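Abstract
To identify potential risks in J2EE architecture design and to assess how fully J2EE security mechanisms are implemented, a J2EE architecture security evaluation method based on component security attributes is proposed. The method focuses on the strength with which the architecture's security mechanisms are implemented, refines architectural security down to the component level, and uses a security attribute tree to describe each component's security mechanisms for evaluation. During evaluation, components are first classified by J2EE tier and component function; the analytic hierarchy process and fuzzy evaluation are then used to compute the components' security evaluation factors; finally, the component security factors are combined to reach a security conclusion for the J2EE design. Experiments show that the method improves evaluation efficiency and makes the J2EE architecture security evaluation process more objective and precise.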
In order to identify potential risks of J2EE architecture and assess the implementation of J2EE security mechanisms, this paper presents a quantitative J2EE security evaluation method based on the security of components. The method focuses on how strongly the architecture's security mechanisms are implemented, refining the security of the architecture to the component level and describing each component's security mechanisms with a security tree. In this process, the components of a J2EE architecture are classified and their security measures are identified according to component function and J2EE level. Then, an integration of the analytic hierarchy process (AHP) and fuzzy evaluation analysis is used to consider both quantitative and qualitative factors in evaluating the security of components, from which security conclusions about the architecture are obtained. The experiments show that this method can not only improve evaluation efficiency, but also make the security evaluation process more objective and accurate.
Source
Journal of Frontiers of Computer Science and Technology (《计算机科学与探索》)
CSCD
2014, Issue 5, pp. 572-581 (10 pages)
Funding
National Natural Science Foundation of China, Nos. 91118003, 61272106/F020208
Keywords
J2EE
security evaluation
component
security tree model (security attribute tree model)