Fortify launches SOA bug tracker

gallery

Fortify Software has today unveiled a new a technique for identifying the security implications of using common web services and service oriented architecture (SOA) frameworks.

The application security vendor said it had developed the technique after studying five popular enterprise SOA frameworks, finding critical security concerns in all of them .

Apache Axis, Apache Axis 2, IBM WebSphere 6.1 and Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF) were all affected.

Although the SOA frameworks were found in themselves to be secure, certain configurations could lead to weak authentication, weak encryption, vulnerability to replay attack, XPath injection and the introduction of many other significant security vulnerabilities, Fortify said.

“To date, very few companies have been able to check for SOA-specific vulnerabilities in an easy and automated fashion,” said Brian Chess, Fortify Software co-founder and chief scientist.

The new security software capabilities introduced to identify these SOA configuration vulnerabilities have been added to Fortify’s 360 product.

The update uses source code analysis on a code base and dynamic security testing on a running application.

Jeremy Epstein, a SOA expert and consultant commented: “As SOA gets rolled out in large organisations, it’s critical that they realise security means more than just firewalls and SSL [secure sockets layer].”

Epstein added that techniques, like those developed and implemented in the Fortify product, were mandatory to protect critical business data and processes, especially in SOA implementations.

And research published late last year by the Sans Institute identified web services as a hacking target this year until developers learn to write more secure code.

Email to a friend

Print this page