SOA Security: The Basics
- 13 March, 2009 10:20
In this article, we examine how security applies to Service Oriented Architecture (SOA). Before we discuss security for SOA, let's take a step back and examine what SOA is. SOA is an architectural approach in which applications are exposed as "services". Originally, services in SOA were associated with a stack of technologies that included SOAP, WSDL, and UDDI. However, many grassroots developers then showed a preference for lightweight REST (Representational State Transfer) services over the more heavyweight SOAP messages, with the result that REST is now an accepted part of SOA. The rise of Web 2.0 has cemented REST's place in the SOA world, since REST is widely used in Web 2.0. More recently, Cloud services such as Amazon's Simple Queuing Service (SQS) may be used alongside local services to create a "hybrid" SOA environment. The result of all this is that SOA now encompasses the original SOAP/WSDL/UDDI stack, REST services, and the Cloud. From a security professional's point of view, all of it must be secured.
It is tempting to launch into a description of SOA Security without first asking "Why?" Why apply security to SOA? One obvious answer is to protect the SOA infrastructure against attack. This is a valid reason, but there are also enabling, positive reasons for applying security to SOA, such as the ability to monitor usage of services in a SOA. We begin by examining the attacks against SOA technologies, both SOAP and REST. Then we examine how standards such as WS-Security allow policies to be applied to SOA, thus allowing controlled usage and monitoring. Finally, we examine the security ramifications when an enterprise integrates local on-site applications with cloud computing services.
Countering SOA Threats
What are the content-based threats affecting XML and REST services within an SOA? In the case of XML, there have been several publicized attacks, such as XML Entity-Expansion and SQL Injection.
SQL Injection
In a SOA, SQL Injection attacks involve the insertion of SQL fragments into XML data to return inappropriate data, or to produce an error which reveals database access information.
A successful SQL Injection attack in SOA has two prerequisites:
- Data received by a Service in the SOA is inserted directly into a SQL statement.
- The SQL statement is run with sufficient privileges to execute the attack.
To counter this attack, it is important to ensure that data received from untrusted users is not directly placed into SQL statements. This can be achieved by enforcing content-validation and threat-detection rules over incoming content.
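The following is an added example, not code from the article, that shows the first prerequisite above in a small service handler and the corrected form. The XML request format, the `customers` table and the sample payloads are all constructed for illustration; the hardened version validates the extracted value (a content-validation rule) and binds it as a query parameter so that it can never be interpreted as SQL.

```python
import sqlite3
import xml.etree.ElementTree as ET

def build_db():
    """Constructed in-memory table standing in for the service's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "alice", "a-secret"), (2, "bob", "b-secret")])
    return db

def customer_id_from_xml(payload):
    """Extract <customerId> from a SOAP-style request body (constructed schema)."""
    root = ET.fromstring(payload)
    return root.findtext(".//customerId")

def lookup_vulnerable(db, payload):
    """Prerequisite 1: untrusted XML data is pasted straight into the SQL text."""
    cid = customer_id_from_xml(payload)
    sql = "SELECT name FROM customers WHERE id = " + cid
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, payload):
    """Validate the value, then bind it as a parameter so it is only ever data.
    (Prerequisite 2 is addressed separately: run the service's database
    account with read-only, least-privilege rights.)"""
    cid = customer_id_from_xml(payload)
    if cid is None or not cid.isdigit():          # content-validation rule
        raise ValueError("customerId must be a positive integer")
    sql = "SELECT name FROM customers WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(cid),))]

# Constructed sample requests: a normal lookup and one carrying a SQL fragment
BENIGN = "<getCustomer><customerId>1</customerId></getCustomer>"
INJECTED = "<getCustomer><customerId>1 OR 1=1</customerId></getCustomer>"

if __name__ == "__main__":
    print("vulnerable, benign :", lookup_vulnerable(build_db(), BENIGN))
    print("vulnerable, injected:", lookup_vulnerable(build_db(), INJECTED))
    print("hardened, benign   :", lookup_hardened(build_db(), BENIGN))
    try:
        lookup_hardened(build_db(), INJECTED)
    except ValueError as err:
        print("hardened, injected : rejected ->", err)
```

Running it shows the concatenated query returning every customer for the injected request, while the hardened handler rejects the same request before any SQL is executed.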