Suche senden
Hochladen
Soa And Web Services Security
•
2 gefällt mir
•
1,339 views
C
ConSanFrancisco123
Folgen
Technologie
Melden
Teilen
Melden
Teilen
1 von 85
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Canada
Deploying Secure Converged Wired, Wireless Campus
Deploying Secure Converged Wired, Wireless Campus
Rassul Ismailov
Java EE Next
Java EE Next
David Delabassee
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
Nur Shiqim Chok
Attacking XML Security
Attacking XML Security
Yusuf Motiwala
Java EE 8 - February 2017 update
Java EE 8 - February 2017 update
David Delabassee
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
Cisco Connect Vancouver 2017 - Cisco Meraki -Let Simple Work For You
Cisco Connect Vancouver 2017 - Cisco Meraki -Let Simple Work For You
Cisco Canada
Empfohlen
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
Cisco Canada
Deploying Secure Converged Wired, Wireless Campus
Deploying Secure Converged Wired, Wireless Campus
Rassul Ismailov
Java EE Next
Java EE Next
David Delabassee
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
Nur Shiqim Chok
Attacking XML Security
Attacking XML Security
Yusuf Motiwala
Java EE 8 - February 2017 update
Java EE 8 - February 2017 update
David Delabassee
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
Cisco Connect Vancouver 2017 - Cisco Meraki -Let Simple Work For You
Cisco Connect Vancouver 2017 - Cisco Meraki -Let Simple Work For You
Cisco Canada
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
Cisco Canada
Webex Control Hub -IT Control no matter where they work
Webex Control Hub -IT Control no matter where they work
Cisco Webex
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
Robb Boyd
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
Cisco Canada
REST in an Async World
REST in an Async World
David Delabassee
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Canada
Ise 1 2-bdm-v4
Ise 1 2-bdm-v4
Danny Liu
Resume
Resume
Olivier Diby
Cisco Study: State of Web Security
Cisco Study: State of Web Security
Cisco Canada
JAX-RS 2.1 Reloaded
JAX-RS 2.1 Reloaded
David Delabassee
[Cisco Connect 2018 - Vietnam] Yedu s. introducing cisco dna assurance
[Cisco Connect 2018 - Vietnam] Yedu s. introducing cisco dna assurance
Nur Shiqim Chok
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security Explained
Cisco Canada
Cloud summit demystifying cloud security
Cloud summit demystifying cloud security
David De Vos
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Canada
How to Transform Your Workplace with Hybrid Collaboration
How to Transform Your Workplace with Hybrid Collaboration
Cisco Webex
Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19
Daniel Pastrana
John Merline - How make your cloud SASE
John Merline - How make your cloud SASE
AWS Chicago
Cisco Connect 2018 Singapore - Easing the Transition
Cisco Connect 2018 Singapore - Easing the Transition
NetworkCollaborators
Cisco Connect Toronto 2018 consuming public and private clouds
Cisco Connect Toronto 2018 consuming public and private clouds
Cisco Canada
Monetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless Networks
Cisco Service Provider
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Canada
Application Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
QConLondon2008
Weitere ähnliche Inhalte
Was ist angesagt?
