SOA Plateau of Profitability

There's always been crazy SOA hype, but there's tons of good real world cases where its helped, Fundtech is a small software provider to the financial services world, they have some interesting SOA stories:

As an example of Global PAYplus-SP's innovative use of SOA, it now becomes possible to integrate full payments functionality into the corporate customer's online experience, thereby enhancing self-service, streamlining workflows, and significantly increasing straight through processing (STP). In what Fundtech calls STP@Source(TM), clients are engaged in the validation and enrichment of payment transactions, resulting in fewer exceptions and lower cost. Clients are empowered to make routing and pricing decisions resulting in a faster and more responsive service.

Part of what I find interesting here is that you can imagine that many large financial operations are not particularly well integrated, so they literally outsource some part of their integration. "Hey build an SOA for us" So how this played out in the real world:

I want to spend a few minutes discussing our recently announced transaction with Bank of America/Merrill Lynch. This is a very important strategic transaction and potentially [inaudible] for FUNDtech. By the same token, it may mean a difference in our prior system sales. That’s why we saw aspect of technology between what we will be delivering to Bank of America and the potential market to aid FUNDtech.

Until service architecture came to the scene there was a clear distinction between back office systems like payment systems and formed office systems like cash management systems. Each of the systems provided response specific functionality and [inaudible] was connected to the various other systems in the bank through hard wire interface.

Back up relations were supported by a series of systems. This means that a bank that wanted to improve certain functionality aspects of the system would often find need to invest large amounts of money directly to functionality in multiple systems. In this era the situation is very different.

The creation of cycle services of functionalities, it can be shown by the banking system in the bank. So for example, if we look at fees the banks charge the customers for high venue wire, one can create a service that can be shared by each of the cash management and the payments systems of the bank.

So that means that for the customer that wants to transfer $1 million from his account in the U.S. to his vendors in the U.K. we’ll be able to do in real time using the cash management system that he or she uses through the Originet console, the fees of wiring the funds and associated fees and select [inaudible] their needs.

This can be a new service that the bank can offer its customers as part of its cash management system using this service. It is scaled by the cash management system as well as other back office systems in the bank. It was so expensive to provide the cash management system which complicated the back end functionality.

While our existing market for new system stay the same, the new significant market opportunity for payment services is being created for FUNDtech. It means that we can now source our services with enhanced wire systems in the bank without the need to replace them.

And we know, replacing systems is a painful and expensive process and until now we couldn’t really offer much to bank who wanted to improve their systems that they had without replacing them in the short term. This should now change in the larger banks like Bank of America transaction.

In addition to our leadership position, by providing SAW based solutions, we continue to make strategic solutions for banks who want to ensure that they are using the best and the most modern technology which will provide them the long term competitive advantage.

Bank of America which we typically saw the important functionality and performance of its cash management systems and back end systems without replacing them in the short term. This project will last into 2011 and we believe that we have an opportunity to continue to grow in the bank in the years to come.

Just like the financial world you can imagine that insurance is not particularly well integrated and here too is a niche company called eBix that's building SOA based integrations for the insurance industry.

What do both of these have in common besides real business use cases? They both are having record breaking revenues and raising guidance. Fundtech has margins over 55% and is predicting a record q4. eBix has margins around 80% and just completed a record breaking quarter. So while I have not worked with either of these products, it looks like SOA is working pretty well for integrating real businesses. 

Vordel FTW!

I think security is about the only area of computing where the east coast has an advantage over the west coast, and if you keep going east from the eastern seaboard you wind up in Ireland, home of Web services company Vordel. I have used their tool Soapbox many times over the years and always recommend it to clients, it has many uses, and now its free!

Soapbox is essentially a tool that builds Web services clients, takes in message (e.g. XML) and the URL you are calling which is similar to Soapui and a number of other tools like curl, but Soapbox does several security-related things that make it very valuable.

