Modeling Web Services for Test Case Generation

Similar documents
Observability and Controllability Issues in Conformance Testing of Web Service Compositions

Lesson 18 Web Services and. Service Oriented Architectures

Lesson 4 Web Service Interface Definition (Part I)

Semantic Description of Distributed Business Processes

Detecting SQL Injection Vulnerabilities in Web Services

Open Issues in WS and Cloud Security. Ernesto Damiani Università degli Studi di Milano

Hang Seng Business e-banking. New Security Device. Frequently Asked Questions

Distributed Systems. Distributed Systems

Direct Deposit Enrollments and Changes now available via AYSO

e-banking in Nepal Prepared by: Prabal Khanal Sanima Development Financial Institution (Development Bank) Kathmandu, Nepal

Service Virtualization: Managing Change in a Service-Oriented Architecture

A standards-based approach to application integration

This Annex uses the definitions set out in the Agreement on service of payment cards on the Internet (hereinafter the Agreement).

NIST s Guide to Secure Web Services

Service Oriented Architecture

Workday Mobile Security FAQ

1. Open a web browser and navigate to:

FACTS What does Mid Carolina CU do with your personal information?

The case for service oriented architecture in realising trusted, interoperable, pan-european egovernment services.

CHAPTER 1 INTRODUCTION

PC Connect Agreement & Disclosure Receipt of Disclosures Equipment Requirements Definition of Business Day

Mobile OTP Issuance Existing Users Non- Roaming Flow (Private Computer)

Oracle SOA Reference Architecture

As simple as and as secure as postal mail.

Business ebanking Fraud Prevention Best Practices

ONE SINGLE ADDRESS FOR ALL YOUR ONLINE PROCEDURES. as part of your professional activity. Business Portal

Four Top Emagined Security Services

The Top 5 Federated Single Sign-On Scenarios

Important Information About Systems Conversion

Government's Adoption of SOA and SOA Examples

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Data Security and Governance with Enterprise Enabler

ENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY

Digital Identity Management

Agent-based University Library System

When will my money be available in the Transfer To account?

Software Testing. Definition: Testing is a process of executing a program with data, with the sole intention of finding errors in the program.

SOA Adoption Challenges

Mobile App Discovery through Conceptual Models

Best Practices Guide to Electronic Banking

Lecture VII : Public Key Infrastructure (PKI)

Access Control Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Set My University of Melbourne Identity Management Password for the First Time

Secure Authentication and Session. State Management for Web Services

CHAPTER - 3 WEB APPLICATION AND SECURITY

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Application for iphone and ipad irietumu HD with integrated Digipass Mobile

Service-Oriented Computing and Service-Oriented Architecture

Home Phone Call Forward Guide

Security audit advice For holders of all remote gambling operator licences including specified remote lottery licences

COPYRIGHTED MATERIAL. Chapter 1: Introduction

Security Evaluation CLX.Sentinel

PUBLIC OFFER AGREEMENT

The Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities

Intent NBI for Software Defined Networking

HIPAA Security Checklist for Healthcare Providers - Self-Evaluation Checklist

QNB Tariff of Charges

Innovative Defense Strategies for Securing SCADA & Control Systems

Two-Factor Authentication: Guide to FEXCO CFX SMS/APP Verification

Course Title: Penetration Testing: Network Threat Testing, 1st Edition

Business bank products package

Introduction to Service Oriented Architectures (SOA)

Business Intelligence meets Big Data: An Overview on Security and Privacy

Electronic Benefits Transfer (EBT) How To Use Your Benefit Card To Get Food Stamp and/or Cash Benefits. Pub-4596 (Rev. 04/08)

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Using Web Security Scanners to Detect Vulnerabilities in Web Services

A Systems Engineering Approach to Developing Cyber Security Professionals

A Study on Secure Electronic Medical DB System in Hospital Environment

Security Test s i t ng Eileen Donlon CMSC 737 Spring 2008

1. what is this talk about? Service-Oriented Architecture. The problem. Topic of this Talk. The solution

How Managed Services Has Changed Remote Infrastructure Management. Presented by: Bill Whitney March 26, 2008

Intensity transformations

User Manual. Finter E-Banking. Wherever you are and whenever you have time

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Wordware Family Website Instructions

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

smarshencrypt User s Guide

Secure Web Access Solution

Deposit via Credit Card

University of Liverpool

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa

DOH 329 Registry Physician Initiated Application

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

Journal of Electronic Banking Systems

1 What Are Web Services?

This document is not an offer, commitment, representation or warranty by AT&T and is subject to change.

1 What Are Web Services?

Automatic system for providing security services in. the Internet of Things applications over Wireless Sensor Networks

(Instructor-led; 3 Days)

How TraitWare TM Can Secure and Simplify the Healthcare Industry

Guiding Principles for Technical Architecture

Hosted PBX Administrator Quick Start Guide

Di 6.1a. Warum naive SOA scheitert Ein Erfahrungsbericht. Adam Bien. January 26-30, 2009, Munich, Germany ICM - International Congress Centre Munich

MOBILE PHONE BANKING MADE EASY.

