
SANS Webcast: Security for Web Services and SOA

Last week I did a SANS webcast with Jacob West from Fortify on Web Services and SOA security issues. I also did another SANS webcast on web services security way back in 2005. I went back and looked at the 2005 slides, and it's really scary how the issues are still there. Again we see developers making hellacious progress and security treading water (in a moving stream). From 2005:

Many (most?) classic Information Security mechanisms are not as relevant in securing Web Services:

  • Firewalls
  • SSL
  • Session based access control
  • Policies & mechanism domains are blurred by integration and decoupling
  • Lack of end to end visibility

I realize that security is a system level issue and it takes a long time to change things at that level, but what's more concerning to me is that the typical infosec mindset remains the same. Should we be surprised by rampant phishing and fraud? I am frankly surprised the numbers are so low given the opportunities that the attackers have via the glacial pace of security improvements. It's been three years since that list and I could write the same exact one today for SOAP, REST, SOA, Web 2.0, whatever. Maybe the main reason, beyond failure of imagination, why infosec is so far behind developers is that infosec lacks tools. Developers automate everything possible. Security doesn't. The most promising thing about static analysis is not the ability to find everything, it's the ability to find many important things in an automated way. Infosec needs to stop giving people fish and start teaching them to fish. Look at Fortify's vulncat site, which has a Taxonomy of Coding Errors. Fortify's Seven (plus one) Pernicious Kingdoms are:

  • Input Validation and Representation
  • API Abuse
  • Security Features
  • Time and State
  • Errors
  • Code Quality
  • Encapsulation
  • * Environment (the "plus one")

These categories are then used to find security bugs in a variety of frameworks: Axis, Axis2, WebSphere and .NET. The tools give security people a richer understanding of the actual state of security in their web services, the ability to communicate and debate design-improvement tradeoffs with developers, and cogent advice on how to address the issues.

It would be fantastic if the list of security issues in 2011 were different from the 2005 one that we are still stuck with.

Comments

It was a pleasure hearing Gunnar speak on such a relevant topic. We're excited to be contributing to an area that's seeing explosive adoption in the enterprise software industry.
