'Anyone…Could Change Anything'
Access overlooked as call center app wrapped as service
By Jennifer deJong
January 15, 2008 —
It was a good idea: Get partners to process their own orders on the Web instead of doing the job for them. But when the small firm that provides shipping services for wineries embarked on its first SOA project, the application was nearly derailed by a serious security oversight.
“A horrific vulnerability showed up in the first hour of testing,” said Roger Thornton, co-founder and chief technology officer for application security tool maker Fortify. “Anyone connected to the system could change anything.”
The company, which Thornton did not name, did what many companies do: It took an existing call center application and “wrapped” it as a service. By SOA-enabling the application and making it available to its business-to-business customers—the wineries—the company sought to gain efficiencies. With its customers directly tied in, call center reps would no longer have to field orders that came in by fax and phone, typing in the who, what, when and where pertaining to wine shipments, said Thornton. “There were great business reasons to do [the project].”
But in its enthusiasm, the company failed to think through a crucial security issue: Who gets access to what information, and what changes are they authorized to make? As a result, it inadvertently authorized all of its customers to access and make changes to all account data on the system. In other words, they could view and update their own accounts, as well as those of all of the other customers.
Thornton said the security nightmare was a carryover from the application’s earlier incarnation, which allowed all call center reps to update all customer accounts. That level of access and authorization made sense for an application designed for internal use only, but not for one intended for outsiders, Thornton said. How did the company manage to overlook such a critical issue? “They implemented the application using the WS-Security family of standards,” Thornton said. “That gave them a false sense of security.”
WS-Security is important because it provides a standard way to implement security issues such as access control, authorization and encryption for Web services. But, of course, the standards don’t specify who should get access and update privileges, said Thornton. “So people think: ‘If I implement WS-Security, my system is secure.’”
Share this link: http://sdt.bz/31653
Most Read Latest News Blog Resources
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|