Web services are almost irresistible. Every popular IDE makes them easy to build -- to unlock the data and business logic in legacy systems, to provision common functions that can be shared across multiple platforms, or to provide partner organizations direct access to information or applications. And by their nature, Web services helpfully describe themselves, allowing one system to find and interact with another with little or no human intervention.
Yet the very virtues that make Web services compelling -- their use of trusted ports and protocols, their ease in exposing back-end systems, their eagerness to describe exactly what services are offered and how to get at them, and their use of multiple intermediaries -- also make them a potential windfall for criminals crossing an enterprise's perimeter.
"You're taking all of these systems that you would never put on the Internet -- you would never hook your mainframe up to a DSL line -- but now you're exposing all their functionality through a Web service, and if you're not thinking about security when you do that, you're also exposing all those vulnerabilities," says Alex Stamos, principal partner at iSec Partners, a security consulting company.
Few organizations have fully grasped the situation, in part because Web services technology is still relatively new. Even enterprises that are implementing an SOA (service-oriented architecture) -- which provides a framework for building, running, and managing services -- seldom recognize the new security risks. Ultimately, the recognition that we need to tackle Web services' vulnerabilities is part of a growing awareness that security must be addressed in the code of applications, not just through firewalls and gateways.
The limits of trust
Topping the long list of excuses for not locking down Web services is the mistaken belief that the applications they expose are known only to internal personnel or trusted partners, rather than the world at large.
For instance, a Web app developer at a bank that provides online credit card processing may assume the SOAP interface he just implemented is invisible to all but the handful of customers who received his instructions on how the new service works.
"That's not true," says iSec's Stamos, who has come up with a simple white-hat hacking tool he says is remarkably good at identifying the Web services that lurk behind IP addresses and figuring out how to use them without authorization. "In fact, they all have these systems built in to Web services to advertise their presence, and people don't understand how pervasive those systems are," he says. Stamos estimates that as many as 400 of the Fortune 500 companies have at least one b-to-b Web service. "Almost none of them are going to be completely secure," he warns.
Another common reason for vulnerabilities is the belief that security is the other guy's responsibility, says Paul Henry, vice president of technology evangelism at Secure Computing, which provides gateway devices to help secure Web services. "Unfortunately, you'll have a team that's working on the front-end software, and a separate team on the back end," he explains. "Both assume the other has taken care of security." What's more, enterprises tend to design Web service applications from scratch rather than buying them from vendors that have put them through rigorous testing.
Then there's the multi-hop problem. Web services frequently pass messages through several intermediaries before they reach their final destination, undercutting technologies such as SSL, which secures connections only across the open Internet.
"The idea that you don't know where your message is going to go actually causes a lot of issues with Web services," says Rafat Alvi, senior architect in the office of the CTO at Sun Microsystems.
The verbosity of Web services, which are designed to be self-describing and self-discovering, also presents a problem for security professionals, says Danny Allan, director of security research at Watchfire, a provider of Web application security assessment products. "Web services notoriously give way more information in them than is typically expected," he says.