CISUC

Evaluating Web Services Security

Authors

Abstract

Although web services are becoming business-critical components, they are often deployed with critical software bugs, causing security vulnerabilities that can be maliciously exploited. Develop time constraints and developers not specialized in security often lead to security cautions being disregarded, giving utmost importance to t the use of automated security testing tools to detect existing security vulnerabilities. However, automated security testing tools often do not deserve the confidence that developing teams put on them. In fact, previous research shows that many vulnerabilities remain undetected even when using well-known and widely used vulnerability detection tools.
The present work has two main contributions: the evaluation of existing tools and the proposal of new approaches for the detection of vulnerabilities. First we evaluate existing tools to assess their effectiveness in the detection of vulnerabilities in web services environments. Results show that many web services are deployed with security vulnerabilities (being SQL Injection the most common type of vulnerability in this context) and that security test tools present an unsatisfactory effectiveness in web services environment (low coverage and high number of false positives). This way, we propose two new techniques for detection of security vulnerabilities in web services. The first is based on penetration testing and target SQL Injection vulnerabilities. The second is a gray-box approach for the detection of SQL Injection and XPath Injection vulnerabilities.
The experimental evaluation shown that the penetration testing tool achieved higher effectiveness than the web security scanners on detecting SQL Injection vulnerabilities, showing that is possible to develop a vulnerability scanner for web services that performs much better than the commercial ones currently available. In relation to the proposed gray-box approach, experimental evaluation has shown that it performs much better than known tools (including commercial ones), achieving extremely high detection coverage while maintaining the false positives rate very low.

Keywords

Web Services, Security, Service Oriented Architecture, Software testing, SQL Injection, XPath Injection, Software vulnerabilities, Vulnerability detection, Dependability, black-box testing, gray-box testing.

Subject

Web Services Security

MSc Thesis

Evaluating Web Services Security, July 2009

Cited by

No citations found