So Brian Chess and I gave a talk on "Breaking Web Services." The first slide said "we are not here to talk about standards like WS-*, we are here to talk about how web services are implemented in the real world."
The second slide said "Attackers break implementations not standards."
By this point you may get the hint that we were going to talk about implementations, not standards. Not everyone did. We did a review of Saltzer and Schroeder vis-à-vis the new web services world. I do this at the beginning of every training class I teach, and I always ask "how many people are familiar with this paper?" I have never seen more than 2 or 3 hands go up, and that was the case here too. Everyone has had things like Least Privilege and Complete Mediation ingrained into them without backtracking to where they came from and wondering whether they still apply.
Anyway, we went into specific attacks against web services implementations. At that point, one person kept hollering that WS-Security "solved" this issue or that issue. This person was also one of the two hands that went up when we asked who had read Saltzer and Schroeder. And this brings me to my point: sure, you can implement WS-Security in a robust fashion, but because it was deliberately built as a general-purpose standard you can also blow your foot off. The fact is there is a lot of room for error. Brad Hill has been the most articulate on this point. So while the person arguing that WS-Security is able to solve these issues was basically correct, he was also one of only 1% of the people who have read the paper!
It's not that the standards people did bad work; they did very important work. But their reward for doing good work is more work, namely that we need Lego blocks for security: codified patterns for web services authN, authZ, attributes, and so on, not general-purpose tooling. These systems really are not snowflakes, at least most of them aren't. I really wish the DataPowers, Vordels, Cisco Reactivitys, and others would ship with more Lego blocks enabled, not open-ended tooling only.
Another person, from a large software vendor, stood up to criticize us, saying "Geez, you guys are making this sound hard, you need to tell people that this stuff is easy."
Um, no? It should be easier, but I cannot say it's easy right now. Anyway, these little contentious points aside, it was a fun, new talk and great to work with Brian. I got to meet Pamela Dingle, and I was sad I had missed her presentation on hacking the identity metasystem because I probably could have rewritten a whole bunch of my presentation.