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
Cisco Canada
Webex Control Hub -IT Control no matter where they work
Webex Control Hub -IT Control no matter where they work
Cisco Webex
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
Robb Boyd
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
Cisco Canada
REST in an Async World
REST in an Async World
David Delabassee
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Canada
Ise 1 2-bdm-v4
Ise 1 2-bdm-v4
Danny Liu
Resume
Resume
Olivier Diby
Cisco Study: State of Web Security
Cisco Study: State of Web Security
Cisco Canada
JAX-RS 2.1 Reloaded
JAX-RS 2.1 Reloaded
David Delabassee
[Cisco Connect 2018 - Vietnam] Yedu s. introducing cisco dna assurance
[Cisco Connect 2018 - Vietnam] Yedu s. introducing cisco dna assurance
Nur Shiqim Chok
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security Explained
Cisco Canada
Cloud summit demystifying cloud security
Cloud summit demystifying cloud security
David De Vos
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Canada
How to Transform Your Workplace with Hybrid Collaboration
How to Transform Your Workplace with Hybrid Collaboration
Cisco Webex
Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19
Daniel Pastrana
John Merline - How make your cloud SASE
John Merline - How make your cloud SASE
AWS Chicago
Cisco Connect 2018 Singapore - Easing the Transition
Cisco Connect 2018 Singapore - Easing the Transition
NetworkCollaborators
Cisco Connect Toronto 2018 consuming public and private clouds
Cisco Connect Toronto 2018 consuming public and private clouds
Cisco Canada
Monetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless Networks
Cisco Service Provider
Was ist angesagt?
(20)
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
Webex Control Hub -IT Control no matter where they work
Webex Control Hub -IT Control no matter where they work
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
REST in an Async World
REST in an Async World
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
Ise 1 2-bdm-v4
Ise 1 2-bdm-v4
Resume
Resume
Cisco Study: State of Web Security
Cisco Study: State of Web Security
JAX-RS 2.1 Reloaded
JAX-RS 2.1 Reloaded
[Cisco Connect 2018 - Vietnam] Yedu s. introducing cisco dna assurance
[Cisco Connect 2018 - Vietnam] Yedu s. introducing cisco dna assurance
Cloud and On Premises Collaboration Security Explained
Cloud and On Premises Collaboration Security Explained
Cloud summit demystifying cloud security
Cloud summit demystifying cloud security
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
How to Transform Your Workplace with Hybrid Collaboration
How to Transform Your Workplace with Hybrid Collaboration
Daniel Pastrana 12-15-19
Daniel Pastrana 12-15-19
John Merline - How make your cloud SASE
John Merline - How make your cloud SASE
Cisco Connect 2018 Singapore - Easing the Transition
Cisco Connect 2018 Singapore - Easing the Transition
Cisco Connect Toronto 2018 consuming public and private clouds
Cisco Connect Toronto 2018 consuming public and private clouds
Monetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless Networks
Ähnlich wie Soa And Web Services Security
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Canada
Application Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
QConLondon2008
Dave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
deimos
SSO With APEX and ADFS the weblogic way
SSO With APEX and ADFS the weblogic way
makker_nl
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way
makker_nl
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
Michael Noel
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
RightScale
2012 11-16 cloud practices-in_trend_micro_2012 - chung-tsai su
2012 11-16 cloud practices-in_trend_micro_2012 - chung-tsai su
netdbncku
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
Eduardo Pelegri-Llopart
Balance agility and governance with #TrueDataOps and The Data Cloud
Balance agility and governance with #TrueDataOps and The Data Cloud
Kent Graziano
Understanding AWS security
Understanding AWS security
Amazon Web Services
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
Vasiliy Fomichev
Istio Service Mesh
Istio Service Mesh
Lew Tucker
Jan 2008 Allup
Jan 2008 Allup
llangit
Creating Polyglot Communication Between Kubernetes Clusters and Legacy System...
Creating Polyglot Communication Between Kubernetes Clusters and Legacy System...
VMware Tanzu
Cloud vs. On-Premises Security: Can you afford not to switch?
Cloud vs. On-Premises Security: Can you afford not to switch?
Zscaler
Azure Services Platform
Azure Services Platform
David Chou
OWASP an Introduction
OWASP an Introduction
alessiomarziali
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)
Priyanka Aash
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
xKinAnx
Ähnlich wie Soa And Web Services Security
(20)
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Application Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
Dave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
SSO With APEX and ADFS the weblogic way
SSO With APEX and ADFS the weblogic way
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
2012 11-16 cloud practices-in_trend_micro_2012 - chung-tsai su
2012 11-16 cloud practices-in_trend_micro_2012 - chung-tsai su
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
Balance agility and governance with #TrueDataOps and The Data Cloud
Balance agility and governance with #TrueDataOps and The Data Cloud
Understanding AWS security
Understanding AWS security
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
Istio Service Mesh
Istio Service Mesh
Jan 2008 Allup
Jan 2008 Allup
Creating Polyglot Communication Between Kubernetes Clusters and Legacy System...
