Fundamentals of SOA Security Testing
by Mamoon Yunus, CEO of Crosscheck Networks

Abstract: This article describes the foundations of SOA security testing, including functional, performance, interoperability, and vulnerability testing. As service-oriented architecture (SOA) begins to form the fabric of IT infrastructure, active and aggressive testing has become crucial to ensure that services are exposed safely without compromising security. Robust security testing ensures that trust (identity, privacy and integrity) is maintained within systems and that threats (denial of service, malware and data leaks) are eliminated from SOA deployments.

Introduction

Rich internet applications, service APIs, virtualization, and cloud services provide extensive integration of data for real-time information access. This drive to open up business applications for integration comes at a cost: service security. This article focuses on SOA security testing.

The trustworthiness of a service is a crucial factor in determining whether or not a potential consumer makes use of a service offering. Interestingly, many service providers neglect this fact. They assume that functionally rich services are good enough for their customers. However, non-functional requirements often make the difference between successful service offerings and fruitless, academic attempts to push SOA into an organization.

Figure 1. Foundation of SOA Security Testing.

SOA security testing requires significant rigor and discipline because of the complex nature of SOA, which involves many systems, protocols, content types, identity tokens, encryption mechanisms, and signature techniques. Detailed business transactions exposed through services contain complex business structures in areas such as customer data, purchase orders, change requests, tax returns, financial reports, and MRI scans. Testing the security provisions of such complex structures (identity, privacy and integrity) across the functional, performance, interoperability and vulnerability domains is necessary for building a secure SOA.
Security Functional Testing

Functional testing is the first foundation of testing SOA security. It enables testers to verify that the services perform as required with the necessary security enabled. As a first step, the business functions of the services are verified with a service request generating a successful response. IT professionals then set up the desired regression test cases for automating their testing. Most services, however, have security provisions enabled right from the beginning and require functional testing in the following areas:

1. Transport Protocols: Services are transport protocol independent. Most Internet-facing services rely on HTTP or HTTPS for communication; within the enterprise, however, JMS, IBM MQ Series, Tibco EMS, and FTP are popular transport protocols. This diversity in protocols requires that the functional testing harness be capable of sending and receiving messages over such protocols. With SSL enabled over HTTP or JMS, managing the public key infrastructure (PKI) becomes necessary for secure functional testing.

2. Identity Tokens: Most services require client authentication and authorization before the request is accepted and a response is returned. The identity tokens provided for this process may come in through a variety of channels. Listed in order from simple to complex, the common identity tokens that require functional testing are as follows:
   a. HTTP basic authentication
   b. Cookie-based authentication
   c. HTTP X.509 mutual authentication
   d. SAML, WS-UserName, WS-X.509
   e. Any ad-hoc content in the payload (header, message, attachment)

3. Privacy & Integrity: SOA security utilizes privacy (encryption-decryption) and integrity (signature-verification) for information in motion as well as information at rest. SSL secures the transport layer, whereas with the WS-Security standards, SOAP and XML messages are encrypted and signed granularly at the content level. The combination of transport-level and content-level privacy and integrity gives companies significant control in implementing their security policies. With such flexibility, the burden of testing the possible variations in the standards used, as well as the content over which the privacy and integrity policies are implemented, now falls on the quality assurance and security team within the organization. SOA deployments require testing for the following privacy and integrity items:
   a. HTTP over SSL
   b. SOAP/XML encryption
   c. SOAP/XML signatures
   d. MTOM and SOAP with Attachments (SwA)

Functional security testing for SOA is a non-trivial endeavor. With a large variety of protocols, identity token types, and privacy and integrity schemes, using established commercially available tools saves corporations time and costs by replacing the coding effort for such diverse standards with simple point-and-click test management. Once a set of test cases has been configured, the next step is to build automated test suites. With automated test suites, SOA security professionals can easily perform regression testing to ensure that new service releases behave as expected. By using commercial products to build regression tests, and by providing developers detailed success-failure reports rather than implementing complex standards, testers efficiently and accurately maintain a high-quality SOA deployment.

Security Performance Testing

Performance testing is the second foundation of SOA security testing. QA testers should test the scalability and robustness of services. Testers should determine response times, latency, and throughput profiles for target services. They should also determine scalability by bombarding target services with varying SOAP/XML message sizes across a range of concurrent loading clients. The following areas have a significant impact on performance testing techniques for SOA security:

1. Generating Unique Messages: Performance testing requires identifying latency and throughput bottlenecks for varying message sizes and concurrent client loads. Typically, a target service is inundated with a large number of messages and the transactions per second (TPS) figure is then determined based on the error rates or latency characteristics. In the case of XML messages, simply using static messages is inaccurate for SOA security testing: the consuming server should detect a repeated static message as an expired message or a replay attack. During performance testing, a tester has to ensure that target services that require message-level security (such as WS-Signatures, WS-Encryption or SAML) can consume such messages without any errors. The tester has to ensure that SOAP messages have dynamic timestamps, nonces, and security headers, since the specifications around timestamps and security elements require unique wire signatures for all messages.

2. Scaling Clients and Messages: SOA encompasses a wide set of use cases. In system-to-system communication, usually only a few connections are established between the systems and a large number of transactions flow through the established connections.
Conversely, in a user-to-system portal model, a large number of short-lived concurrent connections are usually established. Testing the performance characteristics of a service exposed to a varying number of clients is critical before moving a service into production. Similarly, services may be required to handle a wide range of data sizes. For example, a service used for processing taxes has to handle tax messages of a few kilobytes from small businesses as well as multiple gigabytes from global corporations. Testing such services requires the ability to send a wide range of messages with security provisions, such as messages with encryption and signatures enabled. Without the ability to scale both the concurrent clients and the message size with security enabled, a thorough performance profile of the service cannot be determined.

3. Understanding Security Operations and Keys: Privacy and integrity operations involve public-private key pairs. To establish privacy, the public key is used for encryption whereas the private key is used for decryption. To establish integrity, the private key is used for signing a message and the public key is used for verifying the signature. Private key operations are computationally more intensive than public key operations and have a greater impact on performance. While testing service performance characteristics, testers have to anticipate and test performance degradation based on the cryptographic operation being performed. Key size also has a significant impact on service performance, especially when private key operations (decryption or signing) are being executed. For higher security strength, greater key sizes, up to 4096 bits, are required, and 1024-bit keys are the minimum used. Going below 1024 bits is usually considered too weak and is rarely deployed. Private key operations for key sizes of 1024 bits and above are computationally expensive even when using high-end CPUs. For such operations, performance is improved by using dedicated cryptographic accelerators. SOA security testers should understand the key sizes required by corporate policies and ensure that the services are tested for performance using the mandated key size.

Performance testing for SOA security is significantly different from performance testing for websites. An erroneous but fairly common practice is to morph existing web application testing tools into services testing tools. Static WS-Security messages are generated using a cut-and-paste scheme in which the message is moved into the load testing tool environment. This results in incorrect performance profiles, since testing is conducted without sending unique messages. Understanding the nuances of WS-Security can be overwhelming, but developing this skill set and utilizing the right tools is essential for building secure and scalable performance testing suites suitable for service-oriented solutions. By using commercial testing tools, this replay issue during performance testing can be easily avoided. Most SOA testing tools allow dynamic timestamps, nonces, and security tokens to be generated. Testers can build test suites to evaluate whether the services honor expired timestamps by sending stale messages, and can test replay attack detection by sending duplicate nonces.

Security Interoperability Testing

Interoperability testing is the third foundation of SOA security testing. One of the promises of SOA is that it enables ease of integration between applications and systems. Regardless of coding environment (such as Java, .NET, or PHP) or operating system (such as Windows, Linux or Solaris), SOA enables applications to exchange service definitions at design time and then work out the request and response messaging characteristics later on. Once security provisions are enabled, the interoperability testing requirement increases significantly, especially in the following areas:

1. Transport Protocol Security: In most SOA deployments, HTTP with SSL (HTTPS) is used as the de facto transport protocol.
While establishing the secure transport connection between a client and a server, the list of cryptographic algorithms (cipher suites) supported by both the client and server is negotiated. For greater security, organizations turn off certain weaker algorithms on the server. This then has to be verified by the testers to ensure that only approved algorithms are being presented to the client for establishing a secure tunnel. Verifying that the SSL connection for a service is interoperable with a variety of client scenarios is the first and most crucial step in testing service security.

2. Identity Interoperability: As highlighted in the Security Functional Testing section, a variety of identity tokens may be accepted by a service for client authentication and authorization. Identity tokens also come in varying versions; for example, SAML 1.1 and SAML 2.0 are popular content-based tokens used for services. Testers are responsible for verifying the token types accepted by services regardless of the application, development language or operating system that generates the identity tokens. They are also responsible for ensuring that token types that are not supported by the services are rejected with the appropriate error messages.

3. Privacy and Integrity Interoperability: Similar to the identity interoperability case, privacy and integrity interoperability involve a variety of artifacts that can result in serious interoperability issues if not tested properly. Privacy requires a public key (encryption) and a private key (decryption) operation. In addition to these operations, sensitive content within the XML or SOAP message is selected for the encryption and decryption operation. Ensuring that only the correct key pairs permit the encryption-decryption process is the responsibility of the SOA security tester. Standards used for signatures also require private key (sign) and public key (verify) operations. In addition to these operations, the signature standards permit including or excluding spaces in the message, enveloping or enveloped signatures, and a variety of other options. This flexibility is powerful, but puts a significant burden on testing signature interoperability within an SOA deployment.
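The unique-message requirement from the Security Performance Testing section (dynamic timestamps and nonces on every request, plus the stale-message and duplicate-nonce tests described there) in working code. This is an added example, not code from the article or from Crosscheck Networks. It builds a WS-Security UsernameToken with a PasswordDigest and pairs it with the server-side checks a test suite should see enforced: a freshness window, a nonce cache for replay detection, and digest verification. The test account, the five-minute window, and the fixed clock are constructed for the demonstration; the namespace and digest-type URIs are the real WS-Security 2004 identifiers.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed for this example: a test account, the freshness window a service
# might enforce, and a fixed clock so the scenarios are reproducible.
USERS = {"loadtest-client": "correct-horse-battery-staple"}
FRESHNESS_WINDOW = timedelta(minutes=5)
DEMO_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce, created, password):
    """WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)),
    with the nonce as raw bytes and created/password as UTF-8 text."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def make_username_token(username, password, now, nonce=None):
    """Build the fields of a UsernameToken. A fresh random nonce and the current
    time make every message unique on the wire, which is what a load generator
    must do per request instead of replaying one captured message."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = now.strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def to_soap_header(token):
    """Render the token as the wsse:Security header carried in the SOAP Header."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:UsernameToken><wsse:Username>{token["Username"]}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
        f'<wsse:Nonce>{token["Nonce"]}</wsse:Nonce>'
        f'<wsu:Created>{token["Created"]}</wsu:Created>'
        "</wsse:UsernameToken></wsse:Security>"
    )


class TokenValidator:
    """Server-side checks: freshness window, nonce cache for replay detection,
    and the password digest itself."""

    def __init__(self, users, window=FRESHNESS_WINDOW):
        self.users = users
        self.window = window
        self._seen = {}  # nonce bytes -> Created time, kept only inside the window

    def validate(self, token, now):
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.window:
            return "expired"  # stale (or far-future) timestamp
        # Nonces older than the window can no longer pass the check above,
        # so they are dropped; this keeps the cache bounded under load.
        cutoff = now - self.window
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self._seen:
            return "replay"  # same nonce already accepted inside the window
        password = self.users.get(token["Username"])
        if password is None:
            return "unknown-user"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad-digest"
        self._seen[nonce] = created  # record only after the token is accepted
        return "ok"


def run_load_scenarios(now, requests=3):
    """Compare a cut-and-paste static message with per-request generated ones,
    and send a stale message, as the performance tests in the article do."""
    validator = TokenValidator(USERS)
    user, password = "loadtest-client", USERS["loadtest-client"]
    static = make_username_token(user, password, now)
    return {
        "static": [validator.validate(static, now) for _ in range(requests)],
        "dynamic": [validator.validate(make_username_token(user, password, now), now)
                    for _ in range(requests)],
        "stale": validator.validate(
            make_username_token(user, password, now - timedelta(minutes=10)), now),
    }


if __name__ == "__main__":
    for name, result in run_load_scenarios(DEMO_NOW).items():
        print(f"{name}: {result}")
    print(to_soap_header(make_username_token("loadtest-client",
                                             USERS["loadtest-client"], DEMO_NOW)))
```

The static scenario is the cut-and-paste load test the article warns about: only the first copy is accepted and every later one is reported as a replay, so the measured error rate says nothing about the service's real throughput. The nonce is recorded only after the digest verifies, so a forged message cannot poison the cache and lock out the legitimate client.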
While using a service, consumer applications need to determine both design-time and runtime interoperability characteristics. Developers and testers should run a comprehensive set of interoperability tests and report interoperability issues with the services. Building a comprehensive interoperability test suite ensures that SOA assets are interoperable and that services can work within heterogeneous .NET, Java and PHP environments. Comprehensive interoperability testing ensures that the SOA security provisions work seamlessly and are prevented from becoming a hurdle to SOA deployment. Early interoperability testing ensures that development teams avoid falling into the trap of reducing or, in extreme cases, turning off identity, privacy and integrity checks to meet project deadlines.

Vulnerability Testing

Vulnerability testing is the fourth foundation of SOA security testing. SOA exposes internal corporate IT assets to external trading partners for higher business efficiency and collaboration. SOA, therefore, tends to expand the surface area on which attacks can be launched. As services are exposed, the service definitions provide granular details on data types, protocols, and input and output messages. This information provides a detailed roadmap for building attack vectors for the following common attacks:

1. Injection and Data Excavation: SQL injection is a well-known technique that has been used extensively for extracting information from websites that have a backend database. Using database programming constructs, a malicious query is constructed and sent to the database through a publicly facing website. Depending on the query used, the entire database may be deleted or all the results from a target table (such as usernames and passwords) may be leaked from the database back to the website. Plugging such risks requires preprocessing code that prevents such queries from being executed through input fields on a website. With the rapid adoption of SOA, the SQL injection threat is amplified, since services that can carry such injection queries are designed to be reusable across multiple applications and systems. XML nodes and SOAP messages can now serve as an attack vector for SQL injection. SOA security testers are required to construct detailed test cases with SQL injection queries and launch such tests against services. The responses are evaluated to ensure that sensitive data is not excavated from the target service.

2. Viruses and Malware: SOA provides systems a mechanism to send any content type as an attachment to the XML or SOAP message. Corporations use this channel to exchange complex data such as MRI scans, X-rays, vehicle designs, and general documents (e.g. PDF, DOC, JPEG files). Malware and viruses can permeate corporations through the service attachment channel. SOA security testers should take benign malware and virus samples, send them over XML and SOAP, and ensure that the target service rejects infected requests.

3. Resource Depletion: Using information provided in service definitions, attack vectors such as buffer overflows, deeply nested nodes, and recursive payloads can deplete hardware resources such as CPU cycles and memory. This depletion can result in a denial of service (DoS) to legitimate users and cause business disruption. SOA security testers can preemptively construct a set of test cases that identify such vulnerabilities in exposed services.

By creating specialized tests for a target service, SOA security testers can measure its vulnerability profile. Security testers need to ensure that vulnerabilities such as buffer overflows, deeply nested nodes, recursive payloads, schema poisoning, and malware traveling over SOAP messages do not affect their critical services. They need the ability to rapidly scan services and assess areas of exposure, determine severity levels, provide vulnerability diagnosis, and publish remediation techniques.
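Two of the attack classes above, SQL injection carried in SOAP nodes and resource depletion through deeply nested or oversized payloads, with the service-side guards a tester expects to see hold. This is an added example, not code from the article or from Crosscheck Networks. The request path enforces a size limit before parsing, refuses any DOCTYPE (the route to entity-expansion payloads), abandons parsing once element depth exceeds a bound, and then runs the extracted value through a parameterized query; the concatenated query is kept beside it only to show what the injection test case finds when binding is absent. The SOAP operation (getAccount), the accounts table, the limits, and the sample requests are all constructed for the demonstration.

```python
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed limits for the example service; real values follow from the
# message sizes the service legitimately has to handle.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class RejectedMessage(Exception):
    """Raised when an inbound request fails a pre-parse or structural check."""


def parse_envelope(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse a SOAP 1.1 envelope under resource limits, cheapest check first:
    raw size before any parsing; a DOCTYPE pre-check (entity expansion needs a
    DTD, so none is accepted; the scan is conservative and also rejects the
    literal inside CDATA); then element depth tracked while feeding the parser
    so a deeply nested payload is dropped early instead of being built in full."""
    if len(data) > max_bytes:
        raise RejectedMessage("oversize")
    if b"<!DOCTYPE" in data:
        raise RejectedMessage("dtd-not-allowed")
    parser = ET.XMLPullParser(events=("start", "end"))
    depth, root = 0, None

    def track():
        nonlocal depth, root
        for event, elem in parser.read_events():
            if event == "start":
                depth += 1
                if depth > max_depth:
                    raise RejectedMessage("too-deep")
                root = elem if root is None else root
            else:
                depth -= 1

    try:
        for offset in range(0, len(data), 4096):
            parser.feed(data[offset:offset + 4096])
            track()
        parser.close()
        track()
    except ET.ParseError:
        raise RejectedMessage("malformed") from None
    if root is None or root.tag != f"{{{SOAP_NS}}}Envelope":
        raise RejectedMessage("not-a-soap-envelope")
    return root


def extract_username(root):
    """Pull the operand out of the Body; the node text is untrusted input."""
    node = root.find(f"{{{SOAP_NS}}}Body/getAccount/username")
    if node is None or not node.text:
        raise RejectedMessage("missing-username")
    return node.text


def lookup_account_unsafe(conn, username):
    """Concatenation: the SOAP node text becomes part of the SQL statement."""
    return conn.execute(
        f"SELECT name, balance FROM accounts WHERE name = '{username}'").fetchall()


def lookup_account(conn, username):
    """Parameter binding: the value reaches the driver as data, never as SQL."""
    return conn.execute(
        "SELECT name, balance FROM accounts WHERE name = ?", (username,)).fetchall()


def service_handler(conn, data):
    """The hardened request path: limits, structure check, bound query."""
    try:
        username = extract_username(parse_envelope(data))
    except RejectedMessage as exc:
        return ("rejected", str(exc))
    return ("ok", lookup_account(conn, username))


def make_demo_db():
    """Constructed in-memory table standing in for the service's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def build_request(username, nesting=0, with_dtd=False):
    """Constructed test request, optionally wrapped in extra nested elements or
    preceded by a DOCTYPE: the shapes a vulnerability test suite sends."""
    payload = f"<username>{escape(username)}</username>"
    payload = "<n>" * nesting + payload + "</n>" * nesting
    body = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f"<getAccount>{payload}</getAccount></soap:Body></soap:Envelope>")
    prefix = '<!DOCTYPE Envelope [<!ENTITY e "x">]>' if with_dtd else ""
    return (prefix + body).encode()


if __name__ == "__main__":
    db = make_demo_db()
    print(service_handler(db, build_request("alice")))
    print(service_handler(db, build_request("' OR '1'='1")))  # bound: no rows
    print(lookup_account_unsafe(db, "' OR '1'='1"))            # concatenated: all rows
    print(service_handler(db, build_request("alice", nesting=100)))
    print(service_handler(db, build_request("alice", with_dtd=True)))
```

The order of the checks matters for the resource-depletion case: the size and DOCTYPE tests cost a byte scan, and the depth bound fires during parsing, so a nested payload is rejected after at most the bounded prefix is built. For production parsing, the defusedxml package applies the DTD and entity restrictions at the parser level rather than by scanning bytes.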
Services vulnerability assessment is a crucial pre-production and post-production step that every developer and security professional must take to ensure risk mitigation within his or her service-oriented architecture.

Conclusion

SOA has changed the way businesses interact and expose information to one another. The significant increase in real-time electronic document exchange, use of cloud-based services, and access to corporate information has resulted in improved revenue and reduced costs. The adoption of SOA has focused the industry's attention on security. Projects that construct or consume services have to build a detailed plan for functional, performance, interoperability, and security testing of services. Enterprises have to recognize that SOA security testing requires demanding domain skills, tools, and processes that go beyond testing simple websites. Building a competent SOA security testing team, selecting comprehensive SOA testing tools, and establishing an SOA lifecycle testing framework are crucial for ensuring a successful SOA deployment.

Mamoon Yunus

Mamoon is an industry-honored CEO and visionary in Web Services- and SOA-based technologies. As the founder of Forum Systems, he pioneered Web Services Security Gateways and Firewalls. Mamoon has spearheaded Forum's direction and strategy for six generations of award-winning Web Services Security products. Prior to Forum Systems, he was a Global Systems Engineer for webMethods (NASD: WEBM), where he developed XML-based business integration and architecture plans for Global 2000 companies such as GE, Pepsi, Siemens, and Mass Mutual. Mamoon has held various high-level executive positions at Informix (acquired by IBM) and Cambridge Technology Group. He holds two graduate degrees in engineering from MIT and a BSME from the Georgia Institute of Technology. InfoWorld recognized Mamoon as one of 4 up-and-coming CTOs to watch. He is a sought-after speaker at industry conferences such as RSA, Gartner, Web Services Edge, CSI, Network Interop, and Microsoft TechEd. Mamoon has the distinction of showcasing Forum Systems' entrepreneurial leadership as a case study at the MIT Sloan School of Management. He has also been featured on CNBC as Terry Bradshaw's Pick of the Week.

Contributions

Fundamentals of SOA Security Testing
Watch Your SOA Blind Spots: A Checklist for Testing Web Services
PARTNER INTEGRATION GUIDE Edition 1.0 Last Revised December 11, 2014 Overview This document provides standards and guidance for USAA partners when considering integration with USAA. It is an overview of
More informationSetting Up an AS4 System
INT0697_150625 Setting up an AS4 system V1r0 1 Setting Up an AS4 System 2 Version 1r0 ENTSOG AISBL; Av. de Cortenbergh 100, 1000-Brussels; Tel: +32 2 894 5100; Fax: +32 2 894 5101; info@entsog.eu, www.entsog.eu,
More informationWhite Paper Delivering Web Services Security: The Entrust Secure Transaction Platform
White Paper Delivering Web Services Security: September 2003 Copyright 2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.
More informationApplication Performance Testing Basics
Application Performance Testing Basics ABSTRACT Todays the web is playing a critical role in all the business domains such as entertainment, finance, healthcare etc. It is much important to ensure hassle-free
More informationAchta's IBAN Validation API Service Overview (achta.com)
Tel: 00 353 (0) 14773295 e: info@achta.com Achta's IBAN Validation API Service Overview (achta.com) Summary At Achta we have built a secure, scalable and cloud based API for SEPA. One of our core offerings
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More information2015 Vulnerability Statistics Report
2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service
More informationApigee Gateway Specifications
Apigee Gateway Specifications Logging and Auditing Data Selection Request/response messages HTTP headers Simple Object Access Protocol (SOAP) headers Custom fragment selection via XPath Data Handling Encryption
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationLync SHIELD Product Suite
Lync SHIELD Product Suite The Natural Solution For Securing Lync Connectivity For today s mobile enterprise, the need to connect smartphones to the corporate network has become a vital business requirement.
More informationCRYPTOGRAPHY AS A SERVICE
CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationPUBLIC Connecting a Customer System to SAP HCI
SAP HANA Cloud Integration for process integration 2015-05-10 PUBLIC Connecting a Customer System to SAP HCI Content 1 Introduction....4 2 Overview of Connection Setup, Tasks, and Roles.... 5 3 Operating
More informationStrategic Information Security. Attacking and Defending Web Services
Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationWHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationCisco Application Networking for IBM WebSphere
Cisco Application Networking for IBM WebSphere Faster Downloads and Site Navigation, Less Bandwidth and Server Processing, and Greater Availability for Global Deployments What You Will Learn To address
More informationHow To Secure Cloud Computing
Resilient Cloud Services By Hemayamini Kurra, Glynis Dsouza, Youssif Al Nasshif, Salim Hariri University of Arizona First Franco-American Workshop on Cybersecurity 18 th October, 2013 Presentation Outline
More informationPAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ
PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ
More informationNETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER
A C a s e s t u d y o n h o w Z e n Q h a s h e l p e d a L e a d i n g K - 1 2 E d u c a t i o n & L e a r n i n g S o l u t i o n s P r o v i d e r i n U S g a u g e c a p a c i t y o f t h e i r f l
More informationPrinciples and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)
Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards) Michael P. Papazoglou (INFOLAB/CRISM, Tilburg University, The Netherlands)
More informationContent-ID. Content-ID URLS THREATS DATA
Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and
More informationDesigning Security for Microsoft SQL Server 2005
Designing Security for Microsoft SQL Server 2005 Course 2787 Two Days Hands-On, Instructor-Led Introduction This two-day instructor-led course enables database administrators who work with enterprise environments
More informationMAXIMUM DATA SECURITY with ideals TM Virtual Data Room
MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for
More informationSSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES
SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES Contents Introduction 3 SSL Encryption Basics 3 The Need for SSL Traffic Inspection
More informationProtecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used
More informationThe Benefits of SSL Content Inspection ABSTRACT
The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic
More informationTHE HACKERS NEXT TARGET
Governance and Risk Management THE HACKERS NEXT TARGET YOUR WEB AND SOFTWARE Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software ISC2 CyberSecurity Conference 09 Kuala
More informationHow to Implement Enterprise SAML SSO
How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationCSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office
CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner
More informationA Survey on Cloud Security Issues and Techniques
A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com
More informationContents. Overview 1 SENTINET
Overview SENTINET Overview 1 Contents Introduction... 3 Customer Benefits... 4 Development and Test... 4 Production and Operations... 5 Architecture... 5 Technology Stack... 8 Features Summary... 8 Sentinet
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationNIST s Guide to Secure Web Services
NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:
More informationApplication Denial of Service Is it Really That Easy?
Application Denial of Service Is it Really That Easy? Shay Chen Agenda Introduction to Denial of Service Attacks Application Level DoS Techniques Case Study Denial of Service Testing Mitigation Summary
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationWhat is an SSL Certificate?
Security is of the utmost importance when doing business on the Web. Your customers want to know that their information is protected when crossing data lines. A Thawte SSL Web Server Certificate or SuperCert
More informationIONA Security Platform
IONA Security Platform February 22, 2002 Igor Balabine, PhD IONA Security Architect Copyright IONA Technologies 2001 End 2 Anywhere Agenda IONA Security Platform (isp) architecture Integrating with Enterprise
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationAquaLogic ESB Design and Integration (3 Days)
www.peaksolutions.com AquaLogic ESB Design and Integration (3 Days) Audience Course Abstract Designed for developers, project leaders, IT architects and other technical individuals that need to understand
More informationThreatSpike Dome: A New Approach To Security Monitoring
ThreatSpike Dome: A New Approach To Security Monitoring 2015 ThreatSpike Labs Limited The problem with SIEM Hacking, insider and advanced persistent threats can be difficult to detect with existing product
More informationSecure Authentication and Session. State Management for Web Services
Lehman 0 Secure Authentication and Session State Management for Web Services Clay Lehman CSC 499: Honors Thesis Supervised by: Dr. R. Michael Young Lehman 1 1. Introduction Web services are a relatively
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationYour Web and Applications
Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationSecure web transactions system
Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends
More informationSECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS
SECURING NETWEAVER DEPLOYMENTS A RSACCESS WHITE PAPER SECURING NETWEAVER DEPLOYMENTS 1 Introduction 2 NetWeaver Deployments 3 Safe-T RSAccess Overview 4 Securing NetWeaver Deployments with Safe-T RSAccess
More informationAkamai to Incapsula Migration Guide
Guide Akamai to Incapsula Migration Guide Introduction Incapsula is an enterprise-grade cloud service that helps companies deliver applications more efficiently and securely. This is accomplished through
More informationCitrix MetaFrame XP Security Standards and Deployment Scenarios
Citrix MetaFrame XP Security Standards and Deployment Scenarios Including Common Criteria Information MetaFrame XP Server for Windows with Feature Release 3 Citrix Systems, Inc. Information in this document
More information