The document describes an approach for testing security aspects of service-oriented architecture (SOA) based applications. It focuses on testing specifications such as WS-Security, SAML, WS-Trust, WS-SecureConversation, and WS-Security Policy. The approach involves writing customized test assertion documents based on specifications, capturing SOAP messages at interfaces, and comparing messages to test assertions to generate test results.
This document proposes a solution for testing the security aspects of SOA-based applications. The solution involves three phases: 1) Creating a test assertion document (TAD) that identifies the security specifications implemented, 2) Using a SOAP monitor tool to capture request and response messages, and 3) Developing code to compare the SOAP messages to the TAD and generate a test result report. The proposed approach streamlines testing, increases agility, and reduces IT investment while maximizing return on investment. Reusable artifacts are created to provide better system understanding throughout the testing lifecycle.
The document discusses Microsoft's strategy and roadmap for web services and interoperability using WS-* specifications. Microsoft is committed to implementing all WS-* specifications in its products to ensure interoperability. It delivers web services capabilities through Windows Server, Visual Studio, and other products. The document outlines the WS-* specifications, their purpose, development process, and industry adoption status.
This document summarizes Layer 7 Technologies' SecureSpan solution for providing security, monitoring, and governance for services inside and outside the enterprise, including in the cloud. It discusses how SecureSpan uses centralized policy enforcement and monitoring to ensure reliability, compliance, and quality of service for services. It also explains how SecureSpan provides flexibility in deployment, interoperability with other solutions, and the ability to rapidly change policies without code changes.
The project work explores in detail the security issues in a SOA environment and describes the various approaches to these issues. The different approaches to SOA security (i.e. message level security, security as a service and policy driven security) are not standalone solutions, but can be deployed as mix and match solutions. A SOA security solution can make use of all the approaches to address specific security concerns. Finally, the project work describes a generic SOA security model which acts as a reference model to identify security vulnerabilities in enterprise application integration (EAI). These vulnerabilities can then be addressed by the different approaches to security.
This document discusses security considerations for service-oriented architectures (SOAs). It begins by defining SOA and some common SOA technologies like SOAP, WSDL, and UDDI. It then covers important security concepts like confidentiality, integrity, non-repudiation, authentication, authorization, and availability. Specific security standards and approaches are discussed for each concept, such as encryption for confidentiality and digital signatures for integrity and non-repudiation. Authentication methods like digital certificates and SAML are also described. The document advocates for defining clear security policies and separating policy enforcement from decision making. It concludes by discussing threats to XML and debates between using REST vs SOAP/WS-Security approaches.
Architecting Secure Service Oriented Web Services, by IDES Editor
The importance of software security has become profound, since most attacks on software systems are based on vulnerabilities caused by poorly designed and developed software. Design flaws account for fifty percent of security problems, and risk analysis plays an essential role in solving security problems. Service Oriented Web Services are an integral part of next-generation Web applications. The development and use of these services is growing at an incredible rate, and so too are the security issues surrounding them. If the history of inter-application communication repeats itself, the ease with which web services architectures publish information about applications across the network is only going to result in more application hacking. At the very least, it is going to put an even greater burden on web architects and developers to design and write secure code. Developing specifications like WS-Security should be leveraged as security maturity advances beyond firewalls. In this paper, we discuss security architecture design patterns for Service Oriented Web Services. Finally, we validated this by implementing a case study of a Service Oriented Web Services application, StockTrader Security, using WS-Security and WS-SecureConversation.
State-of-the-Art in Web Services Federation, by Oliver Pfaff
With respect to the enablement of federated identity, Web services have advantages over traditional Web applications because Web services technologies natively support the externalization of subject authentication in a standard way. This is facilitated through dedicated security services provided by the infrastructure (WS-Trust STSs). However, when it comes to advanced identity federation use cases demanding more sophisticated federation features, Web services also suffer from a scattered technology landscape not easily accessible for non-experts. This landscape at least comprises WS-Federation, Liberty-Alliance ID-WSF and OASIS WSFED. This contribution investigates these Web services federation technologies. It uses a healthcare use case that demands sophisticated features in identity federation to pinpoint their capabilities. Moreover, it considers the identity federation enablement features of common Web services stacks, e.g. Apache Axis, Microsoft WCF and Sun Metro. This aims at providing a compass for those who are charged with architecting, designing and building identity federation solutions in Web services environments: Which technologies are out there? What are they good for? How are they supported in Web services stacks?
A Single Strong Authentication Platform for Cloud and On-Premise Applications, by SafeNet
Strong authentication and single sign-on for SaaS applications is available with SafeNet Authentication Manager and SafeWord 2008. With either platform, the enterprise security team retains complete control over the configuration, deployment, and administration of the authentication infrastructure, which remains in the enterprise's IT domain. Organizations can deploy either platform in their network's DMZ, so users can authenticate directly to cloud-based applications and services, rather than having to go through the corporate VPN. As a result, users have a faster, more seamless experience accessing on-premise and cloud-based applications, while enterprises enjoy optimized security.
This document discusses security considerations for service-oriented architectures (SOA) and on-demand environments. It describes several subsystems that are important for a comprehensive security management architecture (MASS), including access control, identity and credential management, information flow control, security auditing, and solution integrity. Technologies that can be used to implement each subsystem are also outlined, such as directories, firewalls, encryption, and systems management solutions. The document stresses that security requires an integrated approach across all of these areas.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The document discusses enterprise single sign-on (ESSO) solutions for securing access to cloud applications. It notes that ESSO solutions can improve security, compliance, and productivity by reducing the number of passwords users need to manage. The Oracle ESSO suite provides single sign-on to applications, centralized password management, strong authentication, and audit/reporting capabilities. It has over 20 million licenses sold and is used by many large enterprise customers across industries.
For years enterprises have invested in identity, privacy and threat protection technologies to guard their information and communication from attack, theft or compromise. The growth in SaaS and IaaS usage however introduces the need to secure information and communication that spans the enterprise and cloud. This presentation will look at approaches for extending existing enterprise security investments into the cloud without significant cost or complexity.
SecureFirst Solutions Private Limited is a security centric Organization assisting its clients in developing and maintaining secure applications. Our offerings include:
Management and Reporting System [MaRS]
Security as a Service [XaaS]
On-demand Training [OdT]
Managed Services [MS]
Annual Maintenance & Support [AMS]
Software Development as a Service [SDaaS]
Security Automation [SA]
Business Continuity Managed Services [BCMS]
Threat Intelligence [TI]
This document provides an overview of web services security. It discusses the main concerns of authentication, authorization, confidentiality and integrity. It presents a framework for web services security and describes how security can be implemented at the transport, message and application levels. Various usage scenarios for web services are explored, and the security implications of scenarios like enterprise application integration, reusing existing business logic, and business partner collaboration are examined. Emerging standards for web services security are also overviewed.
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010, by Michael Noel
Organizations planning for Extranet access to SharePoint 2010 or faced with providing access to an Intranet from multiple internal authentication platforms often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. The complexity involved in understanding how to isolate content from a security perspective but still provide for a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication and also covering advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management to SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
• Review Extranet design options with SharePoint 2010
• Understand the need for identity management across SharePoint farms
• Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010, by Michael Noel
Organizations planning for Extranet access to SharePoint 2010 or faced with providing access to an Intranet from multiple internal authentication platforms often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. The complexity involved in understanding how to isolate content from a security perspective but still provide for a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication and also covering advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management to SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
• Review Extranet design options with SharePoint 2010
• Understand the need for identity management across SharePoint farms
• Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers
Microsoft Windows Azure Platform AppFabric for Technical Decision Makers, by Microsoft Private Cloud
This document discusses Microsoft's Service Bus and Access Control capabilities on the Windows Azure platform. It provides an overview of how they enable secure connectivity across network boundaries, simplify authorization, and support federated identity. Examples are given of how they allow for high availability, scale out, and multi-tenancy. The presentation also includes case studies of how various companies have used Service Bus and Access Control to improve efficiency, agility, and focus.
Web application vulnerability assessments identify exploitable vulnerabilities in web applications. Axoss performs these assessments following the OWASP methodology, which involves thoroughly investigating the site for vulnerabilities, reviewing components using automated tools and manual validation, and providing a comprehensive report highlighting any susceptible areas. Web application assessments should be conducted annually to check for vulnerabilities and ensure sensitive applications and data remain protected from unauthorized access and compromise.
WebSphere Integration User Group 13 July 2015: DataPower session, by Hugh Everett
IBM DataPower Gateways provide a low startup cost and help increase ROI and reduce TCO. They combine superior performance and hardened security in physical and virtual appliances. The document discusses DataPower gateway capabilities, recent releases including support for new hypervisors and cloud platforms, and the roadmap including new cloud offerings and enhanced security features. It positions DataPower as a single, modular platform that can secure, integrate, control and optimize access across environments.
Cisco VSG: Product Contest of the VirtualizationSecurityGroup.Ru Portal, by VirtSGR
Cisco Virtual Security Gateway (VSG) provides security policies and controls for virtual machine to virtual machine traffic. It analyzes VM attributes and context to dynamically apply access controls. VSG inserts transparently without relying on VLANs to protect intra-segment communication. It also supports multi-tenant environments through security domain separation and granular policy assignment.
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ..., by Subbu Devulapalli
This document is an Oracle Entitlements Server (OES) technical white paper. It gives an overview of the OES product and how it applies to Fine Grained Authorization and Access Control.
Visit my Blog (http://finegrainedauthorization.blogspot.com/) to stay in touch with cool stuff happening in the area of Identity Management/Authorization and OES. You can find more information at the OES Product Page (http://www.oracle.com/technetwork/middleware/oes/overview/index.html)
Dave Carroll Application Services Salesforce, by deimos
The document discusses enterprise grade business application services provided through the Force.com platform as a service (PaaS). It provides an overview of Force.com's capabilities including building any type of business application, flexibility to integrate with other systems, security, and trust due to many customers and developers using the platform. Key aspects of Force.com covered include the multi-tenant architecture, APIs for development, and security options like single sign-on and two-factor authentication.
- AWS provides security certifications and accreditations like SOC 1 Type II, ISO 27001, PCI DSS Level 1 to assure customers of the security of their infrastructure and services.
- AWS shares responsibility for security with customers - AWS is responsible for security of the cloud infrastructure while customers are responsible for security in the cloud.
- AWS uses physical and network security measures like controlled data centers, firewalls, and encryption to protect servers, storage, and data.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec..., by Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what exactly claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
This document discusses security considerations for software-as-a-service (SaaS) providers. It covers identity management including internal authentication, single sign-on, and authorization. It also addresses data storage through encryption at the customer level or using multiple database instances. Data transmission security is discussed in terms of confidentiality, integrity, and non-repudiation using SSL/TLS encryption. Physical security of SaaS infrastructure is also highlighted as an important consideration. The document provides an overview of key security best practices for SaaS providers across technical architectural components.
Advanced Web Services incorporate standards like SOAP, WSDL, UDDI, as well as more complex security standards like WS-Security. They deal with asynchronous behavior and parallelism through standards like WS-ReliableMessaging. The Web Services Interoperability Organization (WS-I) promoted interoperability between web services specifications and joined the OASIS standards body. WS-Federation and related standards help establish trust relationships between security domains.
- AWS provides security certifications and accreditations like SOC 1 Type II, ISO 27001, PCI DSS Level 1 to assure customers of the security of their infrastructure and services.
- AWS shares responsibility for security with customers - AWS is responsible for security of the cloud infrastructure while customers are responsible for security in the cloud.
- AWS uses physical and network security measures like controlled data centers, firewalls, and encryption to protect servers, storage, and data.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organization to build extranet sites and partner portals inexpensively and securely. Learn what exactly is claims based authentication and how can to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
This document discusses security considerations for software-as-a-service (SaaS) providers. It covers identity management including internal authentication, single sign-on, and authorization. It also addresses data storage through encryption at the customer level or using multiple database instances. Data transmission security is discussed in terms of confidentiality, integrity, and non-repudiation using SSL/TLS encryption. Physical security of SaaS infrastructure is also highlighted as an important consideration. The document provides an overview of key security best practices for SaaS providers across technical architectural components.
Advanced Web Services incorporate standards like SOAP, WSDL, UDDI, as well as more complex security standards like WS-Security. They deal with asynchronous behavior and parallelism through standards like WS-ReliableMessaging. The Web Services Interoperability Organization (WS-I) promoted interoperability between web services specifications and joined the OASIS standards body. WS-Federation and related standards help establish trust relationships between security domains.
This document summarizes previous research on securing SOA (Service Oriented Architecture). It discusses frameworks and models that have been proposed for SOA security, including SAVT, ISOAS, and FIX. It also discusses approaches using automata, data mining, and attack graphs. The proposed model in this document is a secure web-based SOA that uses three layers of services (IT services, security policy infrastructure, and business services) with an embedded security module based on PKI (Public Key Infrastructure) to provide encryption and authentication. The model aims to provide both security and flexibility while maintaining interoperability.
An Empirical Study on Testing of SOA based ServicesAbhishek Kumar
This document provides an empirical study on testing of service-oriented architecture (SOA) based services. It discusses SOA testing perspectives from different stakeholder views, different levels of SOA testing including unit, integration, system and regression testing. It also outlines the challenges of SOA testing due to its distributed, dynamic and heterogeneous nature. Traditional testing approaches are centralized and static, while SOA testing requires a collaborative approach across service providers, integrators and clients.
5 ijitcs v7-n1-7-an empirical study on testing of soa based servicesAbhishek Srivastava
Service-Oriented Architecture (SOA) removed the gap between software and business. Today, there is a business transformation among enterprises and they adopt a service based information technology (IT) model. So, testing is necessary for SOA based applications. This paper investigates different type of approaches and techniques that address the testing problems of SOA based services. Here we also investigate the differences between SOA and web services and traditional testing and SOA testing. Various testing levels are also discussed in detail. This paper also expresses various testing perspectives, challenges of SOA testing and review the many testing approaches and identify the problems that improve the testability of SOA based services.
SAML, developed by the Security Services
Technical Committee of the Organization for the
Advancement of Structured Information Standards
(OASIS), is an XML-based framework for
communicating user authentication, entitlement,
and attribute information. As its name suggests,
SAML allows business entities to make assertions
regarding the identity, attributes, and entitlements of
a subject (an entity that is often a human user) to
other entities, such as a partner company or
another enterprise application.
Secure Architecture Evaluation for Agent Based Web Service DiscoveryIDES Editor
The document proposes an agent-based architecture for secure web service discovery. It evaluates using agents to negotiate a mutually acceptable security policy between a service consumer and provider based on their security requirements. The architecture includes a discovery agent that finds services matching a consumer's criteria. A security agent describes the provider's security needs. The process involves the consumer and provider combining their security policies and the discovery agent returning matched services. The document evaluates the architecture using the ATAM method, identifying quality attributes, risks, and tradeoffs.
MuleSoft provides solutions for securing web services. It allows consuming and exposing existing web services in a secured way using standards like WS-Security. The CXF module in Mule supports web service security standards and provides different solutions to secure web services above transport level, such as authentication and authorization. It implements WS-Security which defines a SOAP header to carry security tokens to identify callers and their privileges.
Grid computing is concerned with the sharing and use of resources in dynamic distributed virtual
organizations. The dynamic nature of Grid environments introduces challenging security concerns that
demand new technical approaches. In this brief overview we review key Grid security issues and outline
the technologies that are being developed to address those issues. We focus on works done by Globus
Toolkits to provide security and also we will discuss about the cyber security in Grid.
WCF provides a unified programming model for building service-oriented applications. It enables developers to build secure, reliable, and transacted solutions that integrate across platforms and interoperate with existing investments. WCF implements SOAP-based web services as its fundamental communication mechanism and supports WS-* standards for security, reliability, transactions, and metadata exchange. Developers can define services using contracts, expose endpoints using addresses and bindings, and apply behaviors to customize runtime properties.
This document discusses security considerations for web services. It begins by defining key terms like web services, SOAP, WSDL, UDDI, and ebXML. It then discusses the goals of security like confidentiality, integrity, accountability and availability. Next, it covers requirements for web services security like authentication, authorization, cryptography, and accountability. It introduces the concept of Enterprise Application Security Integration (EASI) to provide a common security framework across different tiers. EASI requires perimeter security between clients and web servers, mid-tier security between application components, and back-office security for databases. The document concludes that web services should be designed according to enterprise application security architecture principles.
1. The document discusses the relationship between web services, federated identity, and security. It argues that federated identity is fundamental for securing web services across domains, and that web services enable federated identity architectures.
2. It outlines current standards for web services security and federated identity like SAML, Liberty Alliance, and WS-Federation. It also describes a potential scenario where federated identity allows a employee to securely access a supplier's system without separate credentials.
3. In summary, the document examines how web services and federated identity rely on each other, and surveys relevant standards and technologies in this area.
The New Enterprise Alphabet - .Net, XML And XBRLJorgen Thelin
The document discusses new enterprise technologies like .NET, XML, and XBRL that are enabling greater interoperability between businesses. It covers key concepts like service-oriented architecture (SOA) and web services that allow applications from different vendors to communicate. Interoperability profiles play an important role in achieving business interoperability by defining subsets of specifications for specific domains or environments. While challenges remain, initiatives like web services specifications and Microsoft's focus on standards are helping to realize the vision of an interconnected, agile enterprise.
A Survey on Authorization Systems for Web Applicationsiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document provides a survey of various authorization systems that have been proposed for web applications and web services. It begins with an introduction to web services and common security issues and attacks. It then describes several existing authorization models and frameworks that have been used for web services, including attribute-based access control, role-based access control using LDAP, and interactive access control. The document compares these different authorization techniques based on factors like separation of duties, fine-grained authorization, nature of the system, and performance. It concludes that most proposed systems authorize based on role models but few can dynamically authorize requests or integrate well with service-oriented architectures.
Rapid increases in information technology also changed the existing markets and transformed them into emarkets
(e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to
recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of
the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and
recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized
access. This causes the security technology implementation of E-commerce very difficult at other
engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the
flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects,
this editorial also suggested an implementation design of the logical security framework for SOA supported
E-commerce system.
Designing A Logical Security Framework for E-Commerce System Based on SOA ijsc
Rapid increases in information technology also changed the existing markets and transformed them into emarkets (e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized access. This causes the security technology implementation of E-commerce very difficult at other engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects, this editorial also suggested an implementation design of the logical security framework for SOA supported E-commerce system.
This document discusses metadata, security, transactions, and reliable messaging specifications for web services. It provides an overview of key specifications such as WSDL, WS-Security, WS-Transactions, and WS-Reliable Messaging that define standards for describing, securing, and coordinating web services and messages. The document also covers standards for integrating mobile devices into a service-oriented architecture.
The document discusses how service-oriented architecture (SOA) impacts IT infrastructure and introduces new considerations for performance, security, availability, service management, and virtualization. Key points include:
- SOA introduces new infrastructure components like XML gateways and introduces challenges for monitoring distributed applications and isolating performance bottlenecks.
- Security must be implemented across multiple layers to secure messages in SOA environments while propagating identities among partners.
- High availability, disaster recovery, and scalability require techniques like clustering, workload management, and data replication across SOA components.
- Service management requires monitoring all components and closing the loop between infrastructure events and business services.
- Virtualization can help decouple applications from infrastructure
Similar to Soa Testing An Approach For Testing Security Aspects Of Soa Based Application (20)
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
Service Oriented Architecture Testing: An Approach for Testing Security Aspects of SOA Based Application
Authored By:
Jaipal Naidu
Jaipal.naidu@enzenglobal.com
Enzen Global Solutions Pvt Ltd
# 90, Hosur Road, Madiwala
Bangalore - 560 068
Karnataka
Tel: +91 80 6712 3002
Fax: +91 80 6712 3003
Uday Kumar Vussainsagar
Uday.vussainsagar@applabs.com
AppLabs
DLF Building
6th Floor, Plot No. 129-132
APHB Colony, Gachibowli
Hyderabad - 500 019
Andhra Pradesh
Tel: +91 40 3082 9000
1 Testing Security Aspects of SOA Based application
Abstract
SOA is an architectural paradigm which helps organizations transform themselves into more flexible entities. Key issues for applications built using SOA are testing these applications and delivering them within the expected QoS. Any organization that aims to achieve a high degree of quality in its SOA application is likely to face many challenges.
This paper describes an approach to meet the challenges in testing SOA based applications. The main focus is on the testing approach for SOA security aspects such as WS-Security, SAML, WS-Trust, WS-SecureConversation and WS-SecurityPolicy. This solution helps in writing customized Test Assertion Documents based on the specifications provided by the OASIS group and parsing these documents against the SOAP messages captured at the various interface levels.
1.0 Introduction
Service oriented computing builds upon existing distributed computing platforms by building in the concept of service orientation. The service oriented attitude brings uniformity to an organization's software assets, which until now were developed with a silo or function based development attitude. More companies are adopting the Service Oriented Methodology to build applications by re-using the loosely coupled and highly cohesive services present under different domains and environments.
SOA has grown from a concept mired in disillusionment to the phase of enlightenment, where organizations are putting in their R & D teams to come up with a package that can fit into any existing IT infrastructure. We can see a comparison of Hype Cycles from 2005 to 2009 in Figure 1, which shows how SOA has grown into a matured offering and into a game changing proposition for any organization adopting the concept early and realizing the competitive advantage and business agility that SOA promises.
Traditionally, the Service-Oriented Architecture is nothing new to the IT industry; the Common Object Request Broker Architecture (CORBA) and the Distributed Component Object Model (DCOM) used to provide the same functionality, though with pitfalls. In a nutshell, the Service-Oriented Architecture is an architectural approach which makes use of applications that are already available by turning them into services. This category of services is governed and standardized to behave in a specific way and is referred to as an inventory of services. It doesn't really matter whether these services are built as web services or as components. Web services, though not obligatory, can be used for implementing SOA by adhering to the standards, and this is fast gaining broad industry acceptance. Web services provide access to functionality through a request-response model over any standard internet protocol, independent of any programming language, which makes SOA a reality.
Figure 1 – Analysis of SOA position using Gartner Hype Cycles
2.0 Security Aspects in Web Services
As discussed in the above section, Web Services constitute a fundamental solution in realizing SOA, so the security aspects involved in Web Services are increasingly becoming an indisputable factor in implementing an SOA strategy. Several security standards, and new emerging standards, have been proposed by non-profit consortiums (such as OASIS and W3C) to make Web Services development easy. The following Table 1 lists such standards and provides a brief description of each standard.
Standard: Description
SAML: SAML is a standard which provides authentication and authorization for the information exchanged between two online parties using an XML-based framework.
WS-Security: WS-Security is a mechanism which addresses security within a web service environment.
XML-Encryption: XML-Encryption is a process of representing encrypted data in XML.
XML-Signature: XML-Signature is a specification of syntax and rules for defining the XML digital signature, recommended by W3C.
WS-SecureConversation: Web Services Secure Conversation is used to provide security for parties that wish to exchange multiple messages, by sharing a Security Context between the communicating parties for the entire communication session.
WS-Trust: Web Services Trust is a model in which the Web Services require that an incoming message prove a set of claims.
WS-SecurityPolicy: WS-SecurityPolicy defines a framework for allowing web services to express constraints and requirements by defining policy assertions.
WS-Federation: WS-Federation allows security principal identities and attributes to be brokered from identity and security token issuers to services and other relying parties without user intervention.
Table 1 – SOA Security Specification Standards
For each of the standards listed in the above table, the OASIS consortium has provided specification documents which help both the Development and the Quality Assurance teams alike. These specification documents constitute a decisive factor in writing the customized Test Assertion Documents. The specification document for each standard is cited in the reference section. With so many security standard specifications already evolved and still evolving, the obvious requirement is to identify a test tool strategy. The section below provides a brief overview of the various tools available in the market.
3.0 Existing SOA Security Tools
There are several SOA testing tools available in the market in both categories, commercial and open source. The commercial products include Green Hat Tester, Mercury products, Parasoft SOAtest, AdventNet QEngine, Borland SilkPerformer SOA edition and LISA WS – Testing. The open source products include SOAP UI, Push To Test TESTMAKER and the WS-I tools. These tools provide excellent support for functional, interoperability, regression and performance testing.
Some of the tools mentioned above also support the testing of WS-Security, including X509, SAML and Username security tokens, XML Signature and Encryption. However, we hardly find a tool which supports testing beyond WS-Security. This paper provides an approach for testing SOA applications beyond the WS-Security specifications.
4.0 Challenges in testing Security Aspects of SOA
Consider a scenario where each Web Service in a Service-Oriented Architecture is enforced with a different security policy: it’s a testing nightmare. Any organization having developed a Web Services based SOA application with different security policies is bound to face the following challenges in testing:
- Is the business objective met when different services are orchestrated?
- Is end-to-end security maintained when the services are opened, integrated, or re-factored?
- Do the services used in building the application actually follow the WS-* specifications?
- Identifying a centralized SOA security management approach
- Identifying a comprehensive testing approach
- Availability of SOA security tools
- Lack of a user interface
5.0 SOA Implementation Scenario
To help the cause and to best explain the testing approach, a scenario is described below which will be used repeatedly in the remainder of the paper.
The primary business of retail companies is to meet customer expectations and sustain a competitive edge. Consider that you are the CTO of a retail company and you are asked to use the existing application more efficiently to meet the growing demands of the business and the competition. To enable quick development of the application, the CTO decides to use the existing business logic and customize it into reusable services which follow different WS-* specifications. Though each of the applications functions the way it should and provides results in accordance with industry standards, there is one more concern that the CTO faces. What is the best approach to test these services which follow different WS-* standards? This is a concern because any breach in the security of the applications leads to repercussions which have a ripple effect.
So, the focus of the CTO is to deliver an application whose security is not easy to breach, and to find the best way to test it.
Figure 2 – SOA Implementation: Customer Service (Security: WS-Trust), Order Service (Security: WS-SecureConversation), Billing Module (Security: WS-Security SOAP Message Security) and Shipment Module, connected through ESB, Middle Ware Technologies, BPEL and WS-I Security Specifications, with a Security Token Requestor Service attached to the WS-Trust side.
As shown in Figure 2, the company makes use of a Service-Oriented Approach, embedding various Web Services Security standards in each loosely-coupled service.
The Customer Service engages the WS-Trust security mechanism, in which it authenticates the incoming request with a set of claims. The requestor can obtain the necessary Security Token (a collection of claims) from another service called the Security Token Service, as shown in Figure 2. The recipient either trusts the Security Token or requests the STS to validate the Security Token.
The Order Service engages the WS-SecureConversation security mechanism, where it establishes a Security Context with the requestors sending multiple orders, thus creating multiple messages.
The Billing Service makes use of WS-Security: SOAP Message Security by protecting and authenticating the SOAP message through the use of security tokens combined with digital signatures.
The Shipment Service does not make use of any security mechanism.
6.0 Approach
The following non-normative approach is used for testing the security aspects (which would otherwise work fine when tested individually) in conjunction with the SOA implementation scenario presented in the above section. The approach has been broadly divided into three steps:
1. Test Assertion Documents
- Thoroughly analyze the security specification used by each web service in the SOA application
- Prepare a table (optional) identifying the required, optional and recommended elements that the specification defines
- Prepare the Test Assertion XML document using the table defined
2. Capture SOAP messages
- Identify or develop a simple SOAP monitor tool
- Initiate the request
- Capture the SOAP messages using the SOAP monitor tool
3. Generate Test Result Report
- Compare the TAD with the captured SOAP request and response and generate a result report
6.1. Test Assertion Documents
In this section the focus is on building the Test Assertion Document for one of the security specifications mentioned in the SOA implementation scenario. This section also gives test engineers and architects a good understanding of how to prepare customized test assertion documents according to the needs of the testing.
Security Specification – WS-SecureConversation
Specification Version – 1.3
WS-SecureConversation – Please refer to Table 2.1 for a brief explanation
Notations – In Table 2 an element is shown within angle-bracket tags and an attribute is preceded by the symbol @
Test Assertion Document Name – WS-SecureConversation Test Assertion Document
Pre-Condition – The security context has to be shared by the parties before being used. The security context can be shared through the three approaches listed below. Table 2 also lists the elements used in the SOAP message when creating the SCT through these approaches.
Approach 1: SCT created by an STS
Approach 2: SCT created by one of the communicating parties and propagated with the message
Approach 3: SCT created through negotiation/exchanges
Element/Attribute Name: Description [Required/Optional/Recommended]
<wsc:SecurityContextToken>: The element describes the Security Context [Required]
<wsc:Identifier>: The element identifies the Security Context using a URI [Required]
<wsc:Instance>: Provides uniqueness for the value present in the element wsc:Identifier [Optional, and Required for subsequent messages]
@wsu:Id: Specifies a String label for wsc:SecurityContextToken [Optional]
<wsc:UnsupportedContextToken>: The element identifies any fault present in the message [Recommended]
<wsse:SecurityTokenReference>: The element is used for referencing the Security Context [Required]
<wsse:Reference>: This element is used for identifying a specific key instance with the use of the attribute wsc:Instance [Required]
Approach 1, 2 and 3:
<wst:RequestSecurityToken>: Request to the Token Service [Required]
<wst:RequestSecurityTokenResponseCollection>: Contains the Security Context Response [Required]
<wst:RequestSecurityTokenResponse>: Child element of the wst:RequestSecurityTokenResponseCollection element [Required]
<wst:RequestedSecurityToken>: Contains the new Security Context Token [Required]
<wst:RequestedProofToken>: Points to the “Secret” for the returned context [Required]
Table 2 – WS-SecureConversation elements
Having analyzed the specification document, the next step is preparing the Test Assertion XML document, which will subsequently be used in generating the result report. Figure 3 below provides part of the Test Assertion Document for the specification WS-SecureConversation used in the Order Service.
<testAssertion id="WSC0001" entryType="anySecureEnvelope" type="required" enabled="true">
<context>For any secure envelope, that describes Security Context meant for SOAP message
security with wsc:SecurityContextToken</context>
<assertionDescription>Every SOAP message that describes Security Context SHOULD have the
wsc:SecurityContextToken element specified.</assertionDescription>
<failureMessage>One or more SOAP messages in the message is without the
wsc:SecurityContextToken element.</failureMessage>
<failureDetailDescription>The wsc:SecurityContextToken element in
question.</failureDetailDescription>
<additionalEntryTypeList>
<messageInput>none</messageInput>
<wsdlInput>none</wsdlInput>
</additionalEntryTypeList>
<referenceList>
<reference>none</reference>
</referenceList>
<comments></comments>
<prereqList/>
</testAssertion>
<testAssertion id="WSC0002" entryType="anySecureEnvelope" type="required" enabled="true">
<context>For any secure envelope, that contains a wsc:SecurityContextToken meant for SOAP
message security with wsc:Identifier child element.</context>
<assertionDescription>The wsc:SecurityContextToken element MUST have the child element
wsc:Identifier specified.</assertionDescription>
<failureMessage>The wsc:SecurityContextToken elements present in the message without
their child element wsc:Identifier.</failureMessage>
<failureDetailDescription>The wsc:SecurityContextToken element in
question.</failureDetailDescription>
<additionalEntryTypeList>
<messageInput>none</messageInput>
<wsdlInput>none</wsdlInput>
</additionalEntryTypeList>
<referenceList>
<reference>none</reference>
</referenceList>
<comments></comments>
<prereqList/>
</testAssertion>
Figure 3 – Test Assertion Document
The following table lists the details of the Test Assertion XML Document. It explains each tag that is used in the Test Assertion Document. One thing to keep in mind is that this Test Assertion Document is not a standard document, and one can modify it by adding or removing elements according to the requirements. However, the Test Assertion Document should be in XML format, as it forms the base document for reporting the test results. To make the TAD more secure, the XML document can be validated against an XSD or a DTD.
8 Testing Security Aspects of SOA Based application
Element / attribute          Description
<testAssertion>              One assertion for each element identified in Table 2
@id                          Unique identifier of the assertion
@entryType                   Type of SOAP message the assertion applies to
@type                        Whether the element is required or optional
@enabled                     Whether the assertion is evaluated (true) or skipped (false)
<context>                    The context in which the element is being used
<assertionDescription>       Description of the assertion (reported when the check passes)
<failureMessage>             Message reported when the check fails
<failureDetailDescription>   Detailed description of the failure
<additionalEntryTypeList>    Any additional information about the SOAP message
<messageInput>               Input values provided to the message
<wsdlInput>                  The WSDL URL
<referenceList>              List of specification references the assertion relies on
<reference>                  Child element of <referenceList>; holds one reference
<comments>                   Any additional comments
<prereqList/>                List of prerequisites, if any
Table 3 – Test Assertion Document Elements Description
6.2. Capture SOAP Messages
In Web Services the service provider and the service requestor exchange information in a structured manner through the SOAP protocol. SOAP messages are XML documents, usually exchanged over the application-layer protocols HTTP and HTTPS. A SOAP message consists of the following major elements: an Envelope, a Header, a Body and, when an error is reported, a Fault; their details are beyond the scope of this paper.
In the SOA implementation scenario described in section 5.0, the Customer service securely communicates the customers' details to the Order service so that orders can be processed. The Customer service is therefore the Web Service consumer and the Order service is the Web Service provider. The two communicating parties establish a security context identified by a Security Context Token (SCT). Figure 4 shows a SOAP message captured during the communication between the two parties. It illustrates the use of the SCT by reference: the signature's ds:KeyInfo points, through a wsse:SecurityTokenReference, at the token carried in the same header (wsu:Id="MyID").
<?xml version="1.0" encoding="utf-8"?>
<s12:Envelope xmlns:s12="http://www.w3.org/2003/05/soap-envelope"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
  <s12:Header>
    <wsse:Security>
      <wsc:SecurityContextToken wsu:Id="MyID">
        <wsc:Identifier>uuid:20189D76AA5794EBCA12142275347662</wsc:Identifier>
      </wsc:SecurityContextToken>
      <ds:Signature>
        ...
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#MyID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </s12:Header>
  <s12:Body wsu:Id="MsgBody">
    ...
  </s12:Body>
</s12:Envelope>
Figure 4 – Sample WS-SecureConversation SOAP Message
The above SOAP message is captured when the client initiates the request. The SOAP message can be captured either with any of the open source SOAP monitor tools or with code written in any language that can sit between consumer and provider and record the exchanged envelopes.
6.3. Generating the Test Result Report
The last and most important step is generating the test results. They are produced by comparing each element in the SOAP Header with the TAD developed from the specification, and can be documented as shown in Table 4 below. The XML comparison can be done with DOM or SAX parsers in Java, or with the XML library native to the chosen programming language; once the parsing is done, the report can be saved in HTML or XML format. Note that this is a structural conformance check: a Pass confirms that the elements the specification mandates are present in the captured message, not that the signature verifies or that the referenced token is still valid.
Comparison   Status
True         Pass – report the description given in the <assertionDescription> element of the TAD
False        Fail – report the descriptions given in the <failureMessage> and <failureDetailDescription> elements of the TAD
Table 4 – Test Result Report
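The comparison step described above, implemented as an added example in Python with only the standard library; this is not the authors' code. It loads the two TAD entries of Figure 3, evaluates them against the captured request of Figure 4 and against two constructed messages (one whose SCT lacks wsc:Identifier, one with no wsse:Security header), and produces rows in the layout of Table 4. Because the TAD text is written for humans, the example maps each assertion id to an XPath context and a required child in a small dictionary; that mapping, the <testAssertions> root element and the two negative messages are assumptions of the example.

```python
"""Compare captured SOAP messages against a Test Assertion Document (TAD).

Added example, not the paper's own code. These are structural checks only: a
Pass means the mandated elements are present, not that the signature verifies.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the captured message in Figure 4.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
}

# The two TAD entries from Figure 3. The <testAssertions> root element is an
# assumption: the paper shows the entries but not the document root.
TAD_XML = """<testAssertions>
<testAssertion id="WSC0001" entryType="anySecureEnvelope" type="required" enabled="true">
  <assertionDescription>Every SOAP message that describes Security Context SHOULD have
  the wsc:SecurityContextToken element specified.</assertionDescription>
  <failureMessage>One or more secure envelopes lack the wsc:SecurityContextToken element.</failureMessage>
  <failureDetailDescription>The wsc:SecurityContextToken element in question.</failureDetailDescription>
</testAssertion>
<testAssertion id="WSC0002" entryType="anySecureEnvelope" type="required" enabled="true">
  <assertionDescription>The wsc:SecurityContextToken element MUST have the child element
  wsc:Identifier specified.</assertionDescription>
  <failureMessage>One or more wsc:SecurityContextToken elements lack the child element wsc:Identifier.</failureMessage>
  <failureDetailDescription>The wsc:SecurityContextToken element in question.</failureDetailDescription>
</testAssertion>
</testAssertions>"""

# Assumed mapping from assertion id to (context XPath, required child). The paper
# suggests carrying such an XPath inside the TAD itself instead.
CHECKS = {
    "WSC0001": (".//wsse:Security", "wsc:SecurityContextToken"),
    "WSC0002": (".//wsc:SecurityContextToken", "wsc:Identifier"),
}

SOAP_HEAD = ('<s12:Envelope xmlns:s12="http://www.w3.org/2003/05/soap-envelope" '
             'xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:wsc="%(wsc)s">') % NS

# Captured request from Figure 4 (signature and body elided as in the figure).
SOAP_GOOD = SOAP_HEAD + """<s12:Header><wsse:Security>
  <wsc:SecurityContextToken wsu:Id="MyID">
    <wsc:Identifier>uuid:20189D76AA5794EBCA12142275347662</wsc:Identifier>
  </wsc:SecurityContextToken>
</wsse:Security></s12:Header><s12:Body wsu:Id="MsgBody"/></s12:Envelope>"""

# Constructed negative case: the SCT is present but its wsc:Identifier is missing.
SOAP_BAD = SOAP_HEAD + """<s12:Header><wsse:Security>
  <wsc:SecurityContextToken wsu:Id="MyID"/>
</wsse:Security></s12:Header><s12:Body wsu:Id="MsgBody"/></s12:Envelope>"""

# Constructed message with no wsse:Security header at all (not a secure envelope).
SOAP_PLAIN = SOAP_HEAD + "<s12:Header/><s12:Body/></s12:Envelope>"


def load_tad(tad_xml):
    """Read the TAD and keep the fields the report needs (see Table 3)."""
    entries = []
    for ta in ET.fromstring(tad_xml).iter("testAssertion"):
        entries.append({
            "id": ta.get("id"),
            "enabled": ta.get("enabled", "true").lower() == "true",
            "description": " ".join(ta.findtext("assertionDescription", "").split()),
            "failure": " ".join(ta.findtext("failureMessage", "").split()),
            "detail": " ".join(ta.findtext("failureDetailDescription", "").split()),
        })
    return entries


def evaluate(tad, soap_xml):
    """Return one Table 4 style row per enabled assertion for a captured message."""
    envelope = ET.fromstring(soap_xml)
    rows = []
    for ta in tad:
        if not ta["enabled"]:
            continue
        ctx_xpath, child = CHECKS[ta["id"]]
        contexts = envelope.findall(ctx_xpath, NS)
        if not contexts:
            # The assertion's context never occurs, so it is neither a pass nor a fail.
            rows.append({"id": ta["id"], "status": "Not applicable",
                         "message": "no element matched " + ctx_xpath})
            continue
        missing = [c for c in contexts if c.find(child, NS) is None]
        if missing:
            ids = ", ".join(c.get("{%s}Id" % NS["wsu"], "<no wsu:Id>") for c in missing)
            rows.append({"id": ta["id"], "status": "Fail",
                         "message": "%s %s (%s)" % (ta["failure"], ta["detail"], ids)})
        else:
            rows.append({"id": ta["id"], "status": "Pass", "message": ta["description"]})
    return rows


def report(tad, soap_xml):
    """Render the rows as plain text in the layout of Table 4."""
    return "\n".join("%s  %-15s %s" % (r["id"], r["status"], r["message"])
                     for r in evaluate(tad, soap_xml))


if __name__ == "__main__":
    tad = load_tad(TAD_XML)
    for name, msg in (("Figure 4", SOAP_GOOD), ("missing Identifier", SOAP_BAD),
                      ("no Security header", SOAP_PLAIN)):
        print("== " + name)
        print(report(tad, msg))
```

The "Not applicable" outcome is deliberate: an assertion whose context element never appears in the message should not be counted as a pass, otherwise a request sent without any wsse:Security header would look fully compliant. Swapping the embedded strings for files written by a SOAP monitor, and the CHECKS dictionary for XPath carried in the TAD, turns this into the reporting step of section 6.3.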
7.0 Why accept the solution
Let us return to section 5.0 and consider the situation the CTO faced:
- Using the existing IT infrastructure, deliver or customize applications that produce results matching the marketplace requirements
- Tackle the situation with no or very little capital expenditure
- Choose the best way to secure the changes made, and deploy the solution with less lead time than other potential solutions would have taken
Approach analysis:
By choosing the Web Services based SOA approach, most of these challenges were resolved. Let us see how:
- The intrinsic interoperability of Web Services, coupled with their governance and federation through a common service contract, helped in designing a solution compatible with the existing IT infrastructure.
- The system built was flexible and adaptive to the ad-hoc business requirements that arise intermittently.
- With no new IT products purchased to achieve this flexibility, there were fewer IT vendors to deal with and fewer integration challenges.
The merits of any solution are measured by how far the new approach maximizes ROI, adds agility to the system and thereby reduces the burden of new investment in trying times.
Maximum ROI:
- The approach presented in section 6.0 enables organizations to maximize ROI because the system provides the all-important competitive advantage: faster product turnaround, enhanced decision-making capability and streamlined operations with fewer changes to the IT infrastructure.
Increased Agility:
- The quality assurance team need not wait for new versions of SOA testing tools to be released, because the solution itself provides the core details of testing the security aspects of web services.
- The QA team can also use the approach for testing individual as well as integrated web services, following the principles of SOA and V-model testing.
- The testing team can customize the approach at any stage. For example, an XPath expression can be placed in the <assertionDescription> element of the TAD so that the check becomes machine-readable.
IT Investment:
- The investment in new skills is greatly reduced because existing resources skilled in testing and XML technologies can work on the solution; those without such experience can be brought in after some basic training.
- The overall IT infrastructure cost is also very low because the solution can be easily integrated with the infrastructure already used for developing the SOA application.
Certain additional steps have to be followed when implementing the solution:
- The test assertion document is not the conventional test case document used in testing traditional web applications; it has been kept simpler and more user-friendly.
- The test engineers have to spend time preparing the TAD, capturing the SOAP messages and generating the test results.
In short, the solution demands better test engineers to carry out the job. It has been estimated that over 60% of companies are trying to establish a center of excellence in the SOA testing space. Adopting the open source solution prescribed here will certainly help companies implement a cost-effective approach to testing the security aspects of web services beyond WS-Security. Organizations will benefit from this non-normative approach by paying less for testing their web services. The approach will also enable test architects to implement a user-friendly SOA security testing tool that can be customized to the testing requirements. There is also a very high probability of extending this tool to cover the other aspects of SOA testing such as functionality, interoperability and performance.
References:
http://www.gartner.com/
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.pdf
http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.pdf
http://www.w3.org/Submission/WS-Policy/
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.pdf
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf
http://www.oasis-open.org/specs/#samlv1.1
http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf
http://saml.xml.org/
http://msdn.microsoft.com/en-us/library/ms951273.aspx
http://www.w3.org/TR/xmlenc-core/
http://www.w3.org/TR/xmldsig-core/
http://download.boulder.ibm.com/ibmdl/pub/software/dw/specs/ws-fed/WS-Federation-V1-1B.pdf?S_TACT=105AGX04&S_CMP=LP
http://www.applabs.com/
Authors' Biography
Uday Kumar Vussainsagar
Uday Kumar has three and a half years of experience in IT and Software Quality Assurance. He is currently working as a senior software engineer in the software quality assurance division of AppLabs. Manual and automation testing in various domains is his forte.
He is currently pursuing a Post Graduate Diploma in M.Tech from the International Institute of Information Technology, Hyderabad, and is a Graduate Engineer in Computer Science Engineering from JNTU.
Jaipal Naidu Lingutla
Jaipal Naidu has over three and a half years of experience in IT and Business Consulting. He is presently with Enzen Global Solutions Pvt Ltd as a Business Analyst in their Utilities Consulting division. Prior to Enzen, he worked with Satyam Computer Services Ltd on the virtualization of business processes and the implementation of back-office operations by leveraging Virtual Shared Service capabilities and service redesign.
He holds a Post Graduate Diploma in Management from Symbiosis Institute of Management Studies and is a Graduate Engineer in Computer Science and Information Technology from JNTU.
Appendix:
Acronyms
OASIS – Organization for the Advancement of Structured Information Standards
W3C – World Wide Web Consortium
STS – Security Token Service
SCT – Security Context Token
XSD – XML Schema Definition
DTD – Document Type Definition
TAD – Test Assertion Document
SOAP – Simple Object Access Protocol
XML – Extensible Markup Language
SAML – Security Assertion Markup Language
ROI – Return on Investment