Creating Polyglot Communication Between Kubernetes Clusters and Legacy System...
Cloud vs. On-Premises Security: Can you afford not to switch?
Cloud vs. On-Premises Security: Can you afford not to switch?
Azure Services Platform
Azure Services Platform
OWASP an Introduction
OWASP an Introduction
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)
Presentation a hitchhiker’s guide to the inter-cloud
Presentation a hitchhiker’s guide to the inter-cloud
Mehr von ConSanFrancisco123
Open Ap Is State Of The Market
Open Ap Is State Of The Market
ConSanFrancisco123
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
ConSanFrancisco123
Ruby V Ms A Comparison
Ruby V Ms A Comparison
ConSanFrancisco123
Yellowpagescom Behind The Curtain
Yellowpagescom Behind The Curtain
ConSanFrancisco123
Teamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any Time
ConSanFrancisco123
Agility Possibilities At A Personal Level
Agility Possibilities At A Personal Level
ConSanFrancisco123
Res Tful Enterprise Development
Res Tful Enterprise Development
ConSanFrancisco123
Gallio Crafting A Toolchain
Gallio Crafting A Toolchain
ConSanFrancisco123
10 Ways To Improve Your Code
10 Ways To Improve Your Code
ConSanFrancisco123
Http Status Report
Http Status Report
ConSanFrancisco123
Behind The Scenes At My Spacecom
Behind The Scenes At My Spacecom
ConSanFrancisco123
Building Blueprint With Gwt
Building Blueprint With Gwt
ConSanFrancisco123
Security Cas And Open Id
Security Cas And Open Id
ConSanFrancisco123
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
Secure Programming With Static Analysis
Secure Programming With Static Analysis
ConSanFrancisco123
Agile Software Development In The Large
Agile Software Development In The Large
ConSanFrancisco123
Introduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome Them
ConSanFrancisco123
Business Natural Languages Development In Ruby
Business Natural Languages Development In Ruby
ConSanFrancisco123
Orbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And Change
ConSanFrancisco123
Introduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered About
ConSanFrancisco123
Mehr von ConSanFrancisco123
(20)
Open Ap Is State Of The Market
Open Ap Is State Of The Market
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
Ruby V Ms A Comparison
Ruby V Ms A Comparison
Yellowpagescom Behind The Curtain
Yellowpagescom Behind The Curtain
Teamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any Time
Agility Possibilities At A Personal Level
Agility Possibilities At A Personal Level
Res Tful Enterprise Development
Res Tful Enterprise Development
Gallio Crafting A Toolchain
Gallio Crafting A Toolchain
10 Ways To Improve Your Code
10 Ways To Improve Your Code
Http Status Report
Http Status Report
Behind The Scenes At My Spacecom
Behind The Scenes At My Spacecom
Building Blueprint With Gwt
Building Blueprint With Gwt
Security Cas And Open Id
Security Cas And Open Id
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
Secure Programming With Static Analysis
Secure Programming With Static Analysis
Agile Software Development In The Large
Agile Software Development In The Large
Introduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome Them
Business Natural Languages Development In Ruby
Business Natural Languages Development In Ruby
Orbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And Change
Introduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered About
Kürzlich hochgeladen
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
Slack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
Kürzlich hochgeladen
(20)
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
Slack Application Development 101 Slides
Slack Application Development 101 Slides
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Soa And Web Services Security
1.
Top Ten Web
Services Security Issues QCon 2007 Security Briefing by Arctec Group (www.arctecgroup.net) ©2005-7 Arctec Group
2.
