Service Oriented Architectures are nowadays used in a wide range of organizations to support critical daily operations. Although the underlying services should behave in a secure manner, they are often deployed with bugs that can be maliciously exploited. The characteristics of service-based environments open the door to security challenges that must be handled properly, including services under the control of multiple providers and the dynamism of interactions and compositions. This paper presents an extensible tool able to widely test such infrastructures for vulnerabilities. The tool is based on an iterative process that uses interface monitoring to automatically observe and discover the existing services, resources and interactions, and applies different testing approaches depending on the level of access to each existing service. Two case studies have been developed to demonstrate the tool, and results show that the tool can effectively be used in different service-based scenarios, under different access conditions to the target services.
Keywords
SOA; web-services; vulnerability detection; security; security testing; soa
Subject
Web services security
Conference
10th IEEE International Conference on Services Computing (SCC 2013), June 2013
Cited by
2015: 2 citations
J. Thome, L. K. Shar, and L. Briand, “Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities,” in 26th IEEE International Symposium on Software Reliability Engineering, Washington, D.C., 2015.
M.-A. Laverdiere, B. J. Berger, and E. Merloz, “Taint analysis of manual service compositions using Cross-Application Call Graphs,” in 2015 IEEE 22nd International Conference on Software Analysis, Evolution and Reengineering (SANER), 2015, pp. 585–589.