AND-302-No Interop No Security How to Build Interoperable Web Service Security.pdfVIP

No Interop, No Security: How to Build Interoperable W b S ie erv ce Security Pyounguk Cho Oracle 04/23/09 | Session ID:AND-302 Session Classification: Intermediate Agenda Web Service Under Attack Web Service Security As Defense Measures W b S i I t bilit S ite erv ce n eropera y vs. ecur y Building Interoperable Secure Web Services 2 Web Service U dn er Attack Web Service : What is it? ? Evolution of previous distributed programming frameworks – Process Centric – Platform agnostic ? Web Service core – XML : Highly structured universal message exchange format – WSDL : Describes service interfaces – SOAP :XML-based Transport layer independent protocol for b iwe serv ce messages – UDDI : Naming service for web services ? “WS-etc” : other high-level services found in middleware systems are still evolving – WS-Policy – WS-SX/TX/RX – WS-Eventing Where is Web Service today? ? Adoption E b d d t d h t it i– very o y un ers an s w a s – Ubiquitously adopted and deployed – Popular for connecting platforms and applications – Starting to go beyond basics ? What are the pain points? – Security(interoperability-induced pain) – Performance – Complexity (interoperability-induced pain) Web Service Components Points to d i tiUDDI WSDL escr p on Registry Describes Service Finds Service Points to service Web Service (JEE SOA Web Service SOAP , , PL/SQL, .NET,C/C++, Legacy …) Client (JEE,SOA,.NET, PL/SQL …) Invokes with XML Messages Attack Against Web Service ? Why bother to attack web services? – Business data : Potentially more rewarding to attackers – Numerous targets due to high adoption ? Integration(intranet) ? B2Bi(public) ? Web 2.0(AJAX endpoints) – Bypassing front-end tiers ? What makes web services vulnerable? – Open architecture ? Protocol ? Service contract/blueprint – Human readable messages – Tools ? Client generation ? Message monitoring ? Automated fuzzing Attack Vectors ? Traditional threat model – Unauthorized service invocation Mal