Security Testing of SOA Systems
Computer Science Department
Florida Institute of Technology
Service-Oriented Architecture (SOA) is a paradigm that organizes and uses distributed computing capabilities to bring together a technical solution to a business problem. However, despite the large and increasing dependency on SOA by the enterprise, testing SOA systems is still a nascent and immature field. In particular, testing those systems from a security perspective is an essential yet underserved activity.
SOA has its own specific characteristics and attributes that raise unique challenges to SOA testing and make some of the techniques used in testing SOA applications different from traditional software testing techniques.
SOA is often implemented using Web services, which have two main flavors: traditional SOAP services, and the newer lightweight ReSTful services. In either case, they inherit many characteristics from common traditional Web applications, and are susceptible to similar security vulnerabilities. In fact, many of the known Web system vulnerabilities and attacks are also applicable to SOA; for example, SQL injection, buffer overflow vulnerabilities, and session hijacking. As a result, many of the techniques used to test Web security can also be used in Web services testing.
Security testing can be done by simulating what a hacker might do to breach the system's security. This may be done by using a list of well-known attacks, or quick tests, that try to reveal a potential instance of one of the well-known security vulnerabilities. This is usually followed up with a series of exploratory tests to find the best way to exploit the vulnerability with maximum impact. This kind of testing is usually referred to as penetration testing. Fuzzing, which generates tests randomly or semi-randomly, is another technique commonly used for security testing.
Some SOA testing tools are advertised as coming with a library of automated penetration attacks that can allegedly make security testing fast and easy. We will show that these pre-built automated security tests tend to be ineffective without an active human role in the design and evaluation of the tests. In fact, effective security testing has to be done in a (highly) exploratory style.