First thing is that Soapbox supports a variety keystores, so you can use Openssl or your favorite tool to set up the keys, keystores and certs that you need. Then you can take a vanilla soap message

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<tns:Cities xmlns:tns="http://euro2008.dataaccess.eu" />
</soap:Body>
</soap:Envelope>

and add a signature and timestamp to it for authentication purposes

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Id-0000012282ebfbbb-00000000002eb6e9-4"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#Id-0000012282ebfbbb-00000000002eb6e9-3"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>bAfOw4sLP/PD/Fe/5VRkrJXnZiI=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>N0VLGWgJDad52fvH7A3saVGc9rusFZlpAedEHh5HVGOnyEPAQy5+HD8OkvxTku+y
Og+M+P8ZY3OeTIZkNhoNzrVoRb1riPSr9znFRXFMImpTInOAncoEmcPtjs4XJ5vp
+e8gw5lr5gsvmcTafvUMfG+HDuyp+ZF8EFdm90bdeZ/2GIZ0WXqzL5yVQAhHlRiH
SLwcY5p5NmQvjimdMTMcPgc5ETfDAa1yKE/2hyFqn26fU6g/c5XYkp4xHULUIVP2
WZQlfkuHiGFSNCrVw68H/QTSOSl/s0lebWC3q+kCuTecQSml+hFbM4cZjvIVKUZJ
f1RUUsg1NGvtpHebx9/YQA==</dsig:SignatureValue><dsig:KeyInfo Id="Id-0000012282ebfbbb-00000000002eb6e9-5"><dsig:X509Data><dsig:X509Certificate>MIIC0TCCAbmgAwIBAgIGARqbOHiZMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMTDVNPQVBCb3hDb25maWcwHhcNMDgwNjE4MTAyODAwWhcNMTEwNjE4MTAyODAwWjAYMRYwFAYDVQQDEw1TT0FQQm94Q29uZmlnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLw4QAWqVmEr+CEo8Fp8WPq9Oo7BdnNOtMT5sUp0IN4NVvKmdI8ju3HsbnXzI7csNDzK6Feo19J/XLZk/Lr3Q4bLmmD+bMLFljiIgQ89+Bwc3mtyT1Rr4WBQUKnF8+8y65m2RebySelzgWIeZM72JoThSw85VBtyHvjlQnTAnfwX0NV7mH+kbQDi0c4Q4UZhKWFfb5L2tbjcknsG0k4De07qIw+RsGipkuNoFyI6BwwC0IERv48sacL30nWAOZMNDkm4S61aAYuzfMZySzPseU6BUdIdYAnITgj4tHRJZ93OYnn6LObEkYxobyGi6SULtBQQYzHKgeeyvru2Z1L7nQIDAQABoyEwHzAdBgNVHQ4EFgQUjq3/y0NF+tlUqwLc8SP4uV4/PK4wDQYJKoZIhvcNAQEFBQADggEBABAkqI4elXT/+1RfJOavOy2sAtnr1XiLp1HYtkJV4BMmoouExG+jiEg9MU18dF3302JvbGk+nVw8g/80Tlx5jpWlU6UwVmuc4RZaWjj+NkUncniaWVdcCmgIsLfeIWrK6bWfQaylpj9t8Vl7q4ocrMg7R8tPizlliIfD+hH3aUVkTgvXsb9GTPYYAfLgHQYimDyXm5w1qqWv7Id7nZfzplP1N+cBbxEMT4SQ4QS72cnShDo+fz+pcjxF81VaYe4ag9DyHrMH1PKDsxO7kEGz9fAFQRfTw50ksnNrVqefAOBCRdvL1s/Awwpt1DPk44jtvY4NZRF2NsbAyLswPyntpAY=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-0000012282ebfbbb-00000000002eb6e9-2"><wsu:Created>2009-07-16T09:36:59Z</wsu:Created></wsu:Timestamp>
  </wsse:Security>
  </soap:Header>

or perhaps you are more worried about confidentiality, taking the same vanilla soap message you can use XML encryption in Soapbox to generate

