Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Slides:



Advertisements
Similar presentations
0 McLean, VA August 8, 2006 SOA, Semantics and Security.
Advertisements

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
1 Pertemuan 9 Network Security and E-Commerce Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi: >
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Copyright © 2006 CyberRAVE LLC. All rights reserved. 1 Virtual Private Network Service Grid A Fixed-to-Mobile Secure Communications Framework Managed Security.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
“Copyright © 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976.
Software Updates © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© Copyright 2011, Alembic Foundation. All Rights Reserved. Aurion: Health Information Exchange Technology Today Alembic Foundation OSCON 2011 July 27,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 12 - Databases, Controls, and Security.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
An XML based Security Assertion Markup Language
Engineering Essential Characteristics Security Engineering Process Overview.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright 2009 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
All Rights Reserved 2014 © CMG Consulting LLC Federated Identity Management and Access Andres Carvallo Dwight Moore CMG Consulting, LLC October
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Deconstructing API Security
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Esri UC 2014 | Technical Workshop | What is new in ArcGIS 10.2.x for Server Ismael Chivite, Greg Tieman.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.
Risk Controls in IA Zachary Rensko COSC 481. Outline Definition Risk Control Strategies Risk Control Categories The Human Firewall Project OCTAVE.
Access Policy - Federation March 23, 2016
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Tim Bornholtz Director of Technology Services
IBM GTS Storage Security and Compliance overview.
Presentation transcript:

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation 6 th OWASP AppSec Conference Milan - May XML Security Gateway Evaluation Criteria Project Update Gunnar Peterson, OWASP XSGEC Project Lead Managing Principal, Arctec Group

6 th OWASP AppSec Conference – Milan – May About Arctec Group  Best in class enterprise architecture consulting provider focused on enterprise, software, and security architecture  Client list includes numerous global 500 companies, world’s largest electronic financial exchanges, emerging startups and Dept. Homeland Security  Headquarters: IDS Center, Minneapolis, MN; Clientele: global  Web:

6 th OWASP AppSec Conference – Milan – May About the speaker Gunnar Peterson Managing Principal, Arctec Group Editor Build Security In software security column for IEEE Security & Privacy Journal ( Primary and contributing author for DHS/CERT Build Security In portal on Web Services security, Identity, and Risk management ( Project lead: OWASP XML Security Gateway Evaluation Critieria Project _Project Associate editor Information Security Bulletin ( Contributor Web Application Firewall Evaluation Criteria ( Blog: ( Slides/presentations (

6 th OWASP AppSec Conference – Milan – May OWASP XML Security Gateway Evaluation Criteria Project (XSGEC)  Goals:  Defines an open standard for evaluating XML Security Gateways such as those used to protect and provide security services for Web services applications  Add clarity to the process of assessing the XML Security Gateway strengths and weaknesses  Enlighten the community as to the utility of XML Security Gateways to deliver security services for distributed systems.  Team: Mix of industry professionals, vendors, and consultants

6 th OWASP AppSec Conference – Milan – May XSGEC Guiding Principles  Define evaluation criteria supporting a transparent, level playing field for XML Security Gateway solutions to define their solution's key value proposition  Where practical, attempt to standardize nomenclature and metrics  Educate the community on the design considerations for XML security

6 th OWASP AppSec Conference – Milan – May XML Security Gateway Pattern  Context: The primary goal of Web services is to solve interoperability and integration problems. Web services traverse multiple technologies and runtimes.  Problem: Web service requesters and providers do not agree upon binary runtimes like J2EE, instead they agree upon service contracts, message exchange patterns, and schema. Service and message level authentication, authorization, and auditing services for Web services are not delivered by a single container, rather these services must span technical and organizational boundaries

6 th OWASP AppSec Conference – Milan – May XML Security Gateway Pattern  Solution: Use a XML Security Gateway to provide decentralized security services for Web services

6 th OWASP AppSec Conference – Milan – May SOAP in the clear Joe Smith hard2guess 1234

6 th OWASP AppSec Conference – Milan – May

10 Let’s authenticate the message joesmith hard2guess T04:40:12Z 1234 …

6 th OWASP AppSec Conference – Milan – May Can we make it stronger? joesmith 2rxMBl8VSv3jctE9Nr+xKRWpK0VZu8sp7wg527Fr+7U= mkCDa1QjlnGA32+lL2ywCp4oMT8= T04:40:44Z 1234