About Arctec Group •
Best in class enterprise architecture consulting provider focused on enterprise, software, and security architecture • Client list includes numerous global 500 companies, world’s largest electronic financial exchanges, emerging startups and Dept. Homeland Security • Headquarters: IDS Center, Minneapolis, MN; Clientele: global • Web: www.arctecgroup.net ©2005-7 Arctec Group
3.
About the speaker •
Gunnar Peterson – Managing Principal, Arctec Group – Editor Build Security In software security column for IEEE Security & Privacy Journal (www.computer.org/security) – Primary and contributing author for DHS/CERT Build Security In portal on Web Services security, Identity, and Risk management (https://buildsecurityin.us-cert.gov/daisy/bsi/home.html) – Project lead, OWASP XML Security Gateway Evaluation Criteria project (https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evalua tion_Criteria_Project) – Associate editor Information Security Bulletin (www.chi-publishing.com) – Contributor Web Application Firewall Evaluation Criteria (http://www.webappsec.org/projects/wafec/) – Blog: (http://1raindrop.typepad.com) ©2005-7 Arctec Group
4.
Issue 1: You’re
probably not spending enough money/time/focus on app security ©2005-7 Arctec Group
5.
Cocktail napkin metrics If
I have 100 security dollars where should I spend them? ©2005-7 Arctec Group
6.
Investing your $100 •
You go to war with the numbers you have not the numbers you wish you had • Use budget numbers to get at what your business thinks is valuable • What I learned from Pete Lindstrom - An asset is worth at least what you pay to develop, own, and operate it. – Use this to get your floor ©2005-7 Arctec Group
7.
Investing your $100 Where
the business spend its money ©2005-7 Arctec Group
8.
Investing your $100
IT Budget IT Security Network 2,000,000 750,000 Host 8,000,000 400,000 Applications 32,000,000 250,000 Data 12,000,000 100,000 ©2005-7 Arctec Group
9.
IT Budget
IT Security Network 3,000,000 1,000,000 Host 8,000,000 400,000 Applications 32,000,000 250,000 Data 12,000,000 100,000 55,000,000 1,750,000 ©2005-7 Arctec Group
10.
Reblancing
IT Budget IT Security Network 3,000,000 500,000 (-500,000) Host 8,000,000 400,000 (same) Applications 32,000,000 500,000 (+250,000) Data 12,000,000 350,000 (+250,000) 55,000,000 1,750,000 (same) ©2005-7 Arctec Group
11.
Example - Rebalanced
security investment ©2005-7 Arctec Group
12.
Issue 2: Know
your security standards ©2005-7 Arctec Group
13.
Security Standards in
SOA Standard Description WS-Security How to attach security tokens to a Web service message WS-Trust How to move tokens around in a system WS-SecureConversation How to optimize for efficiency SAML Authentication, authorization, and attribute assertions XACML XML policy language for interoperable security policy See: DHS Build Security In portal paper by Lipson & Peterson “Security Concepts, Challenges, and Design Considerations for Web Services Integration” https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/assembly/639.html?branch=1&language=1 ©2005-7 Arctec Group
14.
Identify standards to
address your threats ©2005-7 Arctec Group
15.
STRIDE Threat Model Threat
Description SOA Countermeasure spoofing the identity of a web Spoofing ? services requester or provider tampering with information, such Tampering ? as the contents of the SOAP body repudiate the receipt or Repudiation ? origination of a transaction Information Disclose sensitive information ? Disclosure Denial of Service Disrupt correct operation ? Elevation of ? attacker gains privileges, such as Privilege root More information on STRIDE http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx ©2005-7 Arctec Group
16.
Hello World SOAP
Message <soap:Envelope xmlns:soap=quot;http://schemas.xmlsoap.org/soap/envelope/quot;> <soap:Body> <getCustomerDetails xmlns=quot;http://servicehostquot;/> <name>Joe Smith</name> <customernumber>7301</customernumber> </soap:Body> </soap:Envelope> ©2005-7 Arctec Group
17.
