A hacker’s dream?
I attended InfoSecurity in London this week – a huge show for companies involved in all aspects of information security.
Not something that seems to relate to SOA at first glance, but it turns out a number of vendors are waking up to a growing concern in SOA ranks – that web services may be a gift for hackers.
Apparently, the problem is all down to SOAP. Security companies produce loads of smart software and hardware that intercepts internet-based communications and looks for various types of threat signatures, for things like viruses, spyware, adware, trojans and general unwanted intrusions. These tools analyse traffic, but the problem is that few, if any, recognize the SOAP protocol today. So typically the SOAP packets are allowed through because the security software is blind to the information contained in them. On top of this, SOAP messages are often encrypted, making the problem even worse.
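To make the "blind to SOAP" point concrete, here is an added example (not from this post or any product mentioned in it) of the minimum a SOAP-aware inspection point would do: parse the envelope, identify the single operation in the Body, and fail closed unless that operation is on a per-service allow list. The service names, operation names, namespace `urn:example:orders` and the size bound are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Hypothetical policy for one exposed back-end service: which operations a
# caller may invoke, and a size bound so the inspector cannot be stalled by huge bodies.
ALLOWED_OPERATIONS = {"GetOrderStatus", "ListProducts"}
MAX_BYTES = 64 * 1024


def inspect_soap(raw: bytes) -> tuple[bool, str]:
    """Return (allowed, reason). Anything the inspector cannot understand is rejected."""
    if len(raw) > MAX_BYTES:
        return False, "body exceeds size limit"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "root element is not a SOAP 1.1 Envelope"
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        return False, "Envelope has no Body"
    children = list(body)
    if len(children) != 1:
        return False, f"expected exactly one operation in Body, found {len(children)}"
    op = children[0].tag.split("}")[-1]  # strip the service namespace, keep the local name
    if op not in ALLOWED_OPERATIONS:
        return False, f"operation {op!r} is not on the allow list"
    return True, f"operation {op!r} permitted"


# Constructed sample messages: one permitted call and one that must be blocked.
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:GetOrderStatus xmlns:m="urn:example:orders"><m:OrderId>42</m:OrderId></m:GetOrderStatus></soap:Body>
</soap:Envelope>"""

BAD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:DeleteAllOrders xmlns:m="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for msg in (GOOD, BAD):
        print(inspect_soap(msg))
```

When the Body is encrypted, this check has to run wherever plaintext exists, at the service endpoint or at a gateway that holds the decryption keys, because a packet-level device sees only ciphertext.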
This thought is proving to be quite disturbing to a number of major companies. The issue is that in an SOA, web services provide a neat way to make back-end applications accessible to other parts of the business, to partners or even to the outside world, and what is more, the back office is where a lot of highly confidential, mission-critical and sensitive information resides. So, if there is a way for someone to sneak in under the radar provided by network security tools, this represents a measurable risk that users feel must be addressed.
As far as I can see, there may be potential for exposure here, but I am hard pressed to think of a specific example of how this hole might be used maliciously. But then, there are a lot of extremely smart hackers out there who love a challenge! My view is that, regardless of how real this fear is, the first companies to come up with a solution to this perceived exposure will profit substantially based on a strong element of FUD (Fear, Uncertainty and Doubt). Perhaps what is needed is for the SOA and network security vendors to get together and start talking each other’s language.
Steve