6 th OWASP AppSec Conference – Milan – May Can we make it stronger? dZdbQbIysLPvzuS5xsf57nUMB/M= VM2cLToMCNi9I9+TXtJYrI2FBXSfuKzazY8UUk4r4hNNrQu4KhDnn0F q/mWhR0TB 8DELXF6BDkoGmKRzTi5pgxg6+FGgy/v0I+KmklR4Q3+2fzMVSZJy2i56O7oR9pJ3 fm8nAYf3ceamz0s43am07S9uDG+0EOzdbfSiGLTx4+o= CRDCCAa0CBEX67+4wDQYJKoZIhvcNAQEEBQAwaTEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UE… … 1234

6 th OWASP AppSec Conference – Milan – May XSGEC Authentication  Evaluate XSG’s ability to  Authenticate service requesters  Assert security tokens and other authentication primitives to service providers

6 th OWASP AppSec Conference – Milan – May What about the message content?  XML Messages can contain a number of nasty things…  Injection attacks  SQL Injection, Xpath Injection, Xquery Injection  XML Denial of Service (XDoS)  Using XML as an attack vector  Jumbo payloads  Recursion  Virus in SOAP attachments

6 th OWASP AppSec Conference – Milan – May XSG Validation Services  Schema validation based on hardened schemas <xs:restriction base="xs:string"  Semantic validation based on white list or blacklist  Regex  Virus scanning  XDoS Countermeasures  Example: min/max message size

6 th OWASP AppSec Conference – Milan – May XSGEC Content Validation  Evaluate XSG’s ability to enable  Schema validation  Semantic validation  XDoS protection  Virus scanning

6 th OWASP AppSec Conference – Milan – May

6 th OWASP AppSec Conference – Milan – May XSG Sign Request <wsse:UsernameToken xmlns:wsu=" " wsu:Id="Id fac e"> XSG hF0W+PM/JIwKVQUz1lXt/rlEE73Wx1SPyqAfijguG Mk= 7jwftIDmLZjBSN5zopmyEd4iY6w=</ws se:Password> T05:23:10Z

6 th OWASP AppSec Conference – Milan – May Sign Content - Policy Applied Test getCustomerDetails V6pRhOSnrvS8xT+WXIbNvlrOhVkAUMVI4YZ27KfG/jDLMwSbrsD6E3tA40 rI6naL U+gt2OsYr58rD+AILpxNk0uxZMWdLcj3zr0gljt339DvYL6MRJBZ3KvpDmrw16PM w8Wo7ac1tGcLFVW5PV5locPs+f0V+rOGHafYTGGlubQ= … 1234

6 th OWASP AppSec Conference – Milan – May XSGEC Authorization Support  Evaluate XSG’s ability to  Assert that a specific policy has been applied by a XSG at a certain time for a given request, subject, condition, and action

6 th OWASP AppSec Conference – Milan – May Encrypt for Remote Hosts

6 th OWASP AppSec Conference – Milan – May XML Encryption <enc:EncryptionMethod Algorithm=" cbc "/> EjADnNmGlVK9wTiG+La+uHaDthMnSslN6CXvOI1DIyVT/M1asHgM+ Id dbad </enc:CarriedKey Name> <wsu:Timestamp xmlns:wsu=" wsu:Id="Id dbb d"> T05:21:56Z

6 th OWASP AppSec Conference – Milan – May XSGEC  Evaluate XSG’s ability to  Protect/encrypt/sign outbound messages

6 th OWASP AppSec Conference – Milan – May STS - Attribute & Identity Mapping

6 th OWASP AppSec Conference – Milan – May XSGEC  Evaluate XSG’s ability to:  Map inbound/outbound security tokens  Map inbound/outbound attributes

6 th OWASP AppSec Conference – Milan – May XSG Metrics  Asset metrics  Transactional throughput volume and performance  Threat metrics  Malicious requests/responses  Vulnerability metrics  Policy violations

6 th OWASP AppSec Conference – Milan – May XSGEC  Evaluate XSG’s ability to:  Provide historical,predictive, and real time metrics for  Assets  Threats  Vulnerabilities

6 th OWASP AppSec Conference – Milan – May XSGEC Understand key architecture tradeoffs & design considerations

6 th OWASP AppSec Conference – Milan – May XSGEC  Interested in participating? More information:  SP_XML_Security_Gateway_Evaluation_Criteria_ Project

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.