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="Id-0000012282eedda3-00000000002eb6e9-12"><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Id-0000012282eedda3-00000000002eb6e9-13"><dsig:X509Data><dsig:X509Certificate>MIIC0TCCAbmgAwIBAgIGARqbOHiZMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMTDVNPQVBCb3hDb25maWcwHhcNMDgwNjE4MTAyODAwWhcNMTEwNjE4MTAyODAwWjAYMRYwFAYDVQQDEw1TT0FQQm94Q29uZmlnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApLw4QAWqVmEr+CEo8Fp8WPq9Oo7BdnNOtMT5sUp0IN4NVvKmdI8ju3HsbnXzI7csNDzK6Feo19J/XLZk/Lr3Q4bLmmD+bMLFljiIgQ89+Bwc3mtyT1Rr4WBQUKnF8+8y65m2RebySelzgWIeZM72JoThSw85VBtyHvjlQnTAnfwX0NV7mH+kbQDi0c4Q4UZhKWFfb5L2tbjcknsG0k4De07qIw+RsGipkuNoFyI6BwwC0IERv48sacL30nWAOZMNDkm4S61aAYuzfMZySzPseU6BUdIdYAnITgj4tHRJZ93OYnn6LObEkYxobyGi6SULtBQQYzHKgeeyvru2Z1L7nQIDAQABoyEwHzAdBgNVHQ4EFgQUjq3/y0NF+tlUqwLc8SP4uV4/PK4wDQYJKoZIhvcNAQEFBQADggEBABAkqI4elXT/+1RfJOavOy2sAtnr1XiLp1HYtkJV4BMmoouExG+jiEg9MU18dF3302JvbGk+nVw8g/80Tlx5jpWlU6UwVmuc4RZaWjj+NkUncniaWVdcCmgIsLfeIWrK6bWfQaylpj9t8Vl7q4ocrMg7R8tPizlliIfD+hH3aUVkTgvXsb9GTPYYAfLgHQYimDyXm5w1qqWv7Id7nZfzplP1N+cBbxEMT4SQ4QS72cnShDo+fz+pcjxF81VaYe4ag9DyHrMH1PKDsxO7kEGz9fAFQRfTw50ksnNrVqefAOBCRdvL1s/Awwpt1DPk44jtvY4NZRF2NsbAyLswPyntpAY=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo><enc:CipherData><enc:CipherValue>H2oySdBYPuYhoaWbVfuQzQWyZ9eMRylzGHF5LzWCSNrX90hBFjyzg3ufxUfAbRBS
pPdgCfd5edH63DFsiMnYBe4vY5010sLwvHP78M4uEZlA9tb8C2rXlvs7KJeUhhAa
XAXvexwD86UDk0ir6Gn0uhsvpbZndzVPuTSBhrB5kkaxuFyCnZZby1eZPuTOWWl3
/abt0fsGJjkB7xhkOEFDBwpU8VOBVX3NjEISiTX7MbKskNWNqI5vY7tAWqMqrB5g
kIxK8O8p+WjB4i9yQmMJiR63j3gKPXlgN0/wTtCDxe+AZwSv/jW2ORd0b+9w2Rq+
LqEZ0jcE33w5YrcmxgdsJQ==</enc:CipherValue></enc:CipherData><enc:ReferenceList><enc:DataReference URI="#Id-0000012282eedda3-00000000002eb6e9-11"/></enc:ReferenceList><enc:CarriedKeyName>Id-0000012282eedda3-00000000002eb6e9-10</enc:CarriedKeyName></enc:EncryptedKey>
  </wsse:Security>
  </soap:Header>
<soap:Body><enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="Id-0000012282eedda3-00000000002eb6e9-11" Type="http://www.w3.org/2001/04/xmlenc#Content" Encoding="UTF-8" MimeType="text/xml"><enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu:Id="Id-0000012282eedda3-00000000002eb6e9-14"><wsse:Reference URI="#Id-0000012282eedda3-00000000002eb6e9-12" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/></wsse:SecurityTokenReference></dsig:KeyInfo><enc:CipherData><enc:CipherValue>7omm3jasigXF6qd0jlhivSq5wxW0hA1YORHNV386euQBeAO5gksbbBfBIKSHlYHJ
SbgU/gY28Snmh5JAPxpHSjzRfCTEjwJ5/C3j1iD0yN8=</enc:CipherValue></enc:CipherData></enc:EncryptedData></soap:Body>
</soap:Envelope>

<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-0000012282ebfbbb-00000000002eb6e9-3">
<tns:Cities xmlns:tns="http://euro2008.dataaccess.eu"/>
</soap:Body>
</soap:Envelope>

Soapbox can also be used for REST and other types of web services, if you are building or supporting web services its invaluable to have a testing tool that allows you to swap out different security mechanisms, encoding types, and data quickly and easily. It took about 2 minutes 30 seconds for me to generate the above from a standing start (including Eclipse start up time ;-P). Grab a copy of Soapbox and see what you think, I will blog more about some other features later.

Using Threat Models

Threat models are a very good way to make implicit security threats and mechanisms, into explicit threats and mechanisms, so that you can write requirements, build, and test that they do the job you intend. As a starting point, I like to use a modified version of STRIDE, which among other things cleanly maps threat to mechanism. This way when starting a new project, for example with SOA Web services, you can identify where the standards will help you.