Open Security Standards
WS-Secure WS-Policy WS-Trust Conversation WS-Security SOAP Foundation ©2005-7 Arctec Group
18.
Issue 3: Use
Message Level Security ©2005-7 Arctec Group
19.
WS-Security •
Requirements (from the spec) – Multiple security token formats – Multiple trust domains – Multiple signature formats – Multiple encryption technologies – End-to-end message content security and not just transport-level security • Non-Goals – Establishing a security context or authentication mechanisms. – Key derivation. – Advertisement and exchange of security policy. – How trust is established or determined. – Non-repudiation. ©2005-7 Arctec Group
20.
WS-Security •
SOAP Header for Authentication: – Timestamp – Multiple Token types identifying principals and keys • Unsigned token – Username token: username/password • Signed token format – Kerberos ticket – X509: name and public-key • XML Token format – SAML – Signatures (sign message elements with security token’s key) • XML-DigitalSignature ©2005-7 Arctec Group
21.
Authentication -- Relying on
the SOAP Message ©2005-7 Arctec Group
22.
Hello World SOAP
Message <soap:Envelope xmlns:soap=quot;http://schemas.xmlsoap.org/soap/envelope/quot;> <soap:Body> <getCustomerDetails xmlns=quot;http://servicehostquot;/> <name>Joe Smith</name> <customernumber>7301</customernumber> </soap:Body> </soap:Envelope> ©2005-7 Arctec Group
23.
Alice Signs Message
©2005-7 Arctec Group
24.
Hello World +
Integrity <soap:Header> <wsse:Security xmlns:wsse=”…”> <dsig:Signature xmlns:dsig=”…Id=quot;Id-00000112eef195a8-…quot;> <dsig:SignatureValue>… <dsig:KeyInfo Id=quot;Id-00000112eef195a8-0000000000000008quot;> <dsig:X509Data> <dsig:X509Certificate> MIICRDCCAa0CBEX67+… <dsig:SignatureProperties Id=quot;Id-00000112eef195a8-000a”..> <dsig:SignatureProperty Id=quot;Id-00000112eef195a8-09”.. Target=quot;#Id-00000112eef195a8-0000000000000007quot;> <wsu:Timestamp xmlns:wsu=”…” wsu:Id=quot;Id-00000112eef195a8-000000000000000bquot;> <wsu:Created>2007-06-03T00:17:29Z</wsu:Created> </wsse:Security></soap:Header> <soap:Body> <ns0:getCustomerDetails xmlns:ns0=quot;http://servicehostquot;/> <name>Joe Smith</name> <customernumber>7301</customernumber>… ©2005-7 Arctec Group
25.
XML Encryption •
Security improvement over the point to point SSL solution • Encryption may be performed at element level or or all of the document content • Supports symmetric and asymmetric encryption • Deals with multi-hop transactions • Supports granular security models through element level encryption ©2005-7 Arctec Group
26.
©2005-7 Arctec Group
27.
Issue 4: Use
Longer Keys ©2005-7 Arctec Group
28.
<enc:EncryptionMethod Algorithm= quot;http://www.w3.org/2001/04/xmlenc#aes256-cbcquot;/> • 128
bit Security level (“Practical Cryptography”, Schneier & Ferguson) – To achieve 128 bit security, use 256 bit symmetric keys – Hash function examples: SHA-256, SHA- 512 – MAC example: HMAC-SHA-256 ©2005-7 Arctec Group
29.
Issue 5: Validate
Input & Encode Output ©2005-7 Arctec Group
30.
• XML Messages
can contain a number of nasty things… – Injection attacks • SQL Injection, Xpath Injection, Xquery Injection – XML Denial of Service (XDoS) • Using XML as an attack vector • Jumbo payloads • Recursion – Virus in SOAP attachments ©2005-7 Arctec Group
31.
