OWASP Web Services Project How OWASP can become the leading destination for “Web Service Application Security” OWASP AppSec DC October 2005 Alex Smolen OWASP So Cal Chapter Copyright ©
OWASP Web Services Project
How OWASP can become the leading destination
for “Web Service Application Security”
OWASP
AppSec
DC
October 2005
Alex Smolen
OWASP So Cal Chapter
Copyright © 2005 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org/
What are web services?
Web applications vs. web services
Examples of web services
Why web services?
OWASP AppSec DC 2005
Web Service Security
Transport Layer
SSL
Message Layer
WS-Security
XML Encryption, XML Signature, SAML,…
WS-*
Application Layer
OWASP Top Ten +
Additional Application Threats to Web Services
Parser Attacks
XML Bombs
External Entities
Backend Attacks
XPath, XQuery
XML Injection
Logical Attacks
Web Service Security Resources
OASIS
Microsoft, IBM, Sun, etc…
Books, blogs, articles
Why OWASP?
Current Projects
WebGoat 3.7
OWASP Guide
OWASP Testing Guide
Additional Ideas
WebScarab
Web service security landing page
FAQ
Tools for web service developers (?)
How You Can Help
Learn about Web Service Security
Join OWASP Web Services Mailing List
Work on OWASP Web Services Project Charter
Contribute to OWASP Web Services Projects
Contact me ([email protected], [email protected])