Weak encryption creates SOA vulnerabilities

Brian Chess, co-founder and chief scientist of Fortify Software Inc., discusses why weak encryption creates SOA security concerns and how to go about identifying these issues before they are cause for greater business concern.

Weak encryption implementations create vulnerabilities in SOA applications as business data and transactions move back and forth via Web services, says Brian Chess, co-founder and chief scientist of Fortify Software Inc. Other common security issues Fortify has identified in SOA frameworks include weak authentication, vulnerability to replay attack, and XPath injection, he added.

Architects designing service-oriented architecture (SOA) applications need to find a way to be sure the security provisions in their model are actually working when the app goes live, says Chess.

"Nobody is going to tell you necessarily if it's broken," he explained. "If the functionality is there, people won't even know that it has major security problems built into it. And the security problems might not exist in the design. They might only exist in the implementation."

Architects need to know if the implementation is faithful to their design, Chess said. "It is a difficult but critical part of getting security right," he added.

Fortify's chief scientist points out that similar SOA security concerns about the unforeseen consequences of the dynamic interaction of Web services in SOA are expressed by Thomas Erl, author of books on SOA issues. "Because SOA offers the potential to create sophisticated and complex composite solutions," Erl writes, "agnostic services can be subjected to a variety of different usage scenarios, each of which can introduce unique security risks and requirements. In order to design effective service compositions therefore requires that services be prepared for a range of security challenges."

For its part, Fortify has released analysis and testing tools for its Fortify 360 product to provide architects, developers, and others involved in SOA development with ways to identify security vulnerabilities. The new tools perform automated source code analysis on a code base and dynamic security testing on a running application, said Taylor McKinley, Fortify 360 product manager.

"We have three analyzers," he explained. "One looks at your code statically. One looks at your running application dynamically. And one protects your application in real time."

The analysis and testing tools are designed for the SOA frameworks in use by Fortify's customers, Chess explained. Those released this summer cover:

  • Apache Axis
  • Apache Axis 2
  • IBM WebSphere 6.1
  • Microsoft .NET Web Services Enhancements (WSE) 2.0
  • Microsoft Windows Communication Foundation (WCF)

"If you have the Fortify 360 Suite and you're looking at analyzing code using our static analyzer when you're scanning one of these SOA frameworks, it will flag an issue and say you haven't properly encrypted this or you don't have a proper authentication within that SOA framework," McKinley explained.

The tools not only flag the vulnerability but also automatically provide a suggested fix for it, he added.
