Security Testing in SOAs: Techniques and Tools

  • Nuno AntunesEmail author
  • Marco Vieira


Web Applications and Services are often deployed with critical software bugs that may be maliciously exploited. The adoption of Service Oriented Architectures (SOAs) in a wide range of organizations, including business-critical systems, opens the door to new security challenges. The problem is that developers are frequently not specialized on security and the common time-to-market constraints limit an in depth test for vulnerabilities. Additionally, research and practice shows that the effectiveness of existing vulnerability detection tools is very poor. This highlights the need for tools capable of efficiently detecting vulnerabilities in SOAs. This chapter discusses these problems and proposes new techniques and tools to improve services security by detecting vulnerabilities in a SOA in an automated manner.


Service oriented architectures Services Security testing Software vulnerabilities Vulnerability detection Command injection vulnerabilities Penetration testing Static code analysis 


  1. 1.
    Acunetix: 70 % of websites at immediate risk of being hacked!
  2. 2.
    Acunetix: Acunetix web vulnerability scanner.
  3. 3.
  4. 4.
    Antunes, N., Laranjeiro, N., Vieira M., Madeira, H.: Effective detection of SQL/XPath injection vulnerabilities in web services. In: 2009 IEEE International Conference on Services Computing (SCC 2009) (2009)Google Scholar
  5. 5.
    Antunes, N., Vieira, M.: Comparing the effectiveness of penetration testing and static code analysis on the detection of sql injection vulnerabilities in web services. In: 15th IEEE Pacific Rim International Symposium on Dependable Computing. IEEE Computer Society, Shanghai, pp. 301–306 (2009)Google Scholar
  6. 6.
    Antunes, N., Vieira, M.: Defending against web application vulnerabilities. IEEE Comput. 45(2), 66–72 (2012)Google Scholar
  7. 7.
    Antunes, N., Vieira, M.: Detecting SQL injection vulnerabilities in web services. In: Fourth Latin-American Symposium on Dependable Computing, LADC’09. IEEE Computer Society, Washington (2009)Google Scholar
  8. 8.
    Antunes, N., Vieira, M.: Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services. In: 2011 IEEE International Conference on Services Computing (SCC) (2011)Google Scholar
  9. 9.
    Ayewah, N., Pugh, W.: A report on a survey and study of static analysis users. In: Proceedings of the 2008 Workshop on Defects in Large Software Systems. ACM, Seattle (2008)Google Scholar
  10. 10.
    Chappell, D.A., Jewell, T.: Java Web Services. O’Reilly & Associates, Inc., Sebastopol (2002)Google Scholar
  11. 11.
    Christensen, E., et al.: Web service definition language (WSDL) 1.1.
  12. 12.
    Fonseca, J., Vieira, M., Madeira, H.: Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In: 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007). Melbourne, Australia (2007)Google Scholar
  13. 13.
    Fortify Software: Fortify 360 software security assurance.
  14. 14.
    Freedman, D.P., Weinberg, G.M.: Handbook of walkthroughs, inspections, and technical reviews: evaluating programs, projects, and products. Dorset House Publishing Co., New York (2000)Google Scholar
  15. 15.
    Howard, M., Leblanc, D.E.: Writing Secure Code. Microsoft Press, Redmond (2002)Google Scholar
  16. 16.
  17. 17.
  18. 18.
  19. 19.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (Short Paper). In: IEEE Symposium on Security and Privacy. IEEE Computer Society, Berkeley/Oakland (2006)Google Scholar
  20. 20.
    Laranjeiro, N., Vieira, M., Madeira, H.: Experimental robustness evaluation of JMS middleware. In: IEEE International Conference on Services Computing, SCC’08. IEEE, Honolulu (2008)Google Scholar
  21. 21.
    Laranjeiro, N., Vieira, M., Madeira, H.: Improving web services robustness. In: IEEE 7th International Conference on Web Services (ICWS 2009), Los Angeles (2009)Google Scholar
  22. 22.
    Richardson, L., Ruby, S.: RESTful web services. O’Reilly Media, Inc., Sebastopol (2007)Google Scholar
  23. 23.
    Scovetta, M.: Yet another source code analyzer.
  24. 24.
    Singhal, A., Winograd, T., Scarfone, K.: Guide to secure web services: recommendations of the national institute of standards and technology. Report, National Institute of Standards and Technology, US Department of Commerce (2007)Google Scholar
  25. 25.
    Stuttard, D., Pinto, M.: The web application hacker’s handbook: discovering and exploiting security flaws. Wiley Publishing, Inc., Indianapolis (2007)Google Scholar
  26. 26.
    University of Maryland: FindBugsTM—find bugs in java programs.
  27. 27.
    Vieira, M., Antunes, N., Madeira, H.: Using web security scanners to detect vulnerabilities in web services. In: IEEE/IFIP International Conference on Dependable Systems & Networks, 2009, DSN’09, Estoril (2009)Google Scholar
  28. 28.
    Wagner, S., Jürgens, J., Koller, C., Trishberger, P.: Comparing bug finding tools with reviews and tests. In: Testing of Communicating Systems (2005)Google Scholar
  29. 29.
    Williams, J., Wichers, D.: OWASP top 10. OWASP Foundation (2010)Google Scholar

Copyright information

© Springer-Verlag Italia 2013

Authors and Affiliations

  1. 1.Department of Informatics EngineeringUniversity of CoimbraCoimbraPortugal

Personalised recommendations