Fortify warns of configuration weaknesses in SOA deployments


Security code review specialist Fortify Software has issued a warning about major configuration weaknesses affecting SOA (service-oriented architecture) deployments from IBM, Microsoft and Apache.

According to Fortify, certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1, Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF) can open doors to several classes of attacks -- weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities.

"In addition, applications that have been secured for Web attacks may still be insecure to attacks through SOA. To be clear, the frameworks themselves are secure, but they have to be appropriately configured and used in order to avoid serious security issues," Fortify said in a statement.

Separately, rival application security testing firm Veracode has announced a strategic investment and technology advancement agreement with In-Q-Tel, a deal that provides an entry for the Boston start-up to target government clients.


With the strategic investment, Veracode says it will accelerate specific research areas for governmental, commercial and open source applications to further enhance its subscription-based application security solutions.

Veracode's flagship SecurityReview service is based on static binary testing technology and Web scanning analysis that assesses application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection and buffer overflows, and malicious code such as hidden backdoors, without exposing a company's source code.


Talkback

1 comment
  • SOA Applications

    This is interesting and fits in well with what I have seen in the industry. More and more companies are looking towards log management and event management applications to monitor their SOA applications. These applications are quickly developed and span rapidly within organizations, making them susceptible to virus attacks and internal break-ins.
    -- Thierry
    tcosta