HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> SPECIAL REPORTS

Most Read Latest News Blog Resources

Does Windows cost Microsoft opportunities?
Microsoft's decision to focus .NET on Windows is stifling innovation due to the specter of...

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

Maven Studio for Eclipse gets developers up to speed
Sonatype tool simplifies onboarding by giving developers a way to easily deploy fully conf...

nVidia updates CUDA tools
Latest version helps developers turn desktops and servers with high-end GPUs into more pow...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

'AnyoneCould Change Anything'

Access overlooked as call center app wrapped as service

By Jennifer deJong

January 15, 2008 —

It was a good idea: Get partners to process their own orders on the Web instead of doing the job for them. But when the small firm that provides shipping services for wineries embarked on its first SOA project, the application was nearly derailed by a serious security oversight.

“A horrific vulnerability showed up in the first hour of testing,” said Roger Thornton, co-founder and chief technology officer for application security tool maker Fortify. “Anyone connected to the system could change anything.”

The company, which Thornton did not name, did what many companies do: It took an existing call center application and “wrapped” it as a service. By SOA-enabling the application and making it available to its business-to-business customers—the wineries—the company sought to gain efficiencies. With its customers directly tied in, call center reps would no longer have to field orders that came in by fax and phone, typing in the who, what, when and where pertaining to wine shipments, said Thornton. “There were great business reasons to do [the project].”

But in its enthusiasm, the company failed to think through a crucial security issue: Who gets access to what information, and what changes are they authorized to make? As a result, it inadvertently authorized all of its customers to access and make changes to all account data on the system. In other words, they could view and update their own accounts, as well as those of all of the other customers.

Thornton said the security nightmare was a carryover from the application’s earlier incarnation, which allowed all call center reps to update all customer accounts. That level of access and authorization made sense for an application designed for internal use only, but not for one intended for outsiders, Thornton said. How did the company manage to overlook such a critical issue? “They implemented the application using the WS-Security family of standards,” Thornton said. “That gave them a false sense of security.”

WS-Security is important because it provides a standard way to implement security issues such as access control, authorization and encryption for Web services. But, of course, the standards don’t specify who should get access and update privileges, said Thornton. “So people think: ‘If I implement WS-Security, my system is secure.’”

Share this link: http://www.sdtimes.com/link/31653

Change Manager blends roles of DBAs, developers Embarcadero's first post-acquisition version of CodeGear's Change Manager aims to combine the activities of developers and database administrators. It can hold numerous schemas in memory and examine the effects of changes on the whole database, among other abilities.

Unified change management helps IT and developers Changes in a company's internal software can cause anxiety, so it is a sound idea to join together the schedules of both the development and IT sides. This, along with adhering to best practices and consistent training, can ease everyone's jobs.

AmberPoint Governance System searches for changes in app environments The company’s new SOA solution design provides visibility into all life-cycle stages by linking with other management systems

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST