Desenvolvimento do Modelo WSIVM para Aperfeiçoar a Segurança em SOA e Serviços Web
Resumo
O uso da arquitetura SOA baseado principalmente na utilização de serviços web tem obtido larga adoção, porém, devido às dificuldades encontradas quanto aos aspectos de segurança, este crescimento tem sido menor do que o esperado. O uso de serviços web herdou muitos problemas de segurança conhecidos em aplicações web e trouxe outros novos. Atualmente a maioria dos ataques são conseqüência da má validação de entradas de dados no nível das aplicações. Este trabalho propõe um modelo para validação de entradas de dados para serviços web que pode ser utilizado para impedir ataques como Cross-site Scripting e SQL injection através da especificação de modelos pré-definidos de entradas válidas. O modelo proposto denominado WSIVM (Web Services Input Validation Model) possui um XML Schema, uma especificação XML e um módulo que faz a validação das entradas de acordo com a especificação. Um estudo de caso demonstrando resultados de desempenho também é apresentado.
Referências
Apache. (2010) “Welcome to Apache Axis2/Java”. Disponível em: [link]
Bebawy, R. et al. (2005) “Nedgty: Web services firewall”, In: Proc. of the IEEE International Conference on Web Services - ICWS, Orlando, IEEE, p.597-601.
Belapurkar, A. et al. (2009), Distributed Systems Security Issues, Processes and Solutions, Hoboken, NJ: John Wiley e Sons.
Bertino, E. et al. (2009), Security for Web Services and Service-Oriented Architectures, Springer-Verlag New York Inc.
Blyth, A. (2009) “An Architecture for an XML Enabled Firewall. International Journal of Network Security”, v. 8, n. 1, p. 31-36, ISSN 1816-3548.
Cenzic. (2009) “Web Application Security Trends Report”. Disponível em: [link].
Cep. (2011) “CEPWebService”. Disponível em: [link]
Clarke, J. (2009), SQL Injection Attacks and Defense. Syngress Media Inc. Databreaches. (2009) “Top 10 Worst Data Losses or Breaches, updated”. Disponível em: [link].
Feiman, Joseph. (2010) “Security in the SOA World: Methodologies and Practices”, Enterprise Integration Summit, April 13-14, Sao Paulo, Brazil. Disponível em: [link]
Jensen, M.; Gruschka, N.; Herkenhöner, R. (2009). A survey of attacks on web services. Computer Science-Research and Development, v. 24, n. 4, p. 185-197.
Kieyzun, A. et al. (2009) “Automatic creation of SQL Injection and cross-site scripting attacks”, In: Proceedings of the 31st International Conference on Software Engineering (ICSE '09). IEEE Computer Society, Washington, DC, USA, 199-209.
Lakshminarayanan, Sitaraman. (2010) “Interoperable Security Standards for Web Services”, IT Professional, vol. 12, no. 5, pp. 42-47, Sep./Oct.
Lin, J.; Chen, J. (2009) “An Automated Mechanism for Secure Input Handling”, Journal of Computers, v. 4, n. 9, pp. 837-844, Academy Publisher.
Loh, Y.; Yau, W.; Wong, C.; Ho, W. (2006) “Design and Implementation of an XML Firewall”, In: Proceedings of the 2006 International Conference on Computational Intelligence and Security, vol. 2, pp.1147-1150, 3-6 Nov.
Microsoft. (2010) “Microsoft Anti-Cross Site Scripting Library V 4.0”. Disponível em: [link].
Nordbotten, N.A. (2009) “XML and Web Services Security Standards”, Communications Surveys & Tutorials, IEEE, vol.11, no.3, pp.4-21.
Owasp. (2010) “OWASP Top 10 Web Application Security Risks”. Disponível em: [link]
Owasp. (2011) “OWASP Code Review Guide. Codereview-Input Validation”. Disponível em: [link]
Saleem, M.Q.; Jaafar, J.; Hassan, M.F. (2010) “Model driven security frameworks for addressing security problems of Service Oriented Architecture”, In: Proc. of the 2010 Int. Symp. Information Technology (ITSim), vol.3, pp.1341-1346, 15-17 June.
Sans. (2009) “Os Maiores Riscos de Segurança Cibernética”. Disponível em: [link]
Scholte, T.; Balzarotti , D.; Kirda, E. (2011) “Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications”, In: Proc. of the Int. Conference on Financial Cryptography and Data Security '11, St. Lucia.
Shostack, A.; Stewart, A. (2008), The new school of information security. Boston: Addison-Wesley.
Sidharth, N.; Liu, J. (2007) “A Framework for Enhancing Web Services Security”, In: Proc. of the Computer Software and Applications Conference, 2007, COMPSAC 2007, 31st Annual International, vol.1, no., pp.23-30, 24-27 July.
Siorg. (2009) “Sistema de Informações Organizacionais do Governo Federal – SIORG – Descrição do Web Service SIORG versão 2.0”, Outubro. Disponível em: [link]
Soapui. (2010) “The Web Service, SOA and SOAP Testing Tool – soapUI”. Disponível em: [link]
Ssa. (2007) “WS-Security Wrapper”, Sosnoski Software Associates Ltd. Disponível em: [link]
Sun, L.; Li, Y. (2008) “XML and web services security”, In: Proceedings of the 12th International Conference on Computer Supported Cooperative Work in Design, CSCWD 2008, pp.765-770, 16-18 April.
