SOA and Web services security hinge on XML gateways

XML security gateways could be the missing piece in most SOA deployments, says Tim Bond, a senior security engineer at webMethods.

Enterprises are moving forward with service oriented architecture (SOA) projects to reduce complexity and increase flexibility between systems and applications, but some security pros fear they're being left behind and must scramble to learn new ways to protect those systems from Web-based attacks.

"Some applications are exposed like never before," said Ian Lange, a senior security manager at an Ohio-based manufacturer implementing SOA. "We're introducing better ways for systems and applications to interact but we're also giving attackers new avenues to conduct their attacks."

Most network firewalls aren't designed to handle the latest Web services standards, resulting in new avenues of attack for digital security miscreants, said Tim Bond, a senior security engineer at webMethods Inc. In his presentation at the Infosec World Conference and Expo, Bond said a growing number of vendors are selling XML security gateways: appliances that plug into a network and act as an intermediary, decrypting and encrypting Web services data to determine its authenticity and lock out attackers.

"It's not just passing a message through, it's actually taking action," Bond said. "It needs to be customized for each deployment, but it can be very effective in protecting from many attacks."

Bond said that most SOA layouts further expose applications by placing them just behind an outer layer of defense, rather than within the inner walls of a company's security defenses alongside other critical applications and systems. Those applications are vulnerable because they're being exposed to partners, customer relationship management and supply chain management systems. Attackers can scan Web Services Description Language (WSDL) -- the XML language used to describe Web service calls -- to find out where vulnerabilities lie, Bond said.

"The WSDL itself may expose structure such as file directories or open ports of a server where Web services reside," Bond said. "You're exposing the service endpoint proprietary API and this gives you more features, but it's riskier."

A whole market has grown around protecting WSDL, Bond said. Canada-based Layer 7 Technologies Inc. and UK-based Vordel are producing gateway appliances to protect the XML and SOAP traffic in Web service calls. Reactivity, which was recently acquired by Cisco Systems Inc., and DataPower, now a division of IBM, also address Web services security.

Transaction values will be much higher, and traditional SSL, the security protocol for point-to-point communication, won't be enough to protect transactions, Bond said.

"Your network may be encrypted but your database won't be," he said. "You're now putting stuff that has real bottom line dollars for big customers right on the front line."

In addition to SQL-injection attacks, XML is potentially vulnerable to schema poisoning -- a method of attack in which the XML schema is manipulated to alter how a message is processed. A sophisticated attacker can also conduct an XML routing detour, redirecting sensitive data to a different destination along the XML message path, Bond said.
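To make the gateway role Bond describes concrete, here is an added example of the kind of inspection an XML security gateway performs before forwarding a SOAP message: it refuses DOCTYPE and entity declarations, pins any schema reference to a known location (the schema-poisoning case), and checks WS-Addressing routing headers against an endpoint allowlist (the routing-detour case). This is illustrative code written for this page, not code from webMethods or any of the gateway vendors named above; the SOAP and WS-Addressing namespace URIs are the real standard ones, while the allowlisted endpoint and schema URLs and the sample messages are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
WSA = "http://www.w3.org/2005/08/addressing"            # WS-Addressing namespace
WSA_ANONYMOUS = WSA + "/anonymous"                      # "reply on the same connection"
XSI = "http://www.w3.org/2001/XMLSchema-instance"       # home of xsi:schemaLocation

# Constructed allowlists standing in for a real deployment's gateway policy.
ALLOWED_ENDPOINTS = {"https://orders.example.internal/OrderService"}
ALLOWED_SCHEMAS = {"https://schemas.example.internal/order.xsd"}


def _ns(namespace, local):
    """Build the Clark-notation name ElementTree uses for namespaced tags."""
    return "{%s}%s" % (namespace, local)


def inspect_message(raw: bytes) -> list:
    """Return a list of policy findings; an empty list means the message may be forwarded."""
    findings = []
    head = raw[:4096].decode("utf-8", errors="replace")
    # DOCTYPE/ENTITY declarations are refused outright: they are the vehicle for
    # entity expansion and external-resource fetches, which a gateway never needs.
    if "<!DOCTYPE" in head or "<!ENTITY" in head:
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    if root.tag != _ns(SOAP_ENV, "Envelope"):
        findings.append("root element is not a SOAP Envelope")

    # Schema poisoning check: any schema reference carried inside the message
    # must point at a schema the deployment controls, never one the sender chose.
    for el in root.iter():
        loc = el.get(_ns(XSI, "schemaLocation"))
        if loc:
            # xsi:schemaLocation is a list of (namespace, location) pairs.
            for url in loc.split()[1::2]:
                if url not in ALLOWED_SCHEMAS:
                    findings.append("unpinned schema location: %s" % url)
        nns = el.get(_ns(XSI, "noNamespaceSchemaLocation"))
        if nns and nns not in ALLOWED_SCHEMAS:
            findings.append("unpinned schema location: %s" % nns)

    # Routing detour check: headers that steer the message, its reply or its
    # faults must name an approved endpoint (or the anonymous reply address).
    header = root.find(_ns(SOAP_ENV, "Header"))
    if header is not None:
        for name in ("To", "ReplyTo", "FaultTo"):
            el = header.find(_ns(WSA, name))
            if el is None:
                continue
            # wsa:To holds the URI directly; the others are EndpointReferences.
            addr = el if name == "To" else el.find(_ns(WSA, "Address"))
            target = (addr.text or "").strip() if addr is not None else ""
            if target and target != WSA_ANONYMOUS and target not in ALLOWED_ENDPOINTS:
                findings.append("wsa:%s routes to unapproved endpoint %s" % (name, target))
    return findings


def should_forward(raw: bytes) -> bool:
    """Gateway decision: forward only when inspection raises no findings."""
    return not inspect_message(raw)


# Constructed sample traffic.
GOOD_MESSAGE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:To>https://orders.example.internal/OrderService</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
  </soap:Header>
  <soap:Body><PlaceOrder xmlns="urn:example:orders"><sku>A-1</sku></PlaceOrder></soap:Body>
</soap:Envelope>"""

# Same message, but the reply is steered to an address outside the allowlist.
DETOUR_MESSAGE = GOOD_MESSAGE.replace(
    b"http://www.w3.org/2005/08/addressing/anonymous", b"https://collector.example.net/sink")

# Same message, but the body now names a schema the deployment does not control.
POISONED_MESSAGE = GOOD_MESSAGE.replace(
    b'<PlaceOrder xmlns="urn:example:orders">',
    b'<PlaceOrder xmlns="urn:example:orders" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    b' xsi:schemaLocation="urn:example:orders https://unpinned.example.net/alt.xsd">')

if __name__ == "__main__":
    for label, msg in (("good", GOOD_MESSAGE), ("detour", DETOUR_MESSAGE), ("poisoned", POISONED_MESSAGE)):
        print(label, "forward" if should_forward(msg) else "block", inspect_message(msg))
```

The checks run on the parsed tree rather than on the raw bytes so that namespace prefixes chosen by the sender do not matter, and the DOCTYPE test happens before parsing because that is the one decision a gateway should make without handing the document to a parser at all. A production gateway would add message size limits, schema validation against the pinned schema itself, and signature or token verification on top of this.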

Security becomes complicated with distributed systems in an SOA environment, said Dindo Roberts, an application security manager at New York City-based MetLife Inc. Web services with active interfaces open up applications that were previously restricted to conventional custom authentication. Security pros need new methods, such as an XML security gateway, to protect those applications, Roberts said.

"Developers are building it out, so we've got to address it now," Roberts said. "Nobody's shown me a great model in terms of rolling this stuff out."
