It was notable to see that Fortify has begun to address the vastly underserved SOA security space. Fortify said it conducted research on the five most popular SOA frameworks -- Apache Axis, Apache Axis 2, IBM WebSphere 6.1, Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF) -- and concluded that certain configurations of each of these frameworks can lead to weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities. In addition, applications that have been secured for Web attacks may still be insecure to attacks through SOA.
Fortify said the frameworks themselves are secure, but they have to be appropriately configured and used in order to avoid serious security issues. "To date, very few companies have been able to check for SOA-specific vulnerabilities in an easy and automated fashion," says Brian. "Because there hasn't been a solution to support finding SOA-specific vulnerabilities, most deployments out there are probably vulnerable."
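The replay weakness mentioned above comes from accepting a signed message more than once, and the usual WS-Security countermeasure is a signed timestamp plus a nonce the receiver remembers. The following is an added example (not Fortify's code and not part of Axis, WebSphere, WSE or WCF) of that server-side check in Python using only the standard library. It assumes the client places a `wsu:Timestamp/wsu:Created` and a `wsse:UsernameToken/wsse:Nonce` in the security header; signature verification, which must cover both elements for the check to mean anything, is out of scope here.

```python
"""Replay check for a WS-Security-protected SOAP request (added example).

Assumptions (not from the original post): the client sends a wsu:Timestamp
and a wsse:Nonce, both covered by its signature, and the server keeps a cache
of nonces seen inside the acceptance window.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard WS-Security 1.0 / SOAP 1.1 namespaces.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample request; the operation name and user are made up.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Nonce>{nonce}</wsse:Nonce>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getBalance/></soap:Body>
</soap:Envelope>"""


def build_request(created, nonce):
    """Render the constructed sample with a given creation time and nonce."""
    return SAMPLE.format(created=created.strftime("%Y-%m-%dT%H:%M:%SZ"),
                         nonce=nonce, **NS)


class ReplayGuard:
    """Rejects messages whose timestamp is stale or whose nonce was already seen."""

    def __init__(self, window_seconds=300):
        self.window = timedelta(seconds=window_seconds)
        self._seen = {}  # nonce -> time after which it can be forgotten

    def check(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        created_el = root.find("./soap:Header/wsse:Security/wsu:Timestamp/wsu:Created", NS)
        nonce_el = root.find("./soap:Header/wsse:Security/wsse:UsernameToken/wsse:Nonce", NS)
        if created_el is None or nonce_el is None:
            return False, "missing Timestamp or Nonce"
        created = datetime.fromisoformat(created_el.text.strip().replace("Z", "+00:00"))
        # Freshness: anything outside the window is refused, so the nonce
        # cache only ever needs to cover one window's worth of traffic.
        if abs(now - created) > self.window:
            return False, "timestamp outside acceptance window"
        for old_nonce, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[old_nonce]
        nonce = nonce_el.text.strip()
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        self._seen[nonce] = now + self.window
        return True, "ok"


def demo():
    """Four deliveries: fresh, replayed, stale, and fresh with a new nonce."""
    guard = ReplayGuard(window_seconds=300)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    first = build_request(now, "n0nce-1")
    return [
        guard.check(first, now)[0],                                         # accepted
        guard.check(first, now + timedelta(seconds=10))[0],                 # replay
        guard.check(build_request(now - timedelta(hours=1), "n0nce-2"), now)[0],  # stale
        guard.check(build_request(now, "n0nce-3"), now)[0],                 # accepted
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

The window is the tuning knob: too wide and the nonce cache grows with traffic, too narrow and ordinary clock skew between client and server causes legitimate rejections. Whatever value is chosen, the timestamp and nonce must be inside the signed region, otherwise an attacker can simply rewrite them on a captured message.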
Brian Chess is co-founder and chief scientist at Fortify Software, which applies enterprise-strength fixes against the range of security vulnerabilities that are the bane of our digital age. Brian Rothman recently posted an interview here at the ebizQ site with Brian on the topic of source code analysis.
Other security experts also weighed in on the security challenges faced with SOA as part of the Fortify announcement: "Service-oriented architecture represents a significant shift in how business applications are designed, developed and implemented," says Gunnar Peterson, an internationally recognized expert on SOA and Web services. "Companies are taking advantage of these new technologies at a rapid rate. According to Gartner, 'SOA was used, to some extent, in more than 50% of large, new applications and business processes designed in 2007. By 2010, we expect that more than 80% of large, new systems will use SOA for at least some aspect of their design.'"
However, when used incorrectly, SOA can introduce numerous security issues, increasing the risk of an incident occurring. Thomas Erl, internationally recognized expert on SOA and author of numerous books on the subject, writes, "Because SOA offers the potential to create sophisticated and complex composite solutions, agnostic services can be subjected to a variety of different usage scenarios, each of which can introduce unique security risks and requirements. In order to design effective service compositions therefore requires that services be prepared for a range of security challenges."
A new class of tools such as Fortify's need to be able to detect XPath Injection, XML Injection, weak XML schemas, and poorly configured uses of WS-Security in SOA frameworks. Tools need to be able to detect input from Web service entry points, specifically, input from Apache Axis, Apache Axis 2, Apache Axiom, SOAP envelopes, and XML RPC calls.
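The XML injection case listed above is easiest to see with a vulnerable builder next to a hardened one. The following is an added example, not code from Fortify or from any of the frameworks named in the post; the `createUser` operation, its element names and the hostile input are constructed for the demonstration. It uses the Python standard library so it runs offline.

```python
"""XML injection into a SOAP body: string splicing versus an XML serializer.

Added example; the service, element names and sample input are constructed
and do not come from the original post or any named framework.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_unsafe(username):
    """Vulnerable: caller-controlled text is spliced straight into markup."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f"<createUser><name>{username}</name><role>user</role></createUser>"
        "</soap:Body></soap:Envelope>"
    )


def build_safe(username):
    """Hardened: the serializer escapes <, > and & in text nodes, so the
    input can never close <name> or open a sibling element."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, "createUser")
    ET.SubElement(req, "name").text = username
    ET.SubElement(req, "role").text = "user"
    return ET.tostring(env, encoding="unicode")


def roles_in(envelope_xml):
    """What the receiving service sees: every <role> in the request."""
    root = ET.fromstring(envelope_xml)
    return [r.text for r in root.iter("role")]


def names_in(envelope_xml):
    root = ET.fromstring(envelope_xml)
    return [n.text for n in root.iter("name")]


# Constructed hostile input that closes <name> and adds its own <role>.
PAYLOAD = "bob</name><role>admin</role><name>"


def demo():
    """Show how each builder presents the same input to the service."""
    return {
        "unsafe_roles": roles_in(build_unsafe(PAYLOAD)),   # ['admin', 'user']
        "safe_roles": roles_in(build_safe(PAYLOAD)),       # ['user']
        "safe_name": names_in(build_safe(PAYLOAD)),        # the literal string
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe builder still produces well-formed XML, which is exactly why schema validation alone does not catch it; the receiver would need a schema strict enough to reject a second `<role>` or a `<name>` before it. Building the envelope through the serializer removes the problem at the source, and the same applies to XPath queries: compose them from parameters (or validate the value against a strict allow-list) rather than by concatenating request data into the expression.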
____________________________________________________________________
Hi, I'm doing a project in SOA security ...
I need a framework for SOA network security ....
And if there is any problem regarding this topic, send me a mail ....
See you...
Thanks, regards,
devanathan
Good and wise people can secure many. If you are building for SOA, this is a great job! Congratulations! Business alarm systems are one way to promote security in the 'real moving world'... but with online matters... it's a challenging task.