SAN MATEO, USA: Fortify Software Inc., the market leader in enterprise application security solutions for Business Software Assurance (BSA), unveils a technique for identifying the security implications of using common web services and service-oriented architecture (SOA) frameworks.
Fortify conducted a thorough study of the security of five popular frameworks and found critical security concerns with how the frameworks are commonly configured and used. As a result, Fortify built new capabilities into its product, Fortify 360, to identify these vulnerabilities using source code analysis on a code base and dynamic security testing on a running application. These new capabilities have been made available to all Fortify customers.
Brian Chess, Co-founder and Chief Scientist at Fortify Software, said: "To date, very few companies have been able to check for SOA-specific vulnerabilities in an easy and automated fashion. Because there hasn't been a solution to support finding SOA-specific vulnerabilities, most deployments out there are probably vulnerable."
Fortify's research revealed that certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1 and Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF), can lead to weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities.
In addition, applications that have been secured for web attacks may still be insecure to attacks through SOA. To be clear, the frameworks themselves are secure, but they have to be appropriately configured and used in order to avoid serious security issues.
Gunnar Peterson, an internationally recognized expert on SOA and Web services, said: "Service-Oriented Architecture represents a significant shift in how business applications are designed, developed and implemented. Companies are taking advantage of these new technologies at a rapid rate. According to Gartner, 'SOA was used, to some extent, in more than 50 percent of large, new applications and business processes designed in 2007. By 2010, we expect that more than 80 percent of large, new systems will use SOA for at least some aspect of their design.'"
However, when used incorrectly, SOA can introduce numerous security issues, increasing the risk of an incident occurring. Thomas Erl, internationally recognized expert on SOA and author of numerous books on the subject writes, "Because SOA offers the potential to create sophisticated and complex composite solutions, agnostic services can be subjected to a variety of different usage scenarios, each of which can introduce unique security risks and requirements. In order to design effective service compositions therefore requires that services be prepared for a range of security challenges."
Jeremy Epstein, SOA expert and consultant, said: "As SOA gets rolled out in large organisations, it's critical that they realize security means more than just firewalls and SSL. Software security, such as the techniques developed and implemented in the Fortify product, is mandatory to protect critical business data and processes, especially in SOA implementations."
Fortify enables a company to search for these SOA-specific vulnerabilities statically and dynamically. Statically, the Fortify 360 Source Code Analyzer will scan a code base and automatically identify these types of vulnerabilities. Dynamically, the Fortify 360 Program Trace Analyzer and Real-Time Analyzer can identify these vulnerabilities in a running application.