Professional Documents
Culture Documents
.COM XML
EDI Web Services
Business Agility
Open Standards
Service Contracts
Loose Coupling
Autonomy
Abstraction
Common Semantics
Forrester: Over 80 percent of business application products sold between 2005 and 2008 will be Service Oriented Business Applications
ZapThink: Estimates that XML will represent 25% of all network traffic by 2006
Gartner Group: Predicts that over 80% of all software development will be based on SOA by 2008
Forum SOA for e-Gov Conference 2006
[Figure: Evolution of The IP Network toward Application-Oriented Networking; metadata layers HTML, XML, SOAP, WSDL, UDDI; The Automated Enterprise]
[Figure: threats along the request path. A SOAP message passes from the WEB SERVER to the APPLICATION SERVER and on to the back end (CUSTOMER DATABASE, Inventory Management, 2. Order Fulfillment). Numbered threat points: 3. EXPLOSIVE DOCUMENT, 4. SENSITIVE DOCUMENT. Questions the infrastructure must answer at each hop: Is this valid XML/SOAP? Is message privacy/integrity assured? Is the request accessing data using inadequate privileges?]
• Security
– XML and SOAP expose valuable backend systems (application servers and databases) directly to untrusted input
– XML Denial of Service (entity expansion, deep nesting, oversized messages), buffer overruns, SQL Injection carried in message content
– SSL is insufficient for message confidentiality: it protects only the transport hop, not the message end-to-end through intermediaries
– Protecting against unauthorized access
• Manageability
– Policy development and enforcement becomes difficult
– Root cause and business impact analysis are challenging
– Upholding service level agreements becomes challenging
– And most importantly, service lifecycles accelerate out of control
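The first question in the diagram above ("Is this valid XML/SOAP?") and the XML Denial of Service bullet are what an inbound gate has to settle before any application code sees the message. The following is an added example, not Forum Systems code, of such a gate using only the Python standard library's streaming expat parser: it refuses any DTD (which both entity-expansion and external-entity attacks require), caps size and nesting depth, and insists that the root element is a SOAP 1.1 or 1.2 Envelope. The limits and the sample messages are illustrative constructs.

```python
# Added example (not Forum Systems code): an inbound gate that answers
# "Is this valid XML/SOAP?" and refuses XML denial-of-service payloads before
# the message reaches the application server. Standard library only; the
# limits and sample messages below are illustrative constructs.
import xml.parsers.expat

SOAP_ENVELOPE_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)


class RejectedMessage(Exception):
    """Carries the reason a message was refused at the gateway."""


def check_soap(doc: bytes, max_bytes: int = 1_000_000, max_depth: int = 32) -> None:
    """Raise RejectedMessage unless doc is a well-formed, DTD-free SOAP Envelope
    within the size and nesting limits. Streaming (expat), so the document is
    never materialised as a tree before the checks run."""
    if len(doc) > max_bytes:
        raise RejectedMessage(f"message too large ({len(doc)} bytes)")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    depth = 0
    root_seen = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: entity expansion (billion laughs) and external
        # entity (XXE) attacks both need one; legitimate SOAP never does.
        raise RejectedMessage("DOCTYPE/DTD not allowed")

    def on_entity_decl(*_):
        raise RejectedMessage("entity declaration not allowed")

    def on_start(name, attrs):
        nonlocal depth, root_seen
        depth += 1
        if depth > max_depth:
            raise RejectedMessage(f"element nesting deeper than {max_depth}")
        if not root_seen:
            root_seen = True
            ns, _, local = name.rpartition(" ")  # expat reports "uri local"
            if local != "Envelope" or ns not in SOAP_ENVELOPE_NS:
                raise RejectedMessage(f"root element is not a SOAP Envelope: {name!r}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed XML: {exc}") from None


def verdict(doc: bytes) -> str:
    """Gateway decision as a string: 'accepted' or 'rejected: <reason>'."""
    try:
        check_soap(doc)
    except RejectedMessage as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample messages.
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder></soap:Body>
</soap:Envelope>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>&lol3;</soap:Body>
</soap:Envelope>"""

DEEPLY_NESTED = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    + b"<a>" * 100 + b"</a>" * 100 + b"</soap:Body></soap:Envelope>"
)

NOT_SOAP = b"<html><body>hello</body></html>"

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("billion laughs", BILLION_LAUGHS),
                       ("deeply nested", DEEPLY_NESTED), ("not soap", NOT_SOAP)]:
        print(f"{label:15} {verdict(msg)}")
```

Rejecting the DOCTYPE at the moment it is seen, rather than after expansion, is the point: by the time a tree parser reports a problem with the billion-laughs payload the memory has already been spent.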
Threat: Schema Poisoning
  Description: Manipulating the XML Schema to alter processing information.
  Protection: Protect against schema poisoning by relying on trusted WSDL documents and XML Schemas.
Threat: Malicious Code Injection
  Description: Scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses attached to SOAP payloads.
  Protection: Content inspection of SOAP attachments ensures messages contain legitimate content as defined in the WSDL, XML Schema and content security policies.
[Figure: message exchange patterns between Requestor and Provider: Request/Reply, Solicit/Response, One-way, Notification. The gateway (FS) sits as a proxy between Requestor and Provider to apply security definitions. Transports: HTTP(s), MQ/JMS, Tibco/JMS. Functions: Protocol Mediation, Policy/Governance, SLAs, Exceptions Enforcement, Activity Reporting, Monitoring, Privacy, Traceability, Auditing]
[Figure: security lifecycle of Secure, Monitor, Testing and Improve around a central Security Policy]
• Secure
– Authentication
– Encryption
– Firewall
– Vulnerability Mitigation
• Monitor
• Testing
• Improve
• Applicable in each lifecycle phase
Development-Time Protections (application-specific controls applied to the application)
Vulnerability Testing
WSDL Generation
Schema Generation
WSDL Tightening
Schema Tightening
Trust Management
Threat Protection
XML Acceleration
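Schema Tightening in the list above is the step where a generated XSD, which typically accepts any string of any length and any number of repetitions, is narrowed to what the service actually needs; only a tightened schema is worth enforcing at a gateway as the definition of "legitimate content" (the Schema Poisoning and Malicious Code Injection protections above). As an added example that is not Forum Systems code, the audit below walks an XSD with the standard library and reports the loose constructs a reviewer would tighten first. The two schemas are constructed samples; the set of facets treated as "tight" is an assumption of this example.

```python
# Added example (not Forum Systems code): a schema-tightening audit that flags
# the loose constructs a generated XSD typically contains, so the schema can be
# tightened before a gateway enforces it. Standard library only; the two
# schemas below and the choice of "tight" facets are constructed assumptions.
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
LENGTH_FACETS = {"length", "maxLength", "pattern", "enumeration"}


def _facets(element):
    """Names of the facets on an element's inline simpleType restriction."""
    restriction = element.find(f"{XS}simpleType/{XS}restriction")
    if restriction is None:
        return set()
    return {child.tag[len(XS):] for child in restriction if child.tag.startswith(XS)}


def audit_schema(xsd_text: str) -> list:
    """Return one finding string per loose construct, in document order."""
    findings = []
    for el in ET.fromstring(xsd_text).iter():
        if not el.tag.startswith(XS):
            continue
        local = el.tag[len(XS):]
        name = el.get("name") or el.get("ref") or "(anonymous)"
        if local in ("any", "anyAttribute"):
            findings.append(
                f"xs:{local} wildcard (processContents="
                f"{el.get('processContents', 'strict')}) admits arbitrary content")
            continue
        if local != "element":
            continue
        declared = (el.get("type") or "").split(":")[-1]  # strip xs:/xsd: prefix
        if declared == "anyType":
            findings.append(f"element '{name}' is xs:anyType")
        elif declared == "string":
            findings.append(f"element '{name}' is an unbounded xs:string (no maxLength/pattern)")
        elif declared == "" and el.find(f"{XS}simpleType") is not None \
                and not (_facets(el) & LENGTH_FACETS):
            findings.append(f"element '{name}' restriction has no length/pattern/enumeration facet")
        if el.get("maxOccurs") == "unbounded":
            findings.append(f"element '{name}' has maxOccurs=unbounded (no cap on repetition)")
    return findings


# Constructed sample: the kind of schema a code generator emits.
LOOSE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  targetNamespace="urn:example:orders" elementFormDefault="qualified">
  <xs:element name="GetOrder">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="id" type="xs:string"/>
        <xs:element name="note" type="xs:anyType"/>
        <xs:element name="tag" type="xs:string" maxOccurs="unbounded"/>
        <xs:any namespace="##any" processContents="skip"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>"""

# Constructed sample: the same contract after tightening.
TIGHT_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  targetNamespace="urn:example:orders" elementFormDefault="qualified">
  <xs:element name="GetOrder">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="id">
          <xs:simpleType><xs:restriction base="xs:string">
            <xs:pattern value="[0-9]{1,10}"/>
          </xs:restriction></xs:simpleType>
        </xs:element>
        <xs:element name="note" minOccurs="0">
          <xs:simpleType><xs:restriction base="xs:string">
            <xs:maxLength value="200"/>
          </xs:restriction></xs:simpleType>
        </xs:element>
        <xs:element name="tag" minOccurs="0" maxOccurs="10">
          <xs:simpleType><xs:restriction base="xs:string">
            <xs:maxLength value="32"/>
          </xs:restriction></xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>"""

if __name__ == "__main__":
    for label, xsd in (("loose", LOOSE_XSD), ("tight", TIGHT_XSD)):
        print(f"{label}: {len(audit_schema(xsd))} finding(s)")
        for finding in audit_schema(xsd):
            print("  -", finding)
```

The tightened schema bounds every string and every repetition, which is what turns a schema-validation step at the gateway into a real size and content limit rather than a formality.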
PRODUCT LINE
Web Services Firewall
SOA Gateway
XML Accelerator
Vulnerability Containment
Hardware
Software
Policy Server
[Figure: Web Service Client, gateway and Web Service with an IdAM system; steps 2, 3 Authentication/Access Decision; steps 4, 5 Authentication/Access Delegation]
• Request Processing
– Authenticates User to IdAM
– Inspects Messages and Attachments for threats
– Encrypts sensitive data
– Generates SAML Assertions in WS-Security Header
• Response Processing
– Inspects messages and attachments for threats
– Inspects messages for data leaks
– Obfuscates sensitive exceptions
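The last two Response Processing items are the outbound half of the gateway's job: a response can leak a customer's identifiers just as easily as a request can attack the back end, and a SOAP Fault that carries the database error or a stack trace tells an attacker exactly what sits behind the service. The following is an added example, not Forum Systems code, of both steps with the standard library: it masks SSNs and Luhn-valid card numbers in every text node of a SOAP 1.1 response, and replaces the faultstring and detail of any Fault with a generic message plus a correlation id that the operator can match against the server-side log. The response samples and the masking formats are constructed assumptions.

```python
# Added example (not Forum Systems code): response-side processing that scans an
# outbound SOAP 1.1 response for data leaks (SSNs and Luhn-valid card numbers)
# and replaces a verbose SOAP Fault with a generic one carrying only a
# correlation id for the server-side log. Standard library only; the sample
# responses and masking formats are constructed assumptions.
import re
import uuid
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP11)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple:
    """Mask SSNs and card numbers in text; returns (masked_text, count)."""
    count = 0

    def mask_ssn(m):
        nonlocal count
        count += 1
        return "***-**-" + m.group(0)[-4:]

    def mask_card(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # a long digit run that is not a card number
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    text = SSN_RE.sub(mask_ssn, text)
    text = CARD_RE.sub(mask_card, text)
    return text, count


def process_response(xml_text: str) -> tuple:
    """Return (filtered_xml, report) for an outbound SOAP 1.1 response."""
    root = ET.fromstring(xml_text)
    report = {"redacted": 0, "fault_obfuscated": False, "correlation_id": None}

    # Data leak inspection over every text and tail node.
    for el in root.iter():
        if el.text:
            el.text, n = redact(el.text)
            report["redacted"] += n
        if el.tail:
            el.tail, n = redact(el.tail)
            report["redacted"] += n

    # Exception obfuscation: faultcode is kept; faultstring and detail (SQL
    # errors, stack traces, file paths) are replaced by a lookup reference.
    fault = root.find(f".//{{{SOAP11}}}Fault")
    if fault is not None:
        cid = str(uuid.uuid4())
        report["fault_obfuscated"] = True
        report["correlation_id"] = cid
        faultstring = fault.find("faultstring")
        if faultstring is not None:
            faultstring.text = f"Request could not be processed (ref {cid})"
        detail = fault.find("detail")
        if detail is not None:
            fault.remove(detail)
    return ET.tostring(root, encoding="unicode"), report


# Constructed sample responses.
LEAKY_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetCustomerResponse xmlns="urn:example:customers">
      <name>Jane Doe</name>
      <ssn>123-45-6789</ssn>
      <note>Card 4111 1111 1111 1111 on file, order ORD-2006-0001</note>
    </GetCustomerResponse>
  </soap:Body>
</soap:Envelope>"""

FAULT_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>ORA-00942: table or view does not exist in SELECT * FROM CUSTOMER WHERE ID=42</faultstring>
      <detail><stack>at com.example.orders.OrderDao.load(OrderDao.java:88)</stack></detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for sample in (LEAKY_RESPONSE, FAULT_RESPONSE):
        out, report = process_response(sample)
        print(report)
        print(out)
```

The Luhn check is what keeps the card-number rule from mangling order numbers and other long digit runs; the correlation id is what lets the operator still do root cause analysis (the Manageability point earlier) after the detail has been stripped from what the client sees.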
Forum Government Focus
Web Services Security Management
Vulnerability Database for Web Service Developers (VulCon™)
Feature comparison (XRAY / Enterprise SOA), features marked √: Centralized Management; Enterprise Collaboration; Shared Library (User selected DB)
[Figure: Web Services Security Management across the Internet (XML/SOAP), fed by an XML Vulnerability Intelligence Database and Security Threat Intelligence]