Securing Web Service: Vulnerability Testing in SOA - PowerPoint PPT Presentation

Description:

Securing Web Service: Vulnerability Testing in SOA. Shankaranarayanan ... all boundary cells of the polyhedron and selects most error-sensitive test ... – PowerPoint PPT presentation

Slides: 31
Provided by: asusrl
Transcript and Presenter's Notes

1
Securing Web Service: Vulnerability Testing in SOA
CSE 565 Project
Shankaranarayanan Gopalakrishnan Venkatesh
Mandalapa
2
Outline
What is this project about?
What is this presentation about?
4
What is this project about?
Problem
SOA success depends on a few unsolved parameters:
- Dynamic Service Composition
- Universal Protocol Adoption
- Security
- More
Purpose
A survey on SOA security and testing methods to evaluate them.
6
What is this presentation about?
Why security?
Security models
Vulnerability/Penetration Testing.
8
Why Security?
  • High interdependency among services.
  • One insecure service could fatally affect all other dependent services.
  • Services are used by an unlimited number of clients.
9
Why Security?
  • Security-tested services increase the confidence of a user/customer or other service using them.
  • In short, TRUST should be established.
  • The open architecture and protocols introduce new security risks (XML, SOAP, WSDL).
  • Can produce software in 30 minutes.
  • Can also infect/affect thousands of computers in 30 minutes.
10
Why Security?
  • Protect the confidentiality and integrity of data transmitted by WS protocols over a lot of services.
  • SOA suffers the same old security problems as normal web services.
11
Why Security?
Web services security is based on:
  • Identification & Authentication
  • Authorization
  • Integrity
  • Non-repudiation
  • Confidentiality
  • Privacy

12
Why Security? - Other Threats
[Figure: Alice, Bob and Eve; messages labelled "Use SOA" and "Don't Use SOA"]
Message Alteration
- changing the message header or body during transit.
Loss of confidentiality
- loss of the capability to ensure that no unauthorized access is made to the message.
Falsified messages
- the message is falsified by using a different identity of the sender.
Man in the middle
- the message is being spoofed or tampered with during transit.
Principal Spoofing
- the information about the user or subject is being spoofed during transit.
Forged claims
- the claim about sending the message is forged by tampering with the message content.
Denial of Service
13
Why Security?
Threats addressed by current web service protocols
15
Security Models - A note on standards
  • Lack of standards in security protocols/procedures.
  • Hard to write services that are compatible with others and are security compliant.
  • Standards alone are not enough; enforce them.
  • Standards are all about achieving economies of scale so that vendors can provide the same functionality in the same way. Then, developers can more easily write software to offer or consume Web services.
16
Security Models - A logical security model
  • A service contract is established between the customer and the service entity.
  • It should include the type of service, the identification elements and authorization information.
17
SAML
  • SAML defines an XML vocabulary for sharing security assertions that specify whether and how an entity was authenticated, information about an entity's attributes, or whether an entity is authorized to perform a particular action.
  • SAML assertions contain a number of required elements.
  • SAML defines three types of statements: authentication, attribute, and authorization.
  • SAML profiles: Single sign-on (SSO), Artifact resolution, Assertion query/request, Name identifier mapping, Attribute.
18
Security Models - Map standards to functional layers in WS
Illustrates a notional reference model for Web services security standards. This reference model maps the different standards to the different functional layers of a typical Web service implementation.
20
Vulnerability/Penetration Testing
  • A method of evaluating the security of a web service by simulating an attack by a malicious user.
  • Intent: determine the feasibility of an attack and the amount of business impact of a successful exploit.
  • Black box if services are tested by third parties.
  • Black/White box if service providers test their services.
21
Vulnerability/Penetration Testing
Vulnerability tests should be done for:
  • buffer overflows,
  • deeply nested nodes,
  • recursive payloads,
  • schema poisoning,
  • malware traveling over SOAP messages
  • and other threats we discussed above
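
As an added example (not part of the original slides), here is a minimal screen a service endpoint could run on an incoming SOAP message before full processing, covering two items from the list above: deeply nested nodes and recursive payloads. The names `screen_soap`, `verdict`, the `MAX_DEPTH` limit and the sample messages are assumptions made for illustration.

```python
import xml.parsers.expat

MAX_DEPTH = 32  # assumed policy limit, not taken from the slides

class RejectedMessage(Exception):
    """Raised when a message fails screening."""

def screen_soap(payload, max_depth=MAX_DEPTH):
    """Return the deepest element nesting seen, or raise RejectedMessage."""
    depth = deepest = 0
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:  # stop early on deeply nested nodes
            raise RejectedMessage(f"nesting deeper than {max_depth}")

    def end(name):
        nonlocal depth
        depth -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        # Recursive (entity-expansion) payloads need a DTD; SOAP forbids one.
        raise RejectedMessage("DOCTYPE not allowed in SOAP")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from exc
    return deepest

def verdict(payload):
    """Turn the screening result into a short accept/reject string."""
    try:
        return f"accept (depth {screen_soap(payload)})"
    except RejectedMessage as why:
        return f"reject: {why}"

# Constructed sample messages (not captured traffic)
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><getQuote><symbol>ABC</symbol></getQuote></soap:Body>'
          b'</soap:Envelope>')
NESTED = b"<a>" * 100 + b"</a>" * 100
ENTITY = b'<!DOCTYPE e [<!ENTITY a "x">]><e>&a;</e>'
```

Calling `verdict()` on each sample shows the benign envelope accepted and the other two rejected before any entity is expanded or the full tree is built.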

22
Vulnerability/Penetration Testing - Approach
Essentially, the tester is only given publicly available information about the target, perhaps only an IP address.
The steps include:
  • Prepare
  • Analyze
  • Document & Improve

23
Vulnerability/Penetration Testing - Stages
Prepare
- Expectations are set about what will be attacked, when, from where and how.
Analyze
- Testers attempt to acquire and control legitimate authority illegitimately.
Document & Improve
- Documentation of all the vulnerabilities should be maintained and improved.
24
Vulnerability/Penetration Testing - Stages
25
Swiss Cheese Approach
26
Vulnerability/Penetration Testing - Fault Injection
The faulty data should be divided into two sets:
1) To test the web service in isolation
2) To test the web service as a component in the system environment
27
Webstrar framework
29
Questions ?
30
Thank You