• Schema validation
based on hardened schemas <xs:simpleType name=“Zipcodequot;> <xs:restriction base=quot;xs:stringquot; <xs:pattern value=“([0-9]{5})-([0-9]{4}) quot;/> </xs:restriction> </xs:simpleType> • Semantic validation based on white list or blacklist – Regex • Virus scanning ©2005-7 Arctec Group
32.
Output encoding • Don’t
propagate attacks <?xml version='1.0'?> <xsl:stylesheet xmlns:xsl=quot;http://www.w3.org/1999 /XSL/Transformquot; version=quot;1.0quot;> <xsl:import href=”…docbook.xslquot;/> <xsl:output method=quot;htmlquot; encoding=quot;UTF-8quot; indent=quot;noquot;/> ©2005-7 Arctec Group
33.
Issue 6: Avoid
Naïve Sign & Encrypt ©2005-7 Arctec Group
34.
Order of Operations
for Sign & Encrypt ©2005-7 Arctec Group
35.
©2005-7 Arctec Group
36.
©2005-7 Arctec Group
37.
Design Considerations Order
Considerations Sign & Encrypt -Eve only sees ciphertext - Horton Principle: “Authenticate what you mean not what you say” Encrypt & Sign - Theoretic weakness of certain weak encryption schemes - Efficiency gains because Service Provider checks signature first, can discard immediately if message fails authentication Source: “Practical Cryptography” by Schneier & Ferguson Chapter 8 ©2005-7 Arctec Group
38.
But either way
there’s still a problem… ©2005-7 Arctec Group
39.
“Defective Sign &
Encrypt S/MIME, PKCS#7, MOSS, PEM, PGP, and XML” Don Davis Trust, but verify. - Russian proverb http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html ©2005-7 Arctec Group
40.
©2005-7 Arctec Group
41.
©2005-7 Arctec Group
42.
How to fix 1.Sign
the recipient's name into the plaintext, or 2. Encrypt the sender's name into the plaintext, or 3. Incorporate both names; or 4. Sign again the signed-&-encrypted message; or 5. Encrypt again the signed ciphertext. ©2005-7 Arctec Group
43.
©2005-7 Arctec Group
44.
©2005-7 Arctec Group
45.
©2005-7 Arctec Group
46.
Issue 7: Scan
Your Stuff Before Someone Else Does ©2005-7 Arctec Group
47.
Web Services Vuln
Assessment • Test covert channels – CData tunneling – Inject commands/data into XML request • Test for XDoS • Test correct operations in unexpected order • Test request and response • Send attachments • Scan for directories containing files, extensions that allow attacker to footprint system • Scan host for any other services • Vulnerability assessment tools – iSec http://www.isecpartners.com/tools.html – NetSquare http://net-square.com/ns_freetools.shtml – OWASP - WebScarab (www.owasp.org) ©2005-7 Arctec Group
48.
Issue 8: XDoS
©2005-7 Arctec Group
49.
DTD Recursion Attack <!DOCTYPE
foobar [ <!ENTITY x0 helloquot;> <!ENTITY x1 &x0;&x0;quot;> <!ENTITY x2 &x1;&x1;quot;> <!ENTITY x3 &x2;&x2;quot;> <!ENTITY x4 &x3;&x3;quot;> ... <!ENTITY x98 &x97;&x97;quot;> <!ENTITY x99 &x98;&x98;quot;> <!ENTITY x100 &x99;&x99;quot;> ]> <foobar>&x100;</foobar> Source Vordel Taxonomoy of XML Attacks ©2005-7 Arctec Group
50.
XDoS • Attacker sends
XML bomb(s) to service – Can be used to attack CPU through recursion – Can attack memory by targeting DOM to create very large trees in memory – Can attack network with numerous small files ©2005-7 Arctec Group
51.
XDoS in the
SOAP header <SOAP> <Header> <wsse:Security> 1 GB Binary blob <Signature>…</Signature> </wsse:Security> </Header> <Body> <GetCustomerData> </Account>1234</Account> </GetCustomerData> </Body> </SOAP ©2005-7 Arctec Group
52.
