Securing Web services requires out-of-box thinking

Everything that makes XML an attractive Web services and integration tool can also open dangerous pathways so hackers may gain access to critical services and back-office systems.

XML Web services are interfaces into applications, and attacks on the transport layer are different and potentially more dangerous than ubiquitous e-mail and network-aware worms. Because of its readable form, a crafty hacker can easily hijack an unsecured XML Web services message, inject malicious code, listen for and steal sensitive data or shut down a service.

Reactivity CTO John Lilly identified three categories of attacks on XML traffic:

- Identity threats: Attackers spoof a sender or receiver's identity by eavesdropping on an XML message and stealing a password, PKI certificate or other credential. Eavesdropping attacks also are used to steal credit card numbers. Attackers can also spoof a service and redirect messages.
- Content-borne attacks: Also known as XML viruses or worms, these attack the applications that run Web services and often tunnel in unnoticed. SQL injection and buffer overflow attacks are common content-borne attacks.
- Operational attacks: The most common operational attacks are XML denial-of-service attacks, which consume resources by forcing a service to do useless work on a message. Some XDoS attacks are malicious, but most are inadvertent: a programming error causes a service to enter an infinite loop, consume all available resources and ultimately shut the service down.
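The resource-consumption problem in the last category can be caught before a message reaches the back-end application. The following Python gate is an added illustration, not code from the article or from any vendor it names: it enforces message-size, nesting-depth and element-count limits with a streaming parser so that an oversized or absurdly nested document is abandoned at the first violation rather than fully built in memory. The limits, the rule refusing DOCTYPE declarations and the sample messages are all constructed assumptions.

```python
"""Added example: a pre-parse gate against XML denial-of-service messages.
Not from the article; limits and policy are illustrative assumptions."""
import io
import xml.etree.ElementTree as ET

# Illustrative policy limits; a real deployment tunes these per service.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


def check_message(data: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                  max_elements=MAX_ELEMENTS):
    """Return (accepted, reason).

    The document is walked with a streaming parser, so depth and element
    counts are enforced incrementally and a bad message costs at most the
    work done up to the first violation."""
    if len(data) > max_bytes:
        return False, f"message exceeds {max_bytes} bytes"
    # Policy assumption: service messages never carry a DTD, so any DOCTYPE
    # (the vehicle for entity-expansion tricks) is refused before parsing.
    if b"<!DOCTYPE" in data:
        return False, "DOCTYPE declarations are not allowed"
    depth = 0
    elements = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > max_depth:
                    return False, f"nesting depth exceeds {max_depth}"
                if elements > max_elements:
                    return False, f"element count exceeds {max_elements}"
            else:
                depth -= 1
                elem.clear()  # release subtrees already inspected
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample messages (not captured traffic).
GOOD = b"""<?xml version="1.0"?>
<Envelope><Body><GetBalance><account>12345</account></GetBalance></Body></Envelope>"""

# A message whose only content is nesting: 64 levels against a limit of 32.
DEEP = b"<a>" * 64 + b"x" + b"</a>" * 64

# Many trivial siblings: 12,000 elements against a limit of 10,000
# (kept under the byte limit so the element rule is what triggers).
WIDE = b"<list>" + b"<i/>" * 12_000 + b"</list>"

# A DOCTYPE carrying an entity definition is refused by policy.
DTD = b'<!DOCTYPE x [<!ENTITY e "e">]><x>&e;</x>'

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("DEEP", DEEP), ("WIDE", WIDE), ("DTD", DTD)]:
        print(name, check_message(msg))
```

The gate is deliberately cheap: the size and DOCTYPE checks cost nothing, and the streaming walk stops as soon as a limit is crossed, which is the property an XML firewall needs if it is not to become the resource-exhaustion target itself.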

In the meantime, enterprises that are experimenting with internal Web services, or are courageous enough to expose them to business partners or customers, are advised not to rely on traditional network defenses like routers, firewalls and load balancers. These tools work at the network layer, not the application layer.

A recent white paper from Waltham, Mass.-based ZapThink LLC points out that traditional firewalls inspect message packets, and while some can inspect the content of a message, those inspections are looking for established attack signatures. They can't read structured, meaningful XML traffic.

Enterprises are advised to add security like digital signatures, encryption and means of authentication to preserve the integrity of messages. Others could opt for an XML firewall or a software- or appliance-based tool that reads the content of XML messages, parses those messages and routes them according to whatever is defined in an enterprise's security policy.

Yet XML messages are bulky to begin with, and adding security measures to them adds to the volume of network traffic. Network administrators will nevertheless have to learn to deal with this issue, as ZapThink and others believe that XML traffic will account for 35% of network traffic by 2007, up from 3% today.

"The most important thing enterprises want is to be secure enough to get the business done [the way] they want to," said John Lilly, chief technology officer at Reactivity Inc., an XML and Web services security vendor in Belmont, Calif.

Lilly said companies that have exposed Web services to customers, partners and suppliers are more sensitive to security concerns.

"They recognize the external perimeter is disintegrating," Lilly said. "They recognize the need to encrypt data and the need to bring auditing and governance to Web services applications."

XML Web services messages require application-level security methodologies. ZapThink identified six requirements. Authentication and authorization confirm that the sender is who they claim to be and has permission to send and receive messages. Confidentiality of the message is also a must, in particular where large sums of money or sensitive data are being exchanged. The integrity of the message -- that it has not been altered in transport -- has to be guaranteed. Nonrepudiation has to be provided as well, assuring both parties that the message was received and establishing when it was sent and received. Finally, systems must be in place to defend against attacks.

Note: This article originally appeared on
