LOS ANGELES -- It might be time to cut enterprise security officers some slack when it comes to their ultra conservatism
over Web services security.
Gartner Inc. research director Ray Wagner sounded the alarm Tuesday during the Application Integration & Web Services Summit 2004 that yet-untapped vulnerabilities in Web services-enabled enterprise applications from giants such SAP AG, PeopleSoft Inc., Oracle Corp. and others that could open a whole new front of woes that need defending.
"Off-the-shelf Web services interfaces are a major concern," Wagner said. "Open those Web services interfaces, and you're potentially letting in tens of thousands of new users and making it a huge target."
Wagner said security officers are quick to shoot down requests to expose Web services across an enterprise firewall, connect financials with Web services or open Web services interfaces bundled in applications.
"We project that Microsoft will have company very soon in the vulnerability space," Wagner said. "Regular patches may be required soon for PeopleSoft, SAP, Baan and others, just like for Microsoft. Caution here is good."
Wagner held up Microsoft's beleaguered Web server software IIS as an example. It's built with a relatively small code base and is intended for use on untrusted networks. It has been highly reviewed by the security community, yet in 2002, there were 25 major vulnerabilities found in the software.
PeopleSoft, by contrast, has a large code base intended for use on untrusted networks that has not been highly reviewed by the security community. Its security secrets remain a mystery.
Wagner urged that enterprises not be lax when securing Web services because they are vulnerable to many of the same security issues plaguing client-server installations, namely identity spoofing, malicious code insertion, XML denial-of-service attacks, invalid binary or URI inclusion and WSDL or UDDI attacks.
"XML Web services were designed to carry any traffic, including executables," Wagner said. They do so on TCP/IP ports for standard Web traffic, ports 80 for HTTP, and 443 for SSL. Traditional firewalls are rendered ineffective because they don't do deep-packet inspections. Consequently, insecure links to back-end databases and applications that deploy Web services are established.
The best remedy, Wagner said, is to follow a security road map that "goes slowly and securely."
He advised enterprises to first create a policy that limits the used of Web services to registered and secure deployments. Web services should also conform to Web services security standards, both in purchases of off-the-shelf software and in internally developed services. An internal review of current architecture is recommended. Enterprises should look for additional areas where Web services may fit. Wagner also advised companies to educate all parties taking part in a Web services deployment to secure best practices and any other relevant policies. Finally, enterprises need to monitor Web services inside and outside the firewall.
He also stresses that companies should deploy simple Web services internally first where low-value transactions are carried out that follow guidelines established by WS-I.
"A firewall and a Web server might be enough to do simple Web services," Wagner said. "You don't need to buy a lot to do Web services today."