Fortify Software Addresses Security Vulnerabilities in Web Services and SOA Configurations
Develops and provides capability to reduce security risks to customers
"To date, very few companies have been able to check for SOA-specific vulnerabilities in an easy and automated fashion," says Brian Chess, Co-founder and Chief Scientist at Fortify Software. "Because there hasn't been a solution to support finding SOA-specific vulnerabilities, most deployments out there are probably vulnerable."
Fortify's research revealed that certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1 and Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF), can lead to weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities. In addition, applications that have been secured for Web attacks may still be insecure to attacks through SOA. To be clear, the frameworks themselves are secure, but they have to be appropriately configured and used in order to avoid serious security issues.
"Service-Oriented Architecture represents a significant shift in how business applications are designed, developed and implemented," says Gunnar Peterson, an internationally recognized expert on SOA and Web services. "Companies are taking advantage of these new technologies at a rapid rate. According to Gartner, "SOA was used, to some extent, in more than 50% of large, new applications and business processes designed in 2007. By 2010, we expect that more than 80% of large, new systems will use SOA for at least some aspect of their design."
However, when used incorrectly, SOA can introduce numerous security issues, increasing the risk of an incident occurring. Thomas Erl, internationally recognized expert on SOA and author of numerous books on the subject writes, "Because SOA offers the potential to create sophisticated and complex composite solutions, agnostic services can be subjected to a variety of different usage scenarios, each of which can introduce unique security risks and requirements. In order to design effective service compositions therefore requires that services be prepared for a range of security challenges."
"As SOA gets rolled out in large organizations, it's critical that they realize security means more than just firewalls and SSL," says Jeremy Epstein, SOA expert and consultant. "Software security, such as the techniques developed and implemented in the Fortify product, is mandatory to protect critical business data and processes, especially in SOA implementations."
Fortify enables a company to search for these SOA-specific vulnerabilities statically and dynamically. Statically, the Fortify 360 Source Code Analyzer will scan a code base and automatically identify these types of vulnerabilities. Dynamically, the Fortify 360 Program Trace Analyzer and Real-Time Analyzer can identify these vulnerabilities in a running application. This new robust set of capabilities includes over 80 vulnerability categories related to SOA security issues and was distributed to every Fortify customer as part of Fortify's Second Quarter 2008 Rulepack release. Fortify's quarterly rulepacks are developed by its industry leading Security Research Group, an internal team of experts that investigate how real-world systems fail, and provides expertise and solutions to effectively identify and fix pressing security issues.
To learn more about the vulnerabilities in SOA frameworks, the specific challenges and risks they create for an organization and how to address them with Fortify 360, join Gunnar Peterson and Fortify Software on July 31st at 1PM EST. Register here: https://www.sans.org/webcasts/show.php?webcastid=91958
About SOA Specific Capabilities
This new rulepack release increases the power of Fortify 360:
- Allows Fortify 360 to detect XPath Injection, XML Injection, weak XML schemas, and poorly configured uses of WS-Security in Apache Axis, Apace Axis 2, IBM WebSphere, Microsoft .NET WCF, and Microsoft .NET WSE 3. Details of these new vulnerability categories can be found at http://www.fortify.com/vulncat.
- Expands Fortify 360's ability to detect input from web service entry points, specifically, input from Apache Axis, Apache Axis 2, Apache Axiom, SOAP envelopes, and XML RPC calls.
Fortify Software, Inc
Fortify®'s Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite-Fortify 360-drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.