Web services represent security's next battlefront

Web services security and compliance with the Payment Card Industry (PCI) Data Security Standards are top-of-mind customer concerns that the latest version of Watchfire's AppScan Web application vulnerability assessment software aims to address. Announced today, version 6.5 of AppScan and AppScan Developer Edition (DE) offers expanded security auditing coverage with integrated Web services scanning, as well as new compliance reports for PCI and the ISO 17799 and 27001 standards. The scanning tool also includes new advanced testing features designed to help auditors and penetration testers.

"We see Web services as the next battlefront after the easy applications are locked down," said Michael Weider, CTO of Watchfire Corp., in Waltham, Mass.

Now that organizations are moving from proof of concept to larger-scale deployment of Web services, "there has been an increase in questions and attention we've been getting from customers with respect to Web services security, " Weider said. "We will see increasing cases of security issues and Web services."

With all the protections organizations have put into place around the network, it's getting harder to compromise the network, Weider said, so hackers are now looking to the Web sites themselves and the Web applications. Once Web applications are shored up, he said, "hackers will shift toward the next frontier—Web services vulnerability."

And compliance with the WS-Security standard will not be enough, Weider said. "It's a starting point. It just means the Web service does what it's supposed to do, but innovative attacks can compromise Web services into doing what they're not supposed to do, and [hackers are] thinking of use cases that nobody would've thought of. This won't be solved by complying with the [WS-Security] standard."

"Since Web services involve machine-to-machine communications, it is very important to make sure that the operations associated with the Web services are correct," said Charles Kolodgy, a research director for the security products service at International Data Corp. (IDC) in Framingham, Mass. "Even if you build to WS-Security you will need to validate that it has been done correctly."

AppScan 6.5 delivers a Web Services Explorer that lets users examine the different methods incorporated in the Web service, manipulate input data and examine feedback from the service. AppScan analyzes the WSDL file and simulates application-to-application interactions. It provides a range of SOAP tests as well as supports JavaScript Execution and Parsing and Flash parsing.

Weider said Web services face a lot of the same vulnerabilities as Web applications, such as SQL injection, but up to this point Web services scanning has been "underfocused on." Hovever, he added, "with the growth of more people interacting with Web services applications and trading partners, it's most risky where you put the Web service out on the Internet and allow people to freely use it."

At the same time that Web services are gaining momentum, the credit card industry has been increasing its focus on application security with the PCI standard. "PCI has had a huge impact on the security industry. It's a recognition that application security is one of biggest security issues facing anyone collecting credit card information online," Weider said. "It's definitely having a big impact on the vendor community in terms of growing attention to security issues and automated tools to help with vulnerabilities."

Consequently, organizations have been looking for help from vendors like Watchfire, particularly with Section 6 of the requirements which deals with developing and maintaining secure systems and applications, Weider said.

Auditors and penetration testers also need more advanced automated tools for their jobs, Weider said, so AppScan 6.5 also includes a Token Analyzer that provides various tests for Web application session tokens to determine how secure the application is against session theft. And the AppScan's new Authentication Tester is a brute force testing utility that detects weak username-password combinations that could be used to gain access to a Web application.

Application vulnerability assessment tools like AppScan are part of a broader security vulnerability management (SVM) software market that is projected to grow from $1.37 billion in 2005 to $3.10 billion in 2009, according to IDC. Within this market, the application vulnerability assessment subcategory represented $61.4 million in 2005 and is projected to reach $145.3 million by 2009, with a compound annual growth rate of 25%. Currently, Watchfire holds a 26.7% percent worldwide market share in application vulnerability assessment software, according to IDC.

AppScan 6.5 is available now, with pricing starting at $15,000 per license and $1,500 per license for the Developer Edition.

This article originally appeared on SearchAppSecurity.com.