Cyber security for service oriented architectures in a Web 2.0 world: An overview of SOA vulnerabilities in financial services

Service oriented architecture is fast becoming ubiquitous enterprise software architecture standard in public and private sector alike. Study of literature and current attacks suggests that with the proliferation of Web API and RESTFul services, the attack vectors prioritized by OWASP top 10, includ...

Full description

Saved in:
Bibliographic Details
Published in2013 IEEE International Conference on Technologies for Homeland Security (HST) pp. 1 - 6
Main Author Masood, Adnan
Format Conference Proceeding
LanguageEnglish
Published IEEE 01.11.2013
Subjects
Availability
Computer crime
cyber security
Data security
Information security
Information systems
secure design
secure software development
security assessment
security awareness
Service oriented architecture
Simple object access protocol
SOA
Vectors
Web services
XML
Online AccessGet full text

Cover

More Information
Summary:Service oriented architecture is fast becoming ubiquitous enterprise software architecture standard in public and private sector alike. Study of literature and current attacks suggests that with the proliferation of Web API and RESTFul services, the attack vectors prioritized by OWASP top 10, including but not limited to cross site scripting (XSS), cross site request forgery (CSRF), injection, direct object reference, broken authentication and session management now equally apply to web services. In addition service oriented architecture relies heavily on XML/RESTFul web services which are vulnerable to XML Signature Wrapping Attack, Oversize Payload, Coercive parsing, SOAP Action Spoofing, XML Injection, WSDL Scanning, Metadata Spoofing, Oversized Cryptography, BPEL State Deviation, Instantiation Flooding, Indirect Flooding, WS-Addressing spoofing and Middleware Hijacking to name a few. In this paper, we review various such security issues pertaining to service oriented architecture. These and similar techniques, have been employed by Anonymous and other hacktivists, resulting in denial of service attacks on financial applications. While discussing the national security perils of hacktivism, there is an excessive focus on network layer security, and the application layer perspective is not always part of the discussion. In this research, we provide background information and rationale for securing application layer vulnerabilities to facilitate true defense in depth approach for cyber security.
DOI:10.1109/THS.2013.6698966