As service-oriented architectures fundamentally rework the way applications behave, they are forcing a rapid evolution in the way applications get secured, in order to convince would-be adopters that change will not be accompanied by chaos.
This week saw a spate of new security initiatives hit the market, from a Web services edge device, to security woven into the business process chain, to a method of testing for newer vulnerabilities like XPath injection.
The variety of the initiatives underscores the breadth of Web services security issues: widely distributed applications require widely distributed security.
"The barrier-based model for security is just woefully outdated," said Jason Bloomberg, an analyst at ZapThink. He argued that "there's a different mindset to securing messages. You have to think of content-level security."
Traditional application security approaches rely on firewalls at the network level. However, transport-layer controls have no content awareness and cannot identify the Trojan horses carried within the metadata or the message payloads of Web services.
SOA Software Inc. has looked to tackle content awareness with an edge proxy that intercepts incoming service messages, verifies their origin, decrypts them and signs each message using the company's own public key infrastructure.
"By catching messages with the edge devices and performing the verification at that level we're able to prevent end-run attacks attempting to contact services directly," said Ian Goldsmith, vice president for product marketing at the Santa Monica, Calif.-based company.
SOA Software also announced support for the Web Services Policy (WS-Policy) standard, which enables outside parties to discover what security policies they must adhere to in order to communicate with a given Web service. Additionally, the company's XML VPN device can read the policy of an external Web service and automatically comply with it.
That kind of policy-security fusion lies at the center of the latest Web services security enhancements from Oracle Corp. Prakash Ramamurthy, vice president for server technologies at the Redwood Shores, Calif.-based company, noted that as formerly monolithic applications get broken into components and decoupled services, those services are also decoupled from the security once provided by the monolithic structure.
"We need to assign these Web services an identity and then secure them," he said. That way, he explained, security initiatives can track a service package through every phase of its lifecycle.
Oracle's latest release ties security to the Business Process Execution Language (BPEL) standard. The Oracle BPEL Process Manager now integrates with the company's Web services security enhancements, making the security aware of process changes and the process aware of security requirements. The package includes both policy gateways, designed to catch messages as they enter a service, and policy agents, designed to check security at a more granular level.
"This way you can enforce your security standards during deployment time," Ramamurthy said.
Yet Mark Curphey, senior director of consulting at the Foundstone Professional Services division of McAfee Inc., believes that Web services standards generate as many problems as they solve on the security side.
"As we've come up with standards to encapsulate Web services payloads, the attack payload has become standardized as well," he said.
To combat that, Santa Clara, Calif.-based McAfee has released a freely available tool called WSDigger, designed to identify vulnerabilities inside Web services messages. It includes sample attack plug-ins for SQL injection, cross-site scripting and XPath injection.
The plug-in framework allows for penetration testing, where the developer imitates an outside attacker without code-level knowledge of the target service.
"It finds the services you're exposing, gets all the ways you can interact with it and then you can drag an attack path onto it for testing," Curphey said. "Then you'd discover how much of your database you can drag out of there."
Overall, Curphey sees Web services security as being "about where Web application security was about three years ago." He stressed that "security specifications don't take care of all of the security issues out there."
Bloomberg agreed, saying, "Covering part of the problem doesn't really make you partially safe. The challenge for security is making sure you cover all the bases."