Title :
A Risk-Evaluation Assisted System for Service Selection
Author :
Ennan Zhai ; Liang Gu ; Yumei Hai
Author_Institution :
Dept. of Comput. Sci., Yale Univ., New Haven, CT, USA
Abstract :
With the rapid adoption of Service Oriented Architecture (SOA), increasingly more application-level services are developed through composing service components offered by different service providers. While such an application development mode offers advantages in terms of cost-effectiveness and flexibility, application developers cannot understand or deal with risks potentially resulting from vulnerabilities within composed services due to non-transparency of the service providers. Furthermore, some of the vulnerabilities in practice are deeply hidden in dependency structures underlying composed services, thus making even the service providers fail to know the vulnerabilities. This paper proposes a risk-evaluation assisted service selection system, called Risk Evaluation-as-a-Service (or REaaS), which aims to assist application developers to understand vulnerability risks hidden within alternative services when the developers at first attempt to adopt their applications. In particular, for a given application developer's service selection requirement, REaaS produces a ranking list based upon vulnerability risks of alternative services to serve as a guideline regarding which service has the lowest potential risks (e.g., bugs) for this application deployment. REaaS achieves this goal through the following three steps: 1) generating a package dependency graph for each alternative service, 2) assigning threat-degrees to packages in each dependency graph, and 3) analyzing each dependency graph and evaluating service-risk of each service. We have built a REaaS prototype and used a real case study to demonstrate the practicality of REaaS.
Keywords :
Web services; directed graphs; risk management; service-oriented architecture; REaaS; SOA; application developers; application development mode; application-level services; cost-effectiveness; package dependency graph; ranking list; risk evaluation-as-a-service; risk-evaluation assisted service selection system; service components; service composition; service oriented architecture; service providers; service selection requirement; threat-degrees; vulnerability risks; Databases; Protocols; Prototypes; Registers; Security; Service-oriented architecture; Silicon;
Conference_Title :
Web Services (ICWS), 2015 IEEE International Conference on
Conference_Location :
New York, NY
Print_ISBN :
978-1-4673-7271-8
DOI :
10.1109/ICWS.2015.94