News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 7/1/2009 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

A knockout blow for Borland?
MicroFocus has upped its offer for Borland Software to $1.50, hoping to chase off a mystery suitor also pursuing the ALM vendor.
07/06/2009 12:26 PM EST

Is the mystery Borland suitor Serena?
Borland software is considering an offer from another company after a preliminary deal with MicroFocus. Is Serena the new company?
06/30/2009 01:55 PM EST

Windows 7 - An eBayer's dream product?
Windows 7 pre-orders can make people money on eBay.
06/29/2009 03:48 PM EST

Microsoft Worldwide Partner Conf.
7/13/2009 to 7/16/2009
New Orleans
Microsoft

OSCON (Open Source Convention)
7/20/2009 to 7/24/2009
San Jose
O'Reilly Media

XBRL Technology Workshop & Summit
7/28/2009 to 7/30/2009
Santa Clara
XBRL US

ACM SIGGRAPH
8/3/2009 to 8/7/2009
New Orleans
ACM SIGGRAPH

OpenSource World (formerly LinuxWorld)
8/12/2009 to 8/13/2009
San Francisco
IDG World Expo

HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE JOB BOARD EVENTS CALENDAR ADVERTISING REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON PRIVACY POLICY CONTACT US

Printable version

HOME >> SPECIAL REPORTS

Most Read Latest News Blog Resources

Kapow automates website data retrieval
Kapow Technology's Web Data Server 7.0 can be used to create modules that navigate through...

Telerik looks to boost 3D for Silverlight
In a new release of its RadControls component suite, the company introduced a 3D charting ...

Oracle's Fusion 11g lays groundwork for ERP platform
Fusion's components are standards-based and integrated, but some abilities are lost if non...

Zoho implements Twitter-like project management
An update to Zoho Projects brings a new project dashboard and the ability to import from M...

Telerik looks to boost 3D for Silverlight
In a new release of its RadControls component suite, the company introduced a 3D charting ...

Oracle's Fusion 11g lays groundwork for ERP platform
Fusion's components are standards-based and integrated, but some abilities are lost if non...

A knockout blow for Borland?
MicroFocus has upped its offer for Borland Software to $1.50, hoping to chase off a mystery suitor also pursuing the ALM vendor.

Is the mystery Borland suitor Serena?
Borland software is considering an offer from another company after a preliminary deal with MicroFocus. Is Serena the new company?

Windows 7 - An eBayer's dream product?
Windows 7 pre-orders can make people money on eBay.

“Smart” Software Compiles for Fast Continuous Integration So you’ve decided to pursue a more agile approach to software development and are now face...

Enterprise Continuous Integration Maturity Model Five levels, from Introductory to Novice, Intermediate, Advanced and Insane – it sounds li...

Lower Development Costs Without Staff Reductions or Outsourcing This white paper describes typical reactions to falling budgets and common problems they c...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

'AnyoneCould Change Anything'

Access overlooked as call center app wrapped as service

By Jennifer deJong

January 15, 2008 —

It was a good idea: Get partners to process their own orders on the Web instead of doing the job for them. But when the small firm that provides shipping services for wineries embarked on its first SOA project, the application was nearly derailed by a serious security oversight.

“A horrific vulnerability showed up in the first hour of testing,” said Roger Thornton, co-founder and chief technology officer for application security tool maker Fortify. “Anyone connected to the system could change anything.”

The company, which Thornton did not name, did what many companies do: It took an existing call center application and “wrapped” it as a service. By SOA-enabling the application and making it available to its business-to-business customers—the wineries—the company sought to gain efficiencies. With its customers directly tied in, call center reps would no longer have to field orders that came in by fax and phone, typing in the who, what, when and where pertaining to wine shipments, said Thornton. “There were great business reasons to do [the project].”

But in its enthusiasm, the company failed to think through a crucial security issue: Who gets access to what information, and what changes are they authorized to make? As a result, it inadvertently authorized all of its customers to access and make changes to all account data on the system. In other words, they could view and update their own accounts, as well as those of all of the other customers.

Thornton said the security nightmare was a carryover from the application’s earlier incarnation, which allowed all call center reps to update all customer accounts. That level of access and authorization made sense for an application designed for internal use only, but not for one intended for outsiders, Thornton said. How did the company manage to overlook such a critical issue? “They implemented the application using the WS-Security family of standards,” Thornton said. “That gave them a false sense of security.”

WS-Security is important because it provides a standard way to implement security issues such as access control, authorization and encryption for Web services. But, of course, the standards don’t specify who should get access and update privileges, said Thornton. “So people think: ‘If I implement WS-Security, my system is secure.’”

Share this link: http://www.sdtimes.com/link/31653

Change Manager blends roles of DBAs, developers Embarcadero's first post-acquisition version of CodeGear's Change Manager aims to combine the activities of developers and database administrators. It can hold numerous schemas in memory and examine the effects of changes on the whole database, among other abilities.

Unified change management helps IT and developers Changes in a company's internal software can cause anxiety, so it is a sound idea to join together the schedules of both the development and IT sides. This, along with adhering to best practices and consistent training, can ease everyone's jobs.

News Briefs: February 1, 2009 TopCoder launches its annual TopCoder Open, Adobe creates the full version of its LiveCycle ES Developer Express, and former Red Hat COO Tim Buckley is named the executive chairman of the board of directors of rPath.

Add comment

Name*
Email*
Country

Comment
Preview

HOME SITE MAP CURRENT ISSUE BACK ISSUES SUBSCRIBER SERVICES ABOUT US CONTACT US BZ MEDIA

'Anyone&#133;Could Change Anything'

Access overlooked as call center app wrapped as service

By Jennifer deJong

Related Articles

Add comment

'AnyoneCould Change Anything'