Scribd Logo
Upload

Welcome to Scribd!

  • Ws Security - Rest Vs Soap

    Uploaded by

    Sylvain MARET
    249 views45 pages

    Original Title

    Ws Security - Rest vs Soap

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    249 views45 pages

    Ws Security - Rest Vs Soap

    Uploaded by

    Sylvain MARET

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 45

    Initiation la scurit des Web Services (SOAP vs REST)

    Sylvain MARET Principal Consultant / MARET Consulting OpenID Switzerland & OWASP Switzerland
    Application Security Forum - 2012
    Western Switzerland
    7-8 novembre 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch

    08.11.2012, Version 1.1 @smaret

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    Bio
    18 years of experience in ICT Security Principal Consultant at MARET Consulting Expert at Engineer School of Yverdon Swiss French Area delegate at OpenID Switzerland Co-founder Geneva Application Security Forum OWASP Member Author of the blog: la Citadelle Electronique http://ch.linkedin.com/in/smaret or @smaret http://www.slideshare.net/smaret

    Chosen field
    AppSec & Digital Identity Security

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    Web Service: la base.

    Web Service ?

    Consumer

    XML, JSON, etc.

    Provider

    Un peu dhistoire
    1990 : DCE/RPC Distributed Computing Environment 1992 : CORBA Common Object Request Broker Architecture 1990-1993 : Microsofts DCOM -- Distributed Component Object Model 1995: RMI Monde Java

    Pour arriver une standardisation (toujours en cours) des protocoles, outils, langages et interfaces
    SOAP REST Etc.

    Web Service

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    SOAP vs REST ?

    10

    SOAP: Les ingrdients

    11

    SOAP: Dmystification des technologies


    Langages
    XML WSDL : Descripteur du service UDDI: Annuaire des services

    Protocoles
    Transport: HTTP, HTTPS, SMTP, FTP, SMS, TFTP, SSH, etc. (TCP or UDP) Message: Enveloppe SOAP

    Scurit
    WS-Security (Signature & Chiffrement)

    Autres lments
    AuthN: SAML, X509, Username & Password, Kerberos, HTTP Digest, etc.

    12

    Enveloppe SOAP
    - SOAP : Simple Object Access Protocol - Permet lenvoi de messages XML - Agnostique au moyen de transport - HTTP - HTTPS - FTP - etc.

    Source= wikipdia

    13

    SOAP request

    SOAP response

    14

    UDDI
    Universal Description Discovery and Integration, connu aussi sous l'acronyme UDDI, est un annuaire de services fond sur XML et plus particulirement destin aux services Web.

    15

    WSDL
    WSDL est une grammaire XML permettant de dcrire un Service Web. Le WSDL sert dcrire :
    le format de messages requis pour communiquer avec ce service les mthodes que le client peut invoquer la localisation du service le protocole de communication (SOAP RPC ou SOAP orient message)
    http://fr.wikipedia.org/wiki/Web_Services_Description_Language

    16

    WSDL

    http://predic8.com/wsdl-reading.htm

    17

    WSDL: exemple

    18

    SOAP: Dmystification des protocoles


    Dcouverte UDDI

    Description

    WSDL

    Message

    SOAP / XML HTTP, HTTPS, FTP, SFTP, SMS, SMTP (TCP or UDP)

    Protocole

    Transport

    IP

    19

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    20

    REST: Les ingrdients

    21

    REST: Dmystification des technologies


    Langages
    XML JSON XHTML, HTML, PDF... as data formats

    Protocoles
    HTTP(s) Utilisation dune URL Mthode de communication (GET, POST, PUT, DELETE)

    Scurit
    Scurit du transport (SSL/TLS) Scurit des messages: HMAC & Doseta (Like XML Signature)

    Autres lments
    Oauth, API Keys

    22

    Reprsentation REST (exemple JSON)

    23

    Mthodes REST

    24

    REST: Dmystification des protocoles


    Dcouverte ???

