Section: World-wide News / Products & News / Security
Vulnerabilities in Web Services and SOA Configurations: Fortify Software Develops and Provides Capability to Reduce Security Risks to Customers
"To date, very few companies have been able to check for SOA-specific vulnerabilities in an easy and automated fashion," says Brian Chess, Co-founder and Chief Scientist at Fortify Software. "Because there hasn't been a solution to support finding SOA-specific vulnerabilities, most deployments out there are probably vulnerable."

Fortify's research revealed that certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1, Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF) can lead to weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities. In addition, applications that have been secured against Web attacks may still be exposed to attacks through SOA. To be clear, the frameworks themselves are not the flaw: they have to be appropriately configured and used in order to avoid serious security issues.

"Service-Oriented Architecture represents a significant shift in how business applications are designed, developed and implemented," says Gunnar Peterson, an internationally recognized expert on SOA and Web services. "Companies are taking advantage of these new technologies at a rapid rate."

According to Gartner, "SOA was used, to some extent, in more than 50 percent of large, new applications and business processes designed in 2007. By 2010, we expect that more than 80 percent of large, new systems will use SOA for at least some aspect of their design." However, when used incorrectly, SOA can introduce numerous security issues, increasing the risk of an incident occurring.

Thomas Erl, internationally recognized expert on SOA and author of numerous books on the subject, writes, "Because SOA offers the potential to create sophisticated and complex composite solutions, agnostic services can be subjected to a variety of different usage scenarios, each of which can introduce unique security risks and requirements. Designing effective service compositions therefore requires that services be prepared for a range of security challenges."

"As SOA gets rolled out in large organizations, it's critical that they realize security means more than just firewalls and SSL," says Jeremy Epstein, SOA expert and consultant. "Software security, such as the techniques developed and implemented in the Fortify product, is mandatory to protect critical business data and processes, especially in SOA implementations."

Fortify enables a company to search for these SOA-specific vulnerabilities statically and dynamically. Statically, the Fortify 360 Source Code Analyzer scans a code base and automatically identifies these types of vulnerabilities. Dynamically, the Fortify 360 Program Trace Analyzer and Real-Time Analyzer identify these vulnerabilities in a running application. This new set of capabilities includes over 80 vulnerability categories related to SOA security issues and was distributed to every Fortify customer as part of Fortify's Second Quarter 2008 Rulepack release.

Fortify's quarterly rulepacks are developed by its industry-leading Security Research Group, an internal team of experts that investigates how real-world systems fail and provides expertise and solutions to identify and fix pressing security issues.

(Fortify: ra)
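One of the weak configurations named above, vulnerability to replay attack, is worth seeing concretely. The following is an added example, not code from Fortify or from any of the frameworks the release names; it imitates the WS-Security pattern of a Timestamp and a Nonce covered by the message signature, using a simplified envelope, a constructed shared HMAC key and a fixed clock. A receiver that checks only the signature (the weak setting) accepts an intercepted request every time it is resent; a receiver that also enforces a freshness window and remembers nonces rejects the replay, while a tampered copy still fails on the signature.

```python
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET

# Assumption: a symmetric key agreed out of band (constructed for this example only).
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW = 300  # seconds a Created timestamp may differ from the receiver's clock


def _digest(created, nonce, body_xml):
    """HMAC over timestamp, nonce and body so none of them can be altered in isolation."""
    msg = f"{created}|{nonce}|{body_xml}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_request(body_xml, created=None, nonce=None):
    """Client side: wrap the body in an envelope carrying Created, Nonce and Signature."""
    created = int(time.time()) if created is None else created
    nonce = os.urandom(16).hex() if nonce is None else nonce
    sig = _digest(created, nonce, body_xml)
    return (
        "<Envelope><Header>"
        f"<Created>{created}</Created><Nonce>{nonce}</Nonce><Signature>{sig}</Signature>"
        f"</Header><Body>{body_xml}</Body></Envelope>"
    )


class Receiver:
    """Service side. check_freshness=False models the weak configuration that
    verifies the signature but ignores Timestamp and Nonce."""

    def __init__(self, check_freshness=True):
        self.check_freshness = check_freshness
        self.seen = {}  # nonce -> Created, for replay detection

    def accept(self, envelope, now=None):
        now = int(time.time()) if now is None else now
        root = ET.fromstring(envelope)  # rejects malformed XML
        hdr = root.find("Header")
        created = int(hdr.findtext("Created"))
        nonce = hdr.findtext("Nonce")
        sig = hdr.findtext("Signature") or ""
        # Signed bytes are taken verbatim here; a real WS-Security stack canonicalises (C14N) them.
        body_xml = envelope[envelope.index("<Body>") + len("<Body>"):envelope.rindex("</Body>")]

        if not hmac.compare_digest(_digest(created, nonce, body_xml), sig):
            return "rejected: bad signature"
        if not self.check_freshness:
            return "accepted"  # weak: an intercepted message can be resent indefinitely
        if abs(now - created) > MAX_SKEW:
            return "rejected: stale timestamp"
        # Forget nonces older than the window; such messages fail the timestamp check anyway.
        self.seen = {n: c for n, c in self.seen.items() if abs(now - c) <= MAX_SKEW}
        if nonce in self.seen:
            return "rejected: replayed nonce"
        self.seen[nonce] = created
        return "accepted"


def demo():
    """Constructed exchange: one legitimate request, the same bytes replayed,
    a tampered copy and a stale copy. Returns each receiver's verdict."""
    body = "<TransferFunds><To>ACME</To><Amount>100</Amount></TransferFunds>"
    t0 = 1_000_000  # fixed clock so the run is deterministic
    req = build_request(body, created=t0, nonce="a1b2c3")
    weak, strict = Receiver(check_freshness=False), Receiver()
    return {
        "weak_first": weak.accept(req, now=t0 + 10),
        "weak_replay": weak.accept(req, now=t0 + 10),
        "strict_first": strict.accept(req, now=t0 + 10),
        "strict_replay": strict.accept(req, now=t0 + 10),
        "strict_tampered": strict.accept(req.replace("<Amount>100", "<Amount>999"), now=t0 + 10),
        "strict_stale": strict.accept(build_request(body, created=t0, nonce="d4e5f6"), now=t0 + 1000),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The nonce cache is bounded by the same window the timestamp check enforces, which is what makes the two checks work together: without the timestamp, the cache would have to grow forever; without the nonce, any message inside the window could be replayed. In a clustered deployment the cache has to be shared across nodes, or a replay sent to a different node will pass.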