
Web Service Security

</grgr_replace>
<gr_replace lines="7-8" cat="remove_boilerplate" orig="siegel">

siegel
Télécharger la présentation



Presentation Transcript


  1. Web Service Security Dr. Rebhi S. Baraka rbaraka@iugaza.edu Advanced Topics in Information Technology (SICT 4310) Department of Computer Science Faculty of Information Technology The Islamic University of Gaza

  2. Basic Concept
  • The coupling of Web services carries inherent security risks, such as:
  • Allowing interception of data that flows between services, revealing information about servers, usernames, passwords, or personal, financial, medical or other sensitive information
  • Allowing alteration of data that flows between services, to return incorrect results or redirect the flow to other services
  • Simply shutting down the service itself, so that other dependent services can no longer function, disrupting multiple users at multiple access points

  3. Security Measures
  • At a minimum, there are at least seven different types of security measures that may need to be enforced for each individual application Web service:
  • Stringent service provider/service requester authentication between the application and each Web service it invokes
  • Access control, possibly at both ends, to determine the functions that may be requested, per invocation, based on the authentication instance
  • Digital signatures to ensure the validity (integrity and origin) of message contents
  • Nonrepudiation to preclude either side from disowning a transaction once it has been executed

  4. Security Measures
  • An XML application firewall, such as IBM’s Web Services Gateway, to decouple the end-to-end communications connection at the enterprise network boundary
  • Proven end-to-end data encryption, most likely with the industry standard SSL or its successor TLS
  • Denial-of-service/replay attack detection and diversion mechanisms, which typically come with powerful traffic pattern sampling, analyzing, profiling, and reporting tools that continually monitor the network interface to spot any unusual trends

  5. XML Security Specs
  • Some of the XML security specifications cover:
  • encryption (XML Encryption),
  • digital signatures (XML Signature), and
  • key management services.
  • Other standards organizations, such as OASIS and WS-I, are working on additional specifications related to SOAP security, including
  • Extensible Access Control Markup Language (XACML) and
  • Security Assertion Markup Language (SAML).
  • These standards provide the security foundation for SOAP and other XML-based messaging paradigms.
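The slides list "alteration of data that flows between services" as a risk and digital signatures over XML content as the countermeasure. The example below is added here and is not part of the lecture; it shows why an XML signature must be computed over the canonical form (C14N) of a message rather than its raw bytes, using Python's standard library only. The SOAP-style messages, the shared key and the HMAC stand-in for a real XML Signature value are all constructed assumptions; a production WS-Security deployment would use XML Signature with X.509 key pairs.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample messages (not from the slides). REFORMATTED carries the same
# request as ORIGINAL but differs in attribute order, quoting and empty-tag style,
# as an intermediary that re-serialises the message might produce; TAMPERED has
# the amount altered in transit.
ORIGINAL = ('<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">'
            '<Body><Transfer xmlns="urn:example:bank" amount="100" to="acct-42"/></Body>'
            '</Envelope>')
REFORMATTED = ('<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">'
               "<Body><Transfer xmlns='urn:example:bank' to='acct-42' amount='100'>"
               "</Transfer></Body></Envelope>")
TAMPERED = ORIGINAL.replace('amount="100"', 'amount="100000"')

# Hypothetical shared key. A real deployment signs with a private key (XMLDSig)
# so that the signature also supports nonrepudiation; HMAC only gives integrity.
KEY = b"example-shared-key"


def canonical_form(xml_text: str) -> bytes:
    """Canonical XML (C14N 2.0): sorted attributes, normalised quotes and empty
    elements, so cosmetically different serialisations produce identical bytes."""
    return canonicalize(xml_text).encode("utf-8")


def sign(xml_text: str, key: bytes = KEY) -> str:
    """HMAC-SHA256 over the canonical form; stands in for the SignatureValue."""
    return hmac.new(key, canonical_form(xml_text), hashlib.sha256).hexdigest()


def verify(xml_text: str, signature: str, key: bytes = KEY) -> bool:
    """Recompute over the canonical form; compare in constant time so a verifier
    does not leak how many bytes of the signature matched."""
    return hmac.compare_digest(sign(xml_text, key), signature)


if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("reformatted message verifies:", verify(REFORMATTED, sig))  # True
    print("tampered message verifies:   ", verify(TAMPERED, sig))     # False
```

Signing the raw bytes instead of the canonical form would reject the harmless re-serialisation while still accepting nothing extra, which is why interoperable XML signatures specify a canonicalization method in the SignedInfo block.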
