Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
SOA Security
<Iris Levari><OWASP role><Amdocs><[email protected]>
<12/3/07>
Agenda
- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard
SOA - Service Oriented Architecture
- Business process oriented architecture
- Decomposing business processes into discrete functional units = services
- Existing or new business functionalities are grouped into atomic business services
- Evolution of distributed computing and modular programming driven by newly emergent business requirements
- Application development focused on implementing business logic
Service Properties
A service is:
- Loosely coupled
- High-level granularity
- Self describing
- Hardware or software platform interoperable
- Discoverable
- Composable: a service can be composed of other services
- Context-independent
Service Oriented Architecture - Advantages & Disadvantages
Advantages:
- Maximize reuse
- Reduce integration cost
- Flexible & easily changed to reflect business process change
Shortcomings:
- Message handling and parsing
- Legacy application services wrapping
- Complex service design and implementation
New Security Threats
SOA introduces the following new security threats:
- Services to be consumed by entities outside of the local trust domain
- Confidential data passes the domain's trust boundaries
- Authentication and authorization data is communicated to external trust domains
- Security must be enforced across the trust domain
- Managing user and service identities
Security Considerations
- The propagation of users and services across domain trust boundaries
- The need to seamlessly connect to other organizations on a real-time transactional basis
- Security controls for each service and service combinations
- Managing identity and security across a range of systems and services with a mix of new and old technologies
- Protecting business data in transit and at rest
- Compliance with corporate, industry & regulatory standards
- Composite services
New Techniques In Integration Security
SOA introduces new techniques in integration security:
- Message level security vs. transport level security
- Converting security enforcement into a service
- Declarative & policy-based security
Message Level Security vs. Transport Level Security
Transport level security (SSL/VPN):
- Point-to-point message exchange
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used (i.e. HTTPS)
Message level security:
- End-to-end security
- Different message fields within the same message should be read by different entities
Security in the Message
[Diagram: Sender -> Intermediary -> Receiver. With HTTP security (SSL) there is a separate security context on each hop, Sender to Intermediary and Intermediary to Receiver; with WS-Security a single security context spans from Sender to Receiver across the intermediary.]
HTTP security (SSL) is point-to-point.
WS-Security provides context over multiple end points.
Transport Security For Web Services Pros and Cons
Pros:
- Mature: SSL/VPN
- Supported by most servers and clients
- Understood by most system administrators
- Simpler
Cons:
- Point to point: messages are in the clear after reaching the SSL endpoint
- Waypoint visibility: can't have partial visibility into the message parts
- Granularity
- Transport dependent: applies only to HTTP
Message Security For Web Services Pros And Cons
Pros:
- Persistent: the message is self-protecting
- Encompasses many other standards including XML Encryption, XML Signature, X.509 certificates and more
- Portions of the message can be secured to different parties
- Different security policies can be applied to request and response transport
Cons:
Message Level Security (example)
Integration of a brokerage and a bank: an investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage; only the bank can read it and make use of it.
Converting Security into a Service
Security services provide services such as:
- Authentication
- Authorization
- Message services: encryption, decryption, signing, signature verification, logging messages, scrubbing messages
This facilitates integration and reduces development cost.
Traditional SSO
- Security is hard coded into each application
- User credentials are transmitted across enterprise boundaries
SOA SSO Federation (cont.)
Traditional: limited implementation using 3rd party SSO solutions; no easy integration with applications that have not been written by the same 3rd party SSO manufacturer.
SOA solution:
- Managing security interaction between applications
- Clients and servers dynamically negotiate security policies
- Easy implementation
WS-Security Standard
- SOAP security (securing the web service messages)
- SOAP header extension
- Standard: Feb. 2007, Ver 1.1 (OASIS)
- Any combination of authentication, encryption and digital signature, in request and/or response
"WS-Security" Building Blocks
- Security Tokens: Username Token, Username Token with Password Digest, Binary Security Token (X.509 Version 3 certificates, Kerberos tickets)
- Signatures: sign all or part of the SOAP body
- Reference List or Encrypted Key (XML Encryption)
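An added example (not from the OWASP slides) of the "Username Token with Password Digest" building block listed above: the client side emits a wsse:UsernameToken carrying Base64(SHA-1(nonce + created + password)) instead of the password, and the service side recomputes the digest while rejecting stale timestamps and reused nonces. The namespace URIs are the WS-Security 1.0 ones; the user store, the 5-minute freshness window and the in-memory nonce cache are assumptions.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS = timedelta(minutes=5)  # assumed acceptance window; the profile leaves it to the verifier


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: str = "") -> bytes:
    """Client side: emit a wsse:UsernameToken that never carries the password itself."""
    nonce = secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PW_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok)


class TokenVerifier:
    """Service side: recompute the digest and reject stale or replayed tokens."""
    def __init__(self, users: dict):
        self.users = users          # constructed store of username -> password
        self.seen_nonces = set()    # replay cache; entries older than FRESHNESS can be evicted

    def verify(self, token_xml: bytes, now=None) -> bool:
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        digest = tok.findtext(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if None in (username, digest, nonce_b64, created) or username not in self.users:
            return False
        now = now or datetime.now(timezone.utc)
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > FRESHNESS or nonce_b64 in self.seen_nonces:
            return False  # stale timestamp or nonce already used: treat as a replay
        expected = password_digest(base64.b64decode(nonce_b64), created, self.users[username])
        if not hmac.compare_digest(expected, digest):
            return False
        self.seen_nonces.add(nonce_b64)
        return True
```

Note that the digest only hides the password from a passive observer; without a fresh nonce and a replay cache the token could be resubmitted as-is, which is why the verifier tracks both.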
XML Encryption in WS-Security
Use of a <ReferenceList> in the Security header pointing to the parts of the message encrypted with XML Encryption.
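Added example (not from the deck) tying this slide to the brokerage/bank scenario above: a constructed SOAP envelope whose Security header <ReferenceList> points at the encrypted bank authorization, plus a parser that resolves those references and reports which Body elements an intermediary such as the brokerage can read. The envelope, the urn:example:brokerage element names and the placeholder ciphertext are all constructed; only the WS-Security and XML Encryption namespace and algorithm URIs are real.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed envelope: the trade request stays readable for the brokerage, while the
# bank authorization element has been replaced by xenc:EncryptedData (ciphertext is a placeholder).
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <soap:Header><wsse:Security>
    <xenc:ReferenceList><xenc:DataReference URI="#bank-auth"/></xenc:ReferenceList>
  </wsse:Security></soap:Header>
  <soap:Body>
    <TradeRequest xmlns="urn:example:brokerage">
      <Symbol>ACME</Symbol><Quantity>100</Quantity>
      <xenc:EncryptedData Id="bank-auth" Type="{XENC}Element">
        <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER_CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </TradeRequest>
  </soap:Body>
</soap:Envelope>"""


def encrypted_parts(envelope_xml: str) -> dict:
    """Map each DataReference in wsse:Security to the algorithm of the EncryptedData it points at."""
    root = ET.fromstring(envelope_xml)
    by_id = {e.get("Id"): e for e in root.iter(f"{{{XENC}}}EncryptedData")}
    parts = {}
    for ref in root.iterfind(f".//{{{WSSE}}}Security/{{{XENC}}}ReferenceList/{{{XENC}}}DataReference"):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            raise ValueError(f"dangling DataReference {uri!r}")  # reject rather than guess
        parts[uri[1:]] = target.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm")
    return parts


def visible_to_intermediary(envelope_xml: str) -> list:
    """Body element names readable without a key, i.e. everything outside EncryptedData."""
    root = ET.fromstring(envelope_xml)
    names = []

    def walk(el):
        if el.tag == f"{{{XENC}}}EncryptedData":
            return  # opaque to anyone without the bank's key
        names.append(el.tag.split("}")[-1])
        for child in el:
            walk(child)

    for child in root.find(f"{{{SOAP}}}Body"):
        walk(child)
    return names
```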