Last week I did a SANS webcast with Jacob West from Fortify on Web Services and SOA Security issues. I also did another SANS Webcast on Web services security way back in 2005. I went back and looked at the 2005 slides and its really scary how the issues are still there. Again we see developers making hellacious progress and security treading water (in a moving stream). From 2005:
Many (most?) classic Information Security mechanisms are not as relevant in securing Web Services:
- Firewalls:SSL
- SSL
- Session based access control
- Policies & mechanism domains are blurred by integration and decoupling
- Lack of end to end visibility
I realize that security is a system level issue and it takes a long time to change things at that level, but what's more concerning to me is that the typical infosec mindset remains the same. Should we be surprised by rampant phishing and fraud? I am frankly surprised the numbers are so low given the opportunities that the attackers have via the glacial pace of security improvements. Its been three years since that list and I could write the same exact one today for SOAP, REST, SOA, Web 2.0 whatever. Maybe the main reason, beyond failure of imagination, why infosec is so far behind developers is that infosec lacks tools. Developers automate everything possible. Security doesn't. The most promising thing about static analysis is not the ability to find everything, its the ability to find many important things in an automated way. Infosec needs to stop giving people fish and teaching people to fish. Look at Fortify's vulncat site which has a Taxonomy of Coding Errors. Fortify's Seven (plus one) pernicious kingdoms are:
- Input Validation and Representation
- API Abuse
- Security Features
- Time and State
- Errors
- Code Quality
- Encapsulation
- *. Environment