SOA and Web services security hinge on XML gateways

XML security gateways could be the missing piece in most SOA deployments, says Tim Bond, a senior security engineer at webMethods.

Enterprises are moving forward with service oriented architecture (SOA) projects to reduce complexity and increase flexibility between systems and applications, but some security pros fear they're being left behind and must scramble to learn new ways to protect those systems from Web-based attacks.

"Some applications are exposed like never before," said Ian Lange, a senior security manager at an Ohio-based manufacturer implementing SOA. "We're introducing better ways for systems and applications to interact but we're also giving attackers new avenues to conduct their attacks."

Most network firewalls aren't designed to handle the latest Web services standards, resulting in new avenues of attack for digital security miscreants, said Tim Bond, a senior security engineer at webMethods Inc. In his presentation at the Infosec World Conference and Expo, Bond said a growing number of vendors are selling XML security gateways: appliances that can be plugged into a network and act as an intermediary, decrypting and encrypting Web services data to determine its authenticity and lock out attackers.

"It's not just passing a message through, it's actually taking action," Bond said. "It needs to be customized for each deployment, but it can be very effective in protecting from many attacks."

Bond said that most SOA layouts further expose applications by placing them just behind an outer layer of defense, rather than within the inner walls of a company's security defenses along with other critical applications and systems. Those applications are vulnerable because they're being exposed to partners, customer relationship management and supply chain management systems. Attackers can scan Web Services Description Language (WSDL) -- the XML language used to describe Web service calls -- to find out where vulnerabilities lie, Bond said.

"The WSDL itself may expose structure such as file directories or open ports of a server where Web services reside," Bond said. "You're exposing the service endpoint proprietary API and this gives you more features, but it's riskier."

A whole market has grown around protecting WSDL, Bond said. Canada-based Layer 7 Technologies Inc. and UK-based Vordel are producing gateway appliances to protect the XML and SOAP carried in Web service calls. Reactivity, which was recently acquired by Cisco Systems Inc., and DataPower, now a division of IBM, also address Web services security.

Transaction values will be much higher, and traditional SSL, the security protocol for point-to-point communications, won't be enough to protect transactions, Bond said.

"Your network may be encrypted but your database won't be," he said. "You're now putting stuff that has real bottom line dollars for big customers right on the front line."

In addition to SQL-injection attacks, XML is potentially vulnerable to schema poisoning -- a method of attack in which the XML schema can be manipulated to alter processing information. A sophisticated attacker can also conduct an XML routing detour, redirecting sensitive data within the XML path, Bond said.
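As an added example (not from the article, nor code from any vendor it names), a minimal Python stand-in for the policy checks an XML gateway applies to an inbound SOAP request before passing it on: it refuses inline DTD/entity declarations so that processing rules come from the gateway rather than the sender (a schema-poisoning control), checks every WS-Addressing destination against an endpoint allow-list (a routing-detour control), and admits only operations from a locally pinned contract. The operation names, endpoints and the `example.com` namespace are constructed assumptions; only the SOAP 1.1 and WS-Addressing namespaces are standard.

```python
import xml.etree.ElementTree as ET
from typing import List

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSA_NS = "http://www.w3.org/2005/08/addressing"
# Policy pinned on the gateway itself, never taken from the message (constructed values).
ALLOWED_OPERATIONS = {"http://example.com/orders": {"GetOrderStatus", "SubmitOrder"}}
ALLOWED_ENDPOINTS = {"https://orders.internal.example.com/soap"}


def check_message(raw: bytes) -> List[str]:
    """Return policy violations for one SOAP 1.1 request; an empty list means it may pass."""
    # Processing rules come from the gateway, so inline DTD/entity declarations are refused.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["inline DTD/entity declarations are not accepted"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return ["root element is not a SOAP 1.1 Envelope"]
    problems = []
    # Routing check: every WS-Addressing destination must be an endpoint the gateway knows.
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is not None:
        for name in ("To", "ReplyTo", "FaultTo"):
            for el in header.iter(f"{{{WSA_NS}}}{name}"):
                addr = el.text if name == "To" else el.findtext(f"{{{WSA_NS}}}Address")
                if (addr or "").strip() not in ALLOWED_ENDPOINTS:
                    problems.append(f"wsa:{name} points outside the allowed endpoints: {addr!r}")
    # Contract check: the Body must carry exactly one operation from the published interface.
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return problems + ["Body must contain exactly one operation element"]
    tag = body[0].tag
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    if local not in ALLOWED_OPERATIONS.get(ns, set()):
        problems.append(f"operation {tag} is not in the published contract")
    return problems


# Constructed sample messages: a conforming request, a reply-to detour, and an inline DTD.
GOOD = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <s:Header><wsa:To>https://orders.internal.example.com/soap</wsa:To></s:Header>
 <s:Body><o:GetOrderStatus xmlns:o="http://example.com/orders"><o:id>42</o:id></o:GetOrderStatus></s:Body>
</s:Envelope>"""
DETOUR = GOOD.replace(b"</s:Header>",
    b"<wsa:ReplyTo><wsa:Address>https://untrusted.example/collect</wsa:Address></wsa:ReplyTo></s:Header>")
POISONED = b'<!DOCTYPE Envelope SYSTEM "http://untrusted.example/poisoned.dtd">\n' + GOOD
```

A real gateway would add WS-Security signature checks and full schema validation against a locally stored XSD; the point here is that none of the accept/reject decisions depend on anything the message itself asserts.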

Security becomes complicated with distributed systems in an SOA environment, said Dindo Roberts, an application security manager at New York City-based MetLife Inc. Web services with active interfaces open up applications that were previously reachable only through conventional custom authentication. Security pros need new methods, such as an XML security gateway, to protect those applications, Roberts said.

"Developers are building it out, so we've got to address it now," Roberts said. "Nobody's shown me a great model in terms of rolling this stuff out."
