From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 23 Jan 2002 06:44:39 -0800 (PST)
Subject: [iwar] [fc:Secure.Web.services.a.moving.target..By.Ephraim.Schwartz]
Message-Id: <200201231444.g0NEidk29730@red.all.net>
Reply-To: iwar@yahoogroups.com

Secure Web services a moving target
By Ephraim Schwartz
InfoWorld, 1/22/02
http://www.infoworld.com/articles/hn/xml/02/01/17/020117hntarget.xml?0118frpm

If attendees at the panel discussion on securing Web services came to be reassured that their networks and data will be safe, they left the session, held at the InfoWorld Next-Generation Web Services conference Thursday, wiser and perhaps more troubled than ever.

Users must face the reality that Web services introduce three or four more layers that need to be secured, which makes the problem more complex, said Eduardo Fernandez, professor of Computer Science at Florida Atlantic University, in Boca Raton, Fla., and a former security expert for IBM, summarizing the problem for all the panelists.

"Now a hacker has more layers to attack, more choices, and we have more to defend," Fernandez said.

Ted Shelton, chief strategy officer at Scotts Valley, Calif.-based Borland Software, supported Fernandez's contention and added that Web services are too simple to design without considering security.

"Web services need to have basic principles of security built in, and that will cost," Shelton said.

Although some panelists talked of the future and what needs to be done, Doug Cavit, CIO at Sunnyvale, Calif.-based McAfee.com, said the problem is that "the train has already left the station." Even within an enterprise, individuals can create Web services for their colleagues because it has been made so easy to do.

"It is going to be a major operation to try and contain these, and that is where policy comes in. A good security policy is as important as the right technology," Cavit said.

Borland's Shelton went even further and said that misuse of Web services is an "enormous threat."

"As a CIO, I don't want users to decide to upgrade their own software on their own. This creates a hole in the dyke," Shelton said.

Threats increase once a company goes beyond using Web services internally and begins to deploy services to extranets or to the public Internet, all agreed. They also did not see any immediate solutions. Most, in fact, agreed that widespread adoption of Web services will be slowed, if not put off, until security issues are resolved.

A poll of the audience indicated as much. The majority of the several hundred attendees said that their company's first adoption of any Web service would be only for internal use.

But the panelists did make some predictions as to the technologies that will be used to make Web services more secure.

Marc Beadles, chief architect at SmartPipes, said SSL (Secure Sockets Layer) is still necessary but not enough.

"If you didn't encrypt your channel, you open yourself, but that is not sufficient," Beadles said.

Beadles said SOAP (Simple Object Access Protocol) is a good start because it allows access in an "API-like fashion." He also told the audience that although UDDI (Universal Description, Discovery, and Integration) has promise as a way for an application to describe itself and help ensure reliability, he added, "but remember, a description can also lie."

Chad Dickerson, InfoWorld CTO and panel moderator, added, "Yes, and then it becomes like a Trojan horse."

Kerberos, the panel agreed, will become a critical component for authentication and authorization.

"Kerberos will be the lingua franca for authorization management," said Cavit from McAfee. But Cavit also believes that in order for companies to protect themselves, so-called "overlay networks" will spring up that separate business-to-business transactions from the public Internet.

Fernandez said that he has looked at some of the working security specifications coming out of Web services standards bodies. In some cases, he said, the specifications appear to be unaware of previous security issues that have been resolved elsewhere but are not addressed in the new Web services specifications.

"I can't criticize the specs because they are still not finished," he said. "But from what I have seen, the standards themselves might end up as the problem."

The discussion ended by holding up the dream of Web services next to the reality. All agreed that although Web services used internally will be the first stage, the real benefits come from their ability to create an extended enterprise. For that to become a reality, a single authentication scheme must become a key component. The question is how to make each layer of an application that has dozens of distributed components secure.

"This is the difference between a grand vision and the reality that security has to be built into every layer of the infrastructure before you get more distributed applications," Shelton said. "At the moment, security, at least on the public Internet, is the wild, wild West."

------------------
http://all.net/