    Description

    WADL, Swagger ***

    Message

    XML, JSON, etc.

    Protocole

    HTTP, HTTPS

    Transport

    TCP/IP

    *** Avant-gardiste mais peux utiliser

    25

    26

    SOAP vs REST

    27

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    28

    http://fr.wikipedia.org/wiki/Diagramme_de_flux_de_donn%C3%A9es

    29

    30

    Modle STRIDE

    https://www.owasp.org/index.php/Application_Threat_Modeling

    31

    Menaces selon le DFD Acme SA


    Threat 1
    Interception des messages (Information disclosure) Modification des messages (Tampering) Usurpation didentit (Spoofing)

    Threat 2
    Attaque de lapplication
    BoF Injection DoS & DDoS Etc

    32

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    33

    ACME SA: Rduction des risques ?


    Chiffrement du transport AuthN SSL Mutual AuthN / X509 WAF / XML Gateway Intgrit et confidentialit des messages Secure Coding

    34

    Chiffrement du transport
    SOAP / XML HTTPS SSL/TLS tunnel SSH IPSEC Etc. HTTPS REST

    35

    AuthN
    SOAP / XML HTTP Basic, Digest, HTTP Header Mutual SSL IP trust WS Security user name password WS SAML Authentication token XML Signature Kerberos Etc. HTTP Basic, Digest, HTTP Header Mutual SSL IP trust Oauth API Keys REST

    36

    SSL Mutual AuthN / X509 / PKI


    SOAP / XML SSL/TLS Mutual AuthN** REST SSL/TLS Mutual AuthN**

    ** Man in the middle not possible (As I Know)

    37

    WAF / XML Gateway (Protection primtrique)


    SOAP / XML Reverse Proxy Contrle requtes HTTP Rupture SSL/TLS Black List White List Validation WSDL Signature & Verification Encryption & Decryption SAML REST Reverse Proxy Contrle requtes HTTP Rupture SSL/TLS Black List White List

    38

    Intgrit et confidentialit des messages


    SOAP / XML REST

    XML Signature XML Encryption

    (p.ex: HMAC, Doseta) JSON Signature **

    ** Pas de chiffrement ma connaissance

    39

    Code security
    SOAP / XML - Data input validation - Data output encoding - Pseudorandom data generation, high entropy - Strong / reliable data encryption algorithms - Data leakage prevention - Robust error & exception handling - Anti-automation and expiration measures REST - Data input validation - Data output encoding - Pseudorandom data generation, high entropy - Strong / reliable data encryption algorithms - Data leakage prevention - Robust error & exception handling - Anti-automation and expiration measures

    OWASP Application Security Verification Standard (ASVS): https://www.owasp.org/index.php/ASVS WASC web application weaknesses: http://projects.webappsec.org/w/page/13246978/Threat%20Classification

    40

    REST & OAuth

    41

    Agenda
    Quest-ce quun Web Service ? SOAP REST Threat Modeling / ACME SA Rduction des risques Conclusion Questions

    42

    Conclusion
    SOAP:
    Implmenter les standards WS-* lis la scurit Mettre en place un filtrage applicatif (WAF, XML GW) Complexe mettre en uvre (PKI, Secure coding, Cryptography, etc.) Architecture forte contrainte de scurit

    REST
    Mettre en place un filtrage applicatif (WAF, XML GW) Implmentation rapide et facile tendance Architecture de type Cloud, Intranet, Social Login, etc.

    On attend avec impatience les standards scu pour REST ??? Pragmatique: protection primtrique, chiffrement et Secure Coding ???

    43

    Pour aller plus loin.

    44

    Questions?

    45

    Merci / Thank you!


    Contact:
    sma@maret-consulting.ch @smaret http://www.maret-consulting.ch Slides:
    http://slideshare.net/ASF-WS/

    You might also like