Abstract
In the modern era of enterprise computing, enterprise application integration (EAI) is a well-known, industry-recognized architectural principle built on a loosely coupled application architecture, and service-oriented architecture (SOA) is the architectural pattern used to implement EAI; its computational elements are called "services." Although SOA can be implemented in a wide range of technologies, the web services implementation of SOA has become the preferred choice because of its simplicity and because it works over basic Internet protocols. Web service technology defines several supporting protocols and specifications, such as SOAP and WSDL, for client–server communication and data interchange. In recent years a new architectural paradigm for SOA has emerged, REpresentational State Transfer (REST), which system integration consortiums also use to integrate loosely coupled service components, known as RESTful web services. This SOA implementation does not carry adequate security solutions within it: its security depends entirely on network/transport layer security, which is obsolete in the face of newer web technologies such as Web 2.0 and its successor, Web 3.0. Vendor security products have major implementation constraints: they require a secured organizational environment and they violate SOA specifications, thereby introducing new vulnerabilities. Herein, we examine the security vulnerabilities of RESTful web services in the light of the popular OWASP rating methodologies and analyze the gaps in the existing security solutions. We then propose an adaptive security solution for REST that uses public key infrastructure techniques to enhance the security architecture. The proposed security architecture is constructed as an adaptive, forward-looking, Internet-of-Things (IoT) friendly security solution comprising three cyclic parts: learn, predict and prevent.
A novel security component named the "intelligent security engine" is introduced. It learns the possible occurrences of security threats against SOA using artificial neural network learning algorithms, predicts potential attacks on SOA from the results obtained by the developed theoretical security model, and prevents SOA attacks through the algorithms written as part of the security solution. This paper presents one such algorithm for preventing SOA attacks on RESTful web services, together with a discussion of the results obtained from the proof of concept conducted in a real-time SOA environment. A comparison of the proposed system with competing solutions demonstrates its superiority.
Beer, M.I., Hassan, M.F. Adaptive security architecture for protecting RESTful web services in enterprise computing environment. SOCA 12, 111–121 (2018). https://doi.org/10.1007/s11761-017-0221-1