
1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org SOA Security

2 OWASP 2 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

3 OWASP 3 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

4 OWASP 4 SOA Example

5 OWASP 5 SOA Key Terms

6 OWASP 6 SOA - Service Oriented Architecture
- Business process oriented architecture
- Decomposing business processes into discrete functional units = services
- Existing or new business functionalities are grouped into atomic business services
- Evolution of distributed computing and modular programming driven by newly emergent business requirements
- Application development focused on implementing business logic

7 OWASP 7 Service Properties
- A service is:
  - Loosely coupled
  - High-level granularity
  - Self describing
  - Hardware or software platform interoperable
  - Discoverable
  - Composable: a service can be composed of other services
  - Context-independent

8 OWASP 8 Service Oriented Architecture - Advantages & Disadvantages
- Advantages
  - Maximize reuse
  - Reduce integration cost
  - Flexible & easily changed to reflect business process change
- Shortcomings
  - Message handling and parsing
  - Legacy application services wrapping
  - Complex service design and implementation

9 OWASP 9 SOA Example

10 OWASP 10 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

11 OWASP 11 Business-Driven Development Methodology

12 OWASP 12 Security Encompasses all life cycle aspects

13 OWASP 13 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

14 OWASP 14 New Security Threats
- SOA introduces the following new security threats:
  - Services are consumed by entities outside of the local trust domain
  - Confidential data passes the domain's trust boundaries
  - Authentication and authorization data is communicated to external trust domains
  - Security must be enforced across the trust domain
  - Managing user and service identities

15 OWASP 15 Security Considerations
- The propagation of users and services across domain trust boundaries
- The need to seamlessly connect to other organizations on a real-time transactional basis
- Security controls for each service and for service combinations
- Managing identity and security across a range of systems and services with a mix of new and old technologies
- Protecting business data in transit and at rest
- Compliance with corporate, industry & regulatory standards
- Composite services

16 OWASP 16 New Techniques In Integration Security
- SOA introduces new techniques in integration security:
  - Message level security vs. transport level security
  - Converting security enforcement into a service
  - Declarative & policy-based security

17 OWASP 17 Message Level Security vs. Transport Level Security
- Transport level security (SSL/VPN)
  - Point-to-point message exchange
  - Encrypts the entire message
  - Sender must trust all intermediaries
  - Restricts the protocols that can be used (e.g. HTTPS)
- Message level security
  - End-to-end security
  - Different fields within the same message can be read by different entities

18 OWASP 18 Transport Layer Security

19 OWASP 19 Security in the Message (figure: Sender, Intermediary, Receiver; with SSL each hop has its own security context, with WS-Security one security context spans sender to receiver)
- HTTP security (SSL) is point-to-point
- WS-Security provides context over multiple end points

20 OWASP 20 Transport Security For Web Services Pros and Cons
Pros:
- Mature: SSL/VPN
- Supported by most servers and clients
- Understood by most system administrators
- Simpler
Cons:
- Point to point: messages are in the clear after reaching the SSL endpoint
- Waypoint visibility: can't have partial visibility into the message parts
- Granularity
- Transport dependent: applies only to HTTP

21 OWASP 21 Message Security For Web Services Pros And Cons
Pros:
- Persistent, self-protecting message
- Encompasses many other standards including XML encryption, XML signature, X.509 certificates and more
- Portions of the message can be secured to different parties
- Different security policies can be applied to request and response transport
Cons: (none listed on the slide)

22 OWASP 22 Message Security And Transport Security Comparison
Transport Security vs. Message Security:
- Point-to-point vs. End-to-end
- Mature, relatively straightforward to implement vs. Relatively complex with many security options
- Not granular, applies to the entire payload and across the session vs. Very granular, can apply to only part of the payload and only the request or the response
- Transport dependent vs. The same security can be applied across different transport technologies

23 OWASP 23 Message Level Security (example): integration of a brokerage and a bank. An investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage. Only the bank can read it and make use of it.

24 OWASP 24 Converting Security into a Service
- Security services provide services such as:
  - Authentication
  - Authorization
  - Message services:
    - Encryption / decryption
    - Signing
    - Signature verification
    - Log messages, scrub messages
- Facilitates integration
- Reduces development cost

25 OWASP 25 SOA Security Reference Model

26 OWASP 26 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

27 OWASP 27 Traditional SSO
- Security is hard coded into each application
- User credentials are transmitted across enterprise boundaries

28 OWASP 28 SOA SSO Federation

29 OWASP 29 SOA SSO Federation (cont.)
- Traditional: limited implementation using 3rd party SSO solutions
  - No easy integration with applications that have not been written by the same 3rd party SSO manufacturer
- SOA solution
  - Managing security interaction between applications
  - Clients and servers dynamically negotiate security policies
  - Easy implementation

30 OWASP 30 Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard

31 OWASP 31 WS-Security Standard
- SOAP security (securing the web service messages)
- SOAP header extension
- Standard: Feb. 2007, Ver 1.1 (OASIS)
- Any combination, in request/response, of:
  - Authentication
  - Encryption
  - Digital Signature

32 OWASP 32 Web Services Stack

33 OWASP 33 Web Services Security Architecture

34 OWASP 34 "WS-Security" Building Blocks
- Security Tokens
  - Username Token
  - Username Token with Password Digest
  - Binary Security Token
    - X.509 Version 3 certificates
    - Kerberos tickets
- Signatures: sign all or part of the SOAP body
- Reference List or Encrypted Key
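As an added example, not from the deck, here is how the Username Token with Password Digest listed above is built on the client and checked by the receiver, including the freshness and nonce-replay checks a receiver needs. The digest formula is the one the WS-Security UsernameToken Profile specifies; the function names, the in-memory nonce set and the 5-minute window are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# WS-Security UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password)).
# SHA-1 is what the profile mandates for this field; the cleartext password never goes on the wire.
def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def parse_created(created: str) -> datetime:
    """wsu:Created is an xsd:dateTime in UTC, e.g. 2007-02-01T12:00:00Z."""
    return datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def make_username_token(username, password, nonce=None, created=None):
    """Client side: the four wsse:UsernameToken fields (as a dict instead of XML for brevity)."""
    nonce = nonce or os.urandom(16)          # fresh random nonce per message
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode(), "Created": created}

def verify_username_token(token, lookup_password, seen_nonces, now=None, max_skew=timedelta(minutes=5)):
    """Receiver side: freshness window, nonce cache against replay, then constant-time digest compare.
    seen_nonces is a hypothetical in-memory set; a real service would bound it to the freshness window."""
    now = now or datetime.now(timezone.utc)
    if abs(now - parse_created(token["Created"])) > max_skew:
        return False, "Created outside freshness window"
    nonce = base64.b64decode(token["Nonce"])
    if nonce in seen_nonces:
        return False, "replayed nonce"
    password = lookup_password(token["Username"])   # the receiver needs the cleartext password to re-digest
    if password is None:
        return False, "unknown user"   # in practice fail through the same path as a digest mismatch
    if not hmac.compare_digest(password_digest(nonce, token["Created"], password), token["PasswordDigest"]):
        return False, "digest mismatch"
    seen_nonces.add(nonce)   # only remember nonces of messages that verified
    return True, "ok"
```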

35 OWASP 35 Structure of a Basic Web Services Security SOAP Header

36 OWASP 36 Structure of a Basic Web Services Security SOAP Header (cont.)

37 OWASP 37 XML Encryption in WS-Security Use of a in the Security Header Pointing to the Parts of the Message Encrypted with XML Encryption

38 OWASP 38 A Wrapped Key in a Security Header for Use in XML Encryption

39 OWASP 39 A Wrapped Key in a Security Header for Use in XML Encryption (cont.)

40 OWASP 40 Providing Integrity: XML Signature in Web Services Security
- XML Signature
  - Verifies a security token or SAML assertion
  - Message integrity
  - XML syntax
  - Explicit element points to what is being signed
  - One or more XML signatures
  - Overlapping is possible

41 OWASP 41 XML Signature Example

42 OWASP 42 XML Signature Example (cont.)

43 OWASP 43 XML Signature Example (cont.)

44 OWASP 44 XML Signature Example (cont.)
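Since the deck's XML Signature example survives only as slide titles, here is an added, simplified worked version (not the deck's own): each Reference points by wsu:Id at the element it covers and carries that element's digest, and the SignatureValue covers the list of digests, so one signature can protect the body and the header Timestamp while the rest of the message stays unsigned. It assumes Python's standard library, an HMAC in place of the RSA signature, no ds: namespace or Transforms, and a constructed bank namespace, message and key.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
# SOAP 1.1 and WS-Security 1.0 namespaces are the real ones; "bank" is a constructed application namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BANK = "urn:example:bank"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("bank", BANK)): ET.register_namespace(prefix, uri)
NS = {"soap": SOAP, "wsse": WSSE}
KEY = b"constructed-shared-hmac-key"  # stands in for the signer's key; real XML-DSig would use an X.509 key pair
# Constructed sample request: the Timestamp and the Transfer each carry a wsu:Id that a Reference can point to
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:bank="{BANK}">
<soap:Header><wsse:Security><wsu:Timestamp wsu:Id="ts"><wsu:Created>2007-02-01T12:00:00Z</wsu:Created></wsu:Timestamp></wsse:Security></soap:Header>
<soap:Body><bank:Transfer wsu:Id="transfer"><bank:Amount>100</bank:Amount></bank:Transfer></soap:Body>
</soap:Envelope>"""
def find_by_id(root, wsu_id):  # resolve a Reference URI "#id" to the element carrying that wsu:Id
    return next(el for el in root.iter() if el.get(f"{{{WSU}}}Id") == wsu_id)
def c14n(el):  # canonical (C14N) form of one element; its tail text is not part of the element
    el = copy.copy(el); el.tail = None
    return ET.canonicalize(ET.tostring(el, encoding="unicode"), strip_text=True)
def digest(el):  # DigestValue: SHA-256 over the canonical form of the referenced element
    return base64.b64encode(hashlib.sha256(c14n(el).encode()).digest()).decode()
def signature_value(signed_info, key):  # SignatureValue covers SignedInfo, i.e. the list of digests
    return hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
def sign_envelope(xml, ids, key):  # sign only the elements named in ids; the rest of the message stays unsigned
    root = ET.fromstring(xml)
    signed_info = ET.Element("SignedInfo")
    for wsu_id in ids:
        ref = ET.SubElement(signed_info, "Reference", URI="#" + wsu_id)
        ET.SubElement(ref, "DigestValue").text = digest(find_by_id(root, wsu_id))
    sig = ET.SubElement(root.find("soap:Header/wsse:Security", NS), "Signature")
    sig.append(signed_info)
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(signature_value(signed_info, key)).decode()
    return ET.tostring(root, encoding="unicode")
def verify_envelope(xml, key):  # receiver side: check SignatureValue first, then re-digest every referenced element
    root = ET.fromstring(xml)
    sig = root.find("soap:Header/wsse:Security/Signature", NS)
    if sig is None:
        return False, "no Signature in Security header"
    signed_info = sig.find("SignedInfo")
    if not hmac.compare_digest(signature_value(signed_info, key), base64.b64decode(sig.findtext("SignatureValue"))):
        return False, "SignatureValue mismatch"
    for ref in signed_info.findall("Reference"):
        wsu_id = ref.get("URI").lstrip("#")
        if ref.findtext("DigestValue") != digest(find_by_id(root, wsu_id)):
            return False, f"digest mismatch for #{wsu_id}"
    return True, "ok"
```

Changing the signed Amount after signing leaves the SignatureValue valid but breaks the Transfer digest, which is why a receiver must re-digest every Reference and not stop at the SignatureValue check.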

