[iwar] [fc:Secure.Web.services.a.moving.target..By.Ephraim.Schwartz]

From: Fred Cohen (fc@all.net)
Date: 2002-01-23 06:44:39


Message-Id: <200201231444.g0NEidk29730@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Wed, 23 Jan 2002 06:44:39 -0800 (PST)
Subject: [iwar] [fc:Secure.Web.services.a.moving.target..By.Ephraim.Schwartz]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Secure Web services a moving target, by Ephraim Schwartz

InfoWorld, 1/22/02
http://www.infoworld.com/articles/hn/xml/02/01/17/020117hntarget.xml?0118frpm

If attendees at the panel discussion on securing Web services came to be
reassured that their networks and data will be safe, they left the
session, held at the InfoWorld Next-Generation Web Services conference
Thursday, wiser and perhaps more troubled than ever.

Users must face the reality that Web services introduce three or four
more layers that need to be secured, which makes the problem more
complex, said Eduardo Fernandez, professor of Computer Science at
Florida Atlantic University, in Boca Raton, Fla., and a former security
expert for IBM, summarizing the problem for all the panelists.

"Now a hacker has more layers to attack, more choices, and we have more
to defend," Fernandez said.

Ted Shelton, chief strategy officer at Scotts Valley, Calif.-based
Borland Software, supported Fernandez's contention and added that Web
services are too simple to design without considering security. "Web
services need to have basic principles of security built in, and that
will cost," Shelton said.

Although some panelists talked of the future and what needs to be done,
Doug Cavit, CIO at Sunnyvale, Calif.-based McAfee.com, said the problem
is that "the train has already left the station."

Even within an enterprise, individuals can create Web services for their
colleagues because it has been made so easy to do. "It is going to be a
major operation to try and contain these, and that is where policy comes
in. A good security policy is as important as the right technology,"
Cavit said.

Borland's Shelton went even further and said that misuse of Web services
is an "enormous threat."

"As a CIO, I don't want users to decide to upgrade their own software on
their own. This creates a hole in the dyke," Shelton said.

Threats increase once a company goes beyond using Web services
internally and begins to deploy services to extranets or to the public
Internet, all agreed.

They also did not see any immediate solutions. Most, in fact, agreed
that widespread adoption of Web services will be slowed, if not put off,
until security issues are resolved.

A poll of the audience indicated as much. The majority of the several
hundred attendees said that their company's first adoption of any Web
service would be only for internal use.

But the panelists did make some predictions as to the technologies that
will be used to make Web services more secure.

Marc Beadles, chief architect at SmartPipes, said SSL (Secure Sockets
Layer) is still necessary but not enough. "If you didn't encrypt your
channel, you open yourself, but that is not sufficient," Beadles said.
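The distinction Beadles draws, as an added example that is not part of the article or of anything the panel presented: a SOAP endpoint that accepts a request only when a per-message authenticator checks out, so that an encrypted channel is not the only thing standing between the service and an unauthenticated or altered request. The header names, the shared-secret MAC scheme, the caller list and the sample order message are assumptions made for illustration (the panel pointed to Kerberos for the real thing; this stand-in only shows why the check has to live at the message layer, where a TLS session cannot see it).

```python
# Added example (not from the InfoWorld article or the panel). Models a SOAP
# service that refuses to trust transport encryption alone: every envelope must
# carry a caller id, a timestamp and a keyed MAC over the Body. The Auth header
# layout and the shared-secret scheme are assumptions chosen for illustration.
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"   # hypothetical header namespace (assumption)
MAX_SKEW = 300                 # seconds a signed message stays acceptable

# Constructed shared secrets keyed by caller id (stand-in for a real key store).
KEYS = {"orders-client": b"constructed-demo-secret"}

# Constructed sample request; in the panel's scenario this arrives over SSL.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
<soap:Body><PlaceOrder><Sku>ABC-1</Sku><Quantity>1</Quantity></PlaceOrder></soap:Body>
</soap:Envelope>"""


def canonical_body(envelope_xml):
    """Serialize the Body subtree the same way on both sides so the MAC is stable."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    body.tail = None  # whitespace after </Body> is not part of the message
    return ET.tostring(body, encoding="utf-8")


def mac_for(key, caller, ts_text, body_bytes):
    """HMAC binds caller id and timestamp to the exact Body bytes."""
    return hmac.new(key, f"{caller}|{ts_text}|".encode() + body_bytes,
                    hashlib.sha256).hexdigest()


def sign_envelope(envelope_xml, caller, key, ts=None):
    """Client side: add an Auth header carrying caller, timestamp and MAC."""
    ts = int(time.time()) if ts is None else ts
    mac = mac_for(key, caller, str(ts), canonical_body(envelope_xml))
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)  # SOAP requires Header before Body
    auth = ET.SubElement(header, f"{{{AUTH_NS}}}Auth")
    ET.SubElement(auth, f"{{{AUTH_NS}}}Caller").text = caller
    ET.SubElement(auth, f"{{{AUTH_NS}}}Timestamp").text = str(ts)
    ET.SubElement(auth, f"{{{AUTH_NS}}}Mac").text = mac
    return ET.tostring(root, encoding="unicode")


def verify_envelope(envelope_xml, now=None):
    """Server side: returns (accepted, reason). Transport security is not consulted."""
    now = int(time.time()) if now is None else now
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "malformed XML"
    auth = root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}Auth")
    if auth is None:
        return False, "no Auth header: an encrypted channel says nothing about who sent this"
    caller = auth.findtext(f"{{{AUTH_NS}}}Caller", "")
    ts_text = auth.findtext(f"{{{AUTH_NS}}}Timestamp", "")
    mac = auth.findtext(f"{{{AUTH_NS}}}Mac", "")
    key = KEYS.get(caller)
    if key is None:
        return False, f"unknown caller {caller!r}"
    if not ts_text.isdigit() or abs(now - int(ts_text)) > MAX_SKEW:
        return False, "timestamp missing or outside the replay window"
    expected = mac_for(key, caller, ts_text, canonical_body(envelope_xml))
    if not hmac.compare_digest(expected, mac):
        return False, "MAC mismatch: Body was altered or the key is wrong"
    return True, f"authenticated caller {caller!r}"


if __name__ == "__main__":
    signed = sign_envelope(ENVELOPE, "orders-client", KEYS["orders-client"])
    print(verify_envelope(signed))                    # accepted
    print(verify_envelope(ENVELOPE))                  # rejected: no Auth header
    tampered = signed.replace("<Quantity>1</Quantity>", "<Quantity>1000</Quantity>")
    print(verify_envelope(tampered))                  # rejected: MAC mismatch
```

The unsigned envelope and the tampered one would both travel over SSL exactly as well as the good one; only the message-layer check tells them apart, which is the gap Beadles is pointing at.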

Beadles said SOAP (Simple Object Access Protocol) is a good start
because it allows access in an "API-like fashion," but he also warned
the audience that although UDDI (Universal Description, Discovery, and
Integration) has promise as a way for an application to describe itself
and help ensure reliability, "remember, a description can also lie."

Chad Dickerson, InfoWorld CTO and panel moderator, added, "Yes, and then
it becomes like a Trojan horse."

Kerberos, the panel agreed, will become a critical component for
authentication and authorization. "Kerberos will be the lingua franca
for authorization management," said Cavit from McAfee.

But Cavit also believes that in order for companies to protect
themselves, so-called "overlay networks" will spring up that separate
business-to-business transactions from the public Internet.

Fernandez said that he has looked at some of the working security
specifications coming out of Web services standards bodies. In some
cases, he said, the specifications appear to be unaware of security
issues that were resolved in earlier systems and are left unaddressed in
the new Web services specifications.

"I can't criticize the specs because they are still not finished," he
said. "But from what I have seen, the standards themselves might end up
as the problem."

The discussion ended by holding up the dream of Web services next to the
reality.

All agreed that although Web services used internally will be the first
stage, their real benefits come from their ability to create an extended
enterprise. For that to become a reality, a single authentication scheme
must become a key component. The question is how to make each layer of
an application that has dozens of distributed components secure.

"This is the difference between a grand vision and the reality that
security has to be built into every layer of the infrastructure before
you get more distributed applications," Shelton said. "At the moment,
security, at least on the public Internet, is the wild, wild West."

------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST