Web Services Security
By: Muhammad Jawaid Shamshad
MS/PhD (CS)
052210
Advisor: Naeem Janjua
Agenda
► Introduction
► Terms and Concepts
 Web Services
 WSDL
 Discovering Web Services (UDDI, ebXML)
► Need for Security
► Goal of Security
► Requirements for Web Service Security
► EASI
 EASI Requirements
 EASI Framework
► Conclusion
► Literature Sources
► Q & A
Introduction
► Web services provide fast and flexible information sharing between people and businesses.
► But along with the benefits, there is a serious risk:
 Sensitive and private data can be exposed
► How to secure web services?
Terms and Concepts
► Web Service
► SOAP
► WSDL
► Discovering Web Service
 UDDI
 ebXML
Web Service
► Definition
 "Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet"
► Main focus is interoperability
► Uses the SOAP protocol as the syntax of the message and uses HTTP to transfer that message
SOAP
► Definition
 "Lightweight protocol for exchange of information in a decentralized, distributed environment"
► Created by Microsoft, DevelopMentor, IBM, Lotus, and Userland in 1999
► XML-based protocol
► Web services transfer XML messages in SOAP format, encapsulated in a SOAP envelope
SOAP
► The SOAP header contains the meta information and the body contains the actual message, both in XML syntax
WSDL
► Definition
 "An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information"
► Developed by IBM and Microsoft in 2000
► Contains information on where the service is located, what the service does, and how to invoke the service
► An application can look at the WSDL and dynamically construct SOAP messages
Discovering Web Services
► How to search for the desired web service and communicate with it
 Universal Description, Discovery, and Integration (UDDI)
 ebXML Registries
UDDI
► Introduced by Ariba, Microsoft, and IBM in 2000
► Not yet a standard, but implemented by major vendors like Microsoft and IBM
► Information available
 white pages of company contact information,
 yellow pages that categorize businesses by standard categorization, and
 green pages that document the technical information about web services, like WSDL
ebXML
► A standard created by OASIS in 2001
► Provides a common way for businesses to quickly and dynamically perform business transactions based on common business practices
► Information available
 Business processes and components described in XML
 Capabilities of a trading partner
 Trading partner agreements between companies
Need for Security
► E-commerce sites on the Internet. These rely on credit card authorization services from an outside company.
► Cross-selling and customer relationship management. This relies on customer information being shared across many lines of business within an enterprise.
► Supply chain management. This requires continuing communication among all of the suppliers in a manufacturing chain. The transactions describing the supply chain that are exchanged among the enterprises contain highly proprietary data.
Goal of Security
► Confidentiality
► Integrity
► Accountability
► Availability
Requirements for WS Security
► Authentication
► Authorization
► Cryptography
► Accountability
► Security Administration
EASI
► End-to-end Enterprise Application Security Integration
► Provides a common security framework to integrate many different security solutions
► Enables new security technologies in each tier to be added without affecting the business applications
► A framework for distributed application security, not limited to web services.
EASI Requirements
► Perimeter security technologies. Used between the client and the server. Perimeter security enforces protection for customer, partner, and employee access to corporate resources. Perimeter security primarily protects against external attackers, such as hackers.
► Mid-tier security technologies. Used between the mid-tier business components. Mid-tier security focuses primarily on protecting against insider attacks, but also provides another layer of protection against external attackers.
► Back-office security technologies. Address the protection of databases and operating-system-specific back-end systems.
EASI Framework
► Specifies the interactions among the security services and the application components that use those security services.
► Makes it possible to add new security technology solutions without making big changes.
► Supports "plug-ins" for new security technologies.
EASI Framework continued…
► Applications
 Provides enterprise security services for presentation components, business logic components, and the back office.
 Supports security mechanisms that enforce security on behalf of security-aware and security-unaware applications.
EASI Framework continued…
► Security Aware Application
 Uses the security APIs to access and validate the security policies.
 May directly access security functions that enable the application to perform additional security checks
EASI Framework continued…
► Security Unaware Application
 Does not explicitly call security services
 Security is enforced by using interceptors.
 The interceptor transparently calls the underlying security APIs on behalf of the application.
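The interceptor described on this slide, worked through as an added Python example that is not part of the presentation. It combines the SOAP header/body split from the SOAP slide with the authentication, authorization and accountability requirements listed earlier; the `urn:example:security` header, its `Credentials`/`User`/`Token` elements, the HMAC token scheme and the demo user and permission tables are all constructed for this example and are not a standard header format.

```python
"""Interceptor enforcing security on behalf of a security-unaware SOAP service.

Added example (not from the slides). Everything except the SOAP 1.1 envelope
namespace is constructed for illustration: the urn:example:security header,
the HMAC token scheme, and the demo user/permission tables."""
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
SEC_NS = "urn:example:security"  # hypothetical header namespace
NS = {"soap": SOAP_NS, "sec": SEC_NS}

# Constructed demo credential store and authorization table.
SECRETS = {"alice": b"alice-demo-secret", "bob": b"bob-demo-secret"}
PERMISSIONS = {"alice": {"GetBalance", "Transfer"}, "bob": {"GetBalance"}}

AUDIT_LOG = []  # accountability: one record per intercepted request


class SecurityError(Exception):
    """Raised by the interceptor; the application itself never handles these."""


def security_unaware_app(operation, op_elem):
    """Business logic. It calls no security API; the interceptor does that."""
    if operation == "GetBalance":
        return "balance=100"
    if operation == "Transfer":
        return f"transferred {op_elem.findtext('amount', default='0')}"
    raise ValueError(f"unknown operation {operation}")


def make_token(user, operation):
    """HMAC-SHA256 over user and operation with the user's shared secret; binding
    the token to the operation stops a token for one call being reused for another."""
    msg = f"{user}:{operation}".encode()
    return hmac.new(SECRETS[user], msg, hashlib.sha256).hexdigest()


def build_request(user, operation, token=None, amount=None):
    """SOAP envelope: the header carries the meta information (credentials),
    the body carries the actual message (the operation element)."""
    token = make_token(user, operation) if token is None else token
    amount_xml = f"<amount>{amount}</amount>" if amount is not None else ""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sec="{SEC_NS}">'
        f"<soap:Header><sec:Credentials><sec:User>{user}</sec:User>"
        f"<sec:Token>{token}</sec:Token></sec:Credentials></soap:Header>"
        f"<soap:Body><{operation}>{amount_xml}</{operation}></soap:Body>"
        "</soap:Envelope>"
    )


def authenticate(header, operation):
    """Authentication: verify the header credentials and return the user."""
    if header is None:
        raise SecurityError("missing SOAP header")
    user = header.findtext("sec:Credentials/sec:User", namespaces=NS)
    token = header.findtext("sec:Credentials/sec:Token", namespaces=NS)
    if user not in SECRETS or token is None:
        raise SecurityError("unknown user or missing token")
    # Constant-time comparison: do not leak the expected token via timing.
    if not hmac.compare_digest(token, make_token(user, operation)):
        raise SecurityError("invalid token")
    return user


def authorize(user, operation):
    """Authorization: the verified user must be permitted this operation."""
    if operation not in PERMISSIONS.get(user, set()):
        raise SecurityError(f"{user} is not permitted to call {operation}")


def intercept(soap_xml):
    """The interceptor: parse the envelope, enforce authentication and
    authorization, record the outcome, and only then dispatch to the app."""
    root = ET.fromstring(soap_xml)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        raise SecurityError("missing SOAP body")
    op_elem = body[0]
    operation = op_elem.tag.rsplit("}", 1)[-1]  # strip a namespace, if any
    try:
        user = authenticate(header, operation)
        authorize(user, operation)
    except SecurityError as exc:
        AUDIT_LOG.append(("DENY", operation, str(exc)))
        raise
    AUDIT_LOG.append(("ALLOW", user, operation))
    return security_unaware_app(operation, op_elem)


def try_intercept(soap_xml):
    """Wrapper returning ("ALLOW", result) or ("DENY", reason) instead of raising."""
    try:
        return ("ALLOW", intercept(soap_xml))
    except SecurityError as exc:
        return ("DENY", str(exc))
```

Calling `try_intercept(build_request("bob", "Transfer", amount="25"))` is denied by the authorization step, and presenting `make_token("alice", "GetBalance")` with a `Transfer` body is denied by the authentication step; both outcomes land in `AUDIT_LOG` without the application ever running.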
EASI Framework continued…
► Application Programming Interface
 Standard Security API
► Support for APIs is based on open standards or industry de facto standards
 Custom Security API
► Implemented when needs cannot be met by existing standard APIs
 Vendor Security API
► May be used where open standards have not yet been defined
EASI Framework continued…
►Core Security Services
 Authentication
 Authorization
 Cryptography
 Accountability
 Security Administration
Conclusion
► It is recommended that web services be designed according to the principles of an enterprise application security architecture.
► However, it is sometimes desirable to build services capable of referencing each other, which may lead to a finer-grained, secure services design.
► When building a new service, it is worth considering carefully the pros and cons of all design styles, which can result in a better integration solution for a targeted domain
Literature Sources
► Books
► Web Sites
► ACM digital library
► IEEE digital library
► IEEE Xplore
► Publications
Q & A
More Related Content

What's hot

Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOALayer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOACA API Management
 
Layer 7: Managing SOA Security and Operations with SecureSpan
Layer 7: Managing SOA Security and Operations with SecureSpanLayer 7: Managing SOA Security and Operations with SecureSpan
Layer 7: Managing SOA Security and Operations with SecureSpanCA API Management
 
Federated Identity Architectures Integrating With The Cloud
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloudrsnarayanan
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
 
UMA - An Open Standard for Consent-Driven Personal Data Sharing
UMA - An Open Standard for Consent-Driven Personal Data SharingUMA - An Open Standard for Consent-Driven Personal Data Sharing
UMA - An Open Standard for Consent-Driven Personal Data SharingChris Adriaensen
 
Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2David Linthicum
 
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingSecurity concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingClinton DSouza
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide -  Ref Architecture and Gov. ModelCloud Security Guide -  Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelVishal Sharma
 
Windows Server 2012 Active Directory Rights Management Services
Windows Server 2012 Active Directory Rights Management ServicesWindows Server 2012 Active Directory Rights Management Services
Windows Server 2012 Active Directory Rights Management ServicesSerhad MAKBULOĞLU, MBA
 
Vulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computingVulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computingClinton DSouza
 
Cloud Security: A Comprehensive Guide
Cloud Security: A Comprehensive GuideCloud Security: A Comprehensive Guide
Cloud Security: A Comprehensive GuideHTS Hosting
 
(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013STO STRATEGY
 
A beginners guide to administering office 365 with power shell antonio maio
A beginners guide to administering office 365 with power shell   antonio maioA beginners guide to administering office 365 with power shell   antonio maio
A beginners guide to administering office 365 with power shell antonio maioAntonioMaio2
 
Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1Priyanka Aash
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A ServiceOlav Tvedt
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloudAzure Group
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASBHTS Hosting
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudAmazon Web Services
 

What's hot (20)

Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOALayer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
 
AS4 Webinar
AS4 WebinarAS4 Webinar
AS4 Webinar
 
Layer 7: Managing SOA Security and Operations with SecureSpan
Layer 7: Managing SOA Security and Operations with SecureSpanLayer 7: Managing SOA Security and Operations with SecureSpan
Layer 7: Managing SOA Security and Operations with SecureSpan
 
Federated Identity Architectures Integrating With The Cloud
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloud
 
As4 Webinar040709
As4 Webinar040709As4 Webinar040709
As4 Webinar040709
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
 
UMA - An Open Standard for Consent-Driven Personal Data Sharing
UMA - An Open Standard for Consent-Driven Personal Data SharingUMA - An Open Standard for Consent-Driven Personal Data Sharing
UMA - An Open Standard for Consent-Driven Personal Data Sharing
 
Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2
 
Security concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computingSecurity concerns with SaaS layer of cloud computing
Security concerns with SaaS layer of cloud computing
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide -  Ref Architecture and Gov. ModelCloud Security Guide -  Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. Model
 
Windows Server 2012 Active Directory Rights Management Services
Windows Server 2012 Active Directory Rights Management ServicesWindows Server 2012 Active Directory Rights Management Services
Windows Server 2012 Active Directory Rights Management Services
 
Vulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computingVulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computing
 
Cloud Security: A Comprehensive Guide
Cloud Security: A Comprehensive GuideCloud Security: A Comprehensive Guide
Cloud Security: A Comprehensive Guide
 
(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013
 
A beginners guide to administering office 365 with power shell antonio maio
A beginners guide to administering office 365 with power shell   antonio maioA beginners guide to administering office 365 with power shell   antonio maio
A beginners guide to administering office 365 with power shell antonio maio
 
Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASB
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
 

Viewers also liked

Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...Sergey Tihon
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationAmandeep Kaur
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 

Viewers also liked (20)

WS-Trust
WS-TrustWS-Trust
WS-Trust
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
WS - Security
WS - SecurityWS - Security
WS - Security
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Avoid Getting Hacked! Presentation on Joomla! Web Security
Avoid Getting Hacked! Presentation on Joomla! Web Security Avoid Getting Hacked! Presentation on Joomla! Web Security
Avoid Getting Hacked! Presentation on Joomla! Web Security
 
XML Signature
XML SignatureXML Signature
XML Signature
 
Stateful Web Services - Short Report
Stateful Web Services - Short ReportStateful Web Services - Short Report
Stateful Web Services - Short Report
 
Stateful Web Services - Presentation
Stateful Web Services - PresentationStateful Web Services - Presentation
Stateful Web Services - Presentation
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Rest security with oauth 2.0
Rest security with oauth 2.0Rest security with oauth 2.0
Rest security with oauth 2.0
 
Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Firewall
Firewall Firewall
Firewall
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 

Similar to Web Services Security - Presentation

Infographic: Why Businesses are Adopting Network Virtualization
Infographic: Why Businesses are Adopting Network VirtualizationInfographic: Why Businesses are Adopting Network Virtualization
Infographic: Why Businesses are Adopting Network VirtualizationVMware
 
Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4Bloombase
 
Bloombase sb pc_11.18_s_bedits_sd - final r6
Bloombase sb pc_11.18_s_bedits_sd - final r6Bloombase sb pc_11.18_s_bedits_sd - final r6
Bloombase sb pc_11.18_s_bedits_sd - final r6Bloombase
 
Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4Bloombase
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2jeffirby
 
Cisco Connect Halifax 2018 Simple IT
Cisco Connect Halifax 2018   Simple ITCisco Connect Halifax 2018   Simple IT
Cisco Connect Halifax 2018 Simple ITCisco Canada
 
Voicecon094distrfinal 090427125221 Phpapp01
Voicecon094distrfinal 090427125221 Phpapp01Voicecon094distrfinal 090427125221 Phpapp01
Voicecon094distrfinal 090427125221 Phpapp01Paolo Mundo
 
#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming Security#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming SecurityPCM
 
VMworld 2014: Virtualization 101
VMworld 2014: Virtualization 101VMworld 2014: Virtualization 101
VMworld 2014: Virtualization 101VMworld
 
Cloud Computing - Beyond the Hype
Cloud Computing - Beyond the HypeCloud Computing - Beyond the Hype
Cloud Computing - Beyond the HypeRH
 
PowerPoint Presentation
PowerPoint Presentation PowerPoint Presentation
PowerPoint Presentation christina0310
 
Real World Business Interoperability
Real World Business InteroperabilityReal World Business Interoperability
Real World Business InteroperabilityJorgen Thelin
 
ATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdf
ATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdfATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdf
ATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdfAmazon Web Services
 
UniCredit Business Integrated Solutions
UniCredit Business Integrated SolutionsUniCredit Business Integrated Solutions
UniCredit Business Integrated SolutionsCisco Case Studies
 
Security Innovations in the Cloud
Security Innovations in the CloudSecurity Innovations in the Cloud
Security Innovations in the CloudAmazon Web Services
 
Infographic - Cloud Hosting and Tenancy
Infographic - Cloud Hosting and Tenancy Infographic - Cloud Hosting and Tenancy
Infographic - Cloud Hosting and Tenancy Jeff Davis
 

Similar to Web Services Security - Presentation (20)

Infographic: Why Businesses are Adopting Network Virtualization
Infographic: Why Businesses are Adopting Network VirtualizationInfographic: Why Businesses are Adopting Network Virtualization
Infographic: Why Businesses are Adopting Network Virtualization
 
Insecure mag-19
Insecure mag-19Insecure mag-19
Insecure mag-19
 
Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4
 
Bloombase sb pc_11.18_s_bedits_sd - final r6
Bloombase sb pc_11.18_s_bedits_sd - final r6Bloombase sb pc_11.18_s_bedits_sd - final r6
Bloombase sb pc_11.18_s_bedits_sd - final r6
 
Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4Bloombase sb pc_11.18_s_bedits_sd - final r4
Bloombase sb pc_11.18_s_bedits_sd - final r4
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2
 
CloudWALL Profile ENG
CloudWALL Profile ENGCloudWALL Profile ENG
CloudWALL Profile ENG
 
Web Services Security - Short Report
Web Services Security - Short ReportWeb Services Security - Short Report
Web Services Security - Short Report
 
Cisco Connect Halifax 2018 Simple IT
Cisco Connect Halifax 2018   Simple ITCisco Connect Halifax 2018   Simple IT
Cisco Connect Halifax 2018 Simple IT
 
Voicecon094distrfinal 090427125221 Phpapp01
Voicecon094distrfinal 090427125221 Phpapp01Voicecon094distrfinal 090427125221 Phpapp01
Voicecon094distrfinal 090427125221 Phpapp01
 
#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming Security#PCMVision: VMware NSX - Transforming Security
#PCMVision: VMware NSX - Transforming Security
 
VMworld 2014: Virtualization 101
VMworld 2014: Virtualization 101VMworld 2014: Virtualization 101
VMworld 2014: Virtualization 101
 
Company_Profile_Updated_17032016
Company_Profile_Updated_17032016Company_Profile_Updated_17032016
Company_Profile_Updated_17032016
 
Cloud Computing - Beyond the Hype
Cloud Computing - Beyond the HypeCloud Computing - Beyond the Hype
Cloud Computing - Beyond the Hype
 
PowerPoint Presentation
PowerPoint Presentation PowerPoint Presentation
PowerPoint Presentation
 
Real World Business Interoperability
Real World Business InteroperabilityReal World Business Interoperability
Real World Business Interoperability
 
ATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdf
ATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdfATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdf
ATLO Software Delivers Secure Training Programs with Sophos UTM on AWS.pdf
 
UniCredit Business Integrated Solutions
UniCredit Business Integrated SolutionsUniCredit Business Integrated Solutions
UniCredit Business Integrated Solutions
 
Security Innovations in the Cloud
Security Innovations in the CloudSecurity Innovations in the Cloud
Security Innovations in the Cloud
 
Infographic - Cloud Hosting and Tenancy
Infographic - Cloud Hosting and Tenancy Infographic - Cloud Hosting and Tenancy
Infographic - Cloud Hosting and Tenancy
 

Web Services Security - Presentation

  • 1. Web Services SecurityWeb Services Security By:By: Muhammad Jawaid ShamshadMuhammad Jawaid Shamshad MS/PhD (CS)MS/PhD (CS) 052210052210 Advisor:Advisor: Naeem JanjuaNaeem Janjua
  • 2. Agenda ► Introduction ► Terms and Concepts  Web Services  WSDL  Discovering Web Services (UDDI, ebXML) ► Need for Security ► Goal of Security ► Requirements for Web Service Security ► EASI  EASI Requirements  EASI Framework ► Conclusion ► Literature Sources ► Q & A
  • 3. Introduction ► Web services provide fast and flexible information sharing between people and businesses. ► But along with the benefits, there is a serious risk:  Sensitive and private data can be exposed ► How to secure web services?
  • 4. Terms and Concepts ► Web Service ► SOAP ► WSDL ► Discovering Web Service  UDDI  ebXML
  • 5. Web Service ► Definition  "Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet" ► Main focus is interoperability ► Uses the SOAP protocol as the syntax of the message and uses HTTP to transfer that message
  • 6. SOAP ► Definition  "Lightweight protocol for exchange of information in a decentralized, distributed environment" ► Created by Microsoft, DevelopMentor, IBM, Lotus, and Userland in 1999 ► XML-based protocol ► Web services transfer XML messages in SOAP format, encapsulated in a SOAP envelope
  • 7. SOAP ► The SOAP header contains the meta information and the body contains the actual message, both in XML syntax
  • 8. WSDL ► Definition  "An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information" ► Developed by IBM and Microsoft in 2000 ► Contains information on where the service is located, what the service does, and how to invoke the service ► An application can look at the WSDL and dynamically construct SOAP messages
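The three things the slide says a WSDL carries (where the service is, what it does, how to invoke it) map onto three elements of a WSDL 1.1 document: `soap:address`, the `portType` operations, and the `binding`. The reader below pulls them out and also reports the check a reviewer would make first, whether the advertised endpoint is TLS-protected. This is an added example, not code from the original slides; `SAMPLE_WSDL` is a constructed document, and only the WSDL and SOAP-binding namespace URIs are real.

```python
"""Read a WSDL 1.1 document: where the service is (soap:address), what it does
(portType operations) and how to invoke it (binding style, SOAPAction).

Added example. SAMPLE_WSDL is constructed; example.invalid is a reserved,
non-resolving domain.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",       # WSDL 1.1
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",  # SOAP binding extension
}

# Constructed sample: a two-operation order service advertised over plain
# HTTP, so the transport check below has something to report.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="OrderService"
    targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:orders">
  <message name="OrderRequest"><part name="orderId" type="xsd:string"/></message>
  <message name="OrderResponse"><part name="order" type="xsd:string"/></message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:OrderRequest"/><output message="tns:OrderResponse"/>
    </operation>
    <operation name="CancelOrder">
      <input message="tns:OrderRequest"/><output message="tns:OrderResponse"/>
    </operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder">
      <soap:operation soapAction="urn:example:orders:GetOrder"/>
    </operation>
    <operation name="CancelOrder">
      <soap:operation soapAction="urn:example:orders:CancelOrder"/>
    </operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="http://orders.example.invalid/soap"/>
    </port>
  </service>
</definitions>
"""


def describe_wsdl(text):
    """Return the location, operations and invocation details of a WSDL."""
    root = ET.fromstring(text)
    # Where: the SOAP address of the first port of the service.
    service = root.find("wsdl:service", NS)
    location = service.find("wsdl:port/soap:address", NS).get("location")
    # What: the abstract operations declared on the port type.
    port_type = root.find("wsdl:portType", NS)
    operations = [op.get("name") for op in port_type.findall("wsdl:operation", NS)]
    # How: binding style plus the SOAPAction a client must send per operation.
    binding = root.find("wsdl:binding", NS)
    style = binding.find("soap:binding", NS).get("style")
    actions = {
        op.get("name"): op.find("soap:operation", NS).get("soapAction")
        for op in binding.findall("wsdl:operation", NS)
    }
    return {
        "service": service.get("name"),
        "endpoint": location,
        "tls": location.startswith("https://"),
        "style": style,
        "operations": operations,
        "soap_actions": actions,
    }


def endpoint_findings(desc):
    """Defender's check: a SOAP header and body sent to a plain-HTTP address
    travel in the clear, credentials included."""
    findings = []
    if not desc["tls"]:
        findings.append(f"endpoint {desc['endpoint']} is not TLS-protected")
    return findings


if __name__ == "__main__":
    info = describe_wsdl(SAMPLE_WSDL)
    print(info)
    print(endpoint_findings(info))
```

The same reader works on any WSDL 1.1 document with a single SOAP port; documents with several ports or with WSDL 2.0 elements need the lookups generalized.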
  • 9. Discovering Web Services ► How to search for a desired web service and communicate with it  Universal Description, Discovery, and Integration (UDDI)  ebXML Registries
  • 10. UDDI ► Introduced by Ariba, Microsoft, and IBM in 2000 ► Not yet a standard but implemented by major vendors like Microsoft and IBM ► Information available  white pages of company contact information,  yellow pages that categorize businesses by standard categorization, and  green pages that document the technical information about web services, like WSDL
  • 11. ebXML ► A standard created by OASIS in 2001 ► Provides a common way for businesses to quickly and dynamically perform business transactions based on common business practices ► Information available  Business processes and components described in XML  Capabilities of a trading partner  Trading partner agreements between companies
  • 12. Need for Security ► E-commerce sites on the Internet. These rely on credit card authorization services from an outside company. ► Cross-selling and customer relationship management. This relies on customer information being shared across many lines of business within an enterprise. ► Supply chain management. This requires continuing communication among all of the suppliers in a manufacturing chain. The transactions describing the supply chain that are exchanged among the enterprises contain highly proprietary data.
  • 13. Goal of Security ► Confidentiality ► Integrity ► Accountability ► Availability
  • 14. Requirements for WS Security ► Authentication ► Authorization ► Cryptography ► Accountability ► Security Administration
  • 15. EASI ► End-to-end Enterprise Application Security Integration ► Provides a common security framework to integrate many different security solutions ► Enables new security technologies in each tier to be added without affecting the business applications ► Framework for distributed application security, not limited to web services.
  • 16. EASI Requirements ► Perimeter security technologies. Used between the client and the server. Perimeter security enforces protection for customer, partner, and employee access to corporate resources. Perimeter security primarily protects against external attackers, such as hackers. ► Mid-tier security technologies. Used between the mid-tier business components. Mid-tier security focuses primarily on protecting against insider attacks, but also provides another layer of protection against external attackers. ► Back-office security technologies. Address the protection of databases and operating-system-specific back-end systems.
  • 17. EASI Framework ► Specifies the interactions among the security services and the application components that use those security services. ► Makes it possible to add new security technology solutions without making big changes. ► Supports "plug-ins" for new security technologies.
  • 18. EASI Framework continued… ► Applications  Provides enterprise security services for presentation components, business logic components, and the back office.  Supports security mechanisms that enforce security on behalf of security-aware and security-unaware applications.
  • 19. EASI Framework continued… ► Security Aware Application  Uses the security APIs to access and validate the security policies.  May directly access security functions that enable the application to perform additional security checks
  • 20. EASI Framework continued… ► Security Unaware Application  Does not explicitly call security services  Security is enforced by using interceptors.  The interceptor transparently calls the underlying security APIs on behalf of the application.
  • 21. EASI Framework continued… ► Application Programming Interface  Standard Security API ► Support for APIs is based on open standards or industry de facto standards  Custom Security API ► Implemented when needs cannot be met by existing standard APIs  Vendor Security API ► May be used where open standards have not yet been defined
  • 22. EASI Framework continued… ► Core Security Services  Authentication  Authorization  Cryptography  Accountability  Security Administration
  • 23. Conclusion ► It is recommended that web services be designed according to the principles of an enterprise application security architecture. ► However, it is sometimes desirable to build services capable of referencing each other, which may lead to a finer-grained, secure services design. ► When building a new service, it is worth considering carefully the pros and cons of all design styles, which can result in a better integration solution for a targeted domain
  • 24. Literature Sources ► Books ► Web Sites ► ACM digital library ► IEEE digital library ► IEEE Xplore ► Publications
  • 25. Q & A

Editor's Notes

  1. Before we can define the means by which Web services manage state, we need to explain a few terms and concepts
  2. “Web services are software applications that can be discovered, described, and accessed based on XML and standard Web protocols over intranets, extranets, and the Internet.” The definition expresses the main point that web services are software applications like other usual software applications, which perform some specific tasks depending on their implementation. The main focus of web services is interoperability. Web services use XML [2] as the syntax of their message and use HTTP [3] to transfer that message. The message is basically a Simple Object Access Protocol (SOAP [4]) envelope, which is in XML format.
  3. “A lightweight protocol for exchange of information in a decentralized, distributed environment.” Created by Microsoft, DevelopMentor, IBM, Lotus, and UserLand.