XML Web Services & Security

Handy writes "Web Services (SOAP, .net, WSDL ^? , UDDI ^? ) create an even greater need for robust security. Exposed interfaces and fragmented administration coupled with a need for app-level security points to a greater need for a centralized managed security services model."

Duh...

[stoolpigeon]

This was an interesting read and I'm sure it is good info for tech managers- maybe if we keep hammering at them they will get it, but if you write code and you realize that we are connecting systems deeper and deeper - security becomes more and more of an issue. That seems to be a bit of a no brainer.

And all this talk of the computer is the network, and the future of tech and all this stuff - security is the linch pin to making it viable.

I think stability runs a very close second- especially as more critical systems become a part of this big electronic gestalt everyone dreams of- but if it is insecure, I know I wouldn't touch it w/a 10 ft. pole.

.

Confusing

[Dick+Click]

Good luck for anyone actually trying to implement a secure soap based app, what with the moving targets of XML Encryption, different ways to use XML Signatures, the need to incorporate WS Routing (and possibly WS-Security). I know these specs are likely to change soon.

"Paradigm" shift?

[sisukapalli1]

The drive to get business advantage from XML Web Services will cause turbulent times for IT managers. To successfully navigate these new issues, managers must change their mind set from "fragmented security systems focused on using network perimeter to shield closed business systems" to "consistent managed security systems focused on managing application level security for inherently distributed business systems".

Hmm... I know of a manager (very higher up), when asked about security implications of some assumptions in the design of a product (for web services), very confidently responsed, "They [customers] can always configure their firewall". *That* was the solution!

S

Maybe I'm missing something . . .

[MaxwellStreet]

I really don't know (flame gently if I'm being ignorant), but I'm hoping someone can explain this simply.

If https is secure... and xml/soap is http-based... what's the giant technical leap preventing https transmission of soap/xml packets?

Also, if you're doing business with say, a vendor of yours, what's stopping the both of you from encrypting the body of the soap messages on both sides by means of a PGP key or something?

I'm just curious as to why the issue seems to be reasonably solved with http web traffic, but isn't with SOAP...

Re:Maybe I'm missing something . . .

[swordfish666]

I stopped asking why 7 months ago when.

My Boss: "The company is alining its self with M$ and .NET?"
Silly Me: "Why? That's just silly talk."
My Boss: "It's the only way well get the M$/(NDA) Deal."
Silly Me: "Why? That's just silly talk."
My Boss: "Learn .NET or I'll find someone who will."
Silly ME: "OK."

1 month ago..
My Boss: "Everything has to be done via WebServices and SOAP but you can't rely on SSL for encryption."
Silly Me: "Why...OK"

I have spent the last 14 hours trying to read an XML file into memory, sign it, encrypt it and stick it in a SOAP envlope using C# then decrypt the message and check the signature. I'm half way there...

Re:Maybe I'm missing something . . .

[plumby]

The post that I was responding to was the one with the statements

You're talking about the wrong kind of security. Think "bugs" instead of "encryption".

and

The difference is that SOAP and other web services add the extra abstraction layer that offers one more place for the developer(s) to screw up. And it makes it one step harder for a sysadmin or developer to find problems.T

This was, as I understanding it, claiming that additional security risks were being introduced because of the extra complexity of using web services. I don't get how having a site offering a cgi-generated web page is in some way more secure than one offering the same thing via web services.

The statement The issue is that SOAP exposes backend functionality to the end-user (or end-developer). is disingenuous. All (useful) web sites offer backend functionality to the end user - what else are they there for? I'm currently making use of slashdots backend database by posting this message. A SOAP service does nothing more than offer the same service via a mechanism that is easy for another application, rather than another user, to talk to. Assuming that the interface is properly designed, it should expose precisely no more functionality, and create precisely no more security issues, than the equivilant cgi-generated page. What extra security holes would there be is slashdot offered a "post your comments" web service?

Secure web services was easy years ago.

The point of doing web services in XML across HTTP is that it is easy and can use established technologies. If you don't want anyone intercepting the message (channel-based security), that is what SSL is for and works trivially with any web server and client, and is built into Java.

Once you have a secure pipe, it doesn't take a genius to solve the additional security needs of 95% of the applications. Add a password here. Add a signature or message digest there. Do a calling card pattern. Most of what certain vendors are screaming for is huge overkill to highlight their own products that they would like to have people using instead of what is here today and works well.
These are the same people that kept RSA under restrictive patent for so many years. Just say no.

Rich DeMillo's article is much better

[Shirotae]

The article by Rich DeMillo (CNet news.com May 15, 2002) is much better. He gets to the underlying issue that we are patching up problems as they arise rather than paying any attention to understanding what we are really trying to achieve. In particular he says "The headlong rush to Web services is going to make things worse."

DeMillo has been around long enough to know what he is talking about, but I expect his wisdom to fall on deaf ears in today's instant gratification culture.