Security: standards aren't enough

Time to overhaul our ham-handed approach to Web services security.

A lot of people worry about the security of Web services transactions, and rightfully so. However, some experts are concerned that we're taking a ham-handed approach to Web services security, and worrying too much about the wrong types of threats. Such concern was voiced recently in a ZDNET commentary by Scott Morrison, director, architecture and security at Layer 7 Technologies.

"Web services expose higher-value transactions to attack, and therefore have a proportionately higher risk," he wrote. "Decoupling messages from the security measures 'baked in' to applications, platforms and transport protocols brings risk. We need to be aware of the dangers with the Web services model, and be concerned about the risks associated with deploying them, even within the relatively benign shores of our internal networks."

Morrison makes the point that we shouldn't waste time and resources worrying about individual hacker attacks aimed exclusively at our own systems. The real problems come from mass attacks that target every reachable server across the globe. He singles out three categories. API attacks, including attacks carried in attachments (the biggest overlooked area), attempt to crash applications or exploit them directly for malicious purposes. Infrastructure attacks, including parser attacks that exploit well-documented weaknesses in Web services platforms, aim to deny access to services or paralyze the infrastructure. Transaction attacks insert bogus transactions or suppress legitimate ones.

Web services security standards help, but only so far, Morrison adds. The OASIS Web Services Security (WSS) model "provides a framework to implement message-based security that can defend against a number of well-known attacks. But it describes a means to secure messages; it doesn't necessarily tell you how to do it. Similarly, WS-I Basic Security Profile constrains and disambiguates OASIS WSS for the purposes of promoting interoperability, but it doesn't explicitly tell you how to make your messages secure."
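To make the threat classes above concrete, and to show what the timestamp and nonce elements that WS-Security puts in the message header actually buy you, here is an added Python example of the checks an XML gateway would apply to an inbound SOAP message. It is illustrative code written for this page, not code from Morrison, Layer 7 Technologies or any WSS implementation. The size, depth and clock-skew limits (MAX_BYTES, MAX_DEPTH, CLOCK_SKEW), the envelope builder and the "billion laughs" payload are all constructed here; it does not verify signatures or tokens, which is where the WSS framework's real strength lies.

```python
"""Gateway-style checks on an inbound SOAP message (added illustration).

Covers the three threat classes from the text: oversized / attachment payloads,
parser attacks (DTD entity expansion), and transaction replay. It is not a
WS-Security implementation: nothing here verifies signatures or tokens.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy limits; a real gateway would set these per service.
MAX_BYTES = 1_000_000
MAX_DEPTH = 32
CLOCK_SKEW = timedelta(minutes=5)

# Namespace URIs from SOAP 1.1 and OASIS WSS 1.0, in ElementTree's {uri}local form.
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"


@dataclass
class Verdict:
    accepted: bool
    reason: str


def _depth(root) -> int:
    """Maximum nesting depth, computed iteratively so a hostile document cannot
    blow the recursion limit of the checker itself."""
    deepest, stack = 0, [(root, 1)]
    while stack:
        elem, level = stack.pop()
        deepest = max(deepest, level)
        stack.extend((child, level + 1) for child in elem)
    return deepest


def check_message(raw: bytes, now: datetime, seen_nonces: set) -> Verdict:
    """Return a Verdict for one message; seen_nonces is the caller's replay cache."""
    # Attachment / API abuse: refuse oversized payloads before touching a parser.
    if len(raw) > MAX_BYTES:
        return Verdict(False, "message exceeds size limit")
    # Parser attacks: refuse any DTD outright. Entity declarations are how
    # "billion laughs" expansion and external-entity fetches get in, and no
    # SOAP envelope needs one (SOAP 1.1 forbids a DOCTYPE in a message).
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return Verdict(False, "DTD / entity declarations not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return Verdict(False, f"malformed XML: {exc}")
    if _depth(root) > MAX_DEPTH:
        return Verdict(False, "nesting too deep")
    # Transaction attacks: a captured message replayed later must fail on either
    # its stale wsu:Created timestamp or its already-seen wsse:Nonce.
    header = root.find(f"{SOAP}Header")
    security = header.find(f"{WSSE}Security") if header is not None else None
    if security is None:
        return Verdict(False, "missing wsse:Security header")
    created = security.findtext(f"{WSU}Timestamp/{WSU}Created")
    nonce = security.findtext(f".//{WSSE}Nonce")
    if created is None or nonce is None:
        return Verdict(False, "missing timestamp or nonce")
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return Verdict(False, "unparseable timestamp")
    if abs(now - created_at) > CLOCK_SKEW:
        return Verdict(False, "timestamp outside allowed skew")
    if nonce in seen_nonces:
        return Verdict(False, "replayed nonce")
    seen_nonces.add(nonce)  # recorded only after every other check passed
    return Verdict(True, "ok")


def soap_message(nonce: str, created: str, body: str = "<Ping/>") -> bytes:
    """Constructed sample envelope (not a captured message)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP[1:-1]}" xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Nonce>{nonce}</wsse:Nonce></wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body>{body}</soap:Body>
</soap:Envelope>""".encode()


# Constructed "billion laughs" envelope; three entity levels are enough to show the shape.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&lol3;</soap:Body></soap:Envelope>"""

NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    seen = set()
    good = soap_message("n1", "2024-01-01T12:00:01Z")
    print("fresh    :", check_message(good, NOW, seen))
    print("replayed :", check_message(good, NOW, seen))
    print("DTD      :", check_message(BILLION_LAUGHS, NOW, seen))
    print("stale    :", check_message(soap_message("n2", "2024-01-01T11:00:00Z"), NOW, seen))
    big = soap_message("n3", "2024-01-01T12:00:00Z", "<Attachment>" + "A" * 2_000_000 + "</Attachment>")
    print("oversized:", check_message(big, NOW, seen))
```

Two design points matter in practice. The DTD check runs on the raw bytes before any parser sees them, because the stdlib parser will happily expand internal entities; refusing the whole message is cheaper and safer than trying to bound the expansion. And the replay cache only needs to remember nonces for as long as CLOCK_SKEW allows a timestamp to be valid, which is what makes the timestamp and the nonce work as a pair rather than individually; without a signature over both, though, an attacker who can alter the message can simply mint a fresh pair, so this is a gateway sanity layer, not a substitute for the WSS signature.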

The key to effective security, Morrison argues, is a centralized, consistent, infrastructure-based approach, not an application-by-application one. Securing each application on its own undermines the very goal of SOA; as he observes, "this is the antithesis of loose coupling - the reason for adopting Web services and SOA in the first place - where a security model is baked into the code; it defeats the best attempts to compose future applications. Web services security needs to be drawn out of individual applications and managed centrally and declaratively."