Attack Surface Reduction for Web Services based on Authorization Patterns

Roland H. Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck
During the design of a security architecture for a web application, the usage of security patterns can assist with fulfilling quality attributes, such as increasing reusability or safety. The attack surface is a common indicator for the safety of a web application; thus, reducing it is a problem during design. Today's methods for attack surface reduction are not connected to security patterns and have an unknown impact on quality attributes, e.g., come with an undesirable trade-off in ... ity. This paper introduces a systematic and deterministic method to reduce the attack surface of web services by deriving service interface methods from authorization patterns. We applied the method to the Participation Service that is part of the KIT Smart Campus system. The resulting RESTful web services of the application are presented and validated.
doi:10.5445/ir/1000050251 fatcat:rmxqmju7q5er3cypp4clignj2i