OWASP 1 SOA Security
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
OWASP 2 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard
OWASP 4 SOA Example
OWASP 5 SOA Key Terms
OWASP 6 SOA - Service Oriented Architecture
- Business process oriented architecture
- Decomposing business processes into discrete functional units = services
- Existing or new business functionalities are grouped into atomic business services
- Evolution of distributed computing and modular programming, driven by newly emergent business requirements
- Application development focused on implementing business logic
OWASP 7 Service Properties
A service is:
- Loosely coupled
- High-level granularity
- Self describing
- Hardware or software platform interoperable
- Discoverable
- Composable: a service can be composed of other services
- Context-independent
OWASP 8 Service Oriented Architecture - Advantages & Disadvantages
Advantages:
- Maximize reuse
- Reduce integration cost
- Flexible & easily changed to reflect business process change
Shortcomings:
- Message handling and parsing
- Legacy application services wrapping
- Complex service design and implementation
OWASP 9 SOA Example
OWASP 10 Agenda: What Is SOA; SOA life cycle & Security; SOA Generated Security Concerns / opportunities; SSO & SSO Federation; WS Security Standard
OWASP 11 Business-Driven Development Methodology
OWASP 12 Security Encompasses all life cycle aspects
OWASP 13 Agenda: What Is SOA; SOA life cycle & Security; SOA Generated Security Concerns / opportunities; SSO & SSO Federation; WS Security Standard
OWASP 14 New Security Threats
SOA introduces the following new security threats:
- Services are consumed by entities outside of the local trust domain
- Confidential data passes the domain's trust boundaries
- Authentication and authorization data is communicated to external trust domains
- Security must be enforced across the trust domain
- Managing user and service identities
OWASP 15 Security Considerations
- The propagation of users and services across domain trust boundaries
- The need to seamlessly connect to other organizations on a real-time transactional basis
- Security controls for each service and for service combinations
- Managing identity and security across a range of systems and services with a mix of new and old technologies
- Protecting business data in transit and at rest
- Compliance with corporate, industry & regulatory standards
- Composite services
OWASP 16 New Techniques In Integration Security
SOA introduces new techniques in integration security:
- Message level security vs. transport level security
- Converting security enforcement into a service
- Declarative & policy-based security
OWASP 17 Message Level Security vs. Transport Level Security
Transport level security (SSL/VPN):
- Point-to-point message exchange
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used (e.g. HTTPS)
Message level security:
- End-to-end security
- Different message fields within the same message can be read by different entities
OWASP 18 Transport Layer Security
OWASP 19 Security in the Message
[Diagram: Sender -> Intermediary -> Receiver; with transport security each hop has its own Security Context, with WS-Security one Security Context spans Sender, Intermediary and Receiver]
- HTTP security (SSL) is point-to-point
- WS-Security provides context over multiple end points
OWASP 20 Transport Security For Web Services Pros and Cons
Pros:
- Mature: SSL/VPN
- Supported by most servers and clients
- Understood by most system administrators
- Simpler
Cons:
- Point to point: messages are in the clear after reaching the SSL endpoint
- Waypoint visibility: can't have partial visibility into the message parts
- Granularity
- Transport dependent: applies only to HTTP
OWASP 21 Message Security For Web Services Pros And Cons
Pros:
- Persistent: the message is self-protecting
- Portions of the message can be secured to different parties
- Different security policies can be applied to the request and the response transport
Cons:
- Encompasses many other standards, including XML Encryption, XML Signature, X.509 certificates and more
OWASP 22 Message Security And Transport Security Comparison
Transport Security                                   | Message Security
-----------------------------------------------------|------------------------------------------------------------------------
Point-to-point                                       | End-to-end
Mature, relatively straightforward to implement      | Relatively complex with many security options
Not granular, applies to entire payload and across   | Very granular, can apply to only part of payload and only request or
session                                              | response
Transport dependent                                  | Same security can be applied across different transport technologies
OWASP 23 Message Level Security (example)
Integration of a brokerage and a bank: an investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage. Only the bank can read it and make use of it.
OWASP 24 Converting Security into a Service
Security services provide services such as:
- Authentication
- Authorization
- Message services: encryption/decryption, signing, verification of signatures, logging messages, scrubbing messages
Benefits:
- Facilitates integration
- Reduces development cost
OWASP 25 SOA Security Reference Model
OWASP 26 Agenda: What Is SOA; SOA life cycle & Security; SOA Generated Security Concerns / opportunities; SSO & SSO Federation; WS Security Standard
OWASP 27 Traditional SSO
- Security is hard coded into each application
- User credentials are transmitted across enterprise boundaries
OWASP 28 SOA SSO Federation
OWASP 29 SOA SSO Federation (cont.)
Traditional:
- Limited implementation using 3rd party SSO solutions
- No easy integration with applications that have not been written by the same 3rd party SSO manufacturer
SOA solution:
- Manages security interaction between applications
- Clients and servers dynamically negotiate security policies
- Easy implementation
OWASP 30 Agenda: What Is SOA; SOA life cycle & Security; SOA Generated Security Concerns / opportunities; SSO & SSO Federation; WS Security Standard
OWASP 31 WS-Security Standard
- SOAP security (securing the web service messages)
- SOAP header extension
- Standard Feb. 2007, Ver 1.1 (OASIS)
- Any combination, in request/response, of: Authentication, Encryption, Digital Signature
OWASP 32 Web Services Stack
OWASP 33 Web Services Security Architecture
OWASP 34 "WS-Security" Building Blocks
Security Tokens:
- Username Token
- Username Token with Password Digest
- Binary Security Token: X.509 Version 3 certificates, Kerberos tickets
Signatures:
- Signs all or part of the SOAP body
Reference List or Encrypted Key
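The "Username Token with Password Digest" building block listed above, as an added example that is not part of the OWASP deck: the sender serialises a wsse:UsernameToken with a nonce and Created stamp, and the receiver recomputes the digest from its stored secret and refuses a replayed nonce. The user names, passwords and timestamps are constructed sample values; the namespace and Type URIs are those of the OASIS UsernameToken Profile 1.0.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespace and Type URIs from the OASIS WS-Security 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce + created + password)); the password itself never travels."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_username_token(username: str, password: str, created: str, nonce: bytes = None) -> str:
    """Sender side: a <wsse:UsernameToken> carrying the digest, a fresh random nonce and a Created stamp."""
    nonce = nonce or os.urandom(16)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")

class TokenVerifier:
    """Receiver side: recompute the digest from the stored secret and reject replayed nonces."""
    def __init__(self, secrets: dict):
        self.secrets = secrets          # username -> password known to the service (constructed sample)
        self.seen = set()               # (username, nonce) pairs already accepted

    def verify(self, token_xml: str) -> bool:
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if None in (user, pw, nonce_b64, created) or pw.get("Type") != DIGEST:
            return False                # malformed token, or a plaintext password type this service refuses
        if user not in self.secrets or (user, nonce_b64) in self.seen:
            return False                # unknown user, or a replay of an already used nonce
        expected = password_digest(base64.b64decode(nonce_b64), created, self.secrets[user])
        if not hmac.compare_digest(expected, pw.text or ""):
            return False                # digest mismatch: wrong password or tampered nonce/Created
        self.seen.add((user, nonce_b64))  # a real service also bounds the age of Created
        return True
```

The digest only proves knowledge of the shared password; it does not protect the rest of the SOAP message, which is what the XML Signature and XML Encryption blocks on the following slides add.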
OWASP 35 Structure of a Basic Web Services Security SOAP Header
OWASP 36 Structure of a Basic Web Services Security SOAP Header (cont.)
OWASP 37 XML Encryption in WS-Security Use of a in the Security Header Pointing to the Parts of the Message Encrypted with XML Encryption
OWASP 38 A Wrapped Key in a Security Header for Use in XML Encryption
OWASP 39 A Wrapped Key in a Security Header for Use in XML Encryption (cont.)
OWASP 40 Providing Integrity: XML Signature in Web Services Security
XML Signature:
- Verifies a security token or SAML assertion
- Message integrity
- XML syntax
- An explicit element points to what is being signed
- One or more XML signatures; overlapping is possible
OWASP 41 XML Signature Example
OWASP 42 XML Signature Example Cont’
OWASP 43 XML Signature Example Cont’
OWASP 44 XML Signature Example Cont’