Issue 9: Implement
a XML Security Gateway ©2005-7 Arctec Group
53.
• Context: The
primary goal of Web services is to solve interoperability and integration problems. Web services traverse multiple technologies and runtimes. • Problem: Web service requesters and providers do not agree upon binary runtimes like J2EE, instead they agree upon service contracts, message exchange patterns, and schema. Service and message level authentication, authorization, and auditing services for Web services are not delivered by a single container, rather these services must span technical and organizational boundaries ©2005-7 Arctec Group
54.
• Solution: Use
a XML Security Gateway to provide decentralized security services for Web services ©2005-7 Arctec Group
55.
<wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2003/06/secextquot;>
<saml:Assertion xmlns:saml=quot;urn:oasis:names:tc:SAML:1.0:assertionquot; AssertionID=quot;Id-000001129354af1c-0000000000000002quot; IssueInstant=quot;2007-05- 16T05:20:39Zquot; Issuer=quot;CN=Test,OU=Unknown” MajorVersion=quot;1quot; MinorVersion=quot;1quot;> <saml:Conditions NotBefore=quot;2007-05-16T04:40:35Zquot; NotOnOrAfter=quot;2007-05- 16T06:40:35Zquot;/> <saml:AuthorizationDecisionStatement Decision=quot;Permitquot; Resource=quot;http://host/servicequot;> <saml:Subject> <saml:NameIdentifier Format=quot;urn:oasis:names:tc:SAML:1.1:nameid- format:X509SubjectNamequot;>Test</saml:NameIdentifier> </saml:Subject> <saml:Action>getCustomerDetails</saml:Action> </saml:AuthorizationDecisionStatement> <dsig:SignatureValue>V6pRhOSnrvS8xT+WXIbNvlrOhVkAUMVI4YZ27KfG/jDLMwSbrsD6E3tA4 0rI6naL U+gt2OsYr58rD+AILpxNk0uxZMWdLcj3zr0gljt339DvYL6MRJBZ3KvpDmrw16PM w8Wo7ac1tGcLFVW5PV5locPs+f0V+rOGHafYTGGlubQ=</dsig:SignatureValue> <dsig:KeyInfo Id=quot;Id-000001129354af1d-0000000000000004quot;> … </saml:Assertion> </wsse:Security> </soap:Header> <soap:Body> <ns0:getCustomerDetails xmlns:ns0=quot;http://servicehostquot;/> <customernumber>1234</customernumber> ©2005-7 Arctec Group
56.
Choosing a XSG •
OWASP XML Security Gateway Evaluation Criteria Project – * Create evaluation criteria supporting a transparent, level playing field for XML Security Gateway solutions to define their solution's key value proposition – * Where practical, attempt to standardize nomenclature and metrics – * Educate the community on the design considerations for XML security ©2005-7 Arctec Group
57.
Choosing a XSG
(cont.) • OWASP XML Security Gateway Evaluation Criteria Project – Section 1 - Authentication – Section 2 - Authorization – Section 3 - Audit Logging – Section 4 - Deployment Architecture – Section 5 - Content Validation – Section 6 - Management & Metrics – Section 7 - Transformation – Section 8 - Tools ©2005-7 Arctec Group
58.
Threat
Description Countermeasure spoofing the identity of a web Spoofing XML-Sig services requester or provider Tampering XML-Sig tampering with information, such as the contents of the SOAP body Repudiation XML-Sig repudiate the receipt or origination of a transaction Information Disclose sensitive information XML-Enc Disclosure Denial of Service Disrupt correct operation XSG attacker gains privileges, such as Elevation of XSG, Input validation Privilege root ©2005-7 Arctec Group
59.
Issue 10: Identity
Enablement in Web Services ©2005-7 Arctec Group
60.
