• Enabling Business Agility and Reuse
  • Governing the Infrastructure
  • Improving Business Processes
  • Leveraging Information and Intelligence
  • Leveraging the Connected Web
  • Securing Enterprise Applications
  • Supporting Industry Solutions

Legacy Integration Syndicate This

Protecting Your Web Services Deployment

By Andre Yee, CTO, NFR Security , 07/19/2004

Print this article Email this article Talk Back! Write to Editor

It is widely acknowledged that security remains a key limiting factor in the broad adoption of Web services. In fact, I wrote about the challenge of Web services security in a prior ebizQ column. That article discussed trust issues between SOAP message consumers and producers, especially in a multi-point routing scenario. However, little has been written about the need to protect Web services deployments from hacker attacks.

Yet, as Web services integration becomes integral to core business processes, protecting Web services from such attacks will become more and more necessary. In this brief article, I want to highlight a couple of ways your Web services infrastructure may be compromised by hackers and what you can do to protect against these attacks.

XML Content-based Attacks

XML content-based attacks employ the technique of embedding malicious content within the XML document. This approach uses XML as a means of transmitting malicious code to the target host, as shown in Figure 1 below. This is akin to the way viruses and worms can sometimes be transmitted as part of an e-mail attachment.

By embedding malicious code within an XML document, the hacker can compromise the system through a number of common attack methods such as buffer overflows, SQL injections and command tampering.

Denial-of-Service (DoS) Attacks on XML Processors/Parsers

DoS attacks targeting Web services will often focus on exploiting poorly written XML processors or parsers. One attack method exploits a poorly written XML processor by having it handle a legitimate but exceedingly large XML document. In some cases, the XML processor will ultimately exhaust host system resources while attempting to handle the document, leading to a host DoS scenario.

A second attack method commonly known as "coercive parsing" exploits XML's document model support for nesting. The idea is to provide a deeply nested or recursively nested XML document such that the XML parser will fail. In each of these cases, the assumption is that many XML processors or parsers are written without taking into account the need to calibrate an upper limit to processing parameters or resource consumption.

Mitigating the Threat

Armed with a basic awareness of how Web services architectures can be compromised, what can we actually mitigate against these and other threats? Here are three basic steps you can take to immediately protect your Web services deployment:

  • Keep Patches Current: Just as with any operating system service, applying the latest patches related to Web services will minimize exposure to known vulnerabilities. An example of how Web services vulnerabilities can potentially have a pervasive effect is a SOAP vulnerability discovered earlier this year in Oracle 9i application server. Failure to apply the appropriate patch offered by Oracle would leave your Oracle 9i application server vulnerable to a DoS attack.
  • Invest in the Right Security Tools: Network security devices are often inadequate for securing Web services. Providing Web services protection coverage requires that firewalls or intrusion prevention systems (IPS) have the following attributes: First, tools must be effective at monitoring port 80 traffic since SOAP over HTTP is still widely implemented. Second, they must be able to perform full application layer inspection including the inspection of payload. These tools must be "XML-aware" or be customized as such through a scripting language. Many "traditional" tools fall short here because they only perform rudimentary application layer inspection or cannot be customized to handle XML documents. Finally, it is preferable for security tools to be managed by a common security console in order to reduce the management overhead. Specialized XML firewalls include products from Vordel and Reactivity. Products from "traditional" vendors worthy of consideration include Netcontinuum, Teros and NFR Security.
  • Perform Regular Security Audits: Security auditing should be conducted on a regular basis, preferably by a third-party security consulting company. The security audit should include vulnerability assessment, penetration testing, load testing and if possible, code reviews of in-house custom code. Especially when a Web service integration facilitates cross-enterprise transactions with partners, the additional benefit of being "certified" by an external reviewer will mitigate business and legal concerns regarding the security of the system.

1

Our Popular Webinars

Insurance: Discovering the Missing Link of Business Architecture

SOA Infrastructure for Any Economic Climate

Mobilizing the Enterprise: Using RIA and SaaS to Do More with Less

Adapt with Agility - Web 2.0 in your Application Infrastructure

Open Source SOA and the Management Challenge: The ROI and Reliability of Open Source Composite Applications

More Webinars

More Top Stories

Workflow and Integration Meet in the Middle With BPM Convergence Gold Club Protected

Federated Event Systems: The Event Web Gold Club Protected

What Microsoft Gains (and Faces) With Yahoo! Gold Club Protected

Progress Software Adds Web Services Management to Sonic With Actional Buy Gold Club Protected

Three New Trends in IT Governance Gold Club Protected

Web Services Distributed Management Passes Test Gold Club Protected

More Top StoriesTopic Archive

Related News

Amazon Web Services Releases SimpleDB to Public Review

SOA Supports SunGard's Latest Cloud Offering

Clerity Aims to Expose Mainframe Assets as SOA Assets

More News

  • ebizQ Update
  • Contribute

Please pardon our appearance while we work out the remaining kinks of our new site. If you happen to find a bug, please let us know at support@ebizq.net

ebizQ is very interested in what you have to say. To contribute an article, an opinion, or to become a blogger, please contact Peter Schooff.

  • Virtual Conferences
  • Webinars
  • Roundtables

SOA In Action

Nov 19, 2008

This conference will teach business leaders what to expect, and what to avoid, to make their SOA journey a success. SOA is a long journey, not a single project, and distributed architectures are inherently complex. Success requires new ways of working, creating more efficient cross organization processes, adopting new tools, and building new skills.Register

View All Virtual Conferences

Create a Center of Excellence in SOA Governance

Date: Dec 02, 2008
Time: 12:00 PM ET- (17:00 GMT)

REGISTER TODAY!

