SOA Security

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, OWASP, http://www.owasp.org

SOA Security
<Iris Levari> <OWASP role> <Amdocs> <[email protected]>
<12/3/07>


Transcript of SOA Security


Slide 2: Agenda

- What Is SOA
- SOA life cycle & Security
- SOA Generated Security Concerns / opportunities
- SSO & SSO Federation
- WS Security Standard


Slide 4: SOA Example

Slide 5: SOA Key Terms

Slide 6: SOA - Service Oriented Architecture

- Business-process-oriented architecture
- Decomposing business processes into discrete functional units = services
- Existing or new business functionalities are grouped into atomic business services
- Evolution of distributed computing and modular programming, driven by newly emergent business requirements
- Application development focused on implementing business logic

Slide 7: Service Properties

A service is:
- Loosely coupled
- High-level granularity
- Self-describing
- Hardware or software platform interoperable
- Discoverable
- Composable: a service can be composed of other services
- Context-independent

Slide 8: Service Oriented Architecture - Advantages & Disadvantages

Advantages:
- Maximize reuse
- Reduce integration cost
- Flexible & easily changed to reflect business process change

Shortcomings:
- Message handling and parsing
- Legacy application services wrapping
- Complex service design and implementation

Slide 9: SOA Example

Slide 10: Agenda (repeat of slide 2, introducing the SOA life cycle & Security section)

Slide 11: Business-Driven Development Methodology

Slide 12: Security Encompasses all life cycle aspects

Slide 13: Agenda (repeat of slide 2, introducing the SOA Generated Security Concerns / opportunities section)

Slide 14: New Security Threats

SOA introduces the following new security threats:
- Services are consumed by entities outside of the local trust domain
- Confidential data passes the domain's trust boundaries
- Authentication and authorization data is communicated to external trust domains
- Security must be enforced across the trust domain
- Managing user and service identities

Slide 15: Security Considerations

- The propagation of users and services across domain trust boundaries
- The need to seamlessly connect to other organizations on a real-time transactional basis
- Security controls for each service and for service combinations
- Managing identity and security across a range of systems and services with a mix of new and old technologies
- Protecting business data in transit and at rest
- Compliance with corporate, industry & regulatory standards
- Composite services

Slide 16: New Techniques In Integration Security

SOA introduces new techniques in integration security:
- Message level security vs. transport level security
- Converting security enforcement into a service
- Declarative & policy-based security

Slide 17: Message Level Security vs. Transport Level Security

Transport level security (SSL/VPN):
- Point-to-point message exchange
- Encrypts the entire message
- Sender must trust all intermediaries
- Restricts the protocols that can be used (i.e. HTTPS)

Message level security:
- End-to-end security
- Different message fields within the same message should be read by different entities

Slide 18: Transport Layer Security

Slide 19: Security in the Message

[Figure: Sender, Intermediary and Receiver, with the Security Context drawn once per hop for HTTP security (SSL) and once across the whole path for WS-Security.]

HTTP security (SSL) is point-to-point.
WS-Security provides context over multiple end points.

Slide 20: Transport Security For Web Services Pros and Cons

Pros:
- Mature: SSL/VPN
- Supported by most servers and clients
- Understood by most system administrators
- Simpler

Cons:
- Point to point: messages are in the clear after reaching the SSL endpoint
- Waypoint visibility: can't have partial visibility into the message parts
- Granularity
- Transport dependent: applies only to HTTP

Slide 21: Message Security For Web Services Pros And Cons

Pros:
- Persistent: the message is self-protecting
- Encompasses many other standards, including XML Encryption, XML Signature, X.509 certificates and more
- Portions of the message can be secured to different parties
- Different security policies can be applied to the request and response transport

Cons:

Slide 23: Message Level Security (example)

Integration of a brokerage and a bank. An investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage. Only the bank can read it and make use of it.

Slide 24: Converting Security into a Service

Security services provide services such as:
- Authentication
- Authorization
- Message services: encryption, decryption, signing, verification of signatures, logging messages, scrubbing messages

Facilitates integration; reduces development cost.

Slide 25: SOA Security Reference Model

Slide 26: Agenda (repeat of slide 2, introducing the SSO & SSO Federation section)

Slide 27: Traditional SSO

- Security is hard-coded into each application
- User credentials are transmitted across enterprise boundaries

Slide 28: SOA SSO Federation

Slide 29: SOA SSO Federation (cont.)

Traditional approach:
- Limited implementation using 3rd-party SSO solutions
- No easy integration with applications that have not been written by the same 3rd-party SSO manufacturer

SOA solution:
- Managing the security interaction between applications
- Clients and servers dynamically negotiate security policies
- Easy implementation

Slide 30: Agenda (repeat of slide 2, introducing the WS Security Standard section)

Slide 31: WS-Security Standard

- SOAP security (securing the web service messages)
- SOAP header extension
- Standard: Feb. 2007, Ver 1.1 (OASIS)
- Any combination of the following, in request and/or response: Authentication, Encryption, Digital Signature

Slide 32: Web Services Stack

Slide 33: Web Services Security Architecture

Slide 34: "WS-Security" Building Blocks

Security Tokens:
- Username Token
- Username Token with Password Digest
- Binary Security Token: X.509 Version 3 certificates, Kerberos tickets

Signatures: sign all or part of the SOAP body

Reference List or Encrypted Key (XML Encryption)

Slide 35: Structure of a Basic Web Services Security SOAP Header

Slide 36: Structure of a Basic Web Services Security SOAP Header (cont.)

Slide 37: XML Encryption in WS-Security

Use of a <ReferenceList> in the Security Header pointing to the parts of the message encrypted with XML Encryption.
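The brokerage/bank scenario from the message-level security example, carried through with the ReferenceList structure shown here, as an added example that is not code from the slides: the trade order stays readable by the brokerage, the withdrawal authorization is replaced by an EncryptedData element that only the bank's key opens, and the Security header's ReferenceList points at it. The message layout, the bank key and the HMAC-based keystream standing in for AES are all assumptions of this example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed example, not code from the slides. XML Encryption uses a block
# cipher such as AES; to stay on the standard library this stand-in derives a
# keystream from HMAC-SHA256 in counter mode and XORs it with the data. Namespace
# prefixes (wsse:, xenc:) are dropped to keep ElementTree lookups short.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def build_trade_message(bank_key: bytes, symbol: str, authorization: str) -> str:
    """Trade order readable by the brokerage; the withdrawal authorization is
    replaced by EncryptedData, and the Security header's ReferenceList names it."""
    cipher = base64.b64encode(_keystream_xor(bank_key, authorization.encode())).decode()
    return (
        "<Envelope><Header><Security>"
        '<ReferenceList><DataReference URI="#auth"/></ReferenceList>'
        "</Security></Header><Body>"
        f"<TradeOrder><Symbol>{symbol}</Symbol><Qty>100</Qty></TradeOrder>"
        '<EncryptedData Id="auth"><CipherData>'
        f"<CipherValue>{cipher}</CipherValue></CipherData></EncryptedData>"
        "</Body></Envelope>"
    )

def brokerage_view(message: str) -> dict:
    """What an intermediary without the bank key sees: the order and the fact
    that an encrypted part exists, but not the authorization itself."""
    root = ET.fromstring(message)
    return {
        "symbol": root.findtext(".//Symbol"),
        "encrypted_parts": [r.get("URI") for r in root.iter("DataReference")],
        "authorization": None,
    }

def bank_read_authorization(message: str, bank_key: bytes) -> str:
    """The bank resolves each DataReference to the EncryptedData with that Id
    and decrypts it; a wrong key yields garbage, not the authorization."""
    root = ET.fromstring(message)
    by_id = {e.get("Id"): e for e in root.iter("EncryptedData")}
    parts = []
    for ref in root.iter("DataReference"):
        enc = by_id[ref.get("URI").lstrip("#")]
        cipher = base64.b64decode(enc.findtext(".//CipherValue"))
        parts.append(_keystream_xor(bank_key, cipher).decode(errors="replace"))
    return "".join(parts)
```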

Slide 40: Providing Integrity: XML Signature in Web Services Security

XML Signature:
- Verify a security token or SAML assertion
- Message integrity

XML syntax:
- An explicit <Reference> element points to what is being signed
- One or more XML signatures
- Overlapping is possible
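The Reference mechanism above, together with the Username Token password digest from the building-blocks slide, as an added example that is not code from the slides: each signed part gets a Reference whose DigestValue is the hash of that part, and SignatureValue covers SignedInfo, so changing a signed part invalidates only that Reference while forging SignedInfo fails outright. The sample envelope, the shared key, the absence of namespaces and canonicalization, and HMAC-SHA256 as the SignatureMethod are assumptions of this example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed example, not code from the slides. Simplifications: no namespaces,
# no XML canonicalization (elements are hashed as ElementTree serializes them),
# and SignatureMethod is HMAC-SHA256 with a key shared by sender and receiver
# rather than an RSA key pair; XML Signature allows HMAC, and the
# Reference / DigestValue / SignedInfo / SignatureValue layout is the same.
SAMPLE = (  # single-line sample so no whitespace tails affect the digests
    '<Envelope><Header><Security><Timestamp Id="ts"><Created>2007-12-03T10:00:00Z'
    '</Created></Timestamp></Security></Header><Body Id="body"><TradeOrder>'
    "<Symbol>ACME</Symbol><Qty>100</Qty></TradeOrder></Body></Envelope>"
)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def _digest(elem) -> bytes:
    return hashlib.sha256(ET.tostring(elem, encoding="utf-8")).digest()

def sign_message(message: str, key: bytes, signed_ids) -> str:
    """Add a Signature to the Security header: one Reference per Id with the
    part's digest in SignedInfo, then SignatureValue over SignedInfo itself."""
    root = ET.fromstring(message)
    by_id = {e.get("Id"): e for e in root.iter() if e.get("Id")}
    info = ET.Element("SignedInfo")
    for sid in signed_ids:
        ref = ET.SubElement(info, "Reference", URI="#" + sid)
        ET.SubElement(ref, "DigestValue").text = base64.b64encode(_digest(by_id[sid])).decode()
    sig = ET.SubElement(root.find("./Header/Security"), "Signature")
    sig.append(info)
    mac = hmac.new(key, ET.tostring(info, encoding="utf-8"), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify_message(message: str, key: bytes) -> list:
    """Return the Ids whose referenced content still matches its DigestValue;
    an empty list means SignatureValue did not match SignedInfo at all."""
    root = ET.fromstring(message)
    sig = root.find("./Header/Security/Signature")
    info = sig.find("SignedInfo")
    mac = hmac.new(key, ET.tostring(info, encoding="utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(sig.findtext("SignatureValue"))):
        return []
    by_id = {e.get("Id"): e for e in root.iter() if e.get("Id")}
    return [ref.get("URI")[1:] for ref in info.iter("Reference")
            if base64.b64decode(ref.findtext("DigestValue")) == _digest(by_id[ref.get("URI")[1:]])]
```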