, is an activity organised around a set of ETSI work items addressing a specific technology area. Nobody from the Aniketos consortium is a member of ETSI, but ISGs have their own membership, which may consist of both ETSI members and non-members. In addition, the Aniketos consortium intends to approach the organisation by collaborating with other FP7 security projects (see more details in section 4.3).

4.3 Initial contacts and future work

Establishing contact with the targeted standardisation organisations is the objective of the next phase in Aniketos. However, we have taken the first steps to start this process. In April 2012, Aniketos co-organised a joint workshop with the Assert4SOA, NESSoS and FI-WARE projects at the CSP EU Forum 2012 event in Berlin. The objective was to share common needs between projects working with contracts, and jointly try to approach standardisation organisations such as W3C and ETSI. As mentioned in section 3.2.2, Ernesto Damiani (Assert4SOA) agreed to work together towards a joint document and find a path forward; the likely standardisation organisations are W3C and ETSI.

Possible ways forward that were proposed include:

1. Joint efforts of existing projects (the ones present plus others willing)

2. Involving ENISA

3. A coordinated action led by W3C funded by the Commission (Call 10)

A W3C representative (Rigo Wenning) and an ETSI representative (Amardeo Sarma from NEC) took part in this workshop session, and we told them of our interest in collaborating with both organisations (and others) in this area. The next step consists of collaborating further with Ernesto Damiani from UNIMI (University of Milano), who will centralise the standardisation work related to web service security contracts for Assert4SOA, NESSoS and FI-WARE in order to present it to W3C and ETSI.

CSP EU Forum 2012 was also an opportunity to meet Steve Purser from ENISA, who explained that ENISA does not compete with other work in the threat analysis area; their task is to bring together other people's work and package it for various target groups.

The next step consists of communicating the Aniketos threats taxonomy and the countermeasures defined in WP4 to ENISA and studying how these items could fit in the deliverables listed in section 4.2.2. We have also identified a set of W3C-related conferences that are relevant for Aniketos, such as the 22nd International World Wide Web conference (http://www2013.org) and the W3C Technical Plenary and Advisory Committee Meetings Week (TPAC 2012).


5 Report on Open Source

Aniketos supports an Open Source strategy in relation to its components. During phase 2, efforts were directed at planning and paving the way for phase 3, when decisions on foreground component licence choices and partner exploitation strategies will be made. This has been achieved. The strategy was initially detailed in D10.1, and the progress to date has aimed to lay the foundations for open source community building and networking. This section outlines relevant literature in the domain and the steps taken to date by Aniketos to facilitate the use of the Aniketos components by open source activists both internal and external to the project. It is clear from the previous sections (community roadmap, networking and standardisation achievements) that we have positioned Aniketos strategically to leverage our communities towards our open source objectives.

5.1 Social dynamics in Open Source software

Build and repository tools, change management and community communication all form part of the challenges of open source global software development. The Aniketos project recognises that source code management and social structures will contribute to the ultimate success or demise of publicly released components. The structures now exist: in liaison with WP5, code management is defined, and in liaison with WP11, community building and networking outreach methods are mature. The following sections support the adopted approach.

5.1.1 Adoption of source code control system

The Aniketos project has selected GitHub as the platform for managing our Open Source community activity. As described in section 2.1.4, many Aniketos members are now members of the Aniketos GitHub community. It is an exciting period, as the STS-Tool will be the first Aniketos component to be released to the community in the near future.

5.1.2 Adoption of community control processes

In addition to source control processes, Aniketos will establish community control processes for effective management, using the STS-Tool as the first instance. These are further discussed in section 5.3 below.

5.1.3 Metrics for Product and Project success

Some of the stand-alone Aniketos foreground components could be deemed a product. Metrics for product success have been identified across common factors such as activity levels, number of active developers, number of downloads of code, traffic on the website and number of bugs logged/fixed. Less tangible measures include usability, code quality, documentation quality, reliability of service, testability and availability, to give some examples. Aniketos will record and report on both tangible data such as code downloads and less tangible data such as reliability of service for the components targeted for open source release.

Open source research [2] [3] proposes some metrics for project performance; these key performance indicators (KPIs) are based on project effectiveness and project efficiency. Specifically, our GitHub repository will be able to provide statistics on the number of feature requests completed, number of code commits, number of patches completed, number of products/software releases and number of bugs fixed. It is recognised that user interest is one of the most relevant aspects, and that maintaining user interest may be more difficult than initially attracting users to adopt the project software. This is the level of popularity a project achieves in the community, and it can be measured through activity levels of announcements, releases and general communications in relation to a specific project. These metrics will be applicable to the Aniketos components, but targets will need to be set once the first products are released on GitHub and the project can be recognised by other non-consortium developers and users of the code. A cyclical approach of trial and evaluation to determine the most useful metrics will be employed.
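As an added example of how the KPIs listed above can be computed once the repository exists, the following Python script is included here. It is not Aniketos code and does not call the GitHub API; the event list is a constructed stand-in for the commits, merged pull requests, closed issues and releases a repository would expose, and the mapping from event kinds to KPI names, the actor names, the dates and the "activity trend" definition are assumptions made for the example. The trend function is there because the report singles out declining user interest after initial uptake as the harder problem to manage.

```python
"""Project KPIs computed from a constructed GitHub-style event log.

Added example, not Aniketos code. GitHub exposes commits, merged pull requests,
closed issues and releases through its API; here those are simulated by a
hand-written list so the script runs offline. Dates, names and counts are
invented.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Tuple

Event = Tuple[str, str, str]  # (ISO date, actor, kind)

# Constructed sample log (not real repository data).
EVENTS = [
    ("2012-09-03", "alice", "commit"),
    ("2012-09-04", "bob", "commit"),
    ("2012-09-10", "alice", "pull_request_merged"),
    ("2012-09-12", "carol", "issue_closed"),
    ("2012-09-20", "alice", "release"),
    ("2012-10-02", "bob", "commit"),
    ("2012-10-05", "dave", "issue_opened"),
    ("2012-10-11", "bob", "issue_closed"),
    ("2012-10-15", "alice", "feature_request_closed"),
    ("2012-11-01", "alice", "commit"),
    ("2012-11-08", "erin", "issue_opened"),
]

# KPI name -> event kind that counts towards it (mapping assumed for the example).
KPI_EVENT_KINDS = {
    "feature_requests_completed": "feature_request_closed",
    "commits": "commit",
    "patches_completed": "pull_request_merged",
    "releases": "release",
    "bugs_fixed": "issue_closed",
}

# Event kinds that show somebody is contributing code rather than only reporting.
DEVELOPER_KINDS = {"commit", "pull_request_merged", "release"}


def count_kpis(events: Iterable[Event]) -> Dict[str, int]:
    """Tangible KPIs: one counter per event kind listed in KPI_EVENT_KINDS."""
    kinds = Counter(kind for _, _, kind in events)
    return {name: kinds[kind] for name, kind in KPI_EVENT_KINDS.items()}


def active_developers_per_month(events: Iterable[Event]) -> Dict[str, int]:
    """Distinct actors with a developer event in each YYYY-MM month."""
    per_month = defaultdict(set)
    for day, actor, kind in events:
        if kind in DEVELOPER_KINDS:
            per_month[day[:7]].add(actor)
    return {month: len(actors) for month, actors in sorted(per_month.items())}


def activity_trend(events: Iterable[Event]) -> Optional[float]:
    """Ratio of the latest month's activity to the mean of all earlier months.

    Activity here is the raw count of events of any kind, a proxy for the
    announcements, releases and communications the report mentions. A value
    below 1.0 means interest is declining after the initial uptake. Returns
    None when fewer than two months of data exist.
    """
    per_month = Counter(day[:7] for day, _, _ in events)
    months = sorted(per_month)
    if len(months) < 2:
        return None
    earlier = [per_month[m] for m in months[:-1]]
    return per_month[months[-1]] / (sum(earlier) / len(earlier))


if __name__ == "__main__":
    print(count_kpis(EVENTS))
    print(active_developers_per_month(EVENTS))
    print(f"activity trend: {activity_trend(EVENTS):.2f}")
```

On the constructed log the script counts 4 commits, 1 merged patch, 2 bugs fixed, 1 feature request completed and 1 release, shows active developers falling from 2 in September to 1 in the following months, and reports an activity trend below 1.0, which is the signal that would prompt the announcements and communications the report describes. Replacing EVENTS with data pulled from the repository's API is the only change needed to run it for real.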

5.2 Relevant EU Open Source projects

In recognition of previous EU-funded projects in the open source domain, we decided that an analysis of existing open source projects should be carried out. This activity has not yet been prioritised in WP10 and will be addressed during the next phase. However, as described in section 3.3.1, we have contacted CHOReOS and initiated some collaboration in relation to the common open source objectives of the two projects.

5.3 Open source libraries

Aniketos is committed to its open source policy, and during its development lifecycle many of the components use open source libraries such as the following, all of which are used within the context of an Eclipse RCP application:

• EMF: http://www.eclipse.org/modeling/emf/

• GEF: http://www.eclipse.org/gef/

• GMF: http://www.eclipse.org/modeling/gmp/

• Equinox: http://www.eclipse.org/equinox/

• iText (http://itextpdf.com/) to generate PDFs (we are considering migrating to another library that supports editable files)

Other open source libraries include:

• commons-codec-1.6: http://commons.apache.org/codec/

5.4

Future work

As mentioned in the previous sections from an open source perspective phase 3 will thrust forward on guidelines for using GitHub specifically for Aniketos, establish relevant, realistic metric targets, work with WP5 to establish source code management practices for conversion to git, using our pivotal position in the European and International research community to leverage awareness and activity levels. We are well positioned to work with our communities to realise the Aniketos potential using our open source strategy as an instrument.


6 Conclusion

D10.2 is an interim deliverable paving the path for outreach of the Aniketos technical solution. It is evident that the plans presented in D10.1 have been mobilised, Aniketos development has progressed, and D10.2 documents the steps taken to ensure awareness of, and external collaboration potential for, Aniketos during phase 3 and beyond. It encompasses many outreach activities carried out in collaboration with the other outreach work packages to ensure project visibility and peer recognition of the research being carried out. Much has been achieved in phase 2 of Aniketos, and many stepping stones are in place to ensure that the technical deliverables get maximum exposure, both within European networks and globally. Specifically, D10.2 has outlined our next steps in relation to our social media roadmap, standardisation objectives, planned summer school and open source strategy. There are many challenges ahead in ensuring that the project results are of sufficient quality to 'outlive' the project duration, but given the steps taken to date we are confident that this is achievable and that the usefulness of Aniketos functionality can and will be realised across the targeted communities.


7 Appendix A

Workshop Report on Web Service Security Contracts

Claudio A. Ardagna, Michele Bezzi, Ernesto Damiani, and

Miguel Ponce de Leon

Abstract

The clustering Workshop on Web Service Security Contracts aimed to share ideas and experiences between relevant EU projects, standardization bodies and other interested parties on Assurance Level Agreements (ALA) for SOA, and to align outreach activities in order to achieve a higher impact on technological standardization and development in Europe and abroad. The workshop aimed to support assurance by design and assurance by contract by paving the way toward a shared notion of ALA, including models and languages for expressing, certifying and negotiating the assurance level of services implemented on a SOA infrastructure. It was expected that such a notion would eventually lead to a standardization effort.

Short Report

The Workshop on Web Service Security Contracts was co-located with the Cyber Security & Privacy EU Forum 2012 and was held on April 25, 2012. After a brief welcome by Prof. Damiani, who summarized the goals and agenda of the workshop, the representatives of four FP7 EU research projects gave talks presenting their vision of assurance issues, challenges and solutions in the context of the SOA infrastructure. In particular, Dr. Aljosa Pasic (Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS)) presented how industry and academic research work together in the context of secure software and service engineering. Dr. Michele Bezzi (Advanced Security Service cERTificate for SOA (ASSERT4SOA)) discussed how security certifications can be moved to the SOA scenario, and presented models and a language for security certification of services. Dr. Per Håkon Meland and Dr. Artsiom Yautsiukhin (Secure and Trustworthy Composite Services (Aniketos)) presented a solution to contract specification and management that supports service discovery and verification in the SOA infrastructure. Finally, Dr. Pascal Bisson and Daniel Gidoin (Future Internet Core Platform (FIWare)) presented a generic and extensible ICT platform for Future Internet services, focusing on a security architecture supporting security, privacy and trust requirements. At the end of the project representatives' talks, a panel on standardization activities in the context of security assurance solutions was held with the participation of Dr. Rigo Wenning from W3C. The panel fostered an interesting and stimulating discussion between the speakers and all participants of the workshop. In particular, the discussion focused on the potential of standardization for those security assurance solutions and concepts which are shared among several different EU projects. Among them, the panellists identified security properties as the common ground for all the projects' efforts and suggested the need for a standard definition of properties. The discussion then moved to the identification of the different approaches that can be used to evaluate security properties, distinguishing between: i) past evaluation, that is, certification that some properties hold at a given time in a given context, and ii) run-time continuous evaluation, that is, monitoring of property support over time. The panellists identified the first possibility as the more stringent, since it gives a good balance between trustworthiness of services and liability of service providers. Finally, the discussion identified the auditing problem as an important factor for the success of assurance techniques.

Workshop Outcome and Outlook

The workshop ended with a discussion about the next steps and activities. First of all, the involved parties will evaluate the possibility of starting a standardization effort on security properties, the assurance process and/or assurance outcomes that integrates interested EU projects in a single framework. Two possibilities have been identified: the first is the definition of a community group at W3C; the second is participation in a coordination action funded by the European Commission. Furthermore, the workshop organizers will set up a formal group and will organize a meeting (as a follow-up to this workshop) to write a joint document specifying requirements on security properties and assurance, and identifying what is in scope of the planned joint effort (e.g. lightweight Common Criteria, formal properties and ontology, past and runtime evaluation). The opportunity of organizing this meeting during the next Effectsplus clustering event, to be held on September 6 in Padua, Italy, co-located with the SECURECOMM 2012 conference, will be evaluated.


8 Appendix B – Report on IPR consideration and ownership of Aniketos Foreground components

The table below lists each foreground asset with its owner(s), a short description and its IPR type. Owners are given as in the original table, in its row order.

Asset Name: Security-by-Contract (SxC)
Owner(s): ATOS
Short description: The trademark on the use of the technology based on load-time verification in WP2.
IPR Type: Foreground

Asset Name: STS-tool
Owner(s): University of Trento
Short description: The STS-tool is the CASE tool that supports the Socio-Technical Security modelling language (STS-ml).
IPR Type: Foreground

Asset Name: Model Transformation Module (MTM)
Owner(s): TECNALIA
Short description: The Model Transformation Module transforms the service model described through the s-t-s modelling language (SecuritySpecificationModel) into the different formats needed by the other components of the platform.
IPR Type: Foreground

Asset Name: Trustworthiness component
Owner(s): TSSG
Short description: The Trustworthiness Component is a physical component which integrates the functionalities of two logical modules presented in D1.2, namely the Trustworthiness Prediction and Trustworthiness Monitoring modules.
IPR Type: Foreground

Asset Name: Contract Manager module (CMM)
Owner(s): CNR
Short description: The main functionalities of the CMM are: it manages the overall security checking process; it checks the compliance of an agreement template from a service provider with the consumer security policy; and it supports the runtime usage of security contracts by deriving the monitoring rules from security contracts, updating the status of contracts based on relevant events, and responding to contract violations identified by the environment monitoring service. The CMM is a physical component which implements part of the functionalities allocated to the logical Security Verification Module.
IPR Type: Foreground

Asset Name: Security Property Determination Module (SPDM)
Owner(s): TSSG
Short description: The Security Property Determination Module (SPDM) is responsible for managing the security properties associated with a service (whether the service is atomic or itself a composite of subservices). It interacts with the Verification Module (and the CMM) and with the properties associated with services in the Marketplace.
IPR Type: Foreground

Asset Name: Security Property Verification module (SPVM)
Owner(s): CNR
Short description: The Property Verification Module (PVM) analyses a service implementation (e.g., based on its source code) for compliance with the required security properties (e.g., absence of certain vulnerabilities, enforcement of access control, ensuring data privacy) as expressed in the contract. It is a physical component which implements part of the functionalities allocated to the logical Security Verification Module.
IPR Type: Foreground

Asset Name: Composition Security Validation Module (CSVM)
Owner(s): SAP
Short description: The Composition Security Validation Module (CSVM) verifies the service's compliance with agreement templates both at design time and at runtime. At design time, this module uses inputs from the Trustworthiness Component (more specifically the trustworthiness prediction functionality), the Security Property Determination Module (SPDM), the Threat Response Recommendation Module and the Secure Composition Planner Module (through the CMM). Its output is returned to the CMM. At runtime, the CSVM is triggered through the CMM to verify the result of a secure re-composition. It is a physical component which implements part of the functionalities allocated to the logical Security Verification Module.
IPR Type: Foreground

Asset Name: Secure Composition Planner Module (SCPM)
Owner(s): LJMU
Short description: The Secure Composition Planner Module (SCPM) creates one or more suggestions based on the security features of a given composition plan. It makes use of the Trustworthiness Component (the Trustworthiness Prediction functionality, routed via the Security Property Determination Module) and the SPDM itself to accomplish this.
IPR Type: Foreground

Asset Name: Security policy monitoring module
Owner(s): CNR
Short description: The Security Policy Monitoring Module provides the following main functionalities: it supports the runtime usage of security contracts; it derives monitoring rules from security contracts; it updates the contract status based on relevant events; and it responds to contract violations.
IPR Type: Foreground

Asset Name: Threat response recommendation module (TRRM)
Owner(s): ATOS
Short description: The Threat Response Recommendation Module works mainly during the validation phase. When it is invoked by the CMM, it checks the compliance of a service with the contract and recommends re-composition or reconfiguration if needed.
IPR Type: Foreground

Asset Name: Service Threat Monitoring Module (STMM)
Owner(s): THALES
Short description: The Service Threat Monitoring Module is invoked at deployment time when a new service is deployed, and registers with the monitoring service according to the specifications given in the contract.
IPR Type: Foreground

Asset Name: Notification module
Owner(s): SINTEF
Short description: As indicated in D1.2, the notification mechanism can be based on the publish/subscribe paradigm. In that case, the Notification Module forwards notifications to the relevant subscribers according to the subscription criteria, such as the alert/notification types and thresholds. The subscribers can be relevant services or end users in the environment, or other Aniketos platform components. For example, change notifications can be sent to the Service Threat Monitoring Module for threat analysis.
IPR Type: Foreground

Asset Name: Community Support Module (CSM)
Owner(s): SearchLab / ATC
Short description: The Community Support Module is a content repository supporting all Aniketos stakeholders, such as service developers, service composers and end users, with material including patterns and guidelines for developing trust and security properties in composite service engineering and for establishing trust among end users, as well as demonstration material to help them apply the Aniketos platform in their service engineering practices.
IPR Type: Foreground

Asset Name: Threat Repository Module (TRM)
Owner(s): SEARCH
Short description: The Threat Repository Module is a database containing a list of threats and their associated countermeasures. Following the clarifications on countermeasures given above, the countermeasures stored in the Threat Repository can be security policies, security patterns or monitoring controls.
IPR Type: Foreground

Asset Name: Marketplace
Owner(s): ATC
Short description: This module includes a set of services supporting the Aniketos marketplace. The marketplace complements existing service registry technology, such as UDDI, with specific information on trust and security properties.
IPR Type: Foreground

Asset Name: Training Material Module (TMM)
Owner(s): SEARCH-LAB
Short description: The Training Material Module contains training and individual learning materials that enable the uptake of Aniketos practices and results and the development and delivery of secure and trustworthy services.
IPR Type: Foreground

Asset Name: Security Requirements Compliance Module (SRCM)
Owner(s): UNITN
Short description: The purpose of the Security Requirements Compliance Module (SRCM) is to support the response to changes and threats that affect the satisfaction of the security and trustworthiness requirements created with the STS-Tool.
IPR Type: Foreground

Asset Name: Composite Service Security Testing Module (CSSTM)
Owner(s): SEARCH-LAB
Short description: The CSSTM is a hybrid solution for detecting vulnerabilities at runtime in composite services, both at the time of composition and after the composition has already taken place.
IPR Type: Foreground

Asset Name: Service Composition Framework (SCF)
Owner(s): ELSAG
Short description: The Service Composition Framework is built as an Eclipse RCP application and contains all the Aniketos design-time modules that expose a GUI (the SCPM, CSVM and SPDM are already integrated; the MTM will be integrated in the coming months).
IPR Type: Foreground

Asset Name: Identity Management Service (IdM)
Owner(s): ATC
Short description: The Identity Management Service (IdM) is a DOSGi application which provides a Web Services interface for authentication, authorization and registration/unregistration of identities with an identity provider, through the use of sessions.
IPR Type: Foreground

Asset Name: Platform for Runtime Reconfigurability of Security (PRRS)
Owner(s): ATOS
Short description: The environment Platform for Run-time Reconfigurability of Security (PRRS) tool is in charge of providing monitored security solutions (PRRS-aware solutions), sending the events generated by these solutions to the Aniketos monitors (for instance the Service Threat Monitor through the IThreatEvent interface).
IPR Type: Foreground
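The contract-monitoring behaviour described above for the Contract Manager and Security Policy Monitoring modules (deriving monitoring rules from a contract, updating the contract status on events, responding to violations) and the Notification Module's publish/subscribe forwarding by type and threshold are illustrated by the following added example. It is not Aniketos code: the contract format, the property names, the severity values, the subscriber set and the sample events are all assumptions made for the illustration. It also handles one failure mode the table does not spell out: a contract clause for which no monitoring rule exists is rejected rather than silently reported as fulfilled.

```python
# Added example, not Aniketos project code: a minimal runtime contract monitor
# that (1) derives monitoring rules from a security contract, (2) updates the
# contract status as runtime events arrive and (3) reports violations through a
# publish/subscribe notification bus filtered by type and severity threshold.
# The contract format, property names, severities and events are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Severity attached to a violation of each contract property (assumed values).
SEVERITY = {"encryption": 3, "allowed_callers": 3, "max_latency_ms": 1}


@dataclass
class Contract:
    service: str
    properties: Dict[str, object]  # e.g. {"encryption": "TLS", "max_latency_ms": 200}


@dataclass
class Rule:
    name: str
    check: Callable[[dict], bool]  # True when the event satisfies the clause


def derive_rules(contract: Contract) -> List[Rule]:
    """Map each contract clause to a predicate over runtime events.

    A clause with no known monitoring rule raises instead of being skipped:
    a contract the monitor cannot enforce must not be reported as fulfilled.
    """
    rules: List[Rule] = []
    for prop, required in contract.properties.items():
        if prop == "encryption":
            rules.append(Rule(prop, lambda e, r=required: e.get("encryption") == r))
        elif prop == "max_latency_ms":
            rules.append(Rule(prop, lambda e, r=required: e.get("latency_ms", 0) <= r))
        elif prop == "allowed_callers":
            rules.append(Rule(prop, lambda e, r=required: e.get("caller") in r))
        else:
            raise ValueError(f"no monitoring rule for contract property {prop!r}")
    return rules


@dataclass
class Subscription:
    event_types: set
    min_severity: int
    deliver: Callable[[dict], None]


class NotificationBus:
    """Publish/subscribe forwarding by notification type and severity threshold."""

    def __init__(self) -> None:
        self.subscriptions: List[Subscription] = []

    def subscribe(self, event_types, min_severity: int, deliver) -> None:
        self.subscriptions.append(Subscription(set(event_types), min_severity, deliver))

    def publish(self, note: dict) -> int:
        """Forward a notification to every matching subscriber; return the count."""
        delivered = 0
        for sub in self.subscriptions:
            if note["type"] in sub.event_types and note["severity"] >= sub.min_severity:
                sub.deliver(note)
                delivered += 1
        return delivered


class ContractMonitor:
    """Tracks one service's contract status against runtime events."""

    def __init__(self, contract: Contract, bus: NotificationBus) -> None:
        self.contract = contract
        self.rules = derive_rules(contract)  # fails fast on unmonitorable clauses
        self.bus = bus
        self.status = "fulfilled"
        self.violations: List[dict] = []

    def on_event(self, event: dict) -> str:
        # One event can breach several clauses; each breach is reported separately.
        for rule in self.rules:
            if not rule.check(event):
                self.status = "violated"
                note = {"type": "contract_violation", "service": self.contract.service,
                        "rule": rule.name, "severity": SEVERITY[rule.name], "event": event}
                self.violations.append(note)
                self.bus.publish(note)
        return self.status


def run_sample() -> dict:
    """Constructed scenario: one contract, two subscribers, four runtime events."""
    contract = Contract("payment-service", {"encryption": "TLS", "max_latency_ms": 200,
                                            "allowed_callers": {"shop", "billing"}})
    bus = NotificationBus()
    threat_monitor: List[dict] = []  # only wants serious violations (severity >= 2)
    audit_log: List[dict] = []       # wants every violation
    bus.subscribe({"contract_violation"}, 2, threat_monitor.append)
    bus.subscribe({"contract_violation"}, 0, audit_log.append)
    monitor = ContractMonitor(contract, bus)
    events = [  # constructed sample events, not real traffic
        {"encryption": "TLS", "latency_ms": 120, "caller": "shop"},    # compliant
        {"encryption": "none", "latency_ms": 150, "caller": "shop"},   # plaintext call
        {"encryption": "TLS", "latency_ms": 350, "caller": "shop"},    # too slow
        {"encryption": "TLS", "latency_ms": 90, "caller": "unknown"},  # unauthorised caller
    ]
    statuses = [monitor.on_event(e) for e in events]
    return {"status": monitor.status, "status_after_first": statuses[0],
            "violated_rules": [v["rule"] for v in monitor.violations],
            "threat_monitor": len(threat_monitor), "audit": len(audit_log)}


if __name__ == "__main__":
    print(run_sample())
```

In the sample run the contract moves from "fulfilled" to "violated" on the second event; the low-severity latency breach reaches only the audit subscriber, while the plaintext call and the unauthorised caller are also forwarded to the threat-monitor subscriber, which is the type-and-threshold filtering the Notification Module description refers to.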


9 References

[1] Stiles, E., & Cui, X. (2010): "Workings of Collective Intelligence within Open Source Communities", in S. Chai, J. J. Salerno, & P. L. Mabry (Eds.), Advances in Social Computing, vol. 6007, pp. 282-289, Springer. Retrieved from http://www.springerlink.com/content/j95808j63p653l7k/

[2] English, R., & Schweik, C. M. (2007): "Identifying success and abandonment of Free/Libre and Open Source (FLOSS) commons: A classification of Sourceforge.net projects", UPGRADE, VIII(6), pp. 54-59, Dec. 2007.

[3] West, J., & O'Mahony, S. (2008): "The Role of Participation Architecture in Growing Sponsored Open Source Communities", Industry and Innovation, 15(2), pp. 145-168.

[4] CHOReOS community building methodology deliverable. Retrieved from http://www.choreos.eu/bin/download/Download/Deliverables/CHOReOSWP09D9.7.1PlanofOpenSourceCommunityBuildingVA.pdf

[5] BIC technical workshop on International Cooperation in Trustworthy ICT. Retrieved from http://www.bic-trust.eu/2012/07/03/bic-workshops-held-on-21-22nd-june-2012/

[6] Inco-Trust, a co-ordination action EU project on international cooperation in the area of Trustworthy, Secure and Dependable ICT infrastructures. Retrieved from http://www.incotrust.eu/

[7] eContracts XML specification by OASIS. Retrieved from http://docs.oasis-open.org/legalxmlecontracts/CS01/legalxml-econtracts-specification-1.0.html
