You do go ballistic, right?
If you don't, or if you do but you're not sure how to explain it to your co-workers, you've come to the right place. We expose the dark side of Web services, from the inherent insecurity of SOAP and XML to the inability to restrict function access to only authorized users. We also see some light at the end of the tunnel in the form of SAML and the WS-Security standard.
In "Enemy at the Gateway" we test WS-Security-compliant gateways from DataPower Technology, Forum Systems, Reactivity, VeriSign, Westbridge Technology and Xtradyne Technologies. All were integrated into our NWC Inc. applications lab and subjected to tests covering interoperability between .Net and J2EE, performance, encryption at document and subelement levels, XML validation, and authorization and authentication functions.
Although none of these products inspired us to do the happy dance, Forum Systems' Forum Sentry did make us sit up and take notice--and its rivals should pay attention as well: The 1U appliance met most of our expectations, and we'll be keeping our eye on future revs. If this device stays on track, it should grow into the archetype of what we believe a WS-Security gateway should be.
Many software components are required to host a SOAP service. And just as with any other computer application, more components mean more lines of code, which means more opportunities for security vulnerabilities. To protect yourself, you must know the probable avenues and methods an attacker may use.
The first path is through the server that implements the transport protocol, be it FTP, SMTP or HTTP. In the case of SOAP, this will be a full-fledged Web server, potentially open to a number of Web server attacks, including buffer and format string overflows, request canonicalization and denial of service.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
