Difference between revisions of "Category:OWASP Web Services Security Project"

Revision as of 18:14, 14 January 2008


Welcome to the OWASP Web Services Security Project

[a brief overview of web services security in general and of the current state of OWASP's web services security content]

The following document outlines a proposed layout for a new Web Services Security Project for the Open Web Application Security Project (OWASP).

Current State

Current Relevant OWASP Pages

1. Web Services
  a. Securing web services
  b. Communication security
  c. Passing credentials
  d. Ensuring message freshness
  e. Protecting message integrity
  f. Protecting message confidentiality
  g. Access control
  h. Audit
  i. Web services security hierarchy
    i. Standards committees
  j. SOAP
    i. XML signatures and encryption
    ii. Security specifications
  k. WS-Security standard
    i. Organization of the standard
    ii. Purpose
  l. WS-Security building blocks
    i. How data is passed
    ii. Security header's structure
    iii. Types of tokens
    iv. Referencing message parts
  m. Communication protection mechanisms
    i. Integrity
    ii. Confidentiality
    iii. Freshness
  n. Access control mechanisms
    i. Identification
    ii. Authentication
    iii. Authorization
    iv. Policy agreement
  o. Forming web services chains
    i. Incompatible user access control models
    ii. Service trust
    iii. Secure connections
    iv. Synchronization of user directories
    v. Domain federation
  p. Available implementations
    i. .NET – Web services extensions
    ii. Java toolkits
    iii. Hardware and software systems
  q. Problems
    i. Immaturity of the standards
    ii. Performance
    iii. Complexity and interoperability
    iv. Key management
  r. Further reading

2. A Tale of Two Systems
  - Case studies of two hypothetical systems, one of which involves opening a mainframe application to the web through a web service, and the risks that this poses.

3. There's More to Securing Web Services Systems Than WS-Security
  a. What is a web service
  b. Web services from the information security perspective
  c. Some security implications of this perspective
    i. Emergent risks
    ii. End-to-end controls
  d. Interconnection of systems from different trust domains
    i. Some implications for the organization's risk management process and system development life cycle
    ii. Emerging standards for securing web services
    iii. WS-Security specifications in process
    iv. Trust management revisited
  e. References

4. Web Services Architecture and Security
  a. The web services architecture
  b. Service oriented architectures and distributed systems
  c. Complexity is the enemy of security…
  d. The architectural models
  e. The policy model
  f. The service oriented model
  g. The resource oriented model
  h. The message oriented model
  i. The management model
  j. The rest
  k. References

5. Testing for Web Services (from OWASP Testing Guide)
  a. XML Structural Testing
  b. XML Content-level Testing
  c. HTTP GET parameters/REST Testing
  d. Naughty SOAP attachments
  e. Replay Testing

6. Image:Web services security.doc

7. Image:InfoSec_World_2007_-_Web_services_gateways.ppt

8. Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt

9. Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt

10. .NET Web Service Validation
  a. Performance penalties
  b. Downloading
  c. Installation
  d. Reporting bugs
  e. Use
    i. Methods of use
    ii. Attributes
    iii. Web.config changes
    iv. Using validation
    v. Using assertions

11. OWASP WSFuzzer Project

12. OWASP interceptor Project

13. OWASP Guide

14. OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt

15. Category_talk:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project

16. Don’t drop the SOAP OWASP.ppt

17. AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt

18. AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt

19. OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt


Content

- Completeness

- Relevance

- Target audience

Organization

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

Search

-

Desired State

Content

- Completeness

- Relevance

- Target audience

Organization

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

Search

-

Proposed Layout

The proposed OWASP Web Services Security Project will serve as a starting point for any web services-related inquiries on OWASP. It will consist of a launchpad or home page with an introduction to the project, regular updates to pages in the project, and links to project pages and external resources.

Launchpad Layout (diagram)

Introduction

[brief description here]

Updates

[brief description here]

External Links

[brief description here]

OWASP Pages

[brief description here]

WS Security Docs/Presentations

[brief description here]

WS Standards

[brief description here]

WS Communications

[brief description here]

XML Security

[brief description here]

Testing Web Services

[brief description here]

WS Tools

[brief description here]

WS Gateways

[brief description here]

SOA Architecture and Design

[brief description here]

WS Implementation Platforms

[brief description here]

OWASP Top 10 Web Services Chapter

[brief description here]


Goals & Roadmap

Currently the project goals are to:

  • Create the launchpad layout
  • Create a template start page for each subtopic
  • Find solid external resources
  • Recruit a volunteer team (2-4 people)
  • For each topic:

    - Create a start page for the subtopic

    - Gather all existing relevant articles within OWASP

    - Create a plan for consolidating all the relevant information

    - Contact the authors of relevant articles if changes are required

    - Consolidate all information on the topic

    - Find solid external resources

    - Create a link back to the main Web Services Security Project launchpad

  • Research a way of communicating updates to the web services pages on the launchpad
  • Search optimization (both OWASP site search and Google)


A detailed project plan and schedule will be developed shortly and posted here.


Project Guiding Principles

tbd

Resources and links

This project is not standalone; it will draw information from:

  • OWASP Guide
  • Other OWASP pages
  • OWASP documents
  • Relevant external links

...

Feedback and Participation:

We hope you find the OWASP Web Services Security Project to be useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to sahba@securitycompass.com.

Project Contributors

If you contribute to this Project, please add your name here.
Project Leads:

Contributors:

  • you? ...
