Security-aware selection of Web Services for Reliable Composition

Dependability is an important characteristic that a trustworthy computer system should have. It is a measure of availability, reliability, maintainability, safety and security. The focus of our research is on the security of web services. Web services enable the composition of independent services with complementary functionalities into value-added services, which allows an organization to implement only its core business and to outsource the other service components over the Internet, either pre-selected or on-the-fly. The selected third-party web services may have security vulnerabilities, and vulnerable web services are of limited practical use. We propose to use an intrusion-tolerant composite web service for each functionality that is to be fulfilled by a third-party web service. The third-party services employed in this approach should be selected based on their security vulnerabilities in addition to their performance. The security vulnerabilities of the third-party services are assessed using a penetration testing tool. In this paper we present our preliminary research work.
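As an added illustration (not the paper's implementation, which the abstract does not describe), the following Python sketches how such a selection might combine penetration-test findings with measured performance, and how the selected replicas then form a majority-voting intrusion-tolerant composite. The severity weights, the exclusion rule for high-severity findings, the 0.7 security weight, the 2f+1 replica count, and the sample providers, latencies, scan results and responses are all assumptions made here, not values from the paper.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed weights for findings by severity, as a penetration-testing tool
# might report them; the paper gives no scoring scheme, so these are illustrative.
SEVERITY_WEIGHT: Dict[str, float] = {"high": 10.0, "medium": 3.0, "low": 1.0}


@dataclass(frozen=True)
class Candidate:
    """A third-party service offering one required functionality."""
    name: str
    latency_ms: float             # measured performance (lower is better)
    findings: Dict[str, int]      # severity -> number of findings from the scan


def vulnerability_score(c: Candidate) -> float:
    """Weighted sum of scan findings; 0.0 means the scan reported nothing."""
    return sum(SEVERITY_WEIGHT.get(sev, 0.0) * n for sev, n in c.findings.items())


def replicas_needed(faults_tolerated: int) -> int:
    """Majority voting needs 2f+1 replicas to outvote f faulty or compromised ones."""
    return 2 * faults_tolerated + 1


def select_replicas(candidates: List[Candidate], k: int,
                    security_weight: float = 0.7) -> List[Candidate]:
    """Pick the k candidates with the best combined security/performance score.

    Candidates with any high-severity finding are excluded outright; the rest
    are ranked on a weighted mix of normalised vulnerability score and latency.
    """
    eligible = [c for c in candidates if c.findings.get("high", 0) == 0]
    if len(eligible) < k:
        raise ValueError(f"only {len(eligible)} acceptable candidates, need {k}")
    max_vuln = max(vulnerability_score(c) for c in eligible) or 1.0
    max_lat = max(c.latency_ms for c in eligible) or 1.0

    def combined(c: Candidate) -> float:
        return (security_weight * vulnerability_score(c) / max_vuln
                + (1.0 - security_weight) * c.latency_ms / max_lat)

    # Sort on (score, name) so equal scores rank deterministically.
    return sorted(eligible, key=lambda c: (combined(c), c.name))[:k]


def majority_vote(responses: List[str]) -> Optional[str]:
    """Return the response a strict majority of replicas agree on, else None."""
    if not responses:
        return None
    answer, votes = Counter(responses).most_common(1)[0]
    return answer if votes > len(responses) // 2 else None


def invoke_composite(replicas: List[Candidate],
                     call: Callable[[str], str]) -> Optional[str]:
    """Query every replica and return the majority answer; a single replica
    returning a wrong or tampered result is outvoted by the others."""
    return majority_vote([call(r.name) for r in replicas])


# Constructed sample data: five hypothetical geocoding providers with invented
# latencies and invented scan results.
SAMPLE_CANDIDATES = [
    Candidate("geo-a", 120.0, {"low": 1}),
    Candidate("geo-b", 80.0, {"high": 1, "medium": 2}),   # fastest, but rejected
    Candidate("geo-c", 200.0, {}),
    Candidate("geo-d", 150.0, {"medium": 1}),
    Candidate("geo-e", 90.0, {"low": 3}),
]

# Constructed responses; geo-e is imagined to return a wrong answer.
SAMPLE_RESPONSES = {"geo-a": "48.85,2.35", "geo-c": "48.85,2.35",
                    "geo-e": "0.00,0.00"}


if __name__ == "__main__":
    chosen = select_replicas(SAMPLE_CANDIDATES, replicas_needed(1))
    print("selected:", [c.name for c in chosen])
    print("composite answer:",
          invoke_composite(chosen, SAMPLE_RESPONSES.__getitem__))
```

With the sample data the fastest provider is rejected because of its high-severity finding, the three remaining best-scored providers are selected, and the one wrong response is outvoted. The normalisation makes the weighting relative to the eligible pool, so the 0.7/0.3 split is only meaningful for comparing candidates against each other, not as an absolute threshold.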
