Book information
· Category: Foreign books > Computers > Security > General
· ISBN: 9781466584020
· Pages: 341
· Publication date: 2014-04-24
Table of contents
Introduction
Four Kinds of Architectures
Architecture
Infrastructure
Software Architectures
2.3.1 Key Principles
2.3.2 Presentation Layer
2.3.3 Business Layer
2.3.4 Data Layer
2.3.5 Workflow
2.3.6 Communications and Messaging
2.3.7 Service Layer
Service-Oriented Architecture
2.4.1 Distributed Computing and Services
2.4.2 Process-Oriented SOA
2.4.3 Web Services or an Externally Focused SOA
2.4.4 Enterprise Service Bus
Security Architecture
2.5.1 Construction of a Security Architecture
2.5.2 Risk Management
2.5.3 Organization and Management
2.5.4 Third Parties
2.5.5 Asset Management
2.5.6 Information Classification
2.5.7 Identity Management
2.5.8 Security Awareness and Training
2.5.9 Physical Security
2.5.10 Communications and Operations Management
2.5.11 Perimeters and Partitioning
2.5.12 Access Control
2.5.13 Authentication
2.5.14 Authorization
2.5.15 Separation of Duties
2.5.16 Principles of Least Privilege and Least Authority
2.5.17 Systems Acquisition, Development, and Maintenance
2.5.18 Confidentiality Models
2.5.18.1 Lattice Models
2.5.19 Nonrepudiation
2.5.20 Integrity Models
2.5.21 Service Clark-Wilson Integrity Model
2.5.22 Security Assessments and Audits
2.5.23 Incident Management
2.5.24 Business Continuity
2.5.25 Compliance
Data Architectures
Implementing and Securing SOA
Web Services
Extensible Markup Language
3.2.1 Signing XML
3.2.1.1 XML Digital Signature
3.2.2 XML Encryption
3.2.3 Key Management
3.2.3.1 Key Information
3.2.3.2 Location
3.2.3.3 Validation
3.2.3.4 Binding
3.2.3.5 Key Registration
3.2.4 XML and Databases
3.2.4.1 A Database Query Language for XML
3.2.4.2 XML Databases
3.2.5 UDDI
3.2.6 WSDL
SOAP
3.3.1 SOAP Roles and Nodes
3.3.2 SOAP Header Blocks
3.3.3 SOAP Fault
3.3.4 SOAP Data Model
3.3.5 SOAP Encoding
3.3.6 Bindings
3.3.7 Documents and RPC
3.3.8 Messaging
WS-Security
3.4.1 WS-Trust
3.4.2 WS-Policy
3.4.3 WS-SecureConversation
3.4.4 WS-Privacy and the P3P Framework
3.4.4.1 Policies
3.4.5 WS-Federation
3.4.5.1 Pseudonyms
3.4.5.2 Authorization
3.4.6 Authorization without WS-Federation
3.4.7 WS-Addressing
3.4.8 WS-ReliableMessaging
3.4.9 WS-Coordination
3.4.10 WS-Transaction
SAML
3.5.1 Assertions
3.5.2 Protocol
3.5.2.1 Assertion Query and Request Protocol
3.5.2.2 Authentication Request Protocol
3.5.2.3 Artifact Resolution Protocol
3.5.2.4 Name Identifier Management Protocol
3.5.2.5 Single-Logout Protocol
3.5.2.6 Name Identifier Mapping Protocol
3.5.3 Authentication Context
3.5.4 Bindings
3.5.5 Profiles
3.5.6 Metadata
3.5.7 Versions
3.5.8 Security and Privacy Considerations
Kerberos
x509v3 Certificates
OpenID
Web 2.0
HTTP
REST
WebSockets
Other SOA Platforms
DCOM
CORBA
DDS
WCF
.Net Passport, Windows LiveID
WS-BPEL
Auditing Service-Oriented Architectures
Penetration Testing
6.1.1 Reconnaissance
6.1.2 Injection Attacks
6.1.3 Attacking Authentication
6.1.4 Attacking Authorization
6.1.5 Denial-of-Service Attacks
6.1.6 Data Integrity
6.1.7 Malicious Use of Service or Logic Attacks
6.1.8 Poisoning XML Schemas
Defending and Detecting Attacks
SSL/TLS
Firewalls, IDS, and IPS
Architecture
Example 1
Example 2
Example 3
Example 4
Bibliography
Index