CISUC

SOA-Scanner: An Integrated Tool to Detect Vulnerabilities in Service-Based Infrastructures

Authors

Abstract

Service Oriented Architectures are nowadays used in a wide range of organizations to support critical daily operations. Although the underlying services should behave in a secure manner, they are often deployed with bugs that can be maliciously exploited. The characteristics of service-based environments open the door to security challenges that must be handled properly, including services under the control of multiple providers and the dynamism of interactions and compositions. This paper presents an extensible tool able to widely test such infrastructures for vulnerabilities. The tool is based on an iterative process that uses interface monitoring to automatically observe and discover the existing services, resources and interactions, and applies different testing approaches depending on the level of access to each existing service. Two case studies have been developed to demonstrate the tool, and the results show that it can effectively be used in different service-based scenarios, under different access conditions to the target services.

Keywords

SOA; web-services; vulnerability detection; security; security testing

Subject

Web services security

Conference

10th IEEE International Conference on Services Computing (SCC 2013), June 2013
Cited by

Year 2015 : 2 citations

J. Thome, L. K. Shar, and L. Briand, “Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities,” in 26th IEEE International Symposium on Software Reliability Engineering (ISSRE), Washington, D.C., 2015.

M.-A. Laverdiere, B. J. Berger, and E. Merlo, “Taint analysis of manual service compositions using Cross-Application Call Graphs,” in 2015 IEEE 22nd International Conference on Software Analysis, Evolution and Reengineering (SANER), 2015, pp. 585–589.