LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
ASP.NET MVC 2 Ships
ASP.NET MVC 2 has shipped.
03/12/2010 10:26 AM EST

Microsoft plans 'open' Silverlight analytics framework
Microsoft is going to announce a multipurpose analytics framework for Silverlight at MIX.
03/11/2010 09:51 AM EST

About CSS processing
Two sites that lead to a startling CSS conclusion.
03/10/2010 02:29 AM EST

 

Events calendar tab
SHARE
3/14/2010 to 3/18/2010
Seattle, Wa.
SHARE

Cloud Connect
3/15/2010 to 3/18/2010
Santa Clara, Calif.
TechWeb

Microsoft MIX10
3/15/2010 to 3/17/2010
Las Vegas
Microsoft

SharePointPro Summit & Expo
3/16/2010 to 3/19/2010
Las Vegas
Penton Media

TheServerSide Java Symposium
3/17/2010 to 3/19/2010
Las Vegas
TechTarget


 
print Printable version 
Most Read Latest News Blog Resources
Even with its success, .NET causes some consternation
Despite its popularity, the developer community believes that .NET isn't being fully serve...

Appcelerator dev environment targets Android, iPhone
This unified development environment compiles JavaScript into Objective-C or Java, and wil...

Eclipse creates new sub-projects for Mylyn
The sub-projects are designed to help organizations adopt agile ALM, and they will also br...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

'Anyone…Could Change Anything'


Access overlooked as call center app wrapped as service

By Jennifer deJong
January 15, 2008 — 
It was a good idea: Get partners to process their own orders on the Web instead of doing the job for them. But when the small firm that provides shipping services for wineries embarked on its first SOA project, the application was nearly derailed by a serious security oversight.

“A horrific vulnerability showed up in the first hour of testing,” said Roger Thornton, co-founder and chief technology officer for application security tool maker Fortify. “Anyone connected to the system could change anything.”

The company, which Thornton did not name, did what many companies do: It took an existing call center application and “wrapped” it as a service. By SOA-enabling the application and making it available to its business-to-business customers—the wineries—the company sought to gain efficiencies. With its customers directly tied in, call center reps would no longer have to field orders that came in by fax and phone, typing in the who, what, when and where pertaining to wine shipments, said Thornton. “There were great business reasons to do [the project].”

But in its enthusiasm, the company failed to think through a crucial security issue: Who gets access to what information, and what changes are they authorized to make? As a result, it inadvertently authorized all of its customers to access and make changes to all account data on the system. In other words, they could view and update their own accounts, as well as those of all of the other customers.

Thornton said the security nightmare was a carryover from the application’s earlier incarnation, which allowed all call center reps to update all customer accounts. That level of access and authorization made sense for an application designed for internal use only, but not for one intended for outsiders, Thornton said. How did the company manage to overlook such a critical issue? “They implemented the application using the WS-Security family of standards,” Thornton said. “That gave them a false sense of security.”

WS-Security is important because it provides a standard way to implement security issues such as access control, authorization and encryption for Web services. But, of course, the standards don’t specify who should get access and update privileges, said Thornton. “So people think: ‘If I implement WS-Security, my system is secure.’”


Share this link: http://www.sdtimes.com/link/31653
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading