Enterprises are moving forward with service oriented
architecture (SOA) projects to reduce complexity and increase
flexibility between systems and applications, but some security
pros fear they're being left behind and must scramble to learn new
ways to protect those systems from Web-based attacks.
"Some applications are exposed like never before," said Ian
Lange, a senior security manager at an Ohio-based manufacturer
implementing SOA. "We're introducing better ways for systems and
applications to interact but we're also giving attackers new
avenues to conduct their attacks."
Most network firewalls aren't designed to handle the latest Web
services standards, resulting in new avenues of attack for digital
security miscreants, said Tim Bond, a senior security engineer at
webMethods Inc. In his presentation at the Infosec World Conference
and Expo, Bond said a growing number of vendors are selling XML
security gateways, appliances that can be plugged into a network
and act as an intermediary, decrypting and encrypting Web services
data to determine its authenticity and lock out attackers.
"It's not just passing a message through, it's actually taking
action," Bond said. "It needs to be customized for each deployment,
but it can be very effective in protecting from many attacks."
Bond said that most SOA layouts further expose applications by
placing them just behind an outer layer of defense, rather than
placing them within the inner walls of a company's security
defenses along with other critical applications and systems. Those
applications are vulnerable, because they're being exposed to
partners, customer relationship management and supply chain
management systems. Attackers can scan Web Services Description
Language (WSDL) -- the XML-based language that describes a Web
service's interface -- to find out where vulnerabilities lie, Bond said.
"The WSDL itself may expose structure such as file directories
or open ports of a server where Web services reside," Bond said.
"You're exposing the service endpoint proprietary API and this
gives you more features, but it's riskier."
A whole market has grown around protecting WSDL, Bond said.
Canada-based Layer 7 Technologies Inc. and UK-based Vordel are
producing gateway appliances to protect XML and SOAP language in
Web service calls. Reactivity, which was recently acquired by Cisco
Systems Inc., and DataPower, now a division of IBM, also address Web
services security.
Transaction values will be much higher, and traditional SSL, the
security protocol for point-to-point communications, won't be enough
to protect transactions, Bond said.
"Your network may be encrypted but your database won't be," he
said. "You're now putting stuff that has real bottom line dollars
for big customers right on the front line."
In addition to SQL-injection attacks, XML is potentially
vulnerable to schema poisoning -- a method of attack in which the
XML schema can be manipulated to alter processing information. A
sophisticated attacker can also conduct an XML routing detour,
redirecting sensitive data within the XML path, Bond said.
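As an added illustration (not code from the article or from any vendor named in it), here is a minimal Python policy check of the kind an XML security gateway applies in front of a service: it rejects messages that ship their own DTD or entity declarations (one route to schema poisoning), refuses WS-Addressing endpoints outside an allow-list (the routing detour described above), and admits only the single operation the service exposes. The namespaces, endpoints, operation name and sample messages are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSA_NS = "http://www.w3.org/2005/08/addressing"

# Gateway policy (constructed for this example): the one operation the
# service may receive and the only endpoints allowed in routing headers.
ALLOWED_OPERATIONS = {"{urn:example:orders}SubmitOrder"}
TRUSTED_ENDPOINTS = {"https://orders.example.com/soap"}

def inspect_message(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one inbound SOAP message."""
    # Schema poisoning: the message may not bring its own DTD or entities;
    # the gateway validates only against the schema it was configured with.
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
        return False, "inline DTD or entity declaration rejected"
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    # Routing detour: every WS-Addressing endpoint must be one we trust,
    # otherwise replies or faults could be steered to a third party.
    header = env.find(f"{{{SOAP_NS}}}Header")
    if header is not None:
        for name in ("To", "ReplyTo", "FaultTo"):
            for node in header.iter(f"{{{WSA_NS}}}{name}"):
                addr = (node.findtext(f"{{{WSA_NS}}}Address") or node.text or "").strip()
                if addr not in TRUSTED_ENDPOINTS:
                    return False, f"untrusted {name} endpoint {addr!r}"
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return False, "Body must carry exactly one operation"
    if body[0].tag not in ALLOWED_OPERATIONS:
        return False, f"operation {body[0].tag} not allowed"
    return True, "accepted"

# Constructed samples: a clean order, a detoured ReplyTo, and an inline DTD.
GOOD_MSG = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <s:Header><wsa:To>https://orders.example.com/soap</wsa:To></s:Header>
  <s:Body><o:SubmitOrder xmlns:o="urn:example:orders"><o:Id>42</o:Id></o:SubmitOrder></s:Body>
</s:Envelope>"""
DETOUR_MSG = GOOD_MSG.replace(
    "</s:Header>",
    "<wsa:ReplyTo><wsa:Address>https://elsewhere.example.net/collect</wsa:Address></wsa:ReplyTo></s:Header>")
POISONED_MSG = '<!DOCTYPE s SYSTEM "http://elsewhere.example.net/x.dtd">\n' + GOOD_MSG
```

Calling `inspect_message` on each sample shows the clean order accepted and the other two rejected with the reason a gateway would log.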
Security becomes complicated with distributed systems in an SOA
environment, said Dindo Roberts, an application security manager at
New York City-based MetLife Inc. Web services with active
interfaces open up access to applications that were previously
restricted to conventional custom authentication. Security
pros need new methods, such as an XML security gateway to protect
those applications, Roberts said.
"Developers are building it out, so we've got to address it
now," Roberts said. "Nobody's shown me a great model in terms of
rolling this stuff out."