Security's big picture: Trust in Web services?

Where does the real solution to enterprise security lie? Some suggest it could be in the golden egg much vaunted for everything from a B2B revolution to an economic recovery: Web services.

The picture is dire. Reported vulnerabilities were up 124 percent from 2000 to 2001, and recent problems have gotten more costly, too. The Melissa virus took four days to cause $400 million in damages in 1998, while Code Red only took a few hours to cause $2.62 billion in damages, according to statistics quoted by Andrew Briney, editor-in-chief of Information Security, who moderated a panel on the future of IT security at Comdex Monday.

Other speakers included Art Covellio, CEO of RSA Security; Gene Hodges, president of Network Associates; Dan MacDonald, vice president of Nokia Internet Communications; Tom Noonan, CEO of Internet Security Systems; Bruce Schneier, author of best-selling security books and CTO of Counterpane Systems; and John Weinschenk, VP of enterprise services group for Verisign. All were equally dismal on the prospects for keeping security in check.

"It's a philosophical change we need. We always thought we needed to make the network safe. We need to realize we can't do that," Schneier said. The panelists spoke about hopes for virtual patches, safer code, and overall, blamed the heuristic evolution of the Internet: Users scrambled to adopt the exciting new technology, implementing security pell-mell along the way as problems arose.

Specifically, the most maligned issue on the panel was the sheer size of Windows programs, and the impossibility of keeping up with patches. ".Net will be worse, because it will be bigger. Complexity is the enemy. That's why we're losing," Schneier added, provoking cheers and clapping whenever he criticized Microsoft's approach.

Bill Gates talked up Microsoft's big investments in Windows .Net Server in his keynote panel Sunday night. But aside from sending thousands of engineers off to safe-code boot camp (which has yet to show tangible results), what is Microsoft really doing to help? The company's contribution to Comdex security news was small. Mike Nash, vice president of Microsoft's Security Business Unit said that beginning this Wednesday, the company adds a fourth level to its rating system of vulnerabilities; instead of marking them low, moderate, and critical, some alerts will now also be marked "important"--indicating that they should be taken care of right away, but aren't exactly "critical." Both alerts will now create pop-up screens in the professional and consumer versions of Windows XP.

But that isn't going to make the problem of patches go away. "There are just too many patches. I get a letter with 20 or 30 of them a week. At least five or six would affect me. If I was a sys admin I would have to do one every day of the week. And you know [patches] always break stuff," said Schneier. "A lot of people talk about these vulnerabilities like they're the weather--inevitable. But they're mistakes," he said, bemoaning the lack of foresight developers have had in trying to create secure code.Is there anything the industry can do besides sit and await brilliance from graduates of Microsoft's safe-code boot camp?

The panelists had a few suggestions:

• "We need to speak more in real terms" said MacDonald. Differentiating worms from viruses, and using too much technical jargon is holding progress back.
• "We need to focus on the real criminals--not the hackers--the people trying to extort. We focus too much on the vandals," according to Schneier.
• "Awareness and understanding at a senior management level has to change," said Noonan. Though a shift has already occurred, and CEOs are being made more accountable, there's still a ways to go.
• "Everyone here has to do one thing: The next time you buy software, go after the vendor and ask what it has built in," suggested MacDonald.

But the most intriguing suggestion was that security's real savior may be in Web services, something that the panelists only hinted at. Web services will mark a paradigm shift in software, something that could allow programmers and vendors to rethink security from the ground up.

"Security is ready for that kind of Darwinian change," said Noonan. Panelists suggested the idea that the machine-to-machine communication enabled by Web services--especially when it reaches the "universal" level and extends to computers not just within an organization but beyond the firewall--will force huge changes in security.

"Think about it: You can write a program that skims a couple of bucks off every transaction. That's the real danger in Web services. It's going to be an inside job," said Noonan.

The discussion on specifics didn't go much further, because the panelists were embroiled in discussing whether Web services will take off before or after security issues are resolved. According to a study from Evans Data Corp., 98 percent of IT managers say they'll develop Web services-enabled applications by 2004. But according to a study by BEA Systems, 48 percent of those companies say unresolved security issues are keeping them from adopting Web services.

While most panelists agreed that security issues are indeed holding adoption back, MacDonald and Schneier predicted that Web services would take off regardless of perceived risk.

And judging from the amount of unauthorized SOAP traffic that's already going on inside corporate networks, they just might be right. Companies need to put the brakes on Web services and take a long, hard look at how to build in safety--otherwise, we may indeed be depending on graduates from Microsoft's school of Web services safety a few years down the line.

Is it too late to think through security for Web services? TalkBack below or e-mail us.