Weak encryption implementations create vulnerabilities in SOA applications as business data and transactions move back and forth via Web services, says Brian Chess, co-founder and chief scientist of Fortify Software Inc. Other common security issues Fortify has identified in SOA frameworks include weak authentication, vulnerability to replay attack, and XPath injection, he added.
Architects designing service-oriented architecture (SOA) applications need to find a way to be sure the security provisions in their model are actually working when the app goes live, says Chess.
"Nobody is going to tell you necessarily if it's broken," he explained. "If the functionality is there, people won't even know that it has major security problems built into it. And the security problems might not exist in the design. They might only exist in the implementation."
Architects need to know if the implementation is faithful to their design, Chess said. "It is a difficult but critical part of getting security right," he added.
Fortify's chief scientist points out the similar SOA security concerns about the unforeseen consequences of the dynamic interaction of Web services in SOA are expressed by Thomas Erl, author of books on SOA issues. "Because SOA offers the potential to create sophisticated and complex composite solutions," Erl writes, "agnostic services can be subjected to a variety of different usage scenarios, each of which can introduce unique security risks and requirements. In order to design effective service compositions therefore requires that services be prepared for a range of security challenges."
For its part, Fortify has released analysis and testing tools for its Fortify 360 product to provide architects, developers, and others involved in SOA development with ways to identify security vulnerabilities. The new tools do automated source code analysis on a code base and dynamic security testing on a running application, Taylor McKinley, Fortify 360 product manager.
"We have three analyzers," he explained. "One looks at your code statically. One looks at your running application dynamically. And one protects your application in real time."
The analysis and testing tools are designed for the SOA frameworks in use by Fortify's customers, Chess explained. Those released this summer cover:
- Apache Axis
- Apache Axis 2
- IBM WebSphere 6.1
- Microsoft .NET Web Services Enhancements (WSE) 2.0
- Microsoft Windows Communication Foundation (WCF)
"If you have the Fortify 360 Suite and you're looking at analyzing code using our static analyzer when you're scanning one of these SOA frameworks, it will flag an issue and say you haven't properly encrypted this or you don't have a proper authentication within that SOA framework," McKinley explained.
The tools not only flag the vulnerability is also automatically provide the suggested fix for it, he added.