At the RSA conference this week, I gave two talks on building a margin of safety into your software. In various conversations during the week, at least 25 different people brought up to me (unprompted) that they "just used SSL for security on their web services". Chris Walsh immediately picked up on the preposition that says it all - "security on your web services" instead of, of course, security in your web services. Of the legions of vendors on display, I could count on one hand the ones that help you get security in web services, or in anything else for that matter.
The other matter, of course, is the notion that the defender gets to choose the security model and define its efficacy. I find this notion a network-security-centric view at best; it's quaint yet dangerous, outmoded thinking.
Web services are the primary way to integrate, whether it's web server to ESB or mobile device to web server. The attack surface is typically comprised of the HTTP channel, some application methods (HTTP verbs, URLs, URIs), and the data, like XML.
If you put SSL on your web service, then what confidence, if any, should the recipient have in the data and the method? Where did it originate? What is protecting it? Has it been tampered with? And so on. These are all open, unaddressed questions, and the real problem is that blithely stating "we use SSL on our web services" is at best an opening in the security chess match; it's not the end game, it's the beginning of the game, and the attacker has the next move. If your only web service security is on the channel, then there are vast spaces for the attacker to operate in.
As the Cole Porter song goes -
Give me land, lots of land, under starry skies above
Don't fence me in
Let me ride through the wide open country that I love
Don't fence me in
Putting SSL on your web service and calling it good leaves acres of space for attackers to roam. How does this all end? I think we know. In the 90s people wrote web apps with similarly naive network-centric trust models, and then they started to discover that their opening move of SSL and firewalls did zippo to defend against XSS, SQL Injection and friends. The defender's opening move does not decide the game, particularly when it's weakly mapped to only one part of the attack surface (the communication channel). It took a few years for attackers to find all those holes left open in the web apps, and web services have been the dominant integration technology for mobile and other areas for a few years now; it's just a matter of time till the naive trust in SSL network security breaks down. If you want to get busy on solving problems now, consider getting down to the message level as quickly as possible.
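To make the "message level" concrete, here is an added example (not from the original post) of the minimum a recipient needs to answer the origin and tamper questions above once the SSL channel has been terminated: a keyed signature bound to the HTTP verb, the URI and the XML body together, with a timestamp to bound replay. The shared secret, header names and sample order body are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed shared secret for this example; each real caller would hold its own key.
SECRET = b"example-shared-secret-not-for-production"
MAX_SKEW = 300  # seconds a signed message remains acceptable (bounds replay)

def canonical(method, uri, body, ts):
    # Bind method, resource, time and payload digest into one string so that
    # none of them can be swapped independently without breaking the MAC.
    return b"\n".join([
        method.encode(), uri.encode(), str(ts).encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])

def sign(method, uri, body, key=SECRET, ts=None):
    # Sender side: returns the headers that travel with the message.
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(key, canonical(method, uri, body, ts), hashlib.sha256).hexdigest()
    return {"X-Sig-Timestamp": str(ts), "X-Sig": mac}

def verify(method, uri, body, headers, key=SECRET, now=None):
    # Recipient side: recompute over what was actually received and compare
    # in constant time; any change to verb, URI, body or time fails.
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Sig-Timestamp"])
        given = headers["X-Sig"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = hmac.new(key, canonical(method, uri, body, ts), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)

# Constructed sample XML order message.
ORDER = b'<order><item sku="42"/><qty>1</qty></order>'

if __name__ == "__main__":
    hdrs = sign("POST", "/orders", ORDER)
    print("intact:", verify("POST", "/orders", ORDER, hdrs))
    print("tampered qty:", verify("POST", "/orders", ORDER.replace(b"<qty>1<", b"<qty>100<"), hdrs))
    print("swapped verb:", verify("DELETE", "/orders", ORDER, hdrs))
```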