Soa Security Testing
1. SOA Testing: An Approach to Test the Security Aspects of SOA based Application
Presenters: Jaipal & Uday
Date: 4-Nov-09
2. SOA and its Industry acceptance
SOA is becoming the most sought-after solution for any new Enterprise Architecture design, and its steady growth in acceptance is re-affirmed by Gartner's Hype Cycle.
SOA and Enterprise Architecture have a common goal of aligning Business and IT objectives.
2| SOA Testing: Testing Security Aspects of SOA Based Application
3. Challenges in Securing SOA environment
4. Security Infrastructure in SOA implementation
[Diagram: a Client Application calls Web Service 1, Web Service 2 and Web Service 3 on a Web Server; each service carries its own Security Specification. Transport Layer Security and Message Layer Security cover the exchange, and an External Security Token Service issues the tokens.]
• Security Specifications are: WS-Security, WS-Secure Conversation, WS-Trust, WS-Federation, WS-Security Policy
5. WS-Security Standards and Open Source tools
Various security standards which the Web Services adhere to are SAML, WS-Security, XML-Encryption, WS-SecureConversation, WS-Trust, WS-SecurityPolicy and WS-Federation.
[Table: standards against open source tools; the cell values did not survive extraction.]
Standards (columns): SAML | WS-Security | XML-Encryption | XML-Signature | WS-SecureConversation | WS-Trust | WS-SecurityPolicy | WS-Federation
Tools (rows): SOAP UI, Push To Test, Web-Inject, WS-I Tools
6. Web Services Security standards usage in a Scenario
8. Solution Phase 1 – Test Assertion Document
Identify Security Specifications: SAML, WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy
Test Assertion Document Table (<<optional>>), with columns: Element/Attribute Name | Description | Required/Optional/Recommended
Test Assertion XML Document
9. Solution Phase 2 – Capture SOAP Messages
• Services communicate using the SOAP protocol
• The SOAP message contains the security information
• Develop a SOAP Monitor tool to capture the request and response of services
Ex:
1) Request initiated for a web service
2) Services establish Security Tokens with Security Context information
3) Data is exchanged after the Security Token is verified
10. Solution Phase 3 – Test Result Report
• Develop code to compare XML documents (similar to DOM or SAX parsers in Java)
• Compare the SOAP header with the TAD; this is done by the code developed to compare XML documents
• Generate the Test Result Report containing the status and descriptions
[Diagram: the captured Test Request & Response XML and the TAD/XML feed the comparison, which produces the Test Result Report.]
Test Result Report Format
Comparison | Status
True | Pass – Provide the description given in the <assertionDescription> element of the TAD
False | Fail – Provide the description given in the <failureMessage> and <failureDetailDescription> elements of the TAD
11. Conclusion
Maximized ROI: Streamlined Testing approach brought in by very few changes in the testing lifecycle
Increased Agility: Customizable at any stage and applicable in any complicated Enterprise Application Architecture
Reduced IT investment: Vendor independent procedure implementable with very little training imparted to the existing team.
Reusable and audit ready artifacts are created which are alive throughout the Testing lifecycle, thus enabling better understanding of the system limitations.
12. Thank you