Tsipenyuk, K.; Chess, B.; McGraw, G. (2005) “Seven pernicious kingdoms: a taxonomy of software security errors”, Security & Privacy, IEEE, v. 3, n. 6, p. 81-84.
Viega, J.; Epstein, J. (2006) “Why Applying Standards to Web Services Is Not Enough”, IEEE security & privacy, New York, NY, v. 4, n. 4, p. 25-31.
Bebawy, R. et al. (2005) “Nedgty: Web services firewall”, In: Proc. of the IEEE International Conference on Web Services - ICWS, Orlando, IEEE, p.597-601.
Belapurkar, A. et al. (2009), Distributed Systems Security Issues, Processes and Solutions, Hoboken, NJ: John Wiley e Sons.
Bertino, E. et al. (2009), Security for Web Services and Service-Oriented Architectures, Springer-Verlag New York Inc.
Blyth, A. (2009) “An Architecture for an XML Enabled Firewall. International Journal of Network Security”, v. 8, n. 1, p. 31-36, ISSN 1816-3548.
Cenzic. (2009) “Web Application Security Trends Report”. Disponível em: [link].
Cep. (2011) “CEPWebService”. Disponível em: [link]
Clarke, J. (2009), SQL Injection Attacks and Defense. Syngress Media Inc. Databreaches. (2009) “Top 10 Worst Data Losses or Breaches, updated”. Disponível em: [link].
Feiman, Joseph. (2010) “Security in the SOA World: Methodologies and Practices”, Enterprise Integration Summit, April 13-14, Sao Paulo, Brazil. Disponível em: [link]
Jensen, M.; Gruschka, N.; Herkenhöner, R. (2009). A survey of attacks on web services. Computer Science-Research and Development, v. 24, n. 4, p. 185-197.
Kieyzun, A. et al. (2009) “Automatic creation of SQL Injection and cross-site scripting attacks”, In: Proceedings of the 31st International Conference on Software Engineering (ICSE '09). IEEE Computer Society, Washington, DC, USA, 199-209.
Lakshminarayanan, Sitaraman. (2010) “Interoperable Security Standards for Web Services”, IT Professional, vol. 12, no. 5, pp. 42-47, Sep./Oct.
Lin, J.; Chen, J. (2009) “An Automated Mechanism for Secure Input Handling”, Journal of Computers, v. 4, n. 9, pp. 837-844, Academy Publisher.
Loh, Y.; Yau, W.; Wong, C.; Ho, W. (2006) “Design and Implementation of an XML Firewall”, In: Proceedings of the 2006 International Conference on Computational Intelligence and Security, vol. 2, pp.1147-1150, 3-6 Nov.
Microsoft. (2010) “Microsoft Anti-Cross Site Scripting Library V 4.0”. Disponível em: [link].
Nordbotten, N.A. (2009) “XML and Web Services Security Standards”, Communications Surveys & Tutorials, IEEE, vol.11, no.3, pp.4-21.
Owasp. (2010) “OWASP Top 10 Web Application Security Risks”. Disponível em: [link]
Owasp. (2011) “OWASP Code Review Guide. Codereview-Input Validation”. Disponível em: [link]
Saleem, M.Q.; Jaafar, J.; Hassan, M.F. (2010) “Model driven security frameworks for addressing security problems of Service Oriented Architecture”, In: Proc. of the 2010 Int. Symp. Information Technology (ITSim), vol.3, pp.1341-1346, 15-17 June.
Sans. (2009) “Os Maiores Riscos de Segurança Cibernética”. Disponível em: [link]
Scholte, T.; Balzarotti , D.; Kirda, E. (2011) “Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications”, In: Proc. of the Int. Conference on Financial Cryptography and Data Security '11, St. Lucia.
Shostack, A.; Stewart, A. (2008), The new school of information security. Boston: Addison-Wesley.
Sidharth, N.; Liu, J. (2007) “A Framework for Enhancing Web Services Security”, In: Proc. of the Computer Software and Applications Conference, 2007, COMPSAC 2007, 31st Annual International, vol.1, no., pp.23-30, 24-27 July.
Siorg. (2009) “Sistema de Informações Organizacionais do Governo Federal – SIORG – Descrição do Web Service SIORG versão 2.0”, Outubro. Disponível em: [link]
Soapui. (2010) “The Web Service, SOA and SOAP Testing Tool – soapUI”. Disponível em: [link]
Ssa. (2007) “WS-Security Wrapper”, Sosnoski Software Associates Ltd. Disponível em: [link]
Sun, L.; Li, Y. (2008) “XML and web services security”, In: Proceedings of the 12th International Conference on Computer Supported Cooperative Work in Design, CSCWD 2008, pp.765-770, 16-18 April.
Tsipenyuk, K.; Chess, B.; McGraw, G. (2005) “Seven pernicious kingdoms: a taxonomy of software security errors”, Security & Privacy, IEEE, v. 3, n. 6, p. 81-84.
Viega, J.; Epstein, J. (2006) “Why Applying Standards to Web Services Is Not Enough”, IEEE security & privacy, New York, NY, v. 4, n. 4, p. 25-31.
Publicado
19/07/2011
Como Citar
BRINHOSA, Rafael Bosse; WESTPHALL, Carla Merkle; WESTPHALL, Carlos Becker.
Desenvolvimento do Modelo WSIVM para Aperfeiçoar a Segurança em SOA e Serviços Web. In: SEMINÁRIO INTEGRADO DE SOFTWARE E HARDWARE (SEMISH), 38. , 2011, Natal/RN.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2011
.
p. 1307-1321.
ISSN 2595-6205.
