Post on 27-Jun-2015
SOA Testing: An Approach to Test the Security Aspects of SOA based Application
Presenters: Jaipal & Uday. Date: 4-Nov-09
SOA and its Industry acceptance
Testing Security Aspects of SOA Based Application
SOA and Enterprise Architecture have a common goal of aligning business and IT objectives.
SOA is becoming the most sought-after solution for any new Enterprise Architecture design, and its steady growth in acceptance is re-affirmed by Gartner’s Hype Cycle.
Challenges in Securing SOA environment
Security Infrastructure in SOA implementation
[Diagram] Client Application → Web Server → Web Service 1 / Web Service 2 / Web Service 3, each governed by its own Security Specification; security is applied as Message Layer Security and Transport Layer Security, with an External Security Token Service issuing tokens.
• Security specifications used:
  WS-Security
  WS-SecureConversation
  WS-Trust
  WS-Federation
  WS-SecurityPolicy
WS-Security Standards and Open Source tools
Standards the web services adhere to: SAML, WS-Security, XML-Encryption, XML-Signature, WS-SecureConversation, WS-Trust, WS-SecurityPolicy and WS-Federation
Open source tools: SOAP UI, Push To Test, Web-Inject, WS-I Tools
Web Services Security standards usage in a Scenario
Proposed Solution
Solution Phase 1 – Test Assertion Document
[Flow diagram] Identify Security Specifications (SAML, WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy) → Test Assertion Document Table (optional) → Test Assertion XML Document
Test Assertion Document Table columns: Element/Attribute Name | Description | Required/Optional/Recommended
Solution Phase 2 – Capture SOAP Messages
• Services communicate using the SOAP protocol
• The SOAP message carries the security information (in its header)
• Develop a SOAP monitor tool to capture the request and response of each service
Example exchange:
1) A request is initiated for a web service
2) The services establish security tokens carrying the security context information
3) Data is exchanged after the security token is verified
Solution Phase 3 – Test Result Report
[Diagram] Test Request & Response XML + TAD/XML → comparison → Test Result Report
• Develop code to compare XML documents (for example with the DOM or SAX parsers in Java)
• Compare the SOAP header with the TAD using that XML comparison code
• Generate the Test Result Report containing the status and descriptions

Test Result Report format:
Comparison Status | Report entry
True  | Pass - provide the description given in the <assertionDescription> element of the TAD
False | Fail - provide the descriptions given in the <failureMessage> and <failureDetailDescription> elements of the TAD
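Phases 1 to 3 above, carried through as an added example written for this page (not the presenters' tool): a constructed Test Assertion Document for the WS-Security header, a constructed captured request standing in for the SOAP monitor's output, and a comparison that emits the Pass/Fail report from the <assertionDescription>, <failureMessage> and <failureDetailDescription> elements. The TAD attributes (id, path, expect, level), the Warn status for Recommended-level assertions, the sample messages and the hypothetical getAccount service are assumptions; the namespace URIs are the real SOAP 1.1, WS-Security 1.0 and XML-Signature ones. Python's standard-library ElementTree stands in for the Java DOM/SAX code the slide mentions.

```python
"""Phases 1-3 of the deck as one script: load a Test Assertion Document (TAD),
compare a captured SOAP request's header with it, emit the Test Result Report.
Added example for this page, not the presenters' tool. TAD attributes beyond the
three description elements named on the slide are assumptions."""
import xml.etree.ElementTree as ET

# Real namespace URIs: SOAP 1.1, WS-Security 1.0 (secext/utility), XML-Signature.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Real UsernameToken profile URI; "#PasswordText" / "#PasswordDigest" hang off it.
WSS_UT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

# Constructed TAD (assumed schema): 'path' is an ElementTree path using the prefixes
# above, 'expect' says whether the element must be present or absent, and 'level'
# is the slide's Required/Optional/Recommended column.
TAD_XML = f"""<testAssertionDocument spec="WS-Security">
  <assertion id="WSS-01" path="soap:Header/wsse:Security" expect="present" level="Required">
    <assertionDescription>wsse:Security header is present</assertionDescription>
    <failureMessage>No wsse:Security header</failureMessage>
    <failureDetailDescription>Request carries no security tokens at all</failureDetailDescription>
  </assertion>
  <assertion id="WSS-02" path="soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" expect="present" level="Required">
    <assertionDescription>wsu:Timestamp with wsu:Expires is present</assertionDescription>
    <failureMessage>No wsu:Timestamp/wsu:Expires</failureMessage>
    <failureDetailDescription>Without an expiry the captured message can be replayed indefinitely</failureDetailDescription>
  </assertion>
  <assertion id="WSS-03" path=".//wsse:Password[@Type='{WSS_UT}#PasswordText']" expect="absent" level="Required">
    <assertionDescription>UsernameToken does not carry a clear-text password</assertionDescription>
    <failureMessage>Password sent as PasswordText</failureMessage>
    <failureDetailDescription>Every intermediary on the path sees the password; use PasswordDigest</failureDetailDescription>
  </assertion>
  <assertion id="WSS-04" path="soap:Header/wsse:Security/ds:Signature" expect="present" level="Recommended">
    <assertionDescription>Message is signed</assertionDescription>
    <failureMessage>No ds:Signature in wsse:Security</failureMessage>
    <failureDetailDescription>Message integrity then rests on transport security alone</failureDetailDescription>
  </assertion>
</testAssertionDocument>"""


def captured_request(password_type: str, expires: bool, signature: bool) -> str:
    """Constructed stand-in for a request captured by the SOAP monitor (Phase 2)."""
    exp = "<wsu:Expires>2009-11-04T10:05:00Z</wsu:Expires>" if expires else ""
    sig = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>" if signature else ""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp><wsu:Created>2009-11-04T10:00:00Z</wsu:Created>{exp}</wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
      <wsse:Password Type="{WSS_UT}#{password_type}">c2VjcmV0</wsse:Password></wsse:UsernameToken>
    {sig}
  </wsse:Security></soap:Header>
  <soap:Body><getAccount xmlns="urn:example:bank"><id>42</id></getAccount></soap:Body>
</soap:Envelope>"""


def load_tad(tad_xml: str) -> list:
    """Phase 1: read the assertions out of the Test Assertion XML Document."""
    return [
        {"id": a.get("id"), "path": a.get("path"), "expect": a.get("expect"),
         "level": a.get("level"),
         "pass_text": a.findtext("assertionDescription"),
         "fail_text": a.findtext("failureMessage"),
         "fail_detail": a.findtext("failureDetailDescription")}
        for a in ET.fromstring(tad_xml).findall("assertion")
    ]


def evaluate(tad: list, soap_xml: str) -> list:
    """Phase 3: compare the SOAP header with the TAD; return (id, status, description) rows."""
    envelope = ET.fromstring(soap_xml)
    report = []
    for a in tad:
        found = envelope.find(a["path"], NS) is not None
        if found == (a["expect"] == "present"):
            report.append((a["id"], "Pass", a["pass_text"]))
        else:
            # Required -> Fail as on the slide; 'Warn' for lower levels is an assumption.
            status = "Fail" if a["level"] == "Required" else "Warn"
            report.append((a["id"], status, f"{a['fail_text']}: {a['fail_detail']}"))
    return report


if __name__ == "__main__":
    tad = load_tad(TAD_XML)
    for name, msg in [("good", captured_request("PasswordDigest", True, True)),
                      ("weak", captured_request("PasswordText", False, False))]:
        print(f"== {name} request ==")
        for aid, status, desc in evaluate(tad, msg):
            print(f"{aid} {status:4} {desc}")
```

Presence checks are the simplest assertion type and are all the slide describes; a real TAD would also carry value assertions (for example that wsu:Expires lies within a bounded window of wsu:Created, or that ds:Signature references the Body and the Timestamp), which fit the same loop by adding a check on the element found rather than only on its existence.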
Conclusion
Reusable and audit-ready artifacts are created which remain in use throughout the testing lifecycle, thus enabling a better understanding of the system's limitations
Maximized ROI: a streamlined testing approach brought in by very few changes in the testing lifecycle
Increased agility: customizable at any stage and applicable in any complicated enterprise application architecture
Reduced IT investment: a vendor-independent procedure implementable with very little training imparted to the existing team
Thank you