 

Threat	Mechanism	Example Standard
Spoofing	Authentication	WS-Security
Tampering	Digital Signature, Hash	WS-Security + XML Signature
Dispute	Audit Logging	None
Information Disclosure	Encryption	WS-Security + XML Encryption
Denial of Service	Availability Services	None
Elevation of Privilege	Authorization	None

Threat models are misunderstood, they are not about modeling threats. As defensive programmers, we have little to no control over threats, our job is to find and fix vulnerabilities. So why bother with threats and threat modeling at all then? It turns out that vulnerabilities are basically passive weaknesses, and the threat is the catalyst that exercises the vulnerability so that we can 1) identify it and 2) deal with it. 

So the end result of threat modeling is not a list of threats, but rather a list of countermeasures. And not just a generic list either. The active ingredient (threat) gives us a way to locate where the countermeasure can/should live in the architecture.

Further, if we are comparing approaches early in architecture/design phases of building software, the threat model is a structured back of the cocktail napkin way to compare/contrast approaches. For example if we are looking to build out a set of Web services and are choosing between SOA style (WS-*) and REST style, we may want to look at the readily available implemented standards that each software security stack supports

 

Threat	Mechanism	Example SOA Standard	Example REST Standard
Spoofing	Authentication	WS-Security	XML Signature (response only)
Tampering	Digital Signature, Hash	WS-Security + XML Signature	XML Signature (response only)
Dispute	Audit Logging	None	None
Information Disclosure	Encryption	WS-Security + XML Encryption	XML Encryption (response only)
Denial of Service	Availability Services	None	None
Elevation of Privilege	Authorization	None	None

Threat modeling gives a concrete structure to a fairly abstract subject like analyzing software security capabilities in services, but as you see its not about the threats its about the security architecture elements. This is just an illustrative example not a complete threat model, but it does give an effective, context-sensitive way to look at tradeoffs in security architecture. In this example, SOA/WS-* has potentially more coverage the security mechanisms work on both the request and response side. In the next series of posts, we'll look slicing and dicing the threat model a layer deeper and how we can use it secure our services.

Update: Using Attack Surface with Threat Models

Logging in the Age of Web Services

Here is the paper I co-wrote with Anton Chuvakin for IEEE Security & Privacy Journal. Among other things we look at the impact of the eventually consistent model's impact on our ability to record and review audit log events. We also use some of Anton's work on event logs and apply them to how to think about security events in Web services. Hopefully there are some ideas that you can apply to building an audit log system for your Web services.

It was a lot of fun to work with someone with thinks as strategically and futuristically as Anton.

SOA Security architecture at EBS Building Society

From CSO interview with David Yeates, IT Head for EBS Building Society on why they use Vordel for Web services & XML Security services (emphasis added):

Dive deeper into how you reached the conclusion that the security architecture was needed. 
Yeates: Service-oriented applications are fundamentally different from traditional monolithic applications. Web services are dynamic, they look up, discover and bind to each other at run time. This means that the internal network has also to be considered a dirty environment. A process-driven development creates dynamic applications where business processes can be easily created and changed. This presents major change management, service management and compliance challenges for an organization. Transactional security becomes very complex, very fast.

If you run a Java application you can rely on the java security model, if you run a J2EE application or .Net application you can rely on those application containers for security services. However, if you are doing Web services, then you have no container to rely on. You must use something else for security policy enforcement and security policy decision making, so the XML Gateway architecture really buys you two things. First, you get a measure of protection from the internal dirty environment, and second you get a place to enforce policies, which you otherwise lack. 

One of the best architects I worked with made the case and bought a XML Gateway as a runtime API. Meaning a way to leverage the simplified APIs for SAML and WS-Security, so his developers didn't need to write them themselves. In other words the cost of the XML Gateway hardware was much less than the developers time to write it. Not to mention the opportunity cost, because it would need to be his best developers to write security standards wrappers. So he got the APIs at 50 cents on the dollar and got the accelerated hardware runtime for free. 

By the way, the article discusses the XML Gateway in the context of an SOA security architecture, but the same thins apply to REST which is usually deployed without security.

Imagine if you will...

