Security testing of orchestrated business processes in SOA

C. Hariharan, C. Babu
Published in: 2014 IEEE International Conference on Advanced Communications, Control and Computing Technologies
Publication date: 2014-05-08
DOI: 10.1109/ICACCCT.2014.7019337 (https://doi.org/10.1109/ICACCCT.2014.7019337)
Citations: 2

Abstract

Service Oriented Architecture (SOA) has been widely used during the past decade due to its ability to seamlessly integrate various applications developed using different technologies. Web services based on open standards are the most commonly used technology to realize an SOA. Business processes are executed by appropriate orchestration of various services from different departments that belong to a single organization or from multiple organizations. Security is an important quality attribute that has to be built into any application that is developed using SOA. XML is the underlying technology for the Web Service Description Language (WSDL), the SOAP protocol and the Business Process Execution Language (BPEL). It is highly probable that an attacker could inject malicious information into these XML files to modify the flow of the business process. Further, because SOAP was not designed with security in mind, it is possible to tamper with SOAP messages while they are in transit. There exist a number of such potential vulnerabilities, which lead to possible security breaches in the individual services. In an orchestrated business process, more vulnerabilities are possible. One existing tool, WS-Attacker, is only capable of testing the security of individual web services. In spite of the widespread usage of SOA, there is currently limited automatic tool support for testing the security provided by an entire SOA application involving service orchestration. In this context, this paper focuses on designing and implementing a plug-in for WS-Attacker to analyze a few security vulnerabilities present in SOA business processes.