Slashdot Mirror


XML Web Services & Security

Handy writes "Web Services (SOAP, .net, WSDL, UDDI) create an even greater need for robust security. Exposed interfaces and fragmented administration coupled with a need for app-level security points to a greater need for a centralized managed security services model."

8 of 118 comments

  1. FLUFF, FLUFF, FLUFF by newt_sd · · Score: 5, Insightful

    Not only is this article not saying a single new thing about web application security, the site at the end of the link only has 4 articles on it. This smells of advertising for a new site? Now I am not one to wear a tinfoil hat but I smell a conspiracy going on with news that isn't really news!!

    --
    ***I GOT NUTHIN***
    1. Re:FLUFF, FLUFF, FLUFF by Target+Drone · · Score: 5, Informative
      This smells of advertising for a new site?
      You may be on to something. I tried doing a search on Google for "Westbridge Technology" (the people who wrote the article) to find out more about them. I only got 2 hits and a sponsored link to the Westbridge Technology home page. Westbridge Technology must be very new for the page not to show up in Google yet.

      A whois search also reveals that xwss.org and westbridgetech.com belong to the same people.

      And to top it all off Westbridge sells an XML message server. Just what you need to implement all the good stuff talked about in the article.

  2. Conflict of Interest? by floppy+ears · · Score: 5, Insightful

    The drive to get business advantage from XML Web Services will cause turbulent times for IT managers. To successfully navigate these new issues, managers must change their mindset from "fragmented security systems focused on using network perimeter to shield closed business systems" to "consistent managed security systems focused on managing application level security for inherently distributed business systems".

    This article was written by Kerry Champion, president, and Andy Yang, Senior Director of Product Management at Westbridge Technology, Inc., a provider of security and reliability infrastructure software for XML Web Services networks.

    I'm not saying I disagree with their conclusion, but you always have to be suspicious when somebody comes out with an article that concludes that to be successful you have to use their product/service or something like it.

    --

    "If I could live to be several hundred
    I could take a walk and really wander, really wonder."
  3. an important issue by tps12 · · Score: 4, Insightful

    I can't stress security enough. Too often we see the methodology of "write first, secure second."

    No no no no. I'm sorry, that just won't cut it in today's world of scam artists. We need to be building in security on the server side from the ground up.

    I am loath to resort to buzzwords, but "proactive" really describes just how I feel.

    At my company we have met this challenge head-on by deploying a full server force of Mandrake Linux coupled with Apache 2. Apache 2 picks up where the original left off, with the added features of clones referring to Stormtroopers (as opposed to the original modular system). I find that our server compromises have decreased ~70% since making the switch from an IIS server farm.

    I have also heard good things about BSD in regards to security and web apps. Great to see this finally getting the press it deserves.

    --

    Karma: Good (despite my invention of the Karma: sig)
  4. SOAP Security Issues by smallpaul · · Score: 5, Informative

    Here is my take. And here is Bruce Schneier's.

  5. SOAP = firewall bypass by irritating+environme · · Score: 5, Insightful

    I fail to see why SOAP exists except to bypass firewalls, since firewalls exist to restrict what calls/ports/protocols can be made in TCP/IP. What will happen in two years will be a "firewall" system for SOAP calls, followed two years later by a new protocol to bypass that security layer, billed in an exciting acronym. Repeat ad infinitum.

    --
    Hey, I'm just your average shit and piss factory.
  6. Maybe I'm missing something . . . by MaxwellStreet · · Score: 4, Interesting
    I really don't know (flame gently if I'm being ignorant), but I'm hoping someone can explain this simply.

    If https is secure... and xml/soap is http-based... what's the giant technical leap preventing https transmission of soap/xml packets?

    Also, if you're doing business with say, a vendor of yours, what's stopping the both of you from encrypting the body of the soap messages on both sides by means of a PGP key or something?

    I'm just curious as to why the issue seems to be reasonably solved with http web traffic, but isn't with SOAP...
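
    The difference the question above is circling is transport-level versus message-level protection: HTTPS protects one hop, and it ends wherever TLS is terminated (a load balancer, a gateway, the partner's own middleware), so anything that re-parses the envelope past that point sees and can change the Body. Message-level protection travels inside the envelope and can be checked by the final recipient regardless of how many hops the XML crossed. The following is an added illustration, not code from the article or the comment thread: it signs the SOAP Body with an HMAC carried in a SOAP Header, then shows the check surviving an intermediary that merely re-serialises the XML but failing when an intermediary edits the Body. The HMAC with a shared secret stands in for the PGP/WS-Security style signing the comment mentions; the order message, the `urn:example:*` namespaces and the key are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ORDERS_NS = "urn:example:orders"       # constructed application namespace
SIG_NS = "urn:example:body-hmac"       # constructed namespace for the integrity header
KEY = b"constructed-shared-secret"     # placeholder for a key agreed out of band

# Constructed sample request, as a client might send it to a vendor.
ORDER = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <PlaceOrder xmlns="{ORDERS_NS}">
      <Sku>WIDGET-42</Sku>
      <Quantity>10</Quantity>
    </PlaceOrder>
  </soap:Body>
</soap:Envelope>"""


def canonical(elem):
    """Deterministic text form of an element: tag in Clark notation, attributes
    sorted, whitespace-only text dropped, children in document order.
    Namespace prefixes are not part of this form, so a hop that re-serialises
    the XML with different prefixes does not change the digest."""
    attrs = "".join(f"@{k}={v}" for k, v in sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    kids = "".join(canonical(child) for child in elem)
    return f"<{elem.tag}{attrs}>{text}{kids}</{elem.tag}>"


def body_of(env):
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("envelope has no SOAP Body")
    return body


def body_mac(env, key):
    return hmac.new(key, canonical(body_of(env)).encode(), hashlib.sha256).hexdigest()


def sign_body(envelope_xml, key):
    """Return the envelope with an HMAC over the Body placed in the Header."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        env.insert(0, header)          # Header must precede Body in SOAP
    sig = ET.SubElement(header, f"{{{SIG_NS}}}BodyHMAC")
    sig.text = body_mac(env, key)
    return ET.tostring(env, encoding="unicode")


def verify_body(envelope_xml, key):
    """True only if the Header carries an HMAC that matches the Body as received."""
    env = ET.fromstring(envelope_xml)
    sig = env.find(f"{{{SOAP_NS}}}Header/{{{SIG_NS}}}BodyHMAC")
    if sig is None or not sig.text:
        return False                   # unsigned message: reject, do not assume benign
    return hmac.compare_digest(body_mac(env, key), sig.text.strip())


def relay(envelope_xml):
    """A hop after TLS termination that re-parses and re-serialises the message
    (new namespace prefixes, whitespace) without touching its content."""
    return ET.tostring(ET.fromstring(envelope_xml), encoding="unicode")


def tamper_in_transit(envelope_xml, quantity):
    """A hop that edits the Body; transport security alone would not reveal this."""
    env = ET.fromstring(envelope_xml)
    env.find(f".//{{{ORDERS_NS}}}Quantity").text = quantity
    return ET.tostring(env, encoding="unicode")


def demo():
    """Returns (verdict after an honest relay, verdict after Body tampering)."""
    signed = sign_body(ORDER, KEY)
    return verify_body(relay(signed), KEY), verify_body(tamper_in_transit(signed, "10000"), KEY)


if __name__ == "__main__":
    print(demo())                      # (True, False)
```

    The HMAC only proves integrity and origin between two parties who share the key; it gives no confidentiality (the Body is still readable at every hop) and no non-repudiation, which is where the asymmetric keys the comment suggests come in. The canonical form is deliberately simple; a production deployment would use the standard XML canonicalisation that WS-Security signatures rely on rather than a home-grown one.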

  7. You mean, like LDAP? by GOD_ALMIGHTY · · Score: 5, Insightful

    It amazes me how much directory services are overlooked, even for this one simple use.

    LDAP is made for doing centralized management. Be it user management or even configuration of services, it's built into every system and OpenLDAP is seriously robust. Just take the 10 minutes or whatever to figure out how to use LDAP and familiarize yourself with the most widely used schemas.

    Using LDAP schemas is like going to create a user table in a database and having the table definition laid out for you. Also all applications should be able to follow the structure. Voila, portable services for applications.

    Please, go familiarize yourself with LDAP. Not to mention SASL (RFC 2222) is meant as a system independent way of handling authentication and authorization. OpenLDAP, Cyrus IMAP and a number of other server apps handle SASL quite well, not to mention it's included in most distros.
    IIRC, the Java Authentication and Authorization APIs also deal with SASL quite well.

    The solutions to most of the problems that come up with 'Web Services' (a limited tool being forced on everything) have been solved by a simple trip to the IETF's RFC repository. Now you just need to use a language and environment that has libraries built for the RFCs. C or Java are your best bets, Perl comes in next, but I've found the libraries to be in various states of working, not something I'd bet my next project on.

    --
    Arrogance is Confidence which lacks integrity. -- me