
Challenges in security design of service-oriented software

application can call a web service which can eventually call
a number of web services of which the user is not aware; the
application can then process the response from one web service
and use the processed response to call another web service to
get the required response. The user is not aware of how many
services are eventually called, where all these services are
deployed, who the provider of these services is, or how safe
these services are. So, security is the main challenge in the
design of any application using SOA. Due to the
service-oriented and loosely coupled architecture, most of the
services are vulnerable to security attacks and to unauthorized
access if proper security measures or practices are not
implemented.

Abstract
In the evolution of application architecture, systems have
changed from single standalone systems to client-server
architecture to distributed multi-tier architecture to
service-oriented architecture (SOA). Since the days of single
mainframe-based systems, security has always played an
important role. Integrating security in any of the above
architectures was always a challenge, and in SOA, due to its
complex structure, incorporating security is a really big
challenge. In SOA we treat each and every service as an
independent application and need to maintain security at each
service with different standards and policies. Due to its
loosely coupled architecture and a number of other advantages
such as reusability and its flexible and customizable nature,
it has been widely used across organizations, and thus it is
important to secure the SOA infrastructure. Though a number of
security standards and policies, such as SAML (Security
Assertion Markup Language) and WS-Security, given by OASIS
(Organization for the Advancement of Structured Information
Standards), are available, designing a secure SOA
infrastructure is still a challenge. Hence, this paper mainly
focuses on the challenges in security design of
service-oriented software, known vulnerabilities and attacks
in SOA, and some proposed mitigations and design techniques to
implement security in SOA applications.

SOA has become highly popular in recent years for many reasons,
such as [1]:
1. Reuse: The code can be reused among different services and
applications any number of times.
2. Maintenance: As functional modules are independent of each
other, maintenance of the application is easy.
3. Interoperability: Services are free to use any language or
any operating system and can run on any framework.
4. Chaining: SOA can chain a number of services and can add to
the significance of a single service.
5. Flexibility: As one can change, add or delete services at
any time, maintaining flexibility is much easier.
The figure below shows the SOA architecture.

Keywords: Service-oriented Software, Security challenges of
SOA, Security vulnerabilities, Security in SOA, Attacks in SOA,
Secure Service-oriented architecture, Security standards in SOA

1. Introduction
What is Service Oriented Architecture?
SOA is a combination of different services which are connected
to each other by some standard protocol. The application is
composed of different services which are called to get the
result. Each service acts as a separate component, and the
services communicate with each other using protocols such as
SOAP or REST. The services are created and hosted by service
providers on a hosting server. So, using well-defined
interfaces, we can call a particular web service. All services
which are used are platform independent and can be reused any
number of times. An

Figure 1. SOA Architecture [2]

service is running. So whenever we deal with sensitive data,
we must secure each and every service used in the application.
All the data bindings, the references, and the input and output
ports must be secure, and the flow of the data should be
maintained. Data containing sensitive information must be
encrypted using any standard encryption algorithm. Though we
are not securing the channel, as the data is encrypted, the
whole SOA architecture is secure and we can protect our data
from misuse.

2. Challenges in Software Oriented Architecture

Nowadays, in developing a software application or a software
system, the software oriented architecture is highly popular.
However, when we think of software oriented architecture, we
need to deal with new security challenges to support the
development and design of highly secure, service-oriented
systems and applications. The developer needs to think about
security flaws and vulnerabilities. The integration of security
in a distributed software design using service-oriented
architecture is difficult, as there is no standard way or
design for all kinds of services in the application. Also, a
secure design for a particular service may not be proper for
another service and can cause a serious security flaw.
Below are some of the common security challenges:

2.2 Security vulnerabilities

Though SOA is widely used in software development, developers
sometimes fail to secure SOA services and architectures. In
practice, inaccurate vendor implementations, configuration
problems, and coding mistakes can lead to exploitable
vulnerabilities in web services [3]. Developers must understand
all these vulnerabilities and should take the necessary
countermeasures.

2.1 Data/Information Control

Reusability is one of the main and most important features of
distributed software development using service-oriented
architecture. Due to this, one service can be called from a
number of applications and can be used at different levels in
the application architecture. Also, the number of services
called from a particular web service is unknown. The services
are hidden from each other, and data is simply transferred from
one service to another without knowledge of the actual
implementation. So at a high level of architecture, the size of
the application seems very small, and the security methods and
standards used for data control and sensitive information
protection at the application level are not adequate at each
and every service level. In client-server architecture, one is
aware of the actual physical location of the server, and thus
we can control and secure the whole channel to control the data
flow and can keep sensitive data secure throughout the
transmission. We can impose the same on the client and server
machines, and the whole architecture is thus secured by having
some standard security mechanism to control the data flow.
But as the physical location of the services used in SOA is
unknown, we can't secure the network traffic or the server
where the actual code of the
Mitigation: Developers must validate all the service input
parameters. One should not rely on the user's understanding and
assume that he will only give valid inputs. In the case of SQL
injection, instead of direct SQL queries, developers must use
prepared statements and can use server-side validations.
Developers must remove all malicious scripts in the queries and
quarantine words like javascript.

2.2.1 Injection Flaw

When input validation is not properly handled, a malicious user
can attack and breach the software's security by providing
malicious inputs. Some of the common injection flaws are SQL
injection and XPath. In SQL injection, an attacker can place
malicious scripts in the user inputs and run these database
scripts on the database server, and thus sensitive data can get
exposed. If the attacker is aware of the table name and the
table structure, which he can get from an exception due to
improper exception handling, then the attacker can cause
serious damage to the database and can even control the whole
database access.
    query simpleSQLInjection()
    uses object HttpServletRequest r;
         object Connection c; object String p;
    matches { p = r.getParameter(); }
    replaces c.execute(p) with
         Util.CheckedSQL(c, p);
Listing 1. PQL query for simple SQL injection [8]
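
The mitigation above (server-side validation plus prepared statements) can be seen side by side with the flawed pattern in the following added example, which is not code from the paper or from [8]. The table, the function names and the owner allow-list are assumptions made for the illustration.

```python
import re
import sqlite3

# Hypothetical allow-list for the "owner" parameter (server-side validation).
OWNER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed sample data standing in for the service's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", 100), ("bob", 250)])
    return con


def lookup_vulnerable(con, owner):
    # The request parameter becomes part of the SQL text, so the database
    # cannot tell data from query syntax (the c.execute(p) pattern).
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return con.execute(sql).fetchall()


def lookup_prepared(con, owner):
    # Placeholder binding: the parameter is always treated as a value.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return con.execute(sql, (owner,)).fetchall()


def lookup_hardened(con, owner):
    # Validate on the server first, then use the prepared form.
    if not isinstance(owner, str) or not OWNER_RE.fullmatch(owner):
        raise ValueError("invalid owner parameter")
    return lookup_prepared(con, owner)


if __name__ == "__main__":
    con = make_db()
    crafted = "nobody' OR '1'='1"          # constructed input
    print(lookup_vulnerable(con, crafted))  # every row comes back
    print(lookup_prepared(con, crafted))    # no row matches the literal string
    print(lookup_hardened(con, "alice"))
```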
busy, making the service unavailable. As most of the services
in SOA use either the SOAP or REST protocol, an attacker can
create a large XML payload as an input request and can send
multiple such requests, making the service unavailable to
other users.
XML Parsing: By exploiting parsing methods such as SAX or DOM,
an attacker mostly tries to break the services or change the
logic using the XML. As DOM parsers load the entire XML into
memory, the XML sent through an input request can consume most
of the server-side resources, resulting in denial of service.
Mitigation: A strong authentication technique for incoming
requests should be used and must be

2.2.2 Denial of Service Attack

If proper authentication techniques are not used, then an
attacker can send a number of requests to the web service and
can keep all the resources of the service

processed before processing the whole body of the incoming
request. Also, while processing an incoming request, one should
use a strong parser to validate the request against noxious
messages.
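
A sketch of that ordering, as an added example that is not part of the original paper: the request is authenticated first, its size is checked next, and only then is the body streamed through a parser that enforces depth and element limits without building a DOM tree. The header name X-Auth-Token, the token store and the numeric limits are assumptions.

```python
import hmac
import xml.parsers.expat

MAX_BODY_BYTES = 64 * 1024   # assumed limits, tune per service
MAX_DEPTH = 32
MAX_ELEMENTS = 5000
API_TOKENS = {b"constructed-token-123"}   # constructed credential store

# Constructed sample request body.
SAMPLE_ENVELOPE = (b"<Envelope><Header/><Body><getQuote>"
                   b"<symbol>ABC</symbol></getQuote></Body></Envelope>")


class RequestRejected(Exception):
    pass


def authenticate(headers):
    # Hypothetical header name; constant-time comparison of the token.
    token = headers.get("X-Auth-Token", "").encode()
    return any(hmac.compare_digest(token, t) for t in API_TOKENS)


def check_xml_limits(body):
    """Stream the body through expat; nothing is kept in memory as a tree."""
    state = {"depth": 0, "count": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["count"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RequestRejected("nesting too deep")
        if state["count"] > MAX_ELEMENTS:
            raise RequestRejected("too many elements")

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RequestRejected("malformed XML") from exc
    return state["count"]


def admit_request(headers, body):
    # 1. Authenticate before any work is spent on the body.
    if not authenticate(headers):
        raise RequestRejected("unauthenticated")
    # 2. Cheap size check (a real server would check the declared
    #    length before reading the body at all).
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("body too large")
    # 3. Only now parse, with limits enforced during parsing.
    return check_xml_limits(body)


if __name__ == "__main__":
    print(admit_request({"X-Auth-Token": "constructed-token-123"},
                        SAMPLE_ENVELOPE))
```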

application and can breach the security. An attacker can even
load a large malicious file which takes a long time or is very
difficult to process. As such attachments have no meaning, they
cause a denial of service attack.

2.2.3 Information Leakage

Web services that generate fault messages are always useful, as
they give information if something goes wrong in the
application. But sometimes they give extra information. A WSDL
contains server directory information, internal IP address
information, available services and methods, and other critical
information valuable to an attacker [3].
Mitigation: One should configure the server in such a way that
it does not reveal much of the server's internal information
through the WSDL description.

2.4 Security issues of New Services

Most of the organizations which use SOA for application
development need to update the system to meet business
requirements. If, in the initial phase, we imposed some
security standards on a particular service and later someone
modified the implementation by adding new service endpoints,
then there is no formal way to manage the security of the new
service. In the modification, one can add new service calls
which are from some unauthorized vendor and can set the
response. But what if the service is dealing with sensitive
data? And as business requirements change over time,
organizations always prefer to have multiple deployments of the
applications. Also, deployments of these new services can have
an adverse effect on the existing secure services, as they are
all interconnected. Also, whenever new services are added to
the application, the application should be tested thoroughly
and should be checked for any vulnerability.

2.2.4 Inadequate Testing

If testing is not done properly before the release of the
application, then a number of vulnerabilities can be found, and
an attacker gets multiple options to break the application.
Inadequate testing results in a lot of weak links, which
attackers are always in search of.
Mitigation: All the services in the application should be
tested thoroughly, and all security flaws noticed in the
testing phase need to be removed.

2.3 SOA specific Vulnerabilities

3. Security in Service Oriented Software

2.3.1. WSDL scanning

A web service generally provides information about its
operations, endpoint bindings, and parameters. Some of these
operations are sensitive and are used by internal users such as
administrators. The rest are available to users who consume the
WSDL. But as the endpoints are available to end users, an end
user can, by viewing the operation names, guess the names of
the sensitive operations and get access.
Mitigation: By using role-based access control, we can restrict
this type of attack by WSDL scanning. Use of an XML firewall
also restricts attacks by WSDL scanning.

Due to the distributed nature of the system or architecture,
handling security at the service level is challenging. Also, as
services are not even in a single network and can be called
from any remote location, achieving security is a really tough
task. Also, the protocols used to communicate are not mature
enough to handle security, as in many cases, when they were
initially used for communication, security was not considered
and they were used just to make the application work. Also,
XML, which is used to build the SOA security functions, brings
its own security issues, as there is no standard secure
procedure to define the XML. An XML parser can parse the XML in
the format which it chooses, and this brings insecurity to the
XML signature.

2.3.2 WS-Addressing spoofing

As endpoints are visible in the WSDL, an attacker can modify
the endpoints and point them to some malicious or fake
services. By using such tactics an attacker can get sensitive
information such as a username or password.
Mitigation: Validating endpoint URLs before processing the
client request can avoid such a vulnerability.
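
One way to carry out that validation, as an added example that is not part of the original paper: the reply and fault endpoints named in a message's WS-Addressing 1.0 headers are checked against an allow-list before the request is processed. The host names, the allow-list and the sample envelope are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1
WSA_NS = "http://www.w3.org/2005/08/addressing"         # WS-Addressing 1.0
ANONYMOUS = WSA_NS + "/anonymous"   # "reply on the same connection"
# Hypothetical allow-list of hosts this service may send replies to.
ALLOWED_HOSTS = {"orders.example.com", "billing.example.com"}

# Constructed sample message: one acceptable ReplyTo, one unknown FaultTo.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsa="{WSA_NS}">
  <s:Header>
    <wsa:ReplyTo>
      <wsa:Address>https://orders.example.com/callback</wsa:Address>
    </wsa:ReplyTo>
    <wsa:FaultTo>
      <wsa:Address>http://collector.invalid/faults</wsa:Address>
    </wsa:FaultTo>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def endpoint_allowed(url):
    """True only for the anonymous URI or an https URL on an allowed host."""
    if url == ANONYMOUS:
        return True
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    # Require https and refuse embedded credentials (user@host forms).
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    # Exact host match, never a prefix or substring comparison.
    return parts.hostname in ALLOWED_HOSTS and port in (None, 443)


def rejected_endpoints(envelope_xml):
    """Return (header, address) pairs that fail validation."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP_NS}}}Header")
    rejected = []
    if header is None:
        return rejected
    for prop in ("ReplyTo", "FaultTo"):
        for epr in header.findall(f"{{{WSA_NS}}}{prop}"):
            address = (epr.findtext(f"{{{WSA_NS}}}Address") or "").strip()
            if not endpoint_allowed(address):
                rejected.append((prop, address))
    return rejected


if __name__ == "__main__":
    # A non-empty result means the request is refused before processing.
    print(rejected_endpoints(SAMPLE))
```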

4. Security Architecture in Service Oriented Software

In SOA, the best security architecture is one which is not
vulnerable at any point in all the service endpoints. A
security architecture should consider all these vulnerabilities
and make sure the system is secure enough to deal with
attackers. While

2.3.3 Harmful SOAP attachment

An attacker can attach any malicious file or contents to the
SOAP header which is harmful to the

designing a security architecture for any system, the two main
issues in maintaining security are:
1. The complex nature of SOA because of the services and their
interconnection.
2. Securing the weakest link in the system. As the complexity
of the architecture increases, it creates more loopholes in the
system, due to which it is difficult to find the weakest
insecure link in the system. And if an attacker gets access
through this link, the whole system will be exposed. So the
secure architecture should maintain a proper balance between
the complexity and the security of the application. Also, in
most organizations, it is often seen that security is not
considered in the early phase of the application lifecycle,
which results in many loopholes, as it is difficult to find
each and every endpoint of the services in the application
because an application implementing SOA becomes more and more
complex as it proceeds through the lifecycle. So the best
practice is to consider security from the first phase of the
application lifecycle.

loosely connected to each other by some XML-based protocol such
as SOAP or XML, can use different environments and programming
languages. Also, one cannot be sure about the operating system
on which they are running. So the security standards may change
from service to service. So the model or the techniques used to
secure the application at one service or at one client must be
re-thought or reconsidered as soon as the flow comes to the
next service. So, to deal with malicious attackers along with
the complex nature of the system, the SOA architecture needs
highly secure services which can be used at different levels in
SOA. There are some standards available, developed by OASIS,
such as WS-Security, WS-Trust, SAML 2.0, WS-SecureConversation,
and WS-Policy, which are widely used to impose security in
applications using SOA. They mainly focus on the security
features of the application and mitigate most of the
vulnerabilities. The figure below shows the security
architecture of an SOA application.

The table below shows the security architecture.

Table 1. Security Life Cycle Phases [6]
Life Cycle Phase | Definition |
Design | From initial idea to design specs | Subtly alter system specification to create a flaw
Production | From build-to specs to roll-out | Substitute security-critical chip on production line
Deployment | From roll-out to transit to delivery to user | Substitute system unit while in transit with bogus unit
Operation and maintenance | From delivery to maintenance to retirement | Insert malicious code into application, OS, or network
Destruction | From retirement to destruction | Extract stored key from unit to read back-traffic

Figure 2. SOA Security Architecture [6]


The web service architecture is composed of 3 main
layers:
Web service layer
Web services framework layer
Web server layer

As we know, in SOA different services communicate with each
other either by simple data transfer or by calling other
services to get the result. As web services are an integral
part of the distributed system, we need to make sure to secure
both the client and the server on which the service is
deployed, the network communication between these services, and
the endpoints of the services. So we need to come up with a
model which is based on a distributed model and is common to
both the client and the server. But again, in SOA, the client
and server or all the other services, which are independent of
each other and are
As web services play an important role in SOA, services must be
composed in a secure way, and thus some security standards and
policies must be imposed. Each service maintains standards and
policies locally and can communicate with others in the SOA
layer with security contracts defined for that service. This
way of invoking methods from a web service is called the Call
by Contract mechanism, and at each web service layer we can
design service compositions and methods with a security
contract for that method.
The elements of security for web services consist of
Authentication, Authorization, Integrity, Non-repudiation,
Confidentiality, and Privacy. To secure the web service, we
must consider factors like Secure Messaging, Protection of
resources, Negotiation of contracts, and Trust management [4].
One of the main aspects of the security of architectures is:
how well does the system authenticate the users and protect the
application and data elements? [5]
Security approaches for securing Service Oriented Architectures
1. Network Layer: At the network layer, one can implement
security using a router, firewall and packet filter. It limits
the client machine to operating within a particular network,
e.g. an intranet. It can block the incoming and outgoing
traffic based on several factors such as IP address, machine
address and internet provider. Also, use of specific ports for
the incoming traffic helps to secure the connection.
2. Transport Layer: Use of SSL and TLS limits access to the
service to only authorised users. Use of public key
certificates and SAML encryption of data over the network
offers service-to-service security.
3. Application Layer: Using message contents such as digital
signatures and digital certificates authorized by a trusted
Certificate Authority can limit access to the resources.

Figure 3. Security Solutions in SOA [9]

6. Conclusion
Though SOA is widely accepted by various organizations,
security in SOA is still a challenge. Incorporating security in
SOA architecture is still a difficult task. Building a secure
SOA-based application without any vulnerability is challenging
and consumes a lot of resources and time. As attackers are
inventing new vulnerabilities day by day, it's still very
difficult to minimize the knowledge gap between developers and
attackers. Also, due to the distributed nature of models in
SOA, implementing one standard security design pattern is not
possible, or rather is not sufficient, as designers need to
think about the different services and the network through
which they communicate and need to secure the whole channel.
The most challenging work in security design is to secure the
weakest link, as attackers are always in search of such a link
and can use it to get access to the entire application and
breach its security. Though a lot of security design
principles, such as Secure the weakest link, Defense in depth,
Use least privilege, and Fail securely, are available to
identify weaknesses in the design of the SOA architecture,
ensuring a secure application is not that easy. A lot of
research is currently going on to implement new approaches to
make SOA more secure. Web services are designed to impose
security. Efforts are being made in designing new standards and
security principles such as WS-Security, WS-Trust and SAML to
mitigate all these vulnerabilities and make SOA more secure and
safe in software design.

5. Solutions for Security in SOA

As security standards and protocols are different for each and
every service in SOA, it is very challenging to find a solution
complying with every entity and methodology. For this reason,
we must employ some measures to achieve some measure of
security in SOA. The security measures that can be used are
Confidentiality, Authorization, Security Policies, Attack
Prevention and Tolerance, etc. [9]. Each of these factors helps
in improving the security of service-oriented architecture, in
turn gaining more trust from the end users of the service.
Additional security solutions possible in SOA are shown in the
figure below.

7. References

[1] N. Bhalla and S. Kazerooni, Web Service Vulnerabilities: A
white paper outlining the application level threats to web
services.
[2] The Service Oriented Architecture (SOA) Philosophy,
http://interactiveasp.net/blogs/natesstuff/archive/2008/11/05/the-service-oriented-architecture-soaphilosophy.aspx
[3] SOA Security Vulnerabilities,
https://www.nsa.gov/ia/_files/factsheets/soa_security_vulnerabilities_web.pdf
[4] Kumar, D. Sravan, and M. Upendra Kumar. "Designing
Dependable Service Oriented Web Services Security Architectures
Solutions." International Journal of Engineering and Technology
(2010).
[5] Mouratidis, Haralambos, and Paolo Giorgini, eds.
Integrating security and software engineering: Advances and
future visions. Igi Global, 2007.
[6] Designing Dependable Service Oriented Web Services Security
Architectures Solutions,
http://www.enggjournals.com/ijet/docs/IJET1002-02-17.pdf
[7] Vulnerability Analysis in SOA-based Business Processes,
http://www2.informatik.unifreiburg.de/~accorsi/papers/ieee-tsc10.pdf
[8] M. Martin, B. Livshits, and M. S. Lam, Finding application
errors and security flaws using PQL: a program query language,
in ACM OOPSLA Conference, 2005.
[9] Varvana Myllarniemi, Security in Service-Oriented
Architectures: Challenges and Solutions, Helsinki University of
Technology, P.O. Box 9210, 02015 TKK, Finland.
[10] Ajay Tipnis and Ivan Lomelli, Security a Major Imperative
for an Service-Oriented Architecture,
http://www.commonskys.com/12thPrivacySecurity/SecurityComplianceServices/ApplicationSecurity/Security_A%20MajorImperative_for_anSOAArchitecture.pdf
