HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> OPINIONS

Most Read Latest News Blog Resources

Does Windows cost Microsoft opportunities?
Microsoft's decision to focus .NET on Windows is stifling innovation due to the specter of...

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

OSBC focus turns to best practices for open-source adoption
Businesses are no longer asking why they should adopt, but how do they use open source leg...

Maven Studio for Eclipse gets developers up to speed
Sonatype tool simplifies onboarding by giving developers a way to easily deploy fully conf...

nVidia updates CUDA tools
Latest version helps developers turn desktops and servers with high-end GPUs into more pow...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Managing Web Service Security Risks

By Adam Kolawa

November 1, 2002 —

I worry that Web service security is much more critical and complicated than most people in the industry realize. Most of the current security discussions address identity authentication and message exchange privacy. These are undoubtedly critical security issues, but solving these problems will not guarantee security. In fact, I expect security to remain a huge menace even after these authentication and privacy issues are solved. Why? Because Web services' fundamental architecture opens the door for serious security breaches. Anyone who passes a Web service's first layer of defense not only can reach the parts of your application you made available, but also might be able to access and manipulate parts that you thought were private.

Web services' very nature allows users unprecedented access to the system's inner parts. While other types of applications have executables that act as a skin that covers and protects the application's inner functionality, Web services peel back this skin and actually expose the system's inner functionality to outside Web service clients. This is done by providing a public interface through which clients can invoke the service's methods. However, through this interface, clients can access and manipulate not only the exposed methods, but also any part of the application that can be accessed from the exposed methods.

If it's possible to wreak havoc on your system by executing methods anywhere within your Web service, you better be 100 percent certain that clients cannot reach these methods through the designated service entry points. Often, unexpected paths through an application provide clients access to areas that you thought were private. If the service is implemented in C or C++, these unexpected paths can stem from obvious sources such as buffer overwrites or general data corruption. However, even "safer" languages such as Java can be tricked into providing unexpected access to supposedly private methods.

While hackers can occasionally access the inner workings of a traditional application, it is markedly easier for hackers to do so with Web services, because Web services allow initial access into the application. If you have a traditional application, hackers trying to access the parts of the program you want to protect would have to do something comparable to picking the lock on your home's front door, then locating your private cash stash. With Web services, you hand the crook the key to the house and hope that he doesn't stumble upon something you don't want him to take.

At this point, it looks like your only feasible defense is to cut off access to private areas of the application by establishing security boundaries within the Web service. A solid security boundary will protect the private areas of the application like a vault protects the items locked within it-when you have such a boundary/vault, you can rest assured that whoever gains access to your service/house will not be able to touch the methods/items you are trying to protect. To ensure that your boundary is as secure as you think, you need to flood each exposed method with a wide variety of possible inputs, then verify that no possible inputs provide surprise bridges to "private" application areas.

Unless the industry develops an easy way to ensure Web service security, I fear that the security issues inherent in the very nature of Web services will make it difficult (though not impossible) to apply them in situations where security is of utmost importance. However, Web services can nevertheless be applied easily and profitably in many situations where security concerns are irrelevant. I predict that Web services will enjoy the most success and acceptance in the variety of possible implementations that do not involve security issues.

Adam Kolawa is chairman and CEO of Parasoft Corp.

Share this link: http://www.sdtimes.com/link/26833

IBM integrates Web application security Big Blue links WebSphere DataPower’s SOA Appliances with Tivoli Security Policy Manager to make security management easier.

RSA keynote: Lack of security in the cloud breeds distrust Experts say that until cloud security standards mature and are adopted more widely, adoption will be tepid

Fortify, HP give hybrid view of app security By correlating results of dynamic testing and static code analysis, Hybrid 2.0 offers improved vulnerability resolution

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST