SOA Security
OWASP
Iris Levari
Amdocs
irisl@amdocs.com
12/3/07
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP
2
SOA Example
SOA Key Terms
SOA - Service Oriented Architecture
Business process oriented architecture
Decomposing business processes into discrete functional units = services
Existing or new business functionalities are grouped into atomic business services
Evolution of distributed computing and modular programming, driven by newly emergent business requirements
Application development focused on implementing business logic
Service Properties
Service is
Loosely coupled
High-level granularity
Self-describing
Hardware or software platform interoperability
Discoverable
Service can be composed of other services
Context-independent
Service Oriented Architecture - Advantages & Disadvantages
Advantages
  Maximize reuse
  Reduce integration cost
  Flexible & easily changed to reflect business process change
Shortcomings
  Message handling and parsing
  Legacy application services wrapping
  Complex service design and implementation
SOA Example
Business-Driven Development Methodology
Security Encompasses all life cycle aspects
New Security Threats
SOA introduces the following new security threats:
  Services are consumed by entities outside of the local trust domain
  Confidential data passes the domain's trust boundaries
  Authentication and authorization data is communicated to external trust domains
  Security must be enforced across the trust domain
  Managing user and service identities
Security Considerations
  The propagation of users and services across domain trust boundaries
  The need to seamlessly connect to other organizations on a real-time transactional basis
  Security controls for each service and service combination
  Managing identity and security across a range of systems and services with a mix of new and old technologies
  Protecting business data in transit and at rest
  Compliance with corporate, industry & regulatory standards
  Composite services
New Techniques In Integration Security
SOA introduces new techniques in integration security:
  Message level security vs. transport level security
  Converting security enforcement into a service
  Declarative & policy-based security
Message Level Security vs. Transport Level Security
Transport level security (SSL/VPN)
  Point-to-point message exchange
  Encrypts the entire message
  Sender must trust all intermediaries
  Restricts the protocols that can be used (e.g. HTTPS)
Message level security
  End-to-end security
  Different fields within the same message can be read by different entities
Transport Layer Security
Security in the Message
HTTP security (SSL) is point-to-point
[Diagram: Sender -> Intermediary -> Receiver, with a separate security context on each hop]
WS-Security provides context over multiple end points.
[Diagram: a single security context spanning Sender -> Intermediary -> Receiver]
Transport Security For Web Services Pros and Cons
Pros
  Mature: SSL/VPN
  Supported by most servers and clients
  Understood by most system administrators
  Simpler
Cons
  Point to point: messages are in the clear after reaching the SSL endpoint
  Waypoint visibility: can't have partial visibility into the message parts
  Granularity
  Transport dependent: applies only to HTTP
Message Security For Web Services Pros And Cons
Pros
  Persistent, self-protecting message
  Portions of the message can be secured to different parties
  Different security policies can be applied to request and response transport
Cons
  Encompasses many other standards including XML Encryption, XML Signature, X.509 certificates and more
Message Level Security (example)
Integration of a brokerage and a bank. An investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage. Only the bank can read it and make use of it.
Converting Security into a Service
Security services provide services such as:
  Authentication
  Authorization
  Message services
    Encryption / decryption
    Signing
    Signature verification
    Logging and scrubbing messages
Facilitates integration
Reduces development cost
SOA Security Reference Model
Traditional SSO
Security is hard coded into each application
User credentials are transmitted across enterprise boundaries
SOA SSO Federation
SOA SSO Federation (cont.)
Traditional limited implementation using 3rd party SSO solutions
  No easy integration with applications that have not been written by the same 3rd party SSO manufacturer
SOA solution
  Managing security interaction between applications
  Clients and servers dynamically negotiate security policies
  Easy implementation
WS-Security Standard
SOAP security (securing the web service messages)
SOAP header extension
Standard Feb. 2007 Ver 1.1 (OASIS)
Any combination, in request/response, of:
  Authentication
  Encryption
  Digital Signature
Web Services Stack
Web Services Security Architecture
WS-Security Building Blocks
Security Tokens
  Username Token
  Username Token with Password Digest
  Binary Security Token
    X.509 Version 3 certificates
    Kerberos tickets
Signatures: sign all or part of the SOAP body
Encryption: Reference List or Encrypted Key
Structure of a Basic Web Services Security SOAP Header
Structure of a Basic Web Services Security SOAP Header (cont.)
XML Encryption in WS-Security
Use of a <ReferenceList> in the Security header pointing to the parts of the message encrypted with XML Encryption
Providing Integrity
XML Signature in Web Services Security
XML Signature
  Verify a security token or SAML assertion
  Message integrity
  XML syntax
  Explicit <Reference> element points to what is being signed
  One or more XML signatures
  Overlapping is possible
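The explicit <Reference> mechanism above, and the end-to-end property from the message-level vs. transport-level comparison, as an added example that is not from the slides: a ds:Signature whose single Reference points at the wsu:Id of the SOAP Body, so an intermediary may rewrite the unsigned header while any change to the signed Body is detected. The sample envelope, the shared HMAC-SHA256 key standing in for the signature key, and the reduced SignedInfo (Reference URI plus DigestValue) are assumptions of this example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Constructed sample: only the Body carries a wsu:Id, so only it can be the target of a Reference.
ENVELOPE = f'''<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header><RouteVia>broker</RouteVia></soap:Header>
  <soap:Body wsu:Id="Body-1"><Withdraw><Amount>100</Amount></Withdraw></soap:Body>
</soap:Envelope>'''

def reference_digest(root, wsu_id: str) -> bytes:
    """SHA-256 over the canonical (C14N) form of the one element whose wsu:Id is referenced."""
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == wsu_id:
            c14n = ET.canonicalize(ET.tostring(el, encoding="unicode"), strip_text=True)
            return hashlib.sha256(c14n.encode()).digest()
    raise ValueError(f"no element with wsu:Id={wsu_id}")

def signature_mac(key: bytes, wsu_id: str, digest: bytes) -> bytes:
    # Stand-in for signing <SignedInfo>: HMAC-SHA256 over the Reference URI and its DigestValue.
    return hmac.new(key, b"#" + wsu_id.encode() + digest, hashlib.sha256).digest()

def sign_envelope(envelope_xml: str, key: bytes, wsu_id: str = "Body-1") -> str:
    """Sender: add a wsse:Security header carrying a ds:Signature whose Reference covers only wsu_id."""
    root = ET.fromstring(envelope_xml)
    digest = reference_digest(root, wsu_id)
    sec = ET.SubElement(root.find("soap:Header", {"soap": SOAP}), f"{{{WSSE}}}Security")
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")
    ref = ET.SubElement(sig, f"{{{DS}}}Reference", URI="#" + wsu_id)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(signature_mac(key, wsu_id, digest)).decode()
    return ET.tostring(root, encoding="unicode")

def verify_envelope(envelope_xml: str, key: bytes) -> bool:
    """Receiver: recompute the digest of the referenced element, then check the signature over it."""
    root = ET.fromstring(envelope_xml)
    ref = root.find(".//ds:Reference", {"ds": DS})
    sig_val = root.findtext(".//ds:SignatureValue", namespaces={"ds": DS})
    if ref is None or sig_val is None:
        return False
    wsu_id = ref.get("URI", "").lstrip("#")
    digest = reference_digest(root, wsu_id)
    if not hmac.compare_digest(base64.b64decode(ref.findtext("ds:DigestValue", namespaces={"ds": DS}) or ""), digest):
        return False  # the referenced element no longer matches what was signed
    return hmac.compare_digest(signature_mac(key, wsu_id, digest), base64.b64decode(sig_val))
```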