Next-Generation BI

Date: Dec 03, 2008
Time: 12:00 PM ET- (17:00 GMT)

REGISTER TODAY!
View All Webinars

Insurance: Discovering the Missing Link of Business Architecture


Date:Jan 14, 2009

Time:12:00 PM ET- (17:00 GMT)

REGISTER TODAY!
View All Roundtables
  • White Papers
  • Podcasts
  • Blogs

The Forrester Wave: Business Process Management for Document Processes

Read this Forrester report to see how vendors stack up regarding business process management. Forrester evaluated eight business process management...

Download Now

ebizQ also recommends

Dennis Byron: Revisiting Bill Miller of XAware, Open Source Data Integration Software

Almost a year after their first chat, XAware founder and CTO Bill Miller gives Dennis Byron an update on what's going on this year at XAware and how that "open source thing" is working out.

Listen Now

The Acceleration of SOA: iTKO Explains

Listen to Peter Schooff's podcast with Jason English, VP of Corporate Marketing for iTKO, where they offer a quick preview of ebizQ's upcoming SOA in Action Virtual Conference on Nov. 19.

Listen Now

Heading Off SOA Disillusionment With Progress

David Bressler provides Progress Software's customers and field teams with the expertise and experience to deliver SOA. In this podcast, Bressler gives an excellent introduction to ebizQ's Nov. 19 SOA in Action Virtual Conference, where he'll be a featured speaker.

Listen Now

Dennis Byron: VP of IONA/Progress Larry Alston on Functionality in OSS

Hear Larry Alston's unique perspective on the open source development model and how IONA is adopting a "functionality rules" open-source-as-a-tactic theme now that Iona is part of Progress.

Listen Now

Mike Rothman: Understanding Web 2.0 Attacks

In this podcast, Rothman flies solo and rants about Web 2.0 attack vectors, providing a primer on the types of attacks you're likely to see from social networks. Rothman also gives himself the "free association" treatment, discussing topics like Facebook and the impact of Web 2.0 on PCI.rnrnListen to or download the 11:39 minute podcast below:

Listen Now

Featured ebizQ Blog: SOA-Integration Industry Pulse

Most Recent ebizQ Blog Entries

More Blogs
  • Most Read
  • Most Discussed
  • Quick Guide

Building The Instantly Responsive Enterprise

Integrating BPM and CEP gives you intelligent business processes that can react to rapidly changing business conditions with continuous visibility. Learn More

Enterprise Linkage: New Change Management

Insurers need to think about creating "true linkage," which means linking business strategy to process to IT investments and thereby setting the foundation for true change. Learn More

The Invisible Hand of BI

To be effective, business intelligence technology must work behind the scenes to deliver relevant information when, where, and how it's needed. Learn More

Quick Guide: What is Enterprise 2.0?

A lot of people are talking about Enterprise 2.0 as being the business application of Web 2.0 technology. However, there's still some debate on exactly what this technology entails, how it applies to today's business models, and which components bring true value. Some use the term Enterprise 2.0 exclusively to describe the use of social networking technologies in the enterprise, while others use it to describe a web economy platform, or the technological framework behind such a platform. Still others say that Enterprise 2.0 is all of these things. Learn More

Quick Guide: What is BPM?

Learn More

Quick Guide: What is Event Processing?

Smart event processing can help your company run smarter and faster. This comprehensive guide helps you research the basics of complex event processing (CEP) and learn how to get started on the right foot with your CEP project using EDA, RFID, SOA, SCADA and other relevant technologies. Learn More

Product Spotlight

As you may know, technology is only part of an overall SOA governance solution. It is sometimes difficult to ensure visibility into all SOA assets and their relationships, end-to-end governance throughout the lifecycle of SOA assets, and analytics to help ensure organizations are reaping the rewards of their SOA investments. Download this spotlight report to review a solution to governing your SOA.

The Forrester Wave: Business Process Management for Document Processes

Read this Forrester report to see how vendors stack up regarding business process management. Forrester evaluated eight business process management suite (BPMS) suppliers best suited and most experienced for document-intensive processes across approximately 150 criteria. Download this paper to find out which BPM tools are right for your business.

Community Managers

David S. Linthicum

One of the founding fathers of modern distributed computing, David Linthicum is Community Manager for Information and Intelligence. This community covers BI, operational BI, MDM, and EII, among other topics.

Read David S. Linthicum's Blog
David S. Linthicum's Features:
Read More »

Peter Schooff

Peter Schooff is Managing Editor at ebizQ. Peter is also a popular blogger in the IT Security space, where he keeps an eye on security trends critical to protecting applications and locking down identities.

Read Peter Schooff's Blog
Peter Schooff's Features:
Read More »

Ronan Bradley

Financial services expert Ronan Bradley is Community Manager for Financial Services covering banking and capital markets.

Read Ronan Bradley's Blog
Ronan Bradley's Features:
Read More »

Joe McKendrick

Author and consultant Joe McKendrick is Community Manager for Enabling Business Agility and Reuse . This community focuses on SOA, EDA/CEP, ESB, Open Source, Event Processing, Web Services, Application and Web Servers, and Legacy Integration, among other topics.

Read Joe McKendrick's Blog
Joe McKendrick's Features:
Read More »

Deborah Smallwood

Top insurance industry advisors Deborah Smallwood and Cindy Maike are the Insurance Community Managers. Their focus is on transforming insurance companies into agile, business-driven enterprises where IT enables business value.

Read Deborah Smallwood's Blog
Deborah Smallwood's Features:
Read More »

David A. Kelly

With twenty years on the cutting edge of enterprise infrastructure, David A. Kelly is Community Manager for Governing the Infrastructure. This category includes IT governance, SOA governance, and compliance, risk management, ITIL, business service management, registries and more.

Read David A. Kelly's Blog
David A. Kelly's Features:
Read More »

View All Community Managers