Static analysis for web service security - Tools & techniques for a secure development life cycle

In the ubiquitous IoT (Internet of Things) era, web services have become a vital part of today's critical national and public-sector infrastructure. With the industry-wide adoption of service-oriented architecture (SOA), web services have become an integral component of the enterprise software ecosystem, bringing new security challenges with them. Web services are strategic components used by a wide variety of organizations for information exchange at Internet scale, and the public deployment of mission-critical APIs opens up the possibility that software bugs will be maliciously exploited. Vulnerability identification in web services through static as well as dynamic analysis is therefore a thriving area of research in academia, national security and industry. Using the OWASP (Open Web Application Security Project) web services guidelines, this paper discusses the challenges of existing standards and reviews new techniques and tools that improve service security by detecting vulnerabilities. Recent vulnerabilities such as Shellshock and Heartbleed have shifted the focus of risk assessment to the application layer, which for the majority of organizations means public-facing web services and web/mobile applications. RESTful services have become the new normal for service development; SOAP-centric standards such as XML Encryption, XML Signature, WS-Security and WS-SecureConversation are therefore far less relevant than they once were. In this paper we provide an overview of the OWASP Top 10 vulnerabilities for web services and discuss static code analysis techniques that can discover them. The paper reviews the security issues targeting web services, software/program verification and the security development lifecycle.
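As an added illustration of the kind of static code analysis the abstract refers to (this is example code written for this page, not code or a tool from the paper), the following Python sketch uses the standard library `ast` module to perform a small intraprocedural taint analysis for the OWASP injection category. It assumes a Flask-style service, where data read from `request.args`, `request.form`, `request.values` or `request.json` is a tainted source, string concatenation, `%` formatting, `.format()` and f-strings propagate taint, and a tainted first argument to `execute()` or `executemany()` is reported as a finding. The service snippet it scans is constructed for the example and contains two injectable handlers and one parameterized handler.

```python
import ast

# Constructed sample service (not from the paper): two handlers build SQL from
# request data and one uses a parameterized query.
SAMPLE_SERVICE = '''
from flask import request
import sqlite3

def lookup_user_unsafe(db):
    name = request.args.get("name")
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_user_fmt(db):
    uid = request.args["id"]
    return db.execute("SELECT * FROM users WHERE id = %s" % uid).fetchall()

def lookup_user_safe(db):
    name = request.args.get("name")
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

# Assumed Flask request attributes that carry attacker-controlled input.
TAINT_SOURCES = {"request.args", "request.form", "request.values", "request.json"}
# DB-API sink methods whose first argument is an SQL string.
SINKS = {"execute", "executemany"}


def _dotted(node):
    """Render a Name/Attribute chain such as request.args as 'request.args'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintVisitor(ast.NodeVisitor):
    """Per-function taint tracking: names assigned from request data become
    tainted, string building propagates taint, and a tainted SQL argument
    reaching a sink is recorded as (line number, description)."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Subscript):            # request.args["id"]
            return self.is_tainted(node.value)
        if isinstance(node, ast.Attribute):            # request.args
            return _dotted(node) in TAINT_SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Attribute) and f.attr == "get":     # request.args.get("x")
                return self.is_tainted(f.value)
            if isinstance(f, ast.Attribute) and f.attr == "format":  # "...{}".format(x)
                return any(self.is_tainted(a) for a in node.args)
            return False
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):            # f"... {x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()  # analysis is intraprocedural: reset per function
        self.generic_visit(node)

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr in SINKS and node.args:
            if self.is_tainted(node.args[0]):
                self.findings.append(
                    (node.lineno, f"request data flows into SQL passed to {f.attr}()"))
        self.generic_visit(node)


def find_sql_injection(source):
    """Return [(lineno, description), ...] for tainted SQL reaching a sink."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for lineno, msg in find_sql_injection(SAMPLE_SERVICE):
        print(f"line {lineno}: {msg}")
```

Running it reports the string-concatenation handler and the `%`-formatting handler and stays silent on the parameterized one, which is the distinction a static injection checker has to make. The analysis is deliberately shallow (no interprocedural flow, no sanitizer model, no aliasing through containers), so it will miss a tainted value returned from a helper function and will flag concatenation even when every piece is a validated integer; real tools extend exactly these two points.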