DKIM Enabled Two Factor Authenticated Secure Mail Client

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Auditor view about ETSI and WebTrust criteria. Christoph SUTTER

THE FIJI GOVERNMENT INFORMATION TECHNOLOGY DATABASE CREDENTIALS POLICY. Version

HOW ACUNETIX ENSURES WEB APPLICATION SECURITY

Transcription:

Modeling Web Services for Test Case Generation Service Oriented Architectures Security Ernesto Damiani Doctoral School Security Patterns for ITC Infrastructures, March-April 2011 Università di Milano

Reference Scenario Distributed and service-based infrastructure that includes three parties a customer accessing a service provided by a supplier a supplier implementing and providing a service by exposing its interfaces through the Web one or more third parties that have a business relationship with the supplier and provide a set of services that are used by the supplier to implement its business process

Reference Scenario: e-bank Supplier provides an e-bank service Customers check their account, make fund transfer, and pay taxes Interfaces boolean subscription(username,password,profile) boolean login(username,password) result fundtransfer(info,amount) result paytaxes(info,amount) boolean confirm(id) result getstatus(account_id)

Service implementation paradigms Single-call service, a single interface is exposed and all activities are managed as supplier-internal computations Conversation, the supplier defines a WSCL file specifying the interactions with the customers in order to release the service Orchestration or choreography, services are composed by the supplier to implement its business process

Web Service Modeling Model of a service is the basis for test-based certification of service security properties Systems defined using a Symbolic Transition System (STS) model Each transition regulated by a guard Models are provided at different levels of granularity WSDL WSCL Test-based conditions (input-output constraints on variables) Implementation details WS-Policy

Web Service Modeling: Levels (1) WSDL Interface only: A first basic STS-model considers the case in which a service provider exposes only the WSDL interface of its service WSDL interface extended with test-based conditions: A service provider may be willing to expose WSDL interface enriched with test-based conditions on input and output calls Extended WSDL interface and stateful implementation: The service provider may be willing to present the low-level stateful implementation of the service

Web Service Modeling: Levels (2) WSDL Interface only WSDL with test-based conditions: Extended WSDL and stateful implementation

Web Service Modeling: Levels (3) WSCL Interface only: The service provider may be willing to expose only the WSCL interface modeling the conversation with its customers WSCL interface extended with test-based conditions: The service provider may be willing to expose WSCL interface enriched with test-based conditions on input and output calls Extended WSCL interface and stateful implementation: The service provider may be willing to expose WSCL interface enriched with the overall stateful implementation

Web Service Modeling: Levels (4) WSCL Interface only WSCL with test-based conditions: Extended WSCL and stateful implementation

Web Service Modeling: Levels (5) Web service security specification: consideration of security services at container level Implemented on the top of the existing services Preserve integrity and confidentiality of the messaging Model of the service extended with hidden communication (e.g., key exchange) An ordering is established between different models at different granularities Models used to match and compare service certificates

Evidence-based Certification: A Modelbased Approach Model-based testing for service certification Need to specify in the certificate the amount of information (model) available at certification time The quality and effectiveness of the testing activities strongly depend on the available model E.g., WSDL-only permits black box testing, while implementation details permit white box testing with high coverage

banktransfer service: robustness against input malformation (1) Simplified service that implements a single banktransfer(info,amount) function The model includes extended WSDL interfaces and stateful implementation The customer calls banktransfer(info,amount) and waits for the result

banktransfer service: robustness against input malformation (2) [c1] includes the call to the function banktransfer and requires amount to be greater than zero and less than a max amount [c2] returns the output to the caller, and requires the amount in the result to be equal to the amount in the request, and the new balance to be equal to balance - amount or to be equal to error [d1]: balance amount [~d1]: balance<amount

banktransfer service: robustness against input malformation (3)

e-bank service: Integrity (1) e-bank service with a model including WSCL interfaces extended with test-based conditions The customer 1. logs in 2. calls banktransfer(info, amount) to make the transfer 3. calls confirm(id) for the final confirmation This model does not take into account the signature verification algorithm provision is in place A stronger certificate can be made on a model including internal signature checking Integrity can be certified at container level (WS- Security, WS-Policy)

e-bank service: Integrity (2)

Another Example: IFX-Based Reverse ATM Service IFX-based Deposit and Withdrawal service Provides the typical functionalities of a reverse ATM for deposit and withdrawal It allows clients to remotely deposit/withdraw money in/from their bank account Clients can use a credit/debit card with PIN, or a username and password to authenticate to the IFX-based service at the bank via the reverse ATM.

Another Example: IFX-Based Reverse ATM Service

Another Example: Test Cases

An Example of STS-Based Model for Penetration Testing STS-based model for a replay attack Black nodes and lines model real communications Dotted lines are under the control of the attacker and represent the real attack implementation FINE

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information