The OWASP Foundation
                                                                                                 http://www.owasp.org




Web Services Security
Securing your Service Oriented Architecture

Presented at SecureIT Conference – 28th March 2013
Adnan Masood
adnan.masood@owasp.org
http://blog.adnanmasood.com
@adnanmasood
                                              Copyright © The OWASP Foundation
        Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

About OWASP
www.owasp.org




About the speaker

Adnan Masood works as a system architect / technical lead for Green Dot Corporation, where he develops SOA-based middle-tier architectures, distributed systems, and web applications using Microsoft technologies. He is a Microsoft Certified Trainer holding several technical certifications, including MCPD (Enterprise Developer), MCSD .NET, and SCJP-II. Adnan is attributed and published in print media and on the Web; he also teaches Windows Communication Foundation (WCF) courses at the University of California at San Diego and regularly presents at local code camps and user groups. He is actively involved in the .NET community as cofounder and president of the San Gabriel Valley .NET Developers group.

Adnan holds a Master's degree in Computer Science; he is currently a doctoral student working towards a PhD in Machine Learning, specifically discovering interestingness measures in outliers using Bayesian Belief Networks. He also holds a systems architecture certification from MIT and an SOA Smarts certification from Carnegie Mellon University.

Service Oriented Architecture

A service-oriented architecture (SOA) is a set of principles and methodologies for designing and developing software in the form of interoperable services.




What is an SOA Service?

An SOA service is composed of three parts:
A service class that implements the service to be provided
A host environment to host the service
One or more endpoints to which clients will connect

All communication with a service happens through the endpoints. Each endpoint specifies a contract (discussed in greater detail later in this deck) that defines which methods of the service class will be accessible to the client through that specific endpoint. Because the endpoints have their own contracts, they may expose different (and perhaps overlapping) sets of methods. Each endpoint also defines a binding that specifies how a client will communicate with the service, and the address where the endpoint is hosted.
Tenets of SOA
Boundaries are explicit.
Services are autonomous.
Schemas and contracts are shared, but not classes.
Compatibility is based on policy.




Web Services Protocol Stack

[Figure: web services protocol stack; source: http://msdn.microsoft.com/en-us/library/orm-9780596527563-01-10.aspx]
SOA using WCF
Interoperability across platforms
Unification of existing technologies
Enabling service-oriented development

What is WCF?
Microsoft .NET Framework API that unifies many existing standards: WS-Addressing, WS-ReliableMessaging, WS-Security, etc.
Supports a number of different protocols
Compatible with non-Microsoft web services and clients
Service Oriented Architecture
A WCF service is composed of a service class, a hosting environment and one or more endpoints

Endpoint = ABC
Address (where is the service?)
http://localhost:8000/servicename
Binding (how do I talk to it?)
WSHttpBinding
Contract (what can it do?)
[ServiceContract]
[DataContract]
[OperationContract]
[FaultContract]
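
An added example, not code from the deck, that puts the three parts together: a contract carrying the four attributes listed above, a service class, and a host that builds one endpoint from an address, a binding and a contract. The contract, type and namespace names (IAccountService, AccountFault, http://example.invalid/accounts) are illustrative; the address is the deck's own.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

// Added example, not from the deck. Contract, type and namespace names are illustrative.

[DataContract]
public class AccountFault
{
    [DataMember] public string Reason { get; set; }
}

[DataContract]
public class Balance
{
    [DataMember] public string AccountId { get; set; }
    [DataMember] public decimal Amount { get; set; }
}

// C = contract: the operations a client may invoke through an endpoint,
// the data shapes they exchange, and the faults they may return.
[ServiceContract(Namespace = "http://example.invalid/accounts")]
public interface IAccountService
{
    [OperationContract]
    [FaultContract(typeof(AccountFault))]
    Balance GetBalance(string accountId);
}

// The service class that implements the contract.
public class AccountService : IAccountService
{
    public Balance GetBalance(string accountId)
    {
        if (string.IsNullOrWhiteSpace(accountId))
            throw new FaultException<AccountFault>(new AccountFault { Reason = "accountId is required" });
        return new Balance { AccountId = accountId, Amount = 0m };   // stub lookup
    }
}

class Program
{
    static void Main()
    {
        // A = address: where the endpoint listens (the deck's own example address).
        var address = new Uri("http://localhost:8000/servicename");

        // B = binding: how clients talk to it. WSHttpBinding defaults to message
        // security with Windows credentials, so the exchange is authenticated,
        // signed and encrypted without further configuration.
        var binding = new WSHttpBinding();

        // The host environment: one service type, one endpoint built from A, B and C.
        var host = new ServiceHost(typeof(AccountService), address);
        host.AddServiceEndpoint(typeof(IAccountService), binding, string.Empty);
        try
        {
            host.Open();
            Console.WriteLine("Listening on {0}; press Enter to stop.", address);
            Console.ReadLine();
            host.Close();
        }
        catch (CommunicationException ex)
        {
            // e.g. AddressAccessDeniedException when the process lacks the HTTP URL
            // reservation for this address; a faulted host must be aborted, not closed.
            Console.WriteLine("Host failed: " + ex.Message);
            host.Abort();
        }
    }
}
```

Adding a second AddServiceEndpoint call with a different binding and relative address exposes the same contract a second way; each endpoint carries its own binding and therefore its own security settings, which is why the later slides treat endpoint configuration as a security decision.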

WCF Authentication (who)
Who are you (client, server)?
Authentication types:
None, Windows authentication, Username and Password, X.509 Certificate, Issued Token, Custom
For Certificate, the local cert store is checked.
IIdentity interface.



WCF Authorization (what)
What does the client have access to do?
Windows groups (default)
ASP.NET Membership provider (SQL Server)
WCF provides the IPrincipal interface and some implementing classes.


WCF Transfer Security (how)
How are messages secured while in transit?
Transfer security types:
None, Transport, Message, Mixed, Both
Message: end to end, slower, more complicated
Transport: fast, hop-to-hop

WCF provides three important security features
Confidentiality
Integrity
Authentication
Security is on by default in almost all bindings
You configure transport vs. message security using the security mode
You configure authentication via the client credential type
WCF provides numerous authorization options
Impersonation
Role-based access control
Service authorization behavior

The CIA of Security
Is security important?
Do you have resources that have value to an adversary?
If yes, then you must expect to be attacked.
WCF provides the basic protections that you need: CIA.

Confidentiality: Encrypting messages mitigates eavesdropping attacks.
Integrity: Signing messages mitigates tampering and replay attacks.
Authentication: Proof of identity mitigates spoofing and impersonation attacks.

Decisions, Decisions!
The protection level required by your services
Should the data be signed, encrypted, or both?
Transport vs. message security on bindings
Can also use a hybrid of the two
Authentication, or "who are you?"
You choose the type of credentials you want the client to use, and WCF will pick an appropriate authentication protocol
Authorization, or "what are you allowed to do?"
Impersonate the caller, letting someone else handle authz
Provide your own authorization management

Declaring the required protection level
The developer of a service doesn't ultimately control how it's exposed
So what if the host application exposes unsecure endpoints?
Hence, developers can set the required protection level on contracts
The host will fail if the required protection level isn't met by an endpoint
Setting protection level at different scopes:
On a particular message
On individual operations and fault contracts
On a service contract

Protection Level
Simply use the ProtectionLevel property on the appropriate attribute
Possible values: None, Sign, and EncryptAndSign
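
An added example, not code from the deck, showing the ProtectionLevel property at the three scopes the previous slide lists (contract, operation and fault, message) and what happens when a host exposes the contract over a binding that cannot meet the requirement. Contract, operation and namespace names are illustrative.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Added example, not from the deck. Contract and operation names are illustrative.

// Contract scope: every operation must be encrypted and signed unless it says otherwise.
[ServiceContract(Namespace = "http://example.invalid/payments",
                 ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IPaymentService
{
    // Inherits EncryptAndSign from the contract.
    [OperationContract]
    string Transfer(string fromAccount, string toAccount, decimal amount);

    // Operation and fault scope: a public fee table needs integrity only, so relax to Sign.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    [FaultContract(typeof(string), ProtectionLevel = ProtectionLevel.Sign)]
    string[] GetFees();

    // Message scope: the typed message below carries its own requirement.
    [OperationContract]
    void Audit(AuditNote note);
}

// Message scope: this body must be encrypted and signed whatever the operation says.
[MessageContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public class AuditNote
{
    [MessageBodyMember] public string Text { get; set; }
}

public class PaymentService : IPaymentService
{
    public string Transfer(string fromAccount, string toAccount, decimal amount) { return "accepted"; }
    public string[] GetFees() { return new[] { "flat:1.00" }; }
    public void Audit(AuditNote note) { }
}

class Program
{
    static void Main()
    {
        var address = new Uri("http://localhost:8000/payments");

        // An endpoint that cannot meet the requirement: BasicHttpBinding defaults to
        // security mode None. The host refuses to open rather than expose it unprotected.
        var weakHost = new ServiceHost(typeof(PaymentService), address);
        weakHost.AddServiceEndpoint(typeof(IPaymentService), new BasicHttpBinding(), "basic");
        try
        {
            weakHost.Open();
        }
        catch (InvalidOperationException ex)
        {
            // Message reads along the lines of "The request message must be protected".
            Console.WriteLine("Refused: " + ex.Message);
            weakHost.Abort();
        }

        // An endpoint that meets it: WSHttpBinding's default message security signs and encrypts.
        var host = new ServiceHost(typeof(PaymentService), address);
        host.AddServiceEndpoint(typeof(IPaymentService), new WSHttpBinding(), "secure");
        host.Open();
        Console.WriteLine("Opened with {0} endpoint(s)", host.Description.Endpoints.Count);
        host.Close();
    }
}
```

The check happens at Open(), before any client can connect, which is the property the previous slide relies on: a deployer who later swaps in an unsecured binding gets a startup failure instead of a silently exposed service.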



Configuring security in WCF bindings
Security mode: Transport, Message, Mixed
Client credential type: Username, Certificate, Windows, IssuedToken
These two choices determine how security protocols will be implemented.

Configuring Binding Security Settings

Windows integrated authentication (transport security, Windows credentials):

    <wsHttpBinding>
      <binding name="MyTransportSecurityBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </wsHttpBinding>

Service supplies an X.509 cert; client supplies username + password (message security):

    <wsHttpBinding>
      <binding name="MyMessageSecurityBinding">
        <security mode="Message">
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </wsHttpBinding>

Service runs SSL; client supplies a SAML token (mixed mode):

    <wsHttpBinding>
      <binding name="MyMixedSecurityBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="IssuedToken"/>
        </security>
      </binding>
    </wsHttpBinding>

Transport Security
Each transport typically has a built-in security layer that you can use:
HTTP using SSL
TCP/NP using Kerberos
MSMQ using certificates
Provides point-to-point security between nodes




Transport Security Trade-Offs
Benefits
Mature and well-understood security model
Better performance
Drawbacks
Constrains the type of client credentials
You get point-to-point authentication, not end-to-end authentication




Message Security
Message security pushes authentication down into SOAP headers
Provides the same security features as transport security
But in a transport-neutral way (pushes security into SOAP messages)
Provides an end-to-end security solution across all nodes

Interesting Analogy
http://blogs.msdn.com/b/vbertocci/archive/2005/04/25/end-to-end-security-or-why-you-shouldn-t-drive-your-motorcycle-naked.aspx

Message Security Tradeoffs
Benefits
Supports a wide variety of credentials
Largely independent of transport
Supports end-to-end authentication
Multiple WCF extensibility hooks
Drawbacks
Newer isn't always better for security
WS-* isn't as broadly adopted as SSL
Performance can be significantly worse


Mixed Mode
TransportWithMessageCredential
Speed and maturity of transport security
Flexibility of client credential types embedded in the message
Transport security typically supplied by SSL
Authenticates service to client via the service's certificate
Signs and encrypts the payload
WS-Security header holds the client credential
Opens up many options for credential format
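
An added example, not code from the deck, that serves both the binding configuration table earlier and the mixed-mode slide above: the same three security mode / client credential combinations built in code instead of <wsHttpBinding> configuration, hosted side by side so the trade-offs can be compared on one service. IAccountService, the endpoint addresses and the certificate subject name are illustrative placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the deck. Contract, addresses and certificate subject are placeholders.

[ServiceContract]
public interface IAccountService
{
    [OperationContract] decimal GetBalance(string accountId);
}

public class AccountService : IAccountService
{
    public decimal GetBalance(string accountId) { return 0m; }   // stub
}

public static class SecureBindings
{
    // Row 1: transport security (HTTPS) with Windows integrated authentication.
    // Hop-to-hop: the TLS tunnel, not the message, carries the protection.
    public static WSHttpBinding TransportWindows()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Row 2: message security. The service proves itself with its X.509 certificate,
    // the client sends username + password in the WS-Security header, and the SOAP
    // body is signed and encrypted end to end, so plain HTTP can carry it.
    public static WSHttpBinding MessageUserName()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Row 3 / mixed mode: TLS for speed and server authentication, client
    // credential (an issued SAML token) carried inside the message.
    public static WSHttpBinding MixedIssuedToken()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;
        return b;
    }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(AccountService));

        host.AddServiceEndpoint(typeof(IAccountService), SecureBindings.TransportWindows(),
            "https://localhost:8443/accounts/windows");
        host.AddServiceEndpoint(typeof(IAccountService), SecureBindings.MessageUserName(),
            "http://localhost:8000/accounts/username");
        host.AddServiceEndpoint(typeof(IAccountService), SecureBindings.MixedIssuedToken(),
            "https://localhost:8443/accounts/token");

        // Message-mode UserName needs a service certificate so the client can encrypt
        // the password to the service. Placeholder subject name; use your own cert.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "PLACEHOLDER-SERVICE-CERT");

        // Check usernames against the ASP.NET membership provider (SQL Server),
        // not against Windows accounts.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;

        // For row 3 the STS signing certificate must also be registered under
        // host.Credentials.IssuedTokenAuthentication.KnownCertificates (omitted here).

        host.Open();
        Console.WriteLine("Open with {0} endpoints; press Enter to stop.", host.Description.Endpoints.Count);
        Console.ReadLine();
        host.Close();
    }
}
```

The two HTTPS endpoints need a server certificate bound to port 8443 (netsh http add sslcert) before Open() succeeds, and the username endpoint needs a membership provider configured; the message-security endpoint is the only one that stays protected across an intermediary, which is the end-to-end point of the earlier slides.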


Authentication in standard bindings

Binding Name           Transport   Message     Default Client Credential
BasicHttpBinding       Supported   Supported   None
WSHttpBinding          Supported   Default     Windows
WSDualHttpBinding      Supported   Default     Windows
NetTcpBinding          Default     Supported   Windows
NetNamedPipesBinding   Default     Supported
NetMsmqBinding         Default     Supported

Security Call Context
Every secure WCF operation has a ServiceSecurityContext object:
ServiceSecurityContext.Current
OperationContext.ServiceSecurityContext
The context object provides you with information about the caller
Use PrimaryIdentity or WindowsIdentity to access the IIdentity object
IsAnonymous will tell you if it was an anonymous call
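
An added example, not code from the deck, of an operation that reads the security call context the way the slide describes: it reaches the ServiceSecurityContext through either property, refuses anonymous calls, and reports the caller through PrimaryIdentity while checking whether WindowsIdentity holds a real account. Contract and type names are illustrative.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;

// Added example, not from the deck. Contract and type names are illustrative.

[DataContract]
public class CallerInfo
{
    [DataMember] public string Name { get; set; }
    [DataMember] public string AuthenticationType { get; set; }
    [DataMember] public bool IsWindowsAccount { get; set; }
}

[ServiceContract]
public interface IWhoAmIService
{
    [OperationContract] CallerInfo WhoAmI();
}

public class WhoAmIService : IWhoAmIService
{
    public CallerInfo WhoAmI()
    {
        // Both properties expose the same object for the current operation.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null && OperationContext.Current != null)
            ctx = OperationContext.Current.ServiceSecurityContext;

        // No credential was presented (e.g. a binding with security mode None).
        // Refuse explicitly instead of treating the caller as a default identity.
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Anonymous calls are not accepted");

        // PrimaryIdentity is filled for every credential type. WindowsIdentity is a
        // real account only when the caller used Windows credentials; for other
        // credential types WCF hands back an anonymous WindowsIdentity.
        IIdentity identity = ctx.PrimaryIdentity;
        WindowsIdentity win = ctx.WindowsIdentity;
        bool isWindows = win != null && !win.IsAnonymous;

        return new CallerInfo
        {
            Name = identity.Name,
            AuthenticationType = identity.AuthenticationType,
            IsWindowsAccount = isWindows
        };
    }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(WhoAmIService), new Uri("http://localhost:8000/whoami"));
        // Default WSHttpBinding: message security, Windows credentials.
        host.AddServiceEndpoint(typeof(IWhoAmIService), new WSHttpBinding(), string.Empty);
        host.Open();
        Console.WriteLine("Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The IsAnonymous guard is the detail worth keeping: an endpoint added later with security mode None would still dispatch to this operation, and without the guard the code would happily report whatever placeholder identity it found.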

Authorization Options
Role-based access control
Windows groups are a simple option (use IPrincipal)
Use an ASP.NET role provider
PrincipalPermission works reasonably well
ServiceAuthorizationBehavior
Decision based on SOAP action & client identity
Fires earlier than PrincipalPermission
Keeps authz logic out of the service implementation
Impersonation
Only an option with Windows credentials
Use WindowsIdentity.Impersonate or [OperationBehavior]

Impersonation
Impersonation is a Windows feature
Must be using Windows authentication for this to work
Easy to get this working for local resources
Trickier for remote resources (requires delegation)
Temporarily take on the client identity
You're passing the authorization problem to a system behind you
Great when you're accessing existing secure resources
Can eliminate the need for you to implement authz in your app
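
An added example, not code from the deck, that covers the three authorization options of the previous two slides on one service: PrincipalPermission demands on operations, a ServiceAuthorizationManager attached through the ServiceAuthorizationBehavior that decides on SOAP action plus caller identity before dispatch, and an operation that impersonates the Windows caller so a local resource's ACL makes the decision. Contract, role and path names are illustrative.

```csharp
using System;
using System.IO;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not from the deck. Contract, role and path names are illustrative.

[ServiceContract(Namespace = "http://example.invalid/ledger")]
public interface ILedgerService
{
    [OperationContract] string Read();
    [OperationContract] string Post(decimal amount);
    [OperationContract] string Export(string fileName);
}

public class LedgerService : ILedgerService
{
    // Role-based access control: PrincipalPermission demands a Windows group.
    // It fires after dispatch, once the operation has been selected.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public string Read() { return "ledger"; }

    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    public string Post(decimal amount) { return "posted " + amount; }

    // Impersonation: run this operation as the Windows caller, so the NTFS ACL on
    // the export directory decides access rather than code in this service.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Export(string fileName)
    {
        // Only a bare file name is honoured; the directory is fixed.
        string path = Path.Combine(@"C:\ledger-exports", Path.GetFileName(fileName));
        return File.ReadAllText(path);
    }
}

// ServiceAuthorizationBehavior: decide on SOAP action + caller identity before the
// operation is invoked, keeping authorization out of LedgerService itself.
public class LedgerAuthorizationManager : ServiceAuthorizationManager
{
    // Default WCF action: <namespace>/<contract>/<operation>.
    private const string PostAction = "http://example.invalid/ledger/ILedgerService/Post";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous)
            return false;                       // deny by default

        string action = operationContext.IncomingMessageHeaders.Action;
        if (action == PostAction)
        {
            WindowsIdentity win = ctx.WindowsIdentity;
            return win != null && !win.IsAnonymous
                && new WindowsPrincipal(win).IsInRole(WindowsBuiltInRole.Administrator);
        }
        return true;                            // other actions fall through to PrincipalPermission
    }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(LedgerService), new Uri("http://localhost:8000/ledger"));
        host.AddServiceEndpoint(typeof(ILedgerService), new WSHttpBinding(), string.Empty);

        ServiceAuthorizationBehavior authz = host.Authorization;
        authz.ServiceAuthorizationManager = new LedgerAuthorizationManager();
        // PrincipalPermission consults Thread.CurrentPrincipal; build it from Windows groups (the default).
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        host.Open();
        Console.WriteLine("Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Impersonation only works when the client permits it (ClientCredentials.Windows.AllowedImpersonationLevel set to TokenImpersonationLevel.Impersonation on the proxy) and, as the slide notes, only reaches local resources; touching a remote file share or database as the caller needs delegation as well. A denied CheckAccessCore returns an access-denied fault to the client before any operation code runs, which is the "fires earlier" property the previous slide mentions.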




Summary & Conclusion

WCF provides three important security features
Confidentiality
Integrity
Authentication
Security is on by default in almost all bindings
You configure transport vs. message security using the security mode
You configure authentication via the client credential type
WCF provides numerous authorization options
Impersonation
Role-based access control via groups, roles or claims
Service authorization behavior




References
Security in Windows Communication Foundation
http://msdn.microsoft.com/en-us/magazine/cc163570.aspx
WCF Security Architecture
http://msdn.microsoft.com/en-us/library/ms788756.aspx
Pluralsight course on WCF Security
http://pluralsight.com/training/courses/TableOfContents?courseName=wcf-design-concepts&highlight=aaron-skonnard_security#security
Fundamentals of WCF Security
www.code-magazine.com/article.aspx?quickid=0611051
6 Steps to Implement DUAL Security on WCF using User name + SSL
http://www.codeproject.com/Articles/82737/6-Steps-to-Implement-DUAL-Security-on-WCF-using-Us

Thank You!
Adnan Masood
adnan.masood@owasp.org
@adnanmasood
Blog: www.AdnanMasood.com
Pasadena .NET User Group: www.sgvdotnet.org




RSA Europe 2013 OWASP Training
 

Plus de Adnan Masood

Data science with Windows Azure - A Brief Introduction
Data science with Windows Azure - A Brief IntroductionData science with Windows Azure - A Brief Introduction
Data science with Windows Azure - A Brief IntroductionAdnan Masood
 
System Quality Attributes for Software Architecture
System Quality Attributes for Software ArchitectureSystem Quality Attributes for Software Architecture
System Quality Attributes for Software ArchitectureAdnan Masood
 
Agile Software Development
Agile Software DevelopmentAgile Software Development
Agile Software DevelopmentAdnan Masood
 
Belief Networks & Bayesian Classification
Belief Networks & Bayesian ClassificationBelief Networks & Bayesian Classification
Belief Networks & Bayesian ClassificationAdnan Masood
 
Bayesian Networks and Association Analysis
Bayesian Networks and Association AnalysisBayesian Networks and Association Analysis
Bayesian Networks and Association AnalysisAdnan Masood
 
Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...
Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...
Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...Adnan Masood
 
Bayesian Networks - A Brief Introduction
Bayesian Networks - A Brief IntroductionBayesian Networks - A Brief Introduction
Bayesian Networks - A Brief IntroductionAdnan Masood
 
Web API or WCF - An Architectural Comparison
Web API or WCF - An Architectural ComparisonWeb API or WCF - An Architectural Comparison
Web API or WCF - An Architectural ComparisonAdnan Masood
 
SOLID Principles of Refactoring Presentation - Inland Empire User Group
SOLID Principles of Refactoring Presentation - Inland Empire User GroupSOLID Principles of Refactoring Presentation - Inland Empire User Group
SOLID Principles of Refactoring Presentation - Inland Empire User GroupAdnan Masood
 
Brief bibliography of interestingness measure, bayesian belief network and ca...
Brief bibliography of interestingness measure, bayesian belief network and ca...Brief bibliography of interestingness measure, bayesian belief network and ca...
Brief bibliography of interestingness measure, bayesian belief network and ca...Adnan Masood
 

Plus de Adnan Masood (10)

Data science with Windows Azure - A Brief Introduction
Data science with Windows Azure - A Brief IntroductionData science with Windows Azure - A Brief Introduction
Data science with Windows Azure - A Brief Introduction
 
System Quality Attributes for Software Architecture
System Quality Attributes for Software ArchitectureSystem Quality Attributes for Software Architecture
System Quality Attributes for Software Architecture
 
Agile Software Development
Agile Software DevelopmentAgile Software Development
Agile Software Development
 
Belief Networks & Bayesian Classification
Belief Networks & Bayesian ClassificationBelief Networks & Bayesian Classification
Belief Networks & Bayesian Classification
 
Bayesian Networks and Association Analysis
Bayesian Networks and Association AnalysisBayesian Networks and Association Analysis
Bayesian Networks and Association Analysis
 
Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...
Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...
Probabilistic Interestingness Measures - An Introduction with Bayesian Belief...
 
Bayesian Networks - A Brief Introduction
Bayesian Networks - A Brief IntroductionBayesian Networks - A Brief Introduction
Bayesian Networks - A Brief Introduction
 
Web API or WCF - An Architectural Comparison
Web API or WCF - An Architectural ComparisonWeb API or WCF - An Architectural Comparison
Web API or WCF - An Architectural Comparison
 
SOLID Principles of Refactoring Presentation - Inland Empire User Group
SOLID Principles of Refactoring Presentation - Inland Empire User GroupSOLID Principles of Refactoring Presentation - Inland Empire User Group
SOLID Principles of Refactoring Presentation - Inland Empire User Group
 
Brief bibliography of interestingness measure, bayesian belief network and ca...
Brief bibliography of interestingness measure, bayesian belief network and ca...Brief bibliography of interestingness measure, bayesian belief network and ca...
Brief bibliography of interestingness measure, bayesian belief network and ca...
 

Dernier

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Web Services Security - Securing your Service Oriented Architecture - OWASP Talk

  • 1. The OWASP Foundation, http://www.owasp.org. Web Services Security: Securing your Service Oriented Architecture. Presented at SecureIT Conference – 28th March 2013. Adnan Masood, adnan.masood@owasp.org, http://blog.adnanmasood.com, @adnanmasood. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 2. About OWASP: www.owasp.org
  • 3. About the speaker. Adnan Masood works as a system architect / technical lead for Green Dot Corporation, where he develops SOA-based middle-tier architectures, distributed systems, and web applications using Microsoft technologies. He is a Microsoft Certified Trainer holding several technical certifications, including MCPD (Enterprise Developer), MCSD .NET, and SCJP-II. Adnan is attributed and published in print media and on the Web; he also teaches Windows Communication Foundation (WCF) courses at the University of California at San Diego and regularly presents at local code camps and user groups. He is actively involved in the .NET community as cofounder and president of the San Gabriel Valley .NET Developers group. Adnan holds a Master's degree in Computer Science; he is currently a doctoral student working towards a PhD in Machine Learning, specifically discovering interestingness measures in outliers using Bayesian Belief Networks. He also holds a systems architecture certification from MIT and an SOA Smarts certification from Carnegie Mellon University.
  • 4. Service Oriented Architecture. A service-oriented architecture (SOA) is a set of principles and methodologies for designing and developing software in the form of interoperable services.
  • 5. (image-only slide)
  • 6. What is an SOA Service? An SOA service is composed of three parts:
    - A service class that implements the service to be provided
    - A host environment to host the service
    - One or more endpoints to which clients will connect
    All communication with a service happens through the endpoints. Each endpoint specifies a contract (discussed in greater detail later) that defines which methods of the service class will be accessible to the client through that specific endpoint. Because the endpoints have their own contracts, they may expose different (and perhaps overlapping) sets of methods. Each endpoint also defines a binding that specifies how a client will communicate with the service, and the address where the endpoint is hosted.
  • 7. Tenets of SOA
    - Boundaries are explicit.
    - Services are autonomous.
    - Schemas and contracts are shared, but not classes.
    - Compatibility is based on policy.
  • 8. Web Services Protocol Stack (diagram). Source: http://msdn.microsoft.com/en-us/library/orm-9780596527563-01-10.aspx
  • 9. SOA using WCF
    - Interoperability across platforms
    - Unification of existing technologies
    - Enabling service-oriented development
  • 10. (image-only slide)
  • 11. What is WCF?
    - Microsoft .NET Framework API that unifies many existing standards: WS-Addressing, WS-ReliableMessaging, WS-Security, etc.
    - Supports a number of different protocols
    - Compatible with non-Microsoft web services and clients
    - Service Oriented Architecture: a WCF service is composed of a service class, a hosting environment and one or more endpoints
  • 12. Endpoint = ABC
    - Address (where is the service?): http://localhost:8000/servicename
    - Binding (how do I talk to it?): WSHttpBinding
    - Contract (what can it do?): [ServiceContract], [DataContract], [OperationContract], [FaultContract]
  • 13. WCF Authentication (who). Who are you (client, server)?
    - Authentication types: None, Windows authentication, Username and Password, X.509 Certificate, Issued Token, Custom
    - For Certificate, the local cert store is checked.
    - IIdentity interface.
  • 14. WCF Authorization (what). What does the client have access to do?
    - Windows groups (default)
    - ASP.NET Membership provider (SQL Server)
    - WCF provides the IPrincipal interface and some implementing classes.
  • 15. WCF Transfer Security (how). How are messages secured while in transit?
    - Transfer security types: None, Transport, Message, Mixed, Both
    - Message: end to end, slower, more complicated
    - Transport: fast, hop-to-hop
  • 16. WCF provides three important security features: Confidentiality, Integrity, Authentication.
    - Security is on by default in almost all bindings
    - You configure transport vs. message using the security mode
    - You configure authentication via the client credential type
    - WCF provides numerous authorization options: impersonation, role-based access control, service authorization behavior
  • 17. The CIA of Security. Is security important? Do you have resources that have value to an adversary? If yes, then you must expect to be attacked. WCF provides the basic protections that you need: CIA.
    - Confidentiality: encrypting messages mitigates eavesdropping attacks.
    - Integrity: signing messages mitigates tampering and replay attacks.
    - Authentication: proof of identity mitigates spoofing and impersonation attacks.
  • 18. Decisions, Decisions!
    - The protection level required by your services: should the data be signed, encrypted or both?
    - Transport vs. message security on bindings: you can also use a hybrid of the two
    - Authentication, or "who are you?": you choose the type of credentials you want the client to use and WCF will pick an appropriate authentication protocol
    - Authorization, or "what are you allowed to do?": impersonate the caller, letting someone else handle authz, or provide your own authorization management
  • 19. Declaring the required protection level
    - The developer of a service doesn't ultimately control how it's exposed, so what if the host application exposes insecure endpoints?
    - Hence, developers can set the required protection level on contracts
    - The host will fail if the required protection level isn't met by an endpoint
    Setting the protection level at different scopes:
    - On a particular message
    - On individual operations and fault contracts
    - On a service contract
  • 20. Protection Level. Simply use the ProtectionLevel property on the appropriate attribute. Possible values: None, Sign, and EncryptAndSign.
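The contract-level protection level of slides 19 and 20, worked as an added C# example that is not part of the deck: the contract demands EncryptAndSign, one operation relaxes to Sign, and ServiceHost.Open() is shown refusing a binding that cannot provide the required protection. The service name, operations and localhost addresses are assumptions for the example.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example (not from the slides). The contract declares the protection
// level it needs; the host refuses to open an endpoint whose binding cannot meet it.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IPaymentService
{
    // Inherits EncryptAndSign from the contract: account and amount must stay confidential.
    [OperationContract]
    string Charge(string account, decimal amount);

    // Public data: integrity is enough, so this operation alone relaxes to Sign.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string GetExchangeRate(string currency);
}

// Hypothetical implementation; the bodies are irrelevant to the protection-level check.
public class PaymentService : IPaymentService
{
    public string Charge(string account, decimal amount) => "charged " + amount + " to " + account;
    public string GetExchangeRate(string currency) => "1.00";
}

public static class ProtectionLevelDemo
{
    // Returns true when the host opened, false when WCF rejected the endpoint
    // because the binding does not satisfy the contract's protection level.
    // Opening an http listener needs a URL reservation or an elevated process.
    public static bool TryHost(Binding binding, string address)
    {
        var host = new ServiceHost(typeof(PaymentService), new Uri(address));
        host.AddServiceEndpoint(typeof(IPaymentService), binding, "");
        try
        {
            host.Open();
            host.Close();
            return true;
        }
        catch (InvalidOperationException ex)
        {
            // WCF reports that the request message must be protected and that the
            // protection must be provided by the binding; the service never starts.
            Console.WriteLine("host refused endpoint " + address + ": " + ex.Message);
            host.Abort();
            return false;
        }
    }

    public static void Main()
    {
        // Plain HTTP with security mode None cannot encrypt or sign, so Open() throws
        // and the unprotected endpoint is never exposed.
        var insecure = new WSHttpBinding(SecurityMode.None);
        Console.WriteLine("insecure binding opened: " + TryHost(insecure, "http://localhost:8000/payments"));

        // Message security (Windows client credential by default) can encrypt and sign,
        // so the same contract hosts normally.
        var secure = new WSHttpBinding(SecurityMode.Message);
        Console.WriteLine("secure binding opened: " + TryHost(secure, "http://localhost:8001/payments"));
    }
}
```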
  • 21. Configuring security in WCF bindings. These two choices determine how the security protocols will be implemented:
    - Security mode: Transport, Message, Mixed
    - Client credential type: Username, Certificate, Windows, IssuedToken
  • 22. Bindings configuration: configuring binding authentication and security settings.
    Windows Integrated (transport security, Windows credential):
      <wsHttpBinding>
        <binding name="MyTransportSecurityBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </wsHttpBinding>
    Service supplies X.509 cert; client supplies username + password (message security):
      <wsHttpBinding>
        <binding name="MyMessageSecurityBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    Service runs SSL; client supplies SAML token (mixed mode):
      <wsHttpBinding>
        <binding name="MyMixedSecurityBinding">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="IssuedToken"/>
          </security>
        </binding>
      </wsHttpBinding>
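The three bindings of slide 22 built in code, followed by a startup audit of a ServiceHost's endpoints, as an added example that is not part of the deck: it flags security mode None, anonymous client credentials, Transport or mixed mode on a non-https address, and message-mode credentials that need a service certificate when none is configured. The audit rules, contract and addresses are the example's own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract used only to give the host something to expose.
[ServiceContract] public interface IEcho { [OperationContract] string Echo(string s); }
public class EchoService : IEcho { public string Echo(string s) => s; }

// Added example (not from the slides): the slide's three bindings, then an audit.
public static class BindingAudit
{
    // Slide 22, first binding: transport security, Windows Integrated.
    public static WSHttpBinding TransportWindows()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Slide 22, second binding: message security, client sends username + password.
    public static WSHttpBinding MessageUserName()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Slide 22, third binding: SSL on the wire, issued (SAML) token in the message.
    public static WSHttpBinding MixedIssuedToken()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;
        return b;
    }

    // One finding per weakness; an empty list means nothing obvious is wrong.
    // Run this before host.Open() so a bad endpoint never goes live.
    public static List<string> Audit(ServiceHost host)
    {
        var findings = new List<string>();
        bool needsServiceCert = false;

        foreach (ServiceEndpoint ep in host.Description.Endpoints)
        {
            string where = ep.Address.Uri.ToString();
            bool https = ep.Address.Uri.Scheme == Uri.UriSchemeHttps;
            var ws = ep.Binding as WSHttpBinding;
            if (ws == null)
            {
                findings.Add(where + ": not a WSHttpBinding, review its security settings by hand");
                continue;
            }
            switch (ws.Security.Mode)
            {
                case SecurityMode.None:
                    findings.Add(where + ": security mode None (no confidentiality, integrity or authentication)");
                    break;
                case SecurityMode.Transport:
                    if (!https) findings.Add(where + ": Transport mode but the address is not https");
                    if (ws.Security.Transport.ClientCredentialType == HttpClientCredentialType.None)
                        findings.Add(where + ": transport security with anonymous clients");
                    break;
                case SecurityMode.Message:
                    if (ws.Security.Message.ClientCredentialType == MessageCredentialType.None)
                        findings.Add(where + ": message security with anonymous clients");
                    // Every message-mode credential other than Windows needs the service's X.509 cert.
                    if (ws.Security.Message.ClientCredentialType != MessageCredentialType.Windows)
                        needsServiceCert = true;
                    break;
                case SecurityMode.TransportWithMessageCredential:
                    if (!https) findings.Add(where + ": mixed mode but the address is not https");
                    if (ws.Security.Message.ClientCredentialType == MessageCredentialType.None)
                        findings.Add(where + ": mixed mode with anonymous clients");
                    break;
            }
        }

        if (needsServiceCert && host.Credentials.ServiceCertificate.Certificate == null)
            findings.Add("message security with UserName, Certificate or IssuedToken credentials needs a service certificate; none is configured");
        return findings;
    }

    public static void Main()
    {
        // Hypothetical addresses; the host is never opened here, so no URL reservation is needed.
        var host = new ServiceHost(typeof(EchoService),
            new Uri("http://localhost:8000/echo"), new Uri("https://localhost:8443/echo"));
        host.AddServiceEndpoint(typeof(IEcho), TransportWindows(), "https://localhost:8443/echo/win");
        host.AddServiceEndpoint(typeof(IEcho), MessageUserName(), "http://localhost:8000/echo/user");
        // Constructed mistake: mixed mode on plain http, which the audit reports.
        host.AddServiceEndpoint(typeof(IEcho), MixedIssuedToken(), "http://localhost:8000/echo/token");
        foreach (string finding in Audit(host)) Console.WriteLine(finding);
        host.Abort();
    }
}
```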
  • 23. Transport Security
    - Each transport typically has a built-in security layer that you can use: HTTP using SSL, TCP/NP (named pipes) using Kerberos, MSMQ using certificates
    - Provides point-to-point security between nodes
  • 24. Transport Security Trade-Offs
    Benefits:
    - Mature and well understood security model
    - Better performance
    Drawbacks:
    - Constrains the type of client credentials
    - You get point-to-point authentication, not end-to-end authentication
  • 25. Message Security
    - Message security pushes authentication down into SOAP headers
    - Provides the same security features as transport security, but in a transport-neutral way (pushes security into the SOAP messages)
    - Provides an end-to-end security solution across all nodes
  • 26. Interesting analogy: http://blogs.msdn.com/b/vbertocci/archive/2005/04/25/end-to-end-security-or-why-you-shouldn-t-drive-your-motorcycle-naked.aspx
  • 27. Message Security Trade-Offs
    Benefits:
    - Supports a wide variety of credentials
    - Largely independent of transport
    - Supports end-to-end authentication
    - Multiple WCF extensibility hooks
    Drawbacks:
    - Newer isn't always better for security
    - WS-* isn't as broadly adopted as SSL
    - Performance can be significantly worse
  • 28. Mixed Mode (TransportWithMessageCredential)
    - Speed and maturity of transport security with the flexibility of client credential types embedded in the message
    - Transport security typically supplied by SSL: authenticates the service to the client via the service's certificate; signs and encrypts the payload
    - WS-Security header holds the client credential: opens up many options for credential format
  • 29. Authentication in standard bindings
    Binding Name            Transport   Message     Default Client Credential
    BasicHttpBinding        Supported   Supported   None
    WSHttpBinding           Supported   Default     Windows
    WSDualHttpBinding       Supported   Default     Windows
    NetTcpBinding           Default     Supported   Windows
    NetNamedPipesBinding    Default     Supported
    NetMsmqBinding          Default     Supported
  • 30. Security Call Context
    - Every secure WCF operation has a ServiceSecurityContext object: ServiceSecurityContext.Current or OperationContext.ServiceSecurityContext
    - The context object provides you with information about the caller
    - Use PrimaryIdentity or WindowsIdentity to access the IIdentity object
    - IsAnonymous will tell you if it was an anonymous call
  • 31. Authorization Options
    Role-based access control:
    - Windows groups are a simple option (use IPrincipal)
    - Use an ASP.NET role provider
    - PrincipalPermission works reasonably well
    ServiceAuthorizationBehavior:
    - Decision based on SOAP action and client identity
    - Fires earlier than PrincipalPermission
    - Keeps authz logic out of the service implementation
    Impersonation:
    - Only an option with Windows credentials
    - Use WindowsIdentity.Impersonate or [OperationBehavior]
  • 32. Impersonation
    - Impersonation is a Windows feature: you must be using Windows authentication for this to work
    - Easy to get this working for local resources; trickier for remote resources (requires delegation)
    - Temporarily take on the client identity: you're passing the authorization problem to a system behind you
    - Great when you're accessing existing secure resources; can eliminate the need for you to implement authz in your app
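Slides 30 to 32 brought together in one added C# example (not the deck's code): a ServiceAuthorizationManager that decides on SOAP action plus caller identity before dispatch, [PrincipalPermission] role demands on the operations, ServiceSecurityContext used inside an operation, and [OperationBehavior] impersonation on the one operation that touches Windows-secured resources. The contract, the group names AccountReaders and AccountAdmins, and the namespace are assumptions.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (not from the slides). Hypothetical contract; the namespace fixes the SOAP actions.
[ServiceContract(Namespace = "http://example.test/accounts")]
public interface IAccountService
{
    [OperationContract] string GetBalance(string account);
    [OperationContract] void CloseAccount(string account);
}

public class AccountService : IAccountService
{
    // Role-based check (slide 31): evaluated against Windows groups, see PrincipalPermissionMode below.
    [PrincipalPermission(SecurityAction.Demand, Role = "AccountReaders")]
    public string GetBalance(string account)
    {
        // Security call context (slide 30): who is calling, and were they authenticated at all?
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string caller = ctx.IsAnonymous ? "<anonymous>" : ctx.PrimaryIdentity.Name;
        Console.WriteLine("GetBalance(" + account + ") requested by " + caller);
        return "0.00"; // constructed value
    }

    // Impersonation (slide 32): this operation runs as the caller, so the ACLs on whatever
    // it touches (files, SQL Server, ...) make the final authorization decision.
    [PrincipalPermission(SecurityAction.Demand, Role = "AccountAdmins")]
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void CloseAccount(string account)
    {
        Console.WriteLine("CloseAccount(" + account + ") running as " + WindowsIdentity.GetCurrent().Name);
    }
}

// ServiceAuthorizationBehavior (slide 31): fires before the operation is dispatched and
// keeps the policy out of the service class. Returning false yields an access-denied fault.
public class ActionAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.IncomingMessageHeaders.Action;
        ServiceSecurityContext sec = operationContext.ServiceSecurityContext;
        if (sec == null || sec.IsAnonymous || sec.WindowsIdentity.IsAnonymous)
            return false; // Windows credentials are assumed; anything else is refused here

        // Destructive action: only members of the admin group, decided on the SOAP action.
        if (action.EndsWith("/IAccountService/CloseAccount", StringComparison.Ordinal))
            return new WindowsPrincipal(sec.WindowsIdentity).IsInRole("AccountAdmins");

        // Everything else: any authenticated caller reaches the [PrincipalPermission] check.
        return base.CheckAccessCore(operationContext);
    }
}

public static class AccountHosting
{
    // Builds (but does not open) a host wired with the manager and Windows-group roles.
    public static ServiceHost Build(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(AccountService), baseAddress);
        // Message security with the default Windows client credential (slide 29).
        host.AddServiceEndpoint(typeof(IAccountService), new WSHttpBinding(SecurityMode.Message), "");

        ServiceAuthorizationBehavior authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.ServiceAuthorizationManager = new ActionAuthorizationManager();
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        authz.ImpersonateCallerForAllOperations = false; // only CloseAccount impersonates
        return host;
    }

    public static void Main()
    {
        // Hypothetical address; opening it needs a URL reservation or an elevated process.
        using (ServiceHost host = Build(new Uri("http://localhost:8002/accounts")))
        {
            host.Open();
            Console.WriteLine("listening; press Enter to stop");
            Console.ReadLine();
        }
    }
}
```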
  • 34. The OWASP Foundation http://www.owasp.org WCF provides three important security features Confidentiality Integrity Authentication Security is on by default in almost all bindings You configure transport vs. message using the security mode You configure authentication via the client credential type WCF provides numerous authorization options Impersonation Role-based access control via groups, roles or claims Service authorization behavior Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  • 35. References
    • Security in Windows Communication Foundation: http://msdn.microsoft.com/en-us/magazine/cc163570.aspx
    • WCF Security Architecture: http://msdn.microsoft.com/en-us/library/ms788756.aspx
    • Pluralsight course on WCF Security: http://pluralsight.com/training/courses/TableOfContents?courseName=wcf-design-concepts&highlight=aaron-skonnard_security#security
    • Fundamentals of WCF Security: www.code-magazine.com/article.aspx?quickid=0611051
    • 6 Steps to Implement DUAL Security on WCF using User name + SSL: http://www.codeproject.com/Articles/82737/6-Steps-to-Implement-DUAL-Security-on-WCF-using-Us
  • 36. Thank You!
    • Adnan Masood
    • adnan.masood@owasp.org
    • @adnanmasood
    • Blog: www.AdnanMasood.com
    • Pasadena .NET User Group: www.sgvdotnet.org

Editor's notes

  1. SOA establishes an architectural model that aims to enhance the efficiency, agility, and productivity of an enterprise by positioning services as the primary means through which solution logic is represented in support of the realization of the strategic goals associated with service-oriented computing. On a fundamental basis, the service-oriented computing platform revolves around the service-orientation design paradigm and its relationship with service-oriented architecture. In fact, the term "service-oriented architecture" and its associated acronym have been used so broadly by the media and within vendor marketing literature that it has almost become synonymous with service-oriented computing itself. It is therefore very important to make a clear distinction between what SOA actually is and how it relates to other service-oriented computing elements. As a form of technology architecture, an SOA implementation can consist of a combination of technologies, products, APIs, supporting infrastructure extensions, and various other parts. The actual face of a deployed service-oriented architecture is unique within each enterprise; however, it is typified by the introduction of new technologies and platforms that specifically support the creation, execution, and evolution of service-oriented solutions. As a result, building a technology architecture around the service-oriented architectural model establishes an environment suitable for solution logic that has been designed in compliance with service-orientation design principles.
