Securing Service Oriented Architecture

I am delighted to announce that I will be speaking at c0c0n - Annual Information Security Day, here in India.

Below is a summary of the content I will be delivering as part of the workshop. Please spread the news and help make the event a success. Thanks in advance!

Audience

WCF/Web services developers and managers, SOAP testers and managers, SOA and ESB architects

Prerequisites

Knowledge of WCF service development and SOAP principles

Contents

  • SOA, ESB and WCF basics
  • Understanding SOAP and RESTful services
  • Creating proxies to consume WCF/Web services
  • Introduction to Web services and WCF services security
  • Top 10 WCF services/SOA application security vulnerabilities
  • Attacks and solutions: fixing common WCF services/SOA application vulnerabilities
  • Secure coding principles from the Patterns and Practices Security Guide (multiple compilations)
  • Threat modeling
  • SOAP security testing

Demo

Takeaways

Upon completion of the course, participants will be able to:

  • Describe the Web/WCF services security problem
  • Describe the SOA top 10 vulnerabilities
  • Describe the WCF services threat classifications
  • Apply coding principles from the Patterns and Practices WCF Security Guide that help secure SOA-based applications, e.g. configuring the SecurityBindingElement and enabling detection of replay attacks
  • Implement solutions to SQL injection, cross-site scripting and several other critical vulnerabilities
  • Describe best practices for integrating security into the Software Development Life Cycle (SDLC)
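As an added example that is not part of the original workshop material, the following C# shows one of the Patterns and Practices recommendations listed above: reaching the SecurityBindingElement of a message-secured WCF binding and turning on replay detection. The choice of WSHttpBinding with Windows credentials, the five-minute windows and the IOrderService contract named in the comment are assumptions made for the illustration, not settings from the workshop.

```csharp
// Added example, not code from the original post: enable WCF replay detection
// on the SecurityBindingElement of a message-secured binding.
// Assumptions: WSHttpBinding with Windows credentials; 5-minute windows.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

public static class ReplayHardening
{
    public static CustomBinding CreateHardenedBinding()
    {
        // Start from a standard binding with message security...
        var baseBinding = new WSHttpBinding(SecurityMode.Message);
        baseBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // ...then expand it into its elements so the security element can be tuned.
        BindingElementCollection elements = baseBinding.CreateBindingElements();
        SecurityBindingElement security = elements.Find<SecurityBindingElement>();
        if (security == null)
        {
            // SecurityMode.Transport produces no SecurityBindingElement; fail loudly
            // instead of silently shipping a binding without replay detection.
            throw new InvalidOperationException("Binding has no SecurityBindingElement.");
        }

        // Service side: remember the nonces of recent messages and reject a repeat.
        LocalServiceSecuritySettings svc = security.LocalServiceSettings;
        svc.DetectReplays = true;
        svc.ReplayCacheSize = 900000;                // nonces kept before the oldest are evicted
        svc.ReplayWindow = TimeSpan.FromMinutes(5);  // a message older than this is rejected
        svc.MaxClockSkew = TimeSpan.FromMinutes(5);  // tolerated client/server clock drift

        // Client side: reject a replayed response as well.
        security.LocalClientSettings.DetectReplays = true;
        security.LocalClientSettings.ReplayWindow = TimeSpan.FromMinutes(5);

        // The window is enforced against the signed WS-Security timestamp, so keep it on,
        // and pin the algorithm suite rather than relying on the default.
        security.IncludeTimestamp = true;
        security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;

        return new CustomBinding(elements);
    }

    public static void Main()
    {
        CustomBinding binding = CreateHardenedBinding();
        SecurityBindingElement security = binding.Elements.Find<SecurityBindingElement>();
        Console.WriteLine("DetectReplays={0}, ReplayWindow={1}, ReplayCacheSize={2}",
            security.LocalServiceSettings.DetectReplays,
            security.LocalServiceSettings.ReplayWindow,
            security.LocalServiceSettings.ReplayCacheSize);

        // Hypothetical service contract IOrderService (not from the post); use as:
        // host.AddServiceEndpoint(typeof(IOrderService), binding, "secure");
    }
}
```

The same settings are available declaratively as a `<localServiceSettings detectReplays="true" replayWindow="00:05:00" replayCacheSize="900000" maxClockSkew="00:05:00" />` element under the `<security>` element of a customBinding. Replay detection only has something to check when the message carries a signed timestamp, which is why the example leaves IncludeTimestamp on; with SecurityMode.Transport alone there is no SecurityBindingElement at all, which the null check above turns into an explicit failure.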

Cloud Security: Major Vulnerabilities

So I will be at c0c0n, the annual information security day conference, here in India. As part of my cloud technology research, I would love to take up a session on "Security and Privacy Risks in Cloud". Below are the content highlights. Please spread this news and help make the event a great success.

1-   Agenda
The session is a paper presentation and demo on cloud computing, its security risks and the privacy issues around the cloud service models. The high-level topics the paper will discuss are as below.
1-      Introduction to cloud
2-      Understanding cloud architecture
3-      Microsoft's cloud offering and roadmap
4-      Solution envisioning with Microsoft's cloud offering, Windows Azure
5-      Key areas of cloud security
6-      Privacy concerns: Identity and Access Management
 
The presentation will be followed by two demos:
 
1-      Exploitation of an Azure Storage vulnerability and its remediation
2-      Implementation of Access Control Service for authentication and authorization
 
2-   Key Security Risks:
The paper will explain the impact and remediation of the security risks below, grouped by category.
Auditing and Logging
• Disclosure of confidential information
• Denial of service (DoS)
Authentication
• Network eavesdropping
• Brute force attacks
• Cookie replay attacks
Authorization
• Elevation of privilege
• Disclosure of confidential data
• Token stealing
Communication
• Failure to encrypt messages
• Session replay
• Data tampering
Configuration Management
• Unauthorized access to configuration stores
• Retrieval of clear text configuration secrets
Cryptography
• Encryption cracking
• Loss of decryption keys
Input and Data Validation
• SQL injection
• Cross-site scripting
• XPath injection
Sensitive Data
• Memory dumping
• Network eavesdropping
• Configuration file sniffing
 
a.    Demo
We will walk through SQL and XML injection vulnerabilities in applications built on Microsoft's cloud storage, Windows Azure Storage, and show how they can be exploited.
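To make the demo's two injection classes concrete, here is an added example that is not part of the paper or of its C# samples. It models the two strings a client of Windows Azure Storage builds from user input, the OData `$filter` expression of a table query and the Atom entry body of an entity insert, in their vulnerable and hardened forms. It references no Azure SDK; the `Name` and `Role` property names, the attacker inputs and the method names are constructed for the illustration.

```csharp
// Added example, not code from the original post or its demo.
// Models the $filter expression and Atom entry body that an Azure Table
// Storage client builds from user input; no Azure SDK is referenced.
using System;
using System.Linq;
using System.Xml.Linq;

public static class TableStorageInjection
{
    // VULNERABLE: user input is spliced into the OData $filter expression.
    // A value that contains a single quote closes the literal and can append
    // a second predicate that the query author never wrote.
    public static string UnsafeFilter(string partitionKey)
    {
        return "PartitionKey eq '" + partitionKey + "'";
    }

    // SAFE: an OData string literal escapes a single quote by doubling it, so
    // the caller can never close the literal early. (URL-encoding the whole
    // $filter value is a separate step done when the request is sent.)
    public static string SafeFilter(string partitionKey)
    {
        return "PartitionKey eq '" + partitionKey.Replace("'", "''") + "'";
    }

    private static readonly XNamespace Atom = "http://www.w3.org/2005/Atom";
    private static readonly XNamespace D = "http://schemas.microsoft.com/ado/2007/08/dataservices";
    private static readonly XNamespace M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata";

    // VULNERABLE: the entity XML is built by concatenation, so markup inside the
    // value becomes structure: an attacker can add properties the code never set.
    public static string UnsafeAtomEntry(string name)
    {
        return "<entry xmlns=\"" + Atom.NamespaceName + "\" xmlns:d=\"" + D.NamespaceName +
               "\" xmlns:m=\"" + M.NamespaceName + "\">" +
               "<content type=\"application/xml\"><m:properties>" +
               "<d:Name>" + name + "</d:Name>" +
               "</m:properties></content></entry>";
    }

    // SAFE: XElement writes the value as a text node, so '<' is emitted as
    // '&lt;' and the attacker's markup stays data.
    public static string SafeAtomEntry(string name)
    {
        var entry = new XElement(Atom + "entry",
            new XAttribute(XNamespace.Xmlns + "d", D),
            new XAttribute(XNamespace.Xmlns + "m", M),
            new XElement(Atom + "content", new XAttribute("type", "application/xml"),
                new XElement(M + "properties",
                    new XElement(D + "Name", name))));
        return entry.ToString(SaveOptions.DisableFormatting);
    }

    // What a parser on the receiving side sees: does the entity carry the
    // given property at all?
    public static bool HasProperty(string atomXml, string property)
    {
        return XDocument.Parse(atomXml).Descendants(M + "properties")
                        .Elements(D + property).Any();
    }

    public static void Main()
    {
        // Constructed attacker inputs (not taken from the demo).
        string filterPayload = "' or PartitionKey ne '";
        string xmlPayload = "bob</d:Name><d:Role>admin</d:Role><d:Name>";

        // The unsafe filter now carries two predicates; the safe one a single literal.
        Console.WriteLine(UnsafeFilter(filterPayload));
        Console.WriteLine(SafeFilter(filterPayload));

        // The unsafe entry gains a Role property the code never set; the safe one does not.
        Console.WriteLine(HasProperty(UnsafeAtomEntry(xmlPayload), "Role"));
        Console.WriteLine(HasProperty(SafeAtomEntry(xmlPayload), "Role"));
    }
}
```

The filter payload turns `PartitionKey eq '…'` into a disjunction that is true for every entity in the table, which is the storage-side equivalent of the classic `' or 1=1` SQL injection; doubling the quote leaves one literal that matches nothing. The XML payload closes the `Name` element and opens a new `Role` element before the template's own closing tag, so the server-side parser sees a property the application never intended to write. Building the filter through a LINQ query provider, or the entity through an XML API such as XElement, avoids both problems because the provider, not the caller, emits the literal.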
 
3-   Key Privacy issues:
1-      Concerns about datacenter privacy
2-      Access Control Service for stronger authentication and authorization (Identity and Access Management)
a.    Demo
The demo will show how to set up claims-based identity using Access Control Service with various identity providers (IdPs) such as Windows Live, Google Accounts, Facebook, Twitter and ADFS 2.0. It will then show how the Azure Service Bus is used to facilitate communication between our on-premise application and a WCF service hosted on premise or in the cloud.
 
4-   Result
The audience will understand:
1-    The risks and privacy issues of cloud computing, and will be able to leverage this knowledge to improve their own systems.
2-    Access Control Service for authentication/authorization and for claims-based authentication.
A PDF copy of the paper and the C# code will be shared with the audience.
 

BizTalk Server 2006 to BizTalk Server 2010 Migration

<Content to be published>

HIPPA 4010 to 5010 migration in BizTalk Server

<Content to be published>

Creating BizTalk Unit test cases in Visual Studio 2010

<Content to be published>

Achieving Continuous Integration with BizTalk Server 2010 and TFS 2010

Finally I have been able to achieve continuous integration in TFS 2010 for BizTalk Server 2010. The build does the following:

1- Takes the latest from source control

2- Creates the build folders and labels the build version

3- Performs the build

4- Executes the unit tests

5- Creates the BizTalk MSI using the BizTalk Deployment Framework

6- Deploys the BizTalk application on the build server

The project has been released on CodePlex; please go and use it.

http://biztalkci.codeplex.com

Things to do: 

1- Deployment verification test

2- Remote deployment

Recipe for BizTalk CI: 

1- Modify the build process template (.xaml file) in TFS 2010 to add the activities for MSI creation and deployment

2- A PowerShell script to run the install and the batch file for deployment

3- A batch file to complete the BTDF MSI deployment in silent mode

Software Required: 

1- TFS 2010

2- VSTS 2010

3- BizTalk Server 2010

4- BizTalk Deployment Framework

I will shortly be creating the CodePlex project and will share the xaml, PowerShell and batch files. Till then:

Please refer to the link below for the PowerPoint presentation and video.

https://skydrive.live.com/redir.aspx?cid=93ff9fcc0f5d39d3&resid=93FF9FCC0F5D39D3!201&authkey=aSnNNH4J*Po%24

Cheers, Vishnu


BizTalk Server and SCOM

<Content to be published>

Trading Partner Management in BizTalk Server 2010

I presented "Trading Partner Management in BizTalk Server 2010". This was a great session, followed by a session. You can view and download the presentation from the location below.

https://skydrive.live.com/redir.aspx?cid=93ff9fcc0f5d39d3&resid=93FF9FCC0F5D39D3!197

Slide Show:

Consuming SharePoint Lists asmx services in BizTalk Server with Custom HTTP binding

<Content to be published>