Sylvain MARET, Principal Consultant / MARET Consulting, OpenID Switzerland & OWASP Switzerland
Application Security Forum - 2012
Western Switzerland
7-8 November 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch
Agenda
What is a Web Service?
SOAP
REST
Threat Modeling / ACME SA
Risk reduction
Conclusion
Questions
Bio
18 years of experience in ICT security
Principal Consultant at MARET Consulting
Expert at the Engineering School of Yverdon
Swiss French area delegate at OpenID Switzerland
Co-founder of the Geneva Application Security Forum
OWASP member
Author of the blog "la Citadelle Electronique"
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field
AppSec & Digital Identity Security
Web Service ?
Consumer
Provider
A bit of history
1990: DCE/RPC, Distributed Computing Environment
1992: CORBA, Common Object Request Broker Architecture
1990-1993: Microsoft's DCOM, Distributed Component Object Model
1995: RMI, in the Java world
All of this leading to a (still ongoing) standardization of protocols, tools, languages and interfaces:
SOAP, REST, etc.
Web Service
SOAP
SOAP vs REST ?
Protocols
Transport: HTTP, HTTPS, SMTP, FTP, SMS, TFTP, SSH, etc. (over TCP or UDP)
Message: SOAP envelope
Security
WS-Security (XML Signature & XML Encryption)
Other elements
AuthN: SAML, X.509, username & password, Kerberos, HTTP Digest, etc.
SOAP envelope
- SOAP: Simple Object Access Protocol
- Carries XML messages
- Agnostic to the transport: HTTP, HTTPS, FTP, etc.
Source: Wikipedia
SOAP request
SOAP response
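The request/response slides above were images. As an added example (not code from the talk or from any product it names), here is a SOAP 1.1 envelope carrying a WS-Security UsernameToken in PasswordDigest form, built on the consumer side and verified on the provider side. The WSS namespaces and the digest rule, Base64(SHA-1(nonce + created + password)), are those of the OASIS UsernameToken Profile; the service namespace, the GetPrice operation, the in-memory user store and the 5-minute clock-skew window are assumptions for the demo.

```python
"""Added example (not from the talk): SOAP 1.1 envelope with a WS-Security
UsernameToken (PasswordDigest), consumer-side construction and provider-side
verification with clock-skew, anti-replay and DTD-rejection checks."""
import base64
import binascii
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
SVC_NS = "urn:acme:stockquote"  # assumed service namespace for the demo
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)).
    # SHA-1 is what the profile prescribes, not a recommendation for new designs.
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(user: str, password: str, symbol: str, created: str = None) -> str:
    """Consumer side: envelope with a wsse:Security header and a GetPrice body."""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce = os.urandom(16)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(hdr, f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetPrice")
    ET.SubElement(op, f"{{{SVC_NS}}}Symbol").text = symbol
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Provider side (or an XML gateway in front of it)."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users        # username -> password; assumed in-memory store
        self.max_skew = max_skew
        self.seen_nonces = set()  # replay cache; prune entries older than max_skew in production

    def verify(self, xml_text: str) -> tuple:
        """Return (True, username) or (False, reason)."""
        # First filter: a DTD in a SOAP message is never legitimate. Refusing it
        # closes off entity-expansion and XXE tricks before the parser sees them.
        if "<!DOCTYPE" in xml_text:
            return False, "doctype not allowed"
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return False, "malformed xml"
        tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        pw_el = tok.find(f"{{{WSSE_NS}}}Password")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            return False, "digest password required"
        try:
            user = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
            nonce = base64.b64decode(tok.findtext(f"{{{WSSE_NS}}}Nonce"), validate=True)
            created = tok.findtext(f"{{{WSU_NS}}}Created")
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except (TypeError, ValueError, binascii.Error):
            return False, "malformed token"
        if abs(datetime.now(timezone.utc) - created_dt) > self.max_skew:
            return False, "token too old"
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        # Unknown user and wrong password take the same path and give the same answer.
        expected = password_digest(nonce, created, self.users.get(user, ""))
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "authentication failed"
        self.seen_nonces.add(nonce)
        return True, user
```

Two caveats a practitioner should keep in mind: the UsernameToken only authenticates the sender, it says nothing about the integrity of the Body, so tampering with the payload in transit is only detected if the message is also signed (XML Signature, the "Signature" half of WS-Security on the previous slide); and the digest is computed from the clear-text password, so a captured token allows offline password guessing. The token therefore still belongs inside TLS, which is what the "transport encryption" slide later in the deck prescribes.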
UDDI
Universal Description, Discovery and Integration (UDDI) is an XML-based service registry, intended in particular for web services.
WSDL
WSDL is an XML grammar for describing a web service. A WSDL document describes:
- the message format required to communicate with the service
- the methods the client can invoke
- the location of the service
- the communication protocol (SOAP RPC or message-oriented SOAP)
http://fr.wikipedia.org/wiki/Web_Services_Description_Language
WSDL
http://predic8.com/wsdl-reading.htm
WSDL: example
SOAP stack
Description: WSDL
Message: SOAP / XML
Protocol: HTTP, HTTPS, FTP, SFTP, SMS, SMTP (TCP or UDP)
Transport: IP
REST
Protocols
HTTP(S); resources addressed by URL; communication methods (GET, POST, PUT, DELETE)
Security
Transport security (SSL/TLS)
Message security: HMAC & DOSETA (comparable to XML Signature)
Other elements
OAuth, API keys
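The "message security: HMAC" item is easy to get subtly wrong, so here is an added example (not code from the talk) of HMAC-SHA256 request signing for a REST API: the consumer signs the method, path, timestamp, nonce and a hash of the body; the provider recomputes the MAC, compares it in constant time and rejects stale or replayed requests. The header names, the key store and the 300-second window are assumptions for the demo.

```python
"""Added example (not from the talk): HMAC-SHA256 request signing for a REST
API, consumer side and provider side, with anti-replay and clock-skew checks."""
import hashlib
import hmac
import secrets
import time

# Assumed key store: key id -> shared secret. The key id is the only part sent in clear.
API_KEYS = {"acme-app-1": b"0f7d1c9a5e3b4a2d8c6f1e0b9a7d5c3e"}
MAX_SKEW = 300  # seconds


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    # Bind everything the provider will act on. Newline separators keep fields
    # from sliding into each other (path "/a1" + ts "2" vs path "/a" + ts "12").
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int = None, nonce: str = None) -> dict:
    """Consumer side: returns the auth headers to send with the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class HmacVerifier:
    """Provider side (or a WAF / API gateway in front of it)."""

    def __init__(self, keys: dict, max_skew: int = MAX_SKEW):
        self.keys = keys
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; pruned once entries leave the time window

    def verify(self, method: str, path: str, headers: dict, body: bytes, now: int = None) -> tuple:
        """Return (True, key_id) or (False, reason)."""
        now = int(time.time()) if now is None else now
        try:
            key_id = headers["X-Key-Id"]
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key"
        if abs(now - ts) > self.max_skew:
            return False, "stale request"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        self.seen[nonce] = ts
        return True, key_id
```

The difference from a plain API key in a header is that the key secret never travels and every signed field is bound to the request: changing the body, the verb or the path invalidates the signature, and the timestamp plus nonce cache bounds how long a captured request can be replayed. This protects the message; it does not hide it, so it is a complement to TLS, not a replacement.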
REST methods
REST stack
Description
Message
Protocol: HTTP, HTTPS
Transport: TCP/IP
SOAP vs REST
Threat Modeling / ACME SA
http://fr.wikipedia.org/wiki/Diagramme_de_flux_de_donn%C3%A9es
STRIDE model
https://www.owasp.org/index.php/Application_Threat_Modeling
Threat 2
Attack on the application
Buffer overflow, injection, DoS & DDoS, etc.
Risk reduction
Transport encryption
SOAP / XML: HTTPS, SSL/TLS tunnel, SSH, IPsec, etc.
REST: HTTPS
AuthN
SOAP / XML: HTTP Basic, Digest, HTTP header; mutual SSL; IP trust; WS-Security UsernameToken; WS-Security SAML authentication token; XML Signature; Kerberos; etc.
REST: HTTP Basic, Digest, HTTP header; mutual SSL; IP trust; OAuth; API keys
Code security
The same code-level controls apply to SOAP / XML and REST services alike:
- Data input validation
- Data output encoding
- Pseudorandom data generation with high entropy
- Strong, reliable data encryption algorithms
- Data leakage prevention
- Robust error & exception handling
- Anti-automation and expiration measures
OWASP Application Security Verification Standard (ASVS): https://www.owasp.org/index.php/ASVS
WASC web application weaknesses: http://projects.webappsec.org/w/page/13246978/Threat%20Classification
Conclusion
SOAP:
- Implement the security-related WS-* standards
- Put application-level filtering in place (WAF, XML gateway)
- Complex to implement (PKI, secure coding, cryptography, etc.)
- Architecture with strong security constraints
REST:
- Put application-level filtering in place (WAF, XML gateway)
- Fast and easy to implement; the current trend
- Cloud-style architectures, intranet, social login, etc.
Security standards for REST are still eagerly awaited?
Pragmatic approach: perimeter protection, encryption and secure coding?
Questions?