IBM claims that Websphere has 35% market share. Let's assume you are one of the 2 million Websphere developers in the world, and you want to build some Web services to connect up your apps and data. Since you probably didn't take any secure coding training, where do you go to learn about how to secure your spanking new Websphere 6.1 Web service? Why the IBM Redbook of course. In there, here are some things you will find (emphasis added):

In the username token profile, the digest of the password is specified as a password type, but the password digest is not supported in WebSphere Application Server 6.1. Only the clear-text password can be inserted in a username token and should not be transferred over a non-secure network. Basic authentication should be used over the secure network, such as HTTPS or  intranet, or encryption should be applied to hide the user information. 

Clear-text password over the wire in the message - say it ain't so! One of the exercises we do in training is to examine 8 different SOAP messages with various security properties. We start with no security, just vanilla SOAP, then we do Username token with password hash, then Username token with cleartext password, then message encryption, and so on. The trend is that each message is stronger than the last but there is a trick the third message username token with cleartext password is less secure than the previous one Username token with password hash and arguably less secure than the first one vanilla SOAP with no token at all. 

let's look at the XML

Example 1. vanilla SOAP

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<param0>Hello world</param0>

...

Example 2.  SOAP + WS-Security Username token password hash

<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-8533528">
               <wsu:Created>2008-03-18T19:01:21.710Z</wsu:Created>
               <wsu:Expires>2008-03-18T19:06:21.710Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-3692614">
               <wsse:Username>bob</wsse:Username>
               <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">E9rKWg/JSBzmaQufwyf0BRjcu3w=</wsse:Password>
               <wsse:Nonce>hpfLxX/d+VxD0qxfyX2uIA==</wsse:Nonce>
               <wsu:Created>2008-03-18T19:01:21.705Z</wsu:Created>
            </wsse:UsernameToken>
         </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>

...

Example 3. SOAP + WS-Security USername token with cleartext password

<?xml version='1.0' encoding='UTF-8'?>
   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-15828664">
               <wsse:Username>bob</wsse:Username>
               <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">bobpassword</wsse:Password>
            </wsse:UsernameToken>
         </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>

...

In example 1, we have a payload but really no way to offer AAA services, in example 2, we have a shot at authN, in example 3 we pass the password in cleartext, in effect shipping the dynamite and detonator in the same truck! Now we are not only vulnerable to replay attacks as in the previous 2, but have introduced a spoofing risk for anyone who can read the message to impersonate the service identity that was used throughout the system and at best we gain a very weak authN method username/password. That's why in my view its worse than example 1, vanilla SOAP doesn't give you much for AAA but at least its not adding huge identity risks in your system through non-protection of both the credential and the secret!

But the Websphere story doesn't stop there.

As described in “Authentication” on page596, identity assertion (IDAssertion) is available in WebSphere Application Server 6.1. In a secure environment, such as an intranet or SSL, it is useful to only send the client (caller) identity without credentials (such as password) together with other trusted credentials (such as the intermediary server identity). 

Inranet and SSL - Ladies and Gentlemen - your 2009 Security Architecture! I really don't want to bash IBM, and in fairness WAS supports X.509 and other strong standards if you are serious, no question that in certain areas they have done excellent work, but come on people this 2009, this kind of guidance has got to stop.

Hacking things together to work is fine and all, developers have been doing it forever, but let's not do it under the rubric of "security" and oh while we are at it, let's revisit our risk assumptions about tokens, identity, SSL and the "intranet" (which seems a whole lot more like the Internet to me these days). Misuse of Web services security standards was precisely the focus of the talk Brian Chess and I gave at RSA last year.  

WS-EncouragingSecurityProgress

Kelvin reports on a finding from Forrester (wow two Forrester links in teh same day), I don't have access to the whole report, but here is the summary

Current use of WS-Security doubled over the past two years: Now 30% of enterprises pursuing service-oriented architecture (SOA) use WS-Security as part of their SOA and Web services security strategy. Forrester believes that this gives WS-Security critical mass to sustain its place in the SOA landscape, especially considering that another 16% plan to adopt WS-Security. This also provides a foundation for adoption of other SOAP-based Web services security specifications. REST-based services still don't have standard profiles for interoperable security, which means that when security requirements are part of the picture, SOA architects should carefully consider where and how they use REST.

A couple of points on this, this number matches my overall experiences. I see a lot of SOA and Web services that start with weak or no security relying on SSL and a prayer. WS-Security, SAML and friends are often added in Phase 2 and Phase 3 so it speaks to the overall maturity. So that is some good news. Mark O'Neill had a good post recently on this as well.

