REAL SOA Security

2014

1. CCSW

   Your Software at My Service: Security Analysis of SaaS Single Sign-on Solutions in the Cloud

   Christian Mainka, Vladislav Mladenov, Florian Feldmann, Julian Krautwald, and Jörg Schwenk

   In Proceedings of the 6th Edition of the ACM Workshop on Cloud Computing Security, Scottsdale, Arizona, USA, Oct 2014

   Abs DOI Bib

   Software-as-a-Service (SaaS) is typically defined as a rental model for using a complex software product, running on a centralized computing platform, using a thin client (most frequently a web browser). As such, it is one of the major categories of Cloud Computing, besides IaaS and PaaS. While there are many economic benefits in using SaaS, each company must nevertheless enforce control over its own data processed in the Cloud. One of the most important building blocks of such an enforcement scheme is Identity Management (IdM), whereat the industry standard for IdM is SAML, the Security Assertion Markup Language. In this paper, we study the security of the SAML implementations of 22 SaaS Cloud Providers (SaaS-CPs) and show that 90% of them can be broken, resulting in company data exposure to attackers on the Internet. The detected vulnerabilities are exploited by a wide variety of attack techniques, ranging from classical web attacks to problems specific to XML processing.

   @inproceedings{mainkaYourSoftwareMy2014,
     title = {Your Software at My Service: {{Security}} Analysis of {{SaaS}} Single Sign-on Solutions in the Cloud},
     booktitle = {Proceedings of the 6th Edition of the {{ACM}} Workshop on Cloud Computing Security},
     author = {Mainka, Christian and Mladenov, Vladislav and Feldmann, Florian and Krautwald, Julian and Schwenk, Jörg},
     date = {2014-10},
     location = {Scottsdale, Arizona, USA},
     doi = {10.1145/2664168.2664172},
     url = {https://dl.acm.org/doi/10.1145/2664168.2664172},
     acmid = {2664172},
     eventtitle = {{{CCSW}}},
     pagetotal = {12},
     month = oct
   }