WS-Trust: Beyond Point
to Point WS-Trust Defines a Security Token Server (STS) • Create security tokens • Validate security tokens ©2005-7 Arctec Group
61.
Claims OED - “An
assertion of the truth of something, typically one which is disputed or in doubt.” ©2005-7 Arctec Group
62.
©2005-7 Arctec Group
63.
©2005-7 Arctec Group
64.
©2005-7 Arctec Group
65.
©2005-7 Arctec Group
66.
Design Patterns
©2005-7 Arctec Group
67.
Design Patterns
©2005-7 Arctec Group
68.
Security Design Patterns •
Secure Proxies Pattern from – Blakley & Heath “Security Design Patterns” http://www.opengroup.org/bookstore/catalog/g031.htm ©2005-7 Arctec Group
69.
Example Proxy Pattern
Passwd to Userid to Guard2 Guard2 Sso Delegation guard1 guard2 authn authz protocol Ideal Yes No User User Yes No Trusted No Guard1 Guard1 No Yes No proxy Blakley & Heath “Security Design Patterns” http://www.opengroup.org/bookstore/catalog/g031.htm ©2005-7 Arctec Group
70.
Security Design Patterns
Passwd to Userid to Guard2 Guard2 Sso Delegation guard1 guard2 authn authz protocol Ideal Yes No User User Yes No Trusted No Guard1 Guard1 No Yes No proxy Authn Yes Yes User User Yes No impers Id-assert Yes No No User Yes No impers Delegate Yes Yes No User User Yes Authz proxy No No No No Yes No Login tunnel Yes No No User User no Blakley & Heath “Security Design Patterns” http://www.opengroup.org/bookstore/catalog/g031.htm ©2005-7 Arctec Group
71.
Towards an Ideal
Proxy Passwd to Userid to Guard2 Guard2 Sso Delegation guard1 guard2 authn authz protocol Ideal Yes No User User Yes No Blakley & Heath “Security Design Patterns” http://www.opengroup.org/bookstore/catalog/g031.htm ©2005-7 Arctec Group
72.
Towards an Ideal
Proxy Passwd to Userid to Guard2 Guard2 Sso Delegation guard1 guard2 authn authz protocol Ideal Yes No User User Yes No Blakley & Heath “Security Design Patterns” http://www.opengroup.org/bookstore/catalog/g031.htm ©2005-7 Arctec Group
73.
Leveraging WS-Trust • Authentication
– Extend reach of authentication technologies, for example 2FA • Authorization – Consistent authorization policy enforcement • Auditing – Central point for access control auditing • Standards – Rely on open standards instead of proprietary mechanisms ©2005-7 Arctec Group
74.
Bringing it all
together - DigitalMe & Bandit Project http://www.bandit-project.org/index.php/Digital_Me ©2005-7 Arctec Group
75.
DigitalMe •
Enable integration with InfoCard-compatible web sites and services. • User selects card to assert credentials (instead of typing in username/password) • The credentials and required claims are bundled into a request that is signed and sent to the STS. • The STS extracts information from the token request, authenticates the user via the IDP, and retrieves the requested claim values. The response is bundled into a message that is signed by the STS and returned to the identity selector. • The identity selector passes the token returned by the STS to the relying party site. • The relying party site verifies that the token is issued by a trusted STS and that the token is valid (signature is good, token hasn't expired, etc.). • Claim values are extracted from the token by the relying party and are used to complete the transaction. • http://www.bandit-project.org/index.php/Digital_Me ©2005-7 Arctec Group
76.
Passwords are tired
©2005-7 Arctec Group
77.
Cards are wired
©2005-7 Arctec Group
78.
©2005-7 Arctec Group
79.
©2005-7 Arctec Group
80.
©2005-7 Arctec Group
81.
©2005-7 Arctec Group
82.
©2005-7 Arctec Group
83.
©2005-7 Arctec Group
84.
©2005-7 Arctec Group
85.
©2005-7 Arctec Group
Jetzt herunterladen