Service-Oriented Architecture Security
A.Y. 2023/2024
Learning objectives
The objective of the course is to illustrare the basic techniques for confidentiality and integrity of semi-structured and unstructured data.
On this basis, the objective of the course is to explore techniques and standards for authentication, identity management and user profile harvesting in Web services, and to survey and learn the authorization languages for access to network resources and Web services, as well as the methods for the acquisition and representation of assurance metadata, getting to know in depth the techniques and tools for assurance and service safety certification.
On this basis, the objective of the course is to explore techniques and standards for authentication, identity management and user profile harvesting in Web services, and to survey and learn the authorization languages for access to network resources and Web services, as well as the methods for the acquisition and representation of assurance metadata, getting to know in depth the techniques and tools for assurance and service safety certification.
Expected learning outcomes
At the end of the course, the student will be able to: manage the confidentiality, integrity and digital signature controls at service interfaces; manage the authorization policies and security of Web Services; to deal with the problems related to the assurance and certification of Web Services.
Lesson period: Second semester
Assessment methods: Esame
Assessment result: voto verbalizzato in trentesimi
Single course
This course can be attended as a single course.
Course syllabus and organization
Single session
Responsible
Lesson period
Second semester
Course syllabus
The course focuses on the following topics:
- Introduction to Service-oriented Architectures Security
- Cryptography and digital signature on semi-structured data
- Web Service Security
- WS-Security, WS-Trust
- WS-Secure Conversation, WS-Security Policy
- APIs and REST services security
- Malware attacks to web services
- From services to processes
- Processes security and secure orchestrations
- Base concepts of digital identity
- Technologies for digital identity management
- Digital identity management services
- OAuth 2.0
- Open ID
- Fine-grained authorization languages
- Base concepts of the architectures for evaluation and decision
- XACML and SAML
- XACML profiles for specific application sector
- Special purpose policy languages
- Assurance general concepts
- Services certification
- Security certifications: ISO 27000
- Threats modeling methodologies: STRIDE
- STRIDE-AI for data analysis pipelines
- Introduction to Service-oriented Architectures Security
- Cryptography and digital signature on semi-structured data
- Web Service Security
- WS-Security, WS-Trust
- WS-Secure Conversation, WS-Security Policy
- APIs and REST services security
- Malware attacks to web services
- From services to processes
- Processes security and secure orchestrations
- Base concepts of digital identity
- Technologies for digital identity management
- Digital identity management services
- OAuth 2.0
- Open ID
- Fine-grained authorization languages
- Base concepts of the architectures for evaluation and decision
- XACML and SAML
- XACML profiles for specific application sector
- Special purpose policy languages
- Assurance general concepts
- Services certification
- Security certifications: ISO 27000
- Threats modeling methodologies: STRIDE
- STRIDE-AI for data analysis pipelines
Prerequisites for admission
Knowledge of the Web technologies, of semi-structured data format, and of the main application protocols.
Teaching methods
The theoretical course consists of traditional lectures. During the course practical activities on web services programming will be organized.
Teaching Resources
Web site:
http://edamianisaos.ariel.ctu.unimi.it/v5/Home/default.aspx
Slides and notes
Additional documentation: C.A. Ardagna, E. Damiani, N. El Ioini "Open Source Systems Security Certification," Springer, 2008.
http://edamianisaos.ariel.ctu.unimi.it/v5/Home/default.aspx
Slides and notes
Additional documentation: C.A. Ardagna, E. Damiani, N. El Ioini "Open Source Systems Security Certification," Springer, 2008.
Assessment methods and Criteria
The exam is composed of a written test and the presentation of a project.
The written test, that will last one hour and half, will include questions and practical exercises based on course syllabus. The project activity, to be agreed with the Professor, will consist in the developing of an application implementing the security protocols studied during the course. The project can be made in groups up to three students.
When the student successfully passes the written test and after the presentation of the project, a final evaluation is computed, expressed in thirtieths, considering: the knowledge of the topics, ability of applying the learned knowledge to the resolution of a practical project, project quality, critical thinking skills, clarity of exposition, and property of language.
The written test, that will last one hour and half, will include questions and practical exercises based on course syllabus. The project activity, to be agreed with the Professor, will consist in the developing of an application implementing the security protocols studied during the course. The project can be made in groups up to three students.
When the student successfully passes the written test and after the presentation of the project, a final evaluation is computed, expressed in thirtieths, considering: the knowledge of the topics, ability of applying the learned knowledge to the resolution of a practical project, project quality, critical thinking skills, clarity of exposition, and property of language.
Educational website(s)
Professor(s)