Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.


Slide 1: OWASP SOA Security

Slide 2: Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard


Slide 4: SOA Example (figure only)

Slide 5: SOA Key Terms (figure only)

Slide 6: SOA - Service Oriented Architecture
- Business-process-oriented architecture
- Decomposing business processes into discrete functional units = services
- Existing or new business functionality is grouped into atomic business services
- An evolution of distributed computing and modular programming, driven by newly emergent business requirements
- Application development focused on implementing business logic

Slide 7: Service Properties
A service is:
- Loosely coupled
- High-level (coarse) granularity
- Self-describing
- Interoperable across hardware and software platforms
- Discoverable
- Composable from other services
- Context-independent

Slide 8: Service Oriented Architecture - Advantages & Disadvantages
Advantages:
- Maximize reuse
- Reduce integration cost
- Flexible & easily changed to reflect business process change
Shortcomings:
- Message handling and parsing
- Legacy application services wrapping
- Complex service design and implementation

Slide 9: SOA Example (figure only)


Slide 11: Business-Driven Development Methodology (figure only)

Slide 12: Security Encompasses All Life Cycle Aspects (figure only)


Slide 14: New Security Threats
SOA introduces the following new security threats:
- Services are consumed by entities outside of the local trust domain
- Confidential data crosses the domain's trust boundaries
- Authentication and authorization data is communicated to external trust domains
- Security must be enforced across trust domains
- User and service identities must be managed

Slide 15: Security Considerations
- The propagation of users and services across domain trust boundaries
- The need to seamlessly connect to other organizations on a real-time transactional basis
- Security controls for each service and for service combinations
- Managing identity and security across a range of systems and services with a mix of new and old technologies
- Protecting business data in transit and at rest
- Compliance with corporate, industry & regulatory standards
- Composite services

Slide 16: New Techniques in Integration Security
SOA introduces new techniques in integration security:
- Message-level security vs. transport-level security
- Converting security enforcement into a service
- Declarative & policy-based security

Slide 17: Message Level Security vs. Transport Level Security
Transport-level security (SSL/VPN):
- Point-to-point message exchange
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used (e.g. HTTPS)
Message-level security:
- End-to-end security
- Different fields within the same message can be read by different entities

Slide 18: Transport Layer Security (figure only)

Slide 19: Security in the Message
(Diagram: Sender -> Intermediary -> Receiver. With SSL there is a separate security context for each hop; with WS-Security a single security context spans from sender to receiver.)
- HTTP security (SSL) is point-to-point
- WS-Security provides a security context over multiple endpoints

Slide 20: Transport Security for Web Services - Pros and Cons
Pros:
- Mature: SSL/VPN
- Supported by most servers and clients
- Understood by most system administrators
- Simpler
Cons:
- Point to point: messages are in the clear after reaching the SSL endpoint
- Waypoint visibility: can't have partial visibility into the message parts
- Granularity
- Transport dependent: applies only to HTTP

Slide 21: Message Security for Web Services - Pros and Cons
Pros:
- Persistent: the message is self-protecting
- Encompasses many other standards, including XML Encryption, XML Signature, X.509 certificates and more
- Portions of the message can be secured to different parties
- Different security policies can be applied to request and response
Cons: (not captured in the transcript)

Slide 22: Message Security and Transport Security Comparison
- Transport security: point-to-point. Message security: end-to-end.
- Transport security: mature, relatively straightforward to implement. Message security: relatively complex, with many security options.
- Transport security: not granular, applies to the entire payload and across the session. Message security: very granular, can apply to only part of the payload and to only the request or the response.
- Transport security: transport dependent. Message security: the same security can be applied across different transport technologies.

Slide 23: Message Level Security (example)
Integration of a brokerage and a bank. An investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage: only the bank can read it and make use of it.

Slide 24: Converting Security into a Service
- Security services provide services such as:
  - Authentication
  - Authorization
  - Message services: encryption/decryption, signing, signature verification, logging and scrubbing messages
- Facilitates integration
- Reduces development cost

Slide 25: SOA Security Reference Model (figure only)


Slide 27: Traditional SSO
- Security is hard-coded into each application
- User credentials are transmitted across enterprise boundaries

Slide 28: SOA SSO Federation (figure only)

Slide 29: SOA SSO Federation (cont.)
Traditional approach: limited implementation using 3rd-party SSO solutions
- No easy integration with applications that were not written by the same 3rd-party SSO vendor
SOA solution:
- Manages the security interaction between applications
- Clients and servers dynamically negotiate security policies
- Easy implementation


Slide 31: WS-Security Standard
- SOAP security (securing the web service messages)
- SOAP header extension
- Standard: Version 1.1 (OASIS, February)
- Any combination of the following, in request and/or response:
  - Authentication
  - Encryption
  - Digital signature

Slide 32: Web Services Stack (figure only)

Slide 33: Web Services Security Architecture (figure only)

Slide 34: "WS-Security" Building Blocks
- Security tokens:
  - Username Token
  - Username Token with Password Digest
  - Binary Security Token: X.509 Version 3 certificates, Kerberos tickets
- Signatures: sign all or part of the SOAP body
- Reference List or Encrypted Key
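The Username Token with Password Digest is the one building block above that can be shown end to end with the Python standard library alone. This is an added example, not from the slides: the client builds the wsse:UsernameToken, and the receiver verifies it with the checks a service should make (recompute the digest, check Created freshness, keep a nonce replay cache). The namespace URIs and Password Type are those of the OASIS WSS 1.0 UsernameToken Profile; the user, password and timestamps are constructed.

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Namespace URIs and Password Type from the OASIS WSS 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_username_token(username: str, password: str, created: str, nonce=None) -> str:
    """Client side: a wsse:UsernameToken that carries a one-time digest instead of the password."""
    nonce = nonce or secrets.token_bytes(16)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<wsse:Username>{username}</wsse:Username>"
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>")

def verify_username_token(token_xml: str, passwords: dict, seen_nonces: set, now: datetime, max_skew=300):
    """Receiver side: returns (ok, reason). seen_nonces is the replay cache shared across requests."""
    ns = {"wsse": WSSE, "wsu": WSU}
    tok = ET.fromstring(token_xml)
    pw = tok.find("wsse:Password", ns)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=ns)
    created = tok.findtext("wsu:Created", namespaces=ns)
    if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
        return False, "missing or non-digest token fields"
    # Freshness: a Created timestamp outside the skew window is rejected before any other work.
    created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
    if abs((now - created_dt).total_seconds()) > max_skew:
        return False, "stale Created timestamp"
    # Replay: a nonce already accepted inside the window must not be accepted again.
    if nonce_b64 in seen_nonces:
        return False, "replayed nonce"
    secret = passwords.get(tok.findtext("wsse:Username", namespaces=ns))
    if secret is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)  # record only after success so failed guesses cannot poison the cache
    return True, "ok"
```

The receiver needs the plaintext (or reversibly stored) password to recompute the digest, which is the profile's known limitation; the replay cache only needs to hold nonces for the length of the skew window.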

Slide 35: Structure of a Basic Web Services Security SOAP Header (figure only)

Slide 36: Structure of a Basic Web Services Security SOAP Header (cont.) (figure only)

Slide 37: XML Encryption in WS-Security - Use of a … in the Security Header Pointing to the Parts of the Message Encrypted with XML Encryption (figure only)

Slide 38: A Wrapped Key in a Security Header for Use in XML Encryption (figure only)

Slide 39: A Wrapped Key in a Security Header for Use in XML Encryption (cont.) (figure only)

Slide 40: Providing Integrity - XML Signature in Web Services Security
XML Signature:
- Verifies a security token or SAML assertion
- Provides message integrity
- XML syntax
- An explicit element points to what is being signed
- One or more XML signatures per message
- Overlapping signed regions are possible

Slides 41-44: XML Signature Example (cont.) (code listing not captured in the transcript)
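The XML Signature example slides survive only as titles, so the following is an added example (not the slides' own) of the point made on slide 40, that an explicit element says what is signed: a ds:Reference whose URI resolves to the wsu:Id of the SOAP Body, with the receiver checking the digest of every referenced part before checking the signature over SignedInfo. It assumes HMAC-SHA256 as the SignatureMethod and the stdlib canonicalizer in place of a certificate-based RSA signature and the spec's CanonicalizationMethod, so that it runs without third-party libraries; the envelope contents and key are constructed.

```python
import base64, hashlib, hmac
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # assumed SignatureMethod
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def c14n(elem) -> bytes:
    """Canonical bytes of one element; the stdlib canonicalizer stands in for ds:CanonicalizationMethod."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True, rewrite_prefixes=True).encode()

def digest_b64(elem) -> str:
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def sign_envelope(body_inner_xml: str, key: bytes) -> str:
    """Signer: give the SOAP Body a wsu:Id and sign it by reference from the wsse:Security header."""
    env = ET.fromstring(f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><s:Header>'
                        f'<wsse:Security/></s:Header><s:Body wsu:Id="body">{body_inner_xml}</s:Body></s:Envelope>')
    body_digest = digest_b64(env.find(f"{{{SOAP}}}Body"))
    info = ET.fromstring(f'<ds:SignedInfo xmlns:ds="{DS}"><ds:SignatureMethod Algorithm="{HMAC_SHA256}"/>'
                         f'<ds:Reference URI="#body"><ds:DigestValue>{body_digest}</ds:DigestValue>'
                         f"</ds:Reference></ds:SignedInfo>")
    sig = ET.SubElement(env.find(f".//{{{WSSE}}}Security"), f"{{{DS}}}Signature")
    sig.append(info)
    mac = hmac.new(key, c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")

def verify_envelope(envelope_xml: str, key: bytes):
    """Receiver: resolve each ds:Reference to its wsu:Id, check the digests, then the MAC over SignedInfo."""
    root = ET.fromstring(envelope_xml)
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None or sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod") is None:
        return False, "no usable Signature"
    info = sig.find(f"{{{DS}}}SignedInfo")
    if info.find(f"{{{DS}}}SignatureMethod").get("Algorithm") != HMAC_SHA256:
        return False, "unexpected SignatureMethod"  # the receiver, not the message, fixes the algorithm
    for ref in info.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = next((e for e in root.iter() if uri.startswith("#") and e.get(f"{{{WSU}}}Id") == uri[1:]), None)
        if target is None:
            return False, f"unresolvable Reference {uri}"
        if digest_b64(target) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False, f"digest mismatch for {uri}"  # the signed part was altered after signing
    expected = hmac.new(key, c14n(info), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, actual):
        return False, "SignatureValue mismatch"
    return True, "ok"
```

Because the signature covers SignedInfo rather than the Body directly, the Reference digest is what binds the signed part: changing the Body fails the digest check, while changing the Reference or SignatureMethod fails the signature check or the algorithm check.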