Visible to the public Static analysis for web service security - Tools amp; techniques for a secure development life cycle

TitleStatic analysis for web service security - Tools amp; techniques for a secure development life cycle
Publication TypeConference Paper
Year of Publication2015
AuthorsMasood, A., Java, J.
Conference Name2015 IEEE International Symposium on Technologies for Homeland Security (HST)
Date Publishedapr
KeywordsComputer crime, critical national infrastructure, cryptography, dynamic analysis, enterprise software ecosystem, Heartbleed, information exchange, mission critical API, mobile applications, Open Web Application Security Project, Penetration Testing, program diagnostics, program verification, public deployments, public sector infrastrucure development life cycle, Secure Software Development, security challenges, Security Code Review, service development paradigm, service oriented architecture, service-oriented architecture, services security, Shellshock, Simple object access protocol, SOA, SOAP, software bugs, software verification, Source code analysis, Static Analysis Tool, static code analysis, strategic components, ubiquitous IoT, vulnerabilities detection, vulnerability identification, Web Application Security, Web applications, Web service security, web services, Web services guidelines, Web Services Security, WS-SecureConversation, WS-security, XML, XML encryption, XML signature

In this ubiquitous IoT (Internet of Things) era, web services have become a vital part of today's critical national and public sector infrastructure. With the industry wide adaptation of service-oriented architecture (SOA), web services have become an integral component of enterprise software eco-system, resulting in new security challenges. Web services are strategic components used by wide variety of organizations for information exchange on the internet scale. The public deployments of mission critical APIs opens up possibility of software bugs to be maliciously exploited. Therefore, vulnerability identification in web services through static as well as dynamic analysis is a thriving and interesting area of research in academia, national security and industry. Using OWASP (Open Web Application Security Project) web services guidelines, this paper discusses the challenges of existing standards, and reviews new techniques and tools to improve services security by detecting vulnerabilities. Recent vulnerabilities like Shellshock and Heartbleed has shifted the focus of risk assessment to the application layer, which for majority of organization means public facing web services and web/mobile applications. RESTFul services have now become the new service development paradigm normal; therefore SOAP centric standards such as XML Encryption, XML Signature, WS-Security, and WS-SecureConversation are nearly not as relevant. In this paper we provide an overview of the OWASP top 10 vulnerabilities for web services, and discuss the potential static code analysis techniques to discover these vulnerabilities. The paper reviews the security issues targeting web services, software/program verification and security development lifecycle.

Citation Keymasood_static_2015