Next, unfortunately saying you are using WS-Security doesn't mean all that much. As Brian Chess and I talked about in our RSA talk last year, the spec leaves ample room to shoot yourself in the foot at design time and that's even before you get to implementation. You can use weak token types, lack integrity, open up information disclosure, replay and a host of other vulns, all while still being WS-Security compliant, depending on the profile.

This is not necessarily a critique of WS-Security just putting some more specifics around what is allowable behavior. Our ask at RSA was to add more constraints and not leave so much up to the designer.

Finally, to the point on REST security, REST requires that you build your own message level security from scratch and implement it on both ends. Not impossible but you are reinventing the WS-Security wheel.

Mark O'Neill on PKI and SOA

+1 for Mark O'Neill on this post:

...SOA is Dead... reminds me of another Three letter Acronym which 
Was declared dead. Back then, eight years ago, it was PKI which was declared dead. There are similarities with SOA. In the case of PKI, there was a tendency towards what in France are called "grands projects", ie large complex deployments. The "full blown PKI", with its CA, RA, hardware stores, etc etc, was a classic example of this. Banks and governments were seduced by this, and often built out architecture for the sake of architecture. What was missing from PKI? The focussed applications. It is hard not to see the analogy with SOA "grands projects", complete with UDDI, etc.

In the meantime while PKI was being declared dead, VeriSign had created their own PKI in the "cloud", (which they never called a PKI). Savvy organizations started to focus on the applications (chiefly SSL) and outsourced the PKI itself to the Cloud (VeriSign) to deal with key issuance, certificate expiry management, etc. VeriSign did very well out of this. While "PKI" became a dirty word, VeriSign prospered with a cloud PKI. Who is the VeriSign in the SOA analogy? Amazon. Without ever calling their services, or indeed their services hosting platform, an "SOA", they have build the successful SOA in the cloud.

And what is the equivalent of SSL, ie the simple and useful application of the techhology? The answer this time is REST, SaaS, and the direct EDI-style XML messaging which we have seen many Vordel customers successfully use. 

By the way, whatever about SOA, I don't agree that SOAP (and the many WS-* technologies) is dead. *building it from scratch* is dead, but any glance under the hood of Microsoft .NET shows it is very much alive and is becoming more and more a core part of Windows (just as Microsoft build PKI into Windows server products quite successfully and quietly). And it is not a case or "either / or" SOAP or REST: XML Gateways (such as Vordel's) do a very successful job of mediating between the two.

We know Microsoft is light years ahead of the Java community on security, I wonder when we will see the Java folks at Sun and IBM catch up to where Microsoft is now on message level security?

Like PKI, the "grands projects" approach to SOA is dead. But that opens up the opportunity for focussed applications, for cloud providers, and for XML Gateways which, through protocol mediation, make the "SOAP vs REST" debate moot.

Heck, Mark I don't care for grand projects either, I am a bottom up guy 98% of the time, I am not picky and would be happy with people put in authN and authZ whichever service style they choose. 

I guess the thing I come back to is that people built out web apps for 5 or more years before people finally started thinking about XSS, SQL Injection and stuff, so we are on about 5 or 6 years of people building Web services, maybe soon the herd (outside of Redmond) will start figure out where the vulns are at?

SOA Security in Real Life

I started off my last article on SOA Security this way:

When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move. 

Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

Well guess what happened last weekend? I always do lock my car in the garage, but last week I came home with an armful of holiday cheer and forgot. I went out to the garage over the weekend and noticed that a local knucklehead who could see that the car was unlocked tried to jimmy the lock on my garage door, and busted off a piece of wood before giving up (probably when they saw the sign that said the garage was monitored).

The response of the police actually further supports my assertion that security is about assets not threats. I called the police and said someone tried to jimmy my garage door. They said its a holiday weekend, call back on Monday and get a case number. This disturbed me not at all. All they are going to do is record a threat (or security event) metric anyway.

Now in a hypothetical scenario if my car was compromised it would have been a completely different response from both me and the police; why is it different urgency? Not because of the threat and intent which  were similar in both scenarios, but its the fact that the asset was put into motion that's what makes it important.

For infosec what do we learn? Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.

Web services talk at OWASP

The video from my OWASP AppSec Conference talk on OWASP Top Ten for  Web services  is online here.

OWASP is consistently the most interesting and practical security conference, its probably the closest thing we have to a true software security conference. Sure, we could use a few more builders, but I still think its the best we have right now.