Title: Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services
Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services
- Cristina Fhied
- SE690 Short Presentation
- Xiaping Jia
Outline
- 1. Introduction to Web Services
- 2. Problems with security
- 3. Security Enterprise Requirements
- 4. Project Goals
- 5. Current Enterprise Status Survey
- 6. Comparison Tables
- 7. Results
- 8. Conclusion and Recommendations
- 9. Potential Future Work
What Is a Web Service?
- Software pieces that interact with each other using internet standards to create an application in response to requests that conform to agreed-upon formats.
What Are the Characteristics?
- A web service is accessible over the internet.
- Provides an interface that can be called from one application to another.
- The interface can be called from any type of application client or service.
- Acts as a liaison between the web and the application logic that implements the service.
How Does a Web Service Communicate?
- Uses XML on top of HTTP.
- XML is a widely accepted format for exchanging data and its semantics.
- The web service STACK consists of:
- XML (eXtensible Markup Language)
- SOAP (Simple Object Access Protocol)
- WSDL (Web Services Definition Language)
- UDDI (Universal Discovery Description Language)
Web Services Stack
- UDDI: returns the WSDL reference used to bind to the web service.
- WSDL: specifies how to connect to a web service.
- SOAP: acts as the envelope for XML messages.
- XML: better describes the data being sent.
- HTTP (SMTP, FTP, other): transport layer.
What About Current Web Security?
- To date, much of web security is built around encryption through Secure Sockets Layer (SSL) using the Simple Object Access Protocol (SOAP).
- Not enough to protect supply-chain operations and other business-to-business transactions.
Threats to Security
- SOAP messages could be modified or read by hackers.
- A hacker could send messages to a service that lack appropriate security claims.
- Service theft (unauthorized users).
Problem With Web Services
- The focus is on the technology's ease of development and extensibility, but security remains the major obstacle keeping most enterprises from deploying web services-based systems that reach outside their firewalls.
Enterprise Security Requirements
- Authentication
- Authorization
- Data protection
- Non-repudiation
- Confidentiality
- Integrity
- Accessibility
Defining Requirements
- Authentication involves accepting credentials from the entity and validating them against an authority.
- Authorization determines whether the service has granted the requestor access to the web service.
- Data protection ensures that the web service request and response have not been tampered with en route. Requires both integrity and privacy.
- Non-repudiation guarantees that the message sender is the same as the creator of the message.
Cont. Defining Requirements
- Confidentiality: the contained information requires protection against unauthorized use or disclosure.
- Accessibility: the information must be available on a timely basis to meet mission requirements or to avoid substantial losses.
- Integrity: the contained information must be protected from unauthorized, unanticipated or unintentional modifications.
WS-Security: New Technology for Security
- Published in April 2002 by IBM, Microsoft, and VeriSign.
- The specification aims to help enterprises build secure web services, and applications based on them, that are broadly interoperable.
- The specification proposes a standard set of SOAP extensions that can be used when building secure web services to implement integrity and confidentiality.
Current Enterprise State Survey
Goals of WS-Security
- Provide:
- Security token propagation.
- Message integrity.
- Message confidentiality.
- A flexible set of mechanisms that can be used to construct a range of security protocols.
Key Driving Requirements
- Multiple security tokens for authentication or authorization.
- Multiple trust domains.
- Multiple encryption technologies.
- End-to-end message-level security, and not just transport-level security.
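As an added example, not part of the presentation, the Python below ties the "Threats to Security" slide (a SOAP message modified in transit) to the token-propagation and message-integrity goals listed above. It stands in for WS-Security's XML Signature with an HMAC over the serialised Body, bound to the propagated UsernameToken, so a modified Body or a swapped token fails verification. Assumptions: sender and service share a secret key; the BodyMAC element, the key and the Transfer payload are constructed for the demo and are not part of the WS-Security schema; re-serialising the parsed Body is a simplification of XML canonicalisation.

```python
# Added example, not from the presentation: simplified message-level
# integrity for a SOAP envelope. An HMAC over the serialised Body, bound
# to the UsernameToken, stands in for WS-Security's XML Signature.
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"            # SOAP 1.1 envelope
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")          # WS-Security 1.0 secext
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)

SHARED_KEY = b"demo-shared-secret"   # constructed; assumes a pre-shared secret


def _mac_input(username: str, body: ET.Element) -> bytes:
    # Bind the token to the Body so neither can be replaced independently.
    # Re-serialising the Body is a stand-in for real XML canonicalisation.
    return username.encode("utf-8") + b"|" + ET.tostring(body, encoding="utf-8")


def build_envelope(payload_xml: str, username: str, key: bytes = SHARED_KEY) -> str:
    """Wrap payload_xml in a SOAP Envelope carrying a wsse:Security header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(payload_xml))
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    mac = hmac.new(key, _mac_input(username, body), hashlib.sha256).hexdigest()
    ET.SubElement(security, "BodyMAC").text = mac   # constructed element, not WS-Security
    return ET.tostring(env, encoding="unicode")


def verify_envelope(envelope: str, key: bytes = SHARED_KEY):
    """Return (True, username) if Body and token are intact, else (False, reason)."""
    root = ET.fromstring(envelope)
    security = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        return False, "missing wsse:Security header"
    username = security.findtext(f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    mac = security.findtext("BodyMAC")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if username is None or mac is None or body is None:
        return False, "missing token, MAC or Body"
    expected = hmac.new(key, _mac_input(username, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "body or token modified"
    return True, username


if __name__ == "__main__":
    env = build_envelope("<Transfer><To>acct-42</To><Amount>100</Amount></Transfer>", "alice")
    print(verify_envelope(env))                                    # (True, 'alice')
    tampered = env.replace("<Amount>100</Amount>", "<Amount>100000</Amount>")
    print(verify_envelope(tampered))                               # (False, 'body or token modified')
```

The check lives in the message itself, so it still holds after the SSL connection is terminated at a gateway or intermediary, which is the end-to-end, message-level property the slide contrasts with transport-level security. The design also illustrates why a real deployment needs more than this sketch: a replay-protection timestamp or nonce, and key material carried by the token rather than a static shared secret.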
Project Goal
- Explore WS-Security in greater detail, offering:
- Formal definition.
- Outline of general concepts and related technologies.
- Integration with other offered specifications.
- Assessment of support for enterprise security concerns.
- Research available competing security specifications, and compare them against WS-Security and the actual needed enterprise security specifications.
Cont. Project Goal
- Discuss the considerations involved in deciding whether to use one specification over another by including a gap assessment of each specification against the actual outlined required specifications.
- Discuss when to use a specific security framework by giving several example situation patterns.
Current Status
- Project Web Page
- Project Proposal
- Technology Review
- Ongoing Tasks
- Research more security specifications
- Gap Assessment development
Project Plan
- Phase 1: Analysis.
- Formal definition.
- Outline of general concepts and related technologies.
- Assessment of support for enterprise security concerns.
- First short presentation (Fall 2003).
- Phase 2: Gap Assessment.
- Gap assessment of each security specification against the actual outlined enterprise specifications.
- Integration with other offered specifications.
- Model of WS-Security integrating with different available specifications.
- Phase 3: Model Example.
- Examples of when to use one specification over another.
- Formalize the gap assessment with WS-Security as a stand-alone framework.
- Final presentation (Winter 2004).
- Completion of SE 690, Winter 2004.
Conclusion
- Project Web Site
- http://cfhied_at_shrike.depaul.edu/se690/abstract
- More information on Web Security
- www.webservicesecurity.com
- Questions?