Web Services - the next big thing in IT, but what about security?

Web Services is a new and emerging technology designed to let businesses communicate with one another without the inefficiencies of human interaction. Considered by many to be the next revolution in the IT industry, Web Services allows for the creation of an application-to-application marketplace, in which software from one company communicates directly and efficiently with software from another. The Web Services.org website describes the process as follows: "Through Web Services companies can encapsulate existing business processes, publish them as services, search for and subscribe to other services, and exchange information throughout and beyond the enterprise." (Web Services.org website)

The impact of Web Services implementation is staggering, and we are just beginning to see some of the world's most powerful organizations turn to Web Services for its power and efficiency. The United States federal government has recently outlined how it plans to use Web Services. "Egov czar Mark Foreman told [US] federal information technology leaders that he views Web Services as a crucial component for extending government systems to the citizens, businesses and agencies." (Joab Jackson, Reaching out online, Nov. 4, 2002)

The true power of Web Services is that it provides a universally accepted set of standards for placing most software services online. "Collected under the title 'Web Services,' protocols such as Simple Objects Access Protocol, or SOAP, and extensible markup language, XML, allow computer programs to be accessed by people or other programs over the Internet as easily as Web pages of text are today." (Joab Jackson, Reaching out online, Nov. 4, 2002)

To better understand how Web Services could make daily business operations more efficient, consider the following business-to-business purchasing scenario. XYZ Construction Company wants to purchase building materials (sand, cement blocks, wood, etc.) for the development of a new housing project. In addition to locating building material suppliers, XYZ also needs to identify third-party services such as transportation, financing and insurance. The conventional approach using the Internet is for XYZ employees to browse manually through several supplier websites, locate the relevant information and pass it to senior management. With the Web Services approach, an XYZ employee enters a 'shopping list' into the Web Services application and the system does the rest. The application first collects a list of potential building materials suppliers, typically by querying a Web-based distributed directory called Universal Description, Discovery and Integration (UDDI). For each supplier on that list, the application then learns how to talk to the supplier's service from its Web Services Description Language (WSDL) document, which defines the operations the service offers and the structure of the messages it expects. Based on the WSDL definitions, the application constructs the appropriate message stream for each listed service as Simple Object Access Protocol (SOAP) messages, which are XML documents normally carried over HTTP. Finally, the application collects, collates and formats the responses into an order form that contains everything needed to purchase the materials and have them delivered to the construction site. (KaVaDo Inc., Securing SOAP & Web Services White Paper, 2002)

In the rush to take advantage of the power and efficiency of Web Services, businesses and organizations alike must concern themselves with security. Web services will "open up a whole new avenue for security vulnerabilities," says Bruce Schneier, Chief Technical Officer and Founder of Counterpane Internet Security Inc., Cupertino, California. "Typical administrators are not aware of the power of Web Services, so they keep them on the server. And this is the dream of the hackers who will use them to take control of the applications." (Yuval Ben-Itzhak, Chief Technology Officer, KaVaDo Inc.) Organizations wishing to harness the power of Web Services are becoming increasingly concerned with security, and the challenges of securing Web Services are not unlike those of securing the Internet once it became a robust business tool.
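To make the WSDL-to-SOAP step of the purchasing scenario concrete, the following Python example is added here; it is not code from the original article, from KaVaDo or from ProSoft Consulting, and the supplier namespace (urn:example:supplier), the host (supplier.example), the WSDL fragment and the supplier's reply are all constructed for the example. It reads the operation and its message parts from the WSDL, builds the SOAP 1.1 request (refusing parameters the WSDL does not define), frames it as the HTTP POST that actually crosses the network, and parses the supplier's reply.

```python
# Added example (not from the original page, KaVaDo or ProSoft): the
# WSDL-to-SOAP step of the purchasing scenario, Python 3 standard library only.
# The supplier namespace, host, WSDL fragment and response are constructed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"            # WSDL 1.1 namespace
SUPPLIER_NS = "urn:example:supplier"                     # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sup", SUPPLIER_NS)

# Constructed WSDL of the kind a UDDI lookup would point to. Real WSDL also
# carries <types>, <binding> and <service> sections; they are omitted here.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="{SUPPLIER_NS}" targetNamespace="{SUPPLIER_NS}">
  <message name="QuoteRequest">
    <part name="material" type="xsd:string"/>
    <part name="quantity" type="xsd:int"/>
  </message>
  <portType name="SupplierPort">
    <operation name="GetQuote"><input message="tns:QuoteRequest"/></operation>
  </portType>
</definitions>"""

# Constructed supplier reply to the GetQuote call.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
  <sup:GetQuoteResponse xmlns:sup="{SUPPLIER_NS}">
    <unitPrice>1.85</unitPrice><currency>USD</currency>
  </sup:GetQuoteResponse>
</soap:Body></soap:Envelope>"""


def describe_operations(wsdl_text):
    """Learn {operation name: [input part names]} from a WSDL document."""
    root = ET.fromstring(wsdl_text)
    parts = {m.get("name"): [p.get("name") for p in m.findall(f"{{{WSDL_NS}}}part")]
             for m in root.findall(f"{{{WSDL_NS}}}message")}
    ops = {}
    for op in root.iter(f"{{{WSDL_NS}}}operation"):
        msg_ref = op.find(f"{{{WSDL_NS}}}input").get("message")
        ops[op.get("name")] = parts[msg_ref.split(":", 1)[-1]]   # drop the tns: prefix
    return ops


def build_soap_request(operation, params, known_ops):
    """Serialize a SOAP 1.1 request; refuse parameter sets the WSDL did not define."""
    if set(params) != set(known_ops[operation]):
        raise ValueError(f"{operation} expects parts {known_ops[operation]}")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{SUPPLIER_NS}}}{operation}")
    for name in known_ops[operation]:            # keep the WSDL's part order
        ET.SubElement(call, name).text = str(params[name])
    return ET.tostring(env, encoding="unicode")


def http_post(host, path, soap_action, xml_text):
    """Frame the envelope as the plain HTTP POST that crosses the firewall."""
    body = xml_text.encode("utf-8")
    headers = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Content-Type: text/xml; charset=utf-8\r\n"
               f"Content-Length: {len(body)}\r\nSOAPAction: \"{soap_action}\"\r\n\r\n")
    return headers.encode("ascii") + body


def parse_soap_response(xml_text):
    """Return the children of the single response element as a {tag: text} dict."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one element in the SOAP body")
    return {child.tag: child.text for child in body[0]}


if __name__ == "__main__":
    ops = describe_operations(SAMPLE_WSDL)
    req = build_soap_request("GetQuote", {"material": "cement blocks", "quantity": 500}, ops)
    print(http_post("supplier.example", "/quote", f"{SUPPLIER_NS}#GetQuote", req).decode())
    print(parse_soap_response(SAMPLE_RESPONSE))
```

Note what the network sees: a POST with Content-Type text/xml to a host and port the firewall already permits. Nothing in the HTTP headers distinguishes the order request from any other web traffic; only the XML inside the body determines what the supplier's application will do.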
Web Services traffic is ordinary HTTP (or HTTPS) carrying XML, so a network firewall that already admits web traffic admits SOAP requests as well, and a network IDS sees nothing more than well-formed POST requests. An attack aimed at the Web Services application itself (or at any web application) therefore passes through traditional network security measures such as firewalls and IDS untouched. The hacker community continually shares information and develops new tricks and tools designed to take full advantage of unsuspecting applications. Web Services applications are no different, and as the deployment and use of Web Services grow, new and different security threats, vulnerabilities and exposures will continue to emerge. "The perception that Web Services is a 'new' technology and 'therefore must be secure' will compound the problem by inducing a false sense of security. Organizations should not think that just because Web Services has been implemented, HTTP vulnerabilities have gone away. It is likely that many companies will continue to take their eyes off the HTTP security ball and incidence of HTTP attacks will increase."
(KaVaDo Inc., Securing SOAP & Web Services White Paper, 2002)

Web Services faces additional security issues over and above those of standard web applications, because no uniform security policy governing encryption and authentication of the Web Services components (SOAP, WSDL and UDDI) has yet been defined. In other words, some components of Web Services use encryption and digital certificates while others do not. Furthermore, "It should not be forgotten that even if authentication and encryption are implemented, they only assure identity and privacy. They cannot stop malicious content from being submitted and they cannot validate what the message is intending to do when it reaches the server." (KaVaDo Inc., Securing SOAP & Web Services White Paper, 2002)

Web Services Application Protection

ProSoft Consulting Inc. (PSC) specializes in web application protection and is committed to helping organizations protect mission-critical data from new and emerging threats. By offering products and services that are meant to be implemented alongside existing security products, PSC is confident it can help companies reduce the risk of using Web Services. PSC's products and services are designed to help companies identify and protect against Web Services vulnerabilities. PSC has the capability to help companies protect themselves from Web Services threats in the following ways:

ProSoft Consulting Inc. scanning tools have:

Once a security threat is blocked, PSC's protection tools can automatically generate a real-time notification that the threat has been averted, with details of the type of attack attempted.

Web Services is an incredibly powerful tool that has the potential to revolutionize the IT industry as a whole. ProSoft Consulting Inc.'s objective is to help companies realize the full potential of Web Services while minimizing or eliminating security concerns.
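The point made in the KaVaDo quotation above, that authentication and encryption cannot validate what a message intends to do once it reaches the server, is illustrated by the following added Python routine. It is not ProSoft Consulting's or KaVaDo's code; the service namespace (urn:example:supplier), the policy table and the sample messages are constructed for the example. The routine runs after transport security has identified the sender and checks what TLS and certificates cannot: the message size, the presence of DTD or entity declarations (the usual vehicle for entity-expansion and external-entity attacks), that the envelope addresses an operation the WSDL actually advertises, and that every parameter matches the type the WSDL declares for it. Rejections are recorded with their reason, standing in for the real-time notification described above.

```python
# Added example (not from the original page, KaVaDo or ProSoft): what a service
# must still check after TLS and authentication have done their job. Python 3,
# standard library only. Namespace, policy table and sample messages are constructed.
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SUPPLIER_NS = "urn:example:supplier"      # hypothetical service namespace
MAX_BYTES = 64 * 1024                      # a quote request is a few hundred bytes

# Per-operation policy derived from the service's WSDL/XSD: advertised operations
# only, and a validator for every message part. Hypothetical values.
POLICY = {
    "GetQuote": {
        "material": lambda v: re.fullmatch(r"[A-Za-z][A-Za-z ]{0,39}", v) is not None,
        "quantity": lambda v: v.isdigit() and 1 <= int(v) <= 100_000,
    },
}

ALERTS = []   # stands in for the real-time notification the page describes


class Rejected(Exception):
    """Raised with a short reason when the message fails policy."""


def inspect_request(raw):
    """Return (operation, params) for an acceptable message; else raise Rejected."""
    if len(raw) > MAX_BYTES:
        raise Rejected("oversized message")
    # A DOCTYPE must precede the root element; any internal DTD lets the sender
    # define entities (billion laughs, XXE), so refuse it before parsing at all.
    if b"<!DOCTYPE" in raw[:4096] or b"<!ENTITY" in raw:
        raise Rejected("DTD or entity declaration present")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise Rejected(f"malformed XML: {exc}")
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise Rejected("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise Rejected("expected exactly one element in the SOAP body")
    call = body[0]
    if not call.tag.startswith(f"{{{SUPPLIER_NS}}}"):
        raise Rejected("body element outside the service namespace")
    op = call.tag.split("}", 1)[1]
    policy = POLICY.get(op)
    if policy is None:
        raise Rejected(f"operation not advertised in WSDL: {op}")
    params = {}
    for part in call:
        if len(part) or part.attrib:       # parts are simple values, nothing nested
            raise Rejected(f"unexpected structure in part {part.tag}")
        params[part.tag] = part.text or ""
    if set(params) != set(policy):
        raise Rejected("parameter set does not match the WSDL message")
    for name, value in params.items():
        if not policy[name](value):
            raise Rejected(f"invalid value for {name}: {value!r}")
    return op, params


def handle(raw):
    """Accept or reject one request; every rejection is recorded as an alert."""
    try:
        op, params = inspect_request(raw)
    except Rejected as exc:
        ALERTS.append({"reason": str(exc), "bytes": len(raw), "sample": raw[:80]})
        return {"decision": "rejected", "reason": str(exc)}
    return {"decision": "accepted", "operation": op, "params": params}


def envelope(body_xml):
    """Wrap a constructed body in a SOAP 1.1 envelope (bytes, as received on the wire)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}'
            f'</soap:Body></soap:Envelope>').encode("utf-8")


# Constructed test messages: one legitimate order, three hostile ones.
GOOD = envelope('<sup:GetQuote xmlns:sup="urn:example:supplier">'
                '<material>cement blocks</material><quantity>500</quantity></sup:GetQuote>')
INJECTION = envelope('<sup:GetQuote xmlns:sup="urn:example:supplier">'
                     "<material>cement' OR '1'='1</material><quantity>500</quantity></sup:GetQuote>")
UNKNOWN_OP = envelope('<sup:DeleteAllOrders xmlns:sup="urn:example:supplier"/>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
        + envelope('<sup:GetQuote xmlns:sup="urn:example:supplier">'
                   '<material>&b;</material><quantity>500</quantity></sup:GetQuote>'))

if __name__ == "__main__":
    for msg in (GOOD, INJECTION, UNKNOWN_OP, BOMB):
        print(handle(msg))
    print(ALERTS)
```

All four messages would pass a firewall and, sent over HTTPS with a valid client certificate, would pass authentication and encryption as well; only the content inspection tells the legitimate order from the three attacks.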