a guideline to secure web services - acsac 2017 · a guideline to secure web services ... ensure...
TRANSCRIPT
Outline
Web Services and their Relation toSecurity
Dimensions for Secure Web Services
Web Services Security Standards
Secure Implementation Tools andTechniques
Challenges and Conclusions
What are Web Services?
Today, we normally use Web browsers to talk to Websites
Browser names document via URL (lots of fun andgames can happen here)
Request and reply encoded in HTML, using HTTPto issue request to the site
Web Services generalize this model so thatApplications can talk to Applications
Web service definition
“A Web Service is a software system designed tosupport interoperable machine-to-machine interaction
over a network. It has an interface described inWSDL. Other systems interact with the Web servicein a manner prescribed by its description using SOAP
messages and XML.”
Source: http://www.w3.org/TR/ws-arch/
Web Services Example
Credit
Service
Rate
Service
Loan
Service
1 SOAP request
2
SOAP
response
3
SOAP request
4 SOAP response
Web Service Example
Web
Portal
Loan
Service
1
Request
3
SOAP response
2
SOAP request
User
4
HTML page
Advantages of web services?*
Web services provide interoperability between varioussoftware applications running on various platforms.
“vendor, platform, and language agnostic”
Web services leverage open standards and protocols.Protocols and data formats are text based where possible
Easy for developers to understand what is going on.
By piggybacking on HTTP, web services can work throughmany common firewall security measures without requiringchanges to their filtering rules.
The Web Services “stack”
BusinessProcesses
Qualityof
Service
Description
Messaging
Transport
Coordination
ReliableMessaging
Security
BPEL4WS (IBM only, for now)
XML, Encoding
OtherProtocols
TCP/IP or other network transport protocols
SOAP
WSDL, UDDI, Inspection
Transactions
Dimensions for Secure Web Services
Secure MessagingHTTPSXML Encrypt. XML Digital Sig.WS-Security
Resources ProtectionAccess ControlAuthorizationProtection from DOS Attacks
Contracts and Obligations
Trust Management
Components to be secured
Fir
ew
all Apps
Application
server
Database
Host
Web server
Database
server
Fir
ew
all
HostHost
Apps
Browser
Securing netwoktraffic
Securing thenetwork resource
Securing the application:Identification;Authentication;Authorization
Standards
ebXML
UDDIRegistriesDiscovery
AuditingAccountability
XACML
EPALPrivacy
RBAC
XrML
XACML
Authorization
Resource
SSL/TLS (X.509)
WS-Security (SAML, X.509)Authentication
SSL/TLS (HTTPS)
WS-Security (XML DSig/Enc)Confidentiality
and IntegrityMessaging
SpecificationsRequirementDimension
WS-* security Standardsframework
Transport level security SSL/TLS
Network level security IPSec
XML securityXML
Encryption
XML
Signature
SOAP foundation
Message security
WS SecurityWS
SecureConversation
Reliable Messaging
WS ReliableMessaging
Security mgmt.
XKMS WS-Trust
XACML SAML
WS-Policy
Policy & Access
Control
Identity Mgmt.
WS-federation Liberty SAML
What is WS-Security?
WS-Security enhances SOAP messaging toprovide quality of protection through:
message integrity,message confidentiality, andsingle message authentication.
These mechanisms can be used toaccommodate a wide variety of securitymodels and encryption technologies.WS-Security also provides a general-purpose,extensible mechanism for associating securitytokens with messages:
Security policies for WebServices
The concept of Policy: Guiding principles and procedures
Security policy might mean different things to different people:
Firewall filtering rules
Access control policy
Privacy policy
WS-Policy
Web Services Policy 1.2 - Framework(WS-Policy) W3C Member Submission25 April 2006
Status: public draft release for review andevaluation only
Main goal: The WS-Policy and WS-PolicyAttachment aim to offer mechanisms torepresent the capabilities and requirements ofWeb services as Policies
XACML
eXtensible Access Control MarkupLanguage 2 (XACML) Version 2.0 OASISStandard, 1 Feb 2005
Status: approved OASIS Standard within theOASIS Access 12 Control TC.
XACML Overview
XACML is a general purpose access control policylanguage for managing access to resources
It describes both a policy language and anaccess control decision request/responselanguage
Access control based on subject and objectattributes
Consistent with and building upon SAML
Security Assertion MarkupLanguage (SAML)
Developed by the OASIS XML-BasedSecurity Services Technical Committee(SSTC)
Status: SAML V2.0 OASIS Standardspecification set was approved on 15March 2005
Main goal: authentication andauthorization
SAML goalThe goal:
promote interoperability between disparateauthentication and authorization systems
How:defining an XML-based framework for communicatingsecurity and identity information (e.g., authentication,entitlements, and attribute) between computingentities
Secure Implementation Tools andTechniques
XML ParsersXML Parsers are the first component to process input to Web services
They must be robust
Large or specially formed XML documents can lead to DOS Attacks
Secure Implementation Tools andTechniques
Procedural Languages:C and C++
Less overhead, which is useful for embedded systems: J2EE and.NET frameworks take up hundreds of megabytes of hard diskspaceCan directly interface with legacy applications developed in C orC++Susceptibility to programming errors may require additionprotections like XML Gateways or OS level restrictions
Java and .NETWidely considered to be more secure languagesTwo of the most popular languages for developing Web servicesProvide robust sandboxes (JVM and .NET Code Access Security)Large number of third-party libraries available for Java and .NETWeb services
Secure Implementation Tools andTechniques
Security Testing
Functional testing of security mechanismsEnsure that Web service security mechanisms work as required
Security-focused unit testingPerform security testing on individual components of the Webservice
Vulnerability assessmentsAttempt to attack the Web service using known attack types
Web service code reviews and testingCheck the source code for vulnerabilities or security errorsPerform testing with unexpected or random input to findsusceptibility to unknown attacks
Common Attacks against Web Services
Attacks on Integrity: Parameter Tampering, XMLSchema Poisoning
DOS Attacks: Flooding Attacks, Send OversizedPayloads to XML Parsers, Buffer Overflow Exploits
Command Injection: SQL Injection, XML Injection
Malicious Code Attacks: Virus, Worms, Trojan Horse
Challenges for Secure Web Services
Contracts and Negotiation
Protection from Common Attacks
End to End QoS and QoP
Interoperability among competing Standards
Methodologies for Secure Web Services
Life Cycle Management