WS Security - REST vs SOAP
Application Security Forum - 2012 Western Switzerland
7-8 November 2012 - Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch
Introduction to Web Services security (SOAP vs REST)
Sylvain MARET, Principal Consultant / MARET Consulting, OpenID Switzerland & OWASP Switzerland
08.11.2012, Version 1.1 @smaret
Agenda
What is a Web Service?
SOAP
REST
Threat Modeling / ACME SA
Risk reduction
Conclusion
Questions
Bio
18 years of experience in ICT Security
Principal Consultant at MARET Consulting
Expert at the Engineering School of Yverdon
Swiss French Area delegate at OpenID Switzerland
Co-founder Geneva Application Security Forum
OWASP Member
Author of the blog: la Citadelle Electronique
http://ch.linkedin.com/in/smaret or @smaret
http://www.slideshare.net/smaret
Chosen field – AppSec & Digital Identity Security
Web Service: the basics
Web Service?
[Diagram: Consumer <-> Provider, exchanging XML, JSON, etc.]
A bit of history
1990: DCE/RPC – Distributed Computing Environment
1992: CORBA – Common Object Request Broker Architecture
1990-1993: Microsoft’s DCOM – Distributed Component Object Model
1995: RMI – the Java world
Leading to a (still ongoing) standardization of protocols, tools, languages and interfaces:
– SOAP
– REST
– etc.
SOAP vs REST?
SOAP: the ingredients
SOAP: demystifying the technologies
Languages
– XML
– WSDL: service descriptor
– UDDI: service directory
Protocols
– Transport: HTTP, HTTPS, SMTP, FTP, SMS, TFTP, SSH, etc. (TCP or UDP)
– Message: SOAP envelope
Security
– WS-Security (signature & encryption)
Other elements
– AuthN: SAML, X.509, username & password, Kerberos, HTTP Digest, etc.
SOAP envelope
- SOAP: Simple Object Access Protocol - allows XML messages to be sent
- Transport-agnostic - HTTP - HTTPS - FTP - etc.
Source: Wikipedia
[Figure: example SOAP request and SOAP response]
UDDI
Universal Description Discovery and Integration, also known by the acronym UDDI, is an XML-based directory of services, intended in particular for Web services.
WSDL
WSDL is an XML grammar for describing a Web Service.
WSDL is used to describe:
– the message format required to communicate with the service
– the methods the client can invoke
– the location of the service
– the communication protocol (SOAP RPC or message-oriented SOAP)
http://fr.wikipedia.org/wiki/Web_Services_Description_Language
WSDL
http://predic8.com/wsdl-reading.htm
WSDL: example
SOAP: demystifying the protocols
– Discovery: UDDI
– Description: WSDL
– Message: SOAP / XML
– Protocol: HTTP, HTTPS, FTP, SFTP, SMS, SMTP (TCP or UDP)
– Transport: IP
REST: the ingredients
REST: demystifying the technologies
Languages
– XML
– JSON
– XHTML, HTML, PDF... as data formats
Protocols
– HTTP(S), using a URL
– Communication methods (GET, POST, PUT, DELETE)
Security
– Transport security (SSL/TLS)
– Message security: HMAC & Doseta (like XML Signature)
Other elements
– OAuth, API keys
REST representation (JSON example)
REST methods
REST: demystifying the protocols
– Discovery: ???
– Description: WADL, Swagger ***
– Message: XML, JSON, etc.
– Protocol: HTTP, HTTPS
– Transport: TCP/IP
*** Forward-looking but little used
SOAP vs REST
[Figure: data-flow diagram (DFD)]
http://fr.wikipedia.org/wiki/Diagramme_de_flux_de_donn%C3%A9es
STRIDE model
https://www.owasp.org/index.php/Application_Threat_Modeling
Threats according to the Acme SA DFD
Threat 1
– Message interception (Information disclosure)
– Message modification (Tampering)
– Identity spoofing (Spoofing)
Threat 2
– Attacks on the application
• BoF
• Injection
• DoS & DDoS
• Etc.
ACME SA: risk reduction?
Transport encryption
AuthN
SSL mutual AuthN / X509
WAF / XML gateway
Message integrity and confidentiality
Secure coding
Transport encryption
SOAP / XML:
– HTTPS
– SSL/TLS tunnel
– SSH
– IPsec
– etc.
REST:
– HTTPS
AuthN
SOAP / XML:
– HTTP Basic, Digest, HTTP header
– Mutual SSL
– IP trust
– WS-Security username/password
– WS-Security SAML authentication token
– XML Signature
– Kerberos
– etc.
REST:
– HTTP Basic, Digest, HTTP header
– Mutual SSL
– IP trust
– OAuth
– API keys
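As an added illustration of the "WS-Security username/password" entry above and of the SOAP envelope described earlier (example code written for this page, not from the original slides or any project): a SOAP 1.1 envelope carrying a WS-Security UsernameToken with a digested password, and the server-side check that recomputes the digest, enforces a freshness window on Created and rejects reused nonces. The credential store, the `urn:acme:example` body and the 5-minute window are constructed assumptions.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 and WSS 1.0 namespaces
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS = "%Y-%m-%dT%H:%M:%SZ"
USERS = {"alice": "s3cret-pass"}  # constructed credential store (hypothetical)
SEEN_NONCES = set()               # replay cache; a real service would expire old entries

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile formula: Base64(SHA-1(nonce bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, created=None):
    """Client side: SOAP 1.1 envelope whose WS-Security header carries a digest UsernameToken."""
    created = created or datetime.now(timezone.utc).strftime(TS)
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"><wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username>
    <wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
    <wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><getBalance xmlns="urn:acme:example"/></soap:Body></soap:Envelope>"""

def verify_envelope(xml_text, max_age=timedelta(minutes=5)):
    """Server side: returns the authenticated username, or None on any authentication failure."""
    tok = ET.fromstring(xml_text).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return None
    user = tok.findtext("wsse:Username", namespaces=NS)
    pwd = tok.find("wsse:Password", NS)
    nonce = tok.findtext("wsse:Nonce", namespaces=NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    if pwd is None or pwd.get("Type") != DIGEST or not (nonce and created):
        return None  # clear-text passwords and tokens without nonce/timestamp are rejected
    try:
        age = datetime.now(timezone.utc) - datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
        expected = password_digest(nonce, created, USERS.get(user, ""))
    except ValueError:
        return None  # malformed timestamp or nonce (binascii.Error is a ValueError)
    if abs(age) > max_age or nonce in SEEN_NONCES:
        return None  # outside the freshness window, or a replayed token
    if user not in USERS or not hmac.compare_digest(expected.encode(), (pwd.text or "").encode()):
        return None
    SEEN_NONCES.add(nonce)
    return user
```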
SSL mutual AuthN / X509 / PKI
SOAP / XML: SSL/TLS mutual AuthN**
REST: SSL/TLS mutual AuthN**
** Man in the middle not possible… (as far as I know)
WAF / XML gateway (perimeter protection)
SOAP / XML:
– Reverse proxy
– HTTP request inspection
– SSL/TLS termination
– Black list / white list
– WSDL validation
– Signature & verification
– Encryption & decryption
– SAML
REST:
– Reverse proxy
– HTTP request inspection
– SSL/TLS termination
– Black list / white list
Message integrity and confidentiality
SOAP / XML:
– XML Signature
– XML Encryption
REST:
– (e.g. HMAC, Doseta)
– JSON Signature
– **
** No encryption, to my knowledge
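The REST column's HMAC option, as an added example that is not from the original slides: the client signs the method, path, timestamp and a hash of the body with a shared API secret, and the server recomputes the HMAC with a constant-time compare and a freshness window (the "expiration measure" from the code-security slide). The key store, the header names and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed key store: API key id -> shared secret (hypothetical values).
API_KEYS = {"acme-client-01": b"constructed-shared-secret-change-me"}
MAX_SKEW = 300  # seconds; older or future-dated requests are rejected (expiration measure)


def canonical_string(method, path, timestamp, body):
    """Bind method, resource, time and a hash of the body into one string to sign,
    so changing any of them (e.g. the JSON payload) invalidates the signature."""
    return "\n".join([method.upper(), path, str(timestamp), hashlib.sha256(body).hexdigest()])


def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: returns the headers to attach to the HTTP request."""
    timestamp = int(time.time() if timestamp is None else timestamp)
    msg = canonical_string(method, path, timestamp, body).encode()
    mac = hmac.new(API_KEYS[key_id], msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(method, path, body, headers, now=None):
    """Server side: True only if the request is fresh and its HMAC matches the key on file."""
    now = time.time() if now is None else now
    key = API_KEYS.get(headers.get("X-Key-Id", ""))
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False  # missing or malformed timestamp
    if key is None or abs(now - ts) > MAX_SKEW:
        return False  # unknown key, or a stale/replayed request outside the window
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison; both sides as bytes so a non-ASCII header cannot raise.
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())
```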
Code security
SOAP / XML and REST (same list for both):
- Data input validation
- Data output encoding
- Pseudorandom data generation, high entropy
- Strong / reliable data encryption algorithms
- Data leakage prevention
- Robust error & exception handling
- Anti-automation and expiration measures
OWASP Application Security Verification Standard (ASVS): https://www.owasp.org/index.php/ASVS
WASC web application weaknesses: http://projects.webappsec.org/w/page/13246978/Threat%20Classification
REST & OAuth
Conclusion
SOAP:
– Implement the security-related WS-* standards
– Put application-level filtering in place (WAF, XML GW)
– Complex to implement (PKI, secure coding, cryptography, etc.)
– Architecture with strong security constraints
REST:
– Put application-level filtering in place (WAF, XML GW)
– Fast and easy implementation; the current trend
– Cloud, intranet, social login, etc. architectures
Eagerly awaiting security standards for REST???
– Pragmatic: perimeter protection, encryption and secure coding???
To go further…
Questions?
Thank you!
Contact:
@smaret
http://www.maret-consulting.ch
Slides: http://slideshare.net/ASF-WS/