Spire Security and Forum Systems today issued the industry's first advisory to comprehensively identify a new breed of Web services-related threats. Forum and Spire Security have illustrated these vulnerabilities to make executives aware that every business is at risk.
Web services is becoming the dominant model among Fortune 1000 and small- to mid-sized businesses to simplify information sharing for collaborative business applications such as customer service and supply chains. This traffic flows freely within and between networks without any security guard.
"The flexibility of Web services that is driving its adoption is also creating its greatest exposure. Companies are publicly publishing their WSDL documents as a handbook to connect with each other. But these documents also provide a handbook to attacking your business," said Mamoon Yunus, CTO of Forum Systems.
The detection and prevention of the misuse and abuse of Web services is still an unaddressed issue in the growing market for Web services security. As is common with new technology, much work has been done with Web services to design trust mechanisms through standards, yet there has been relatively little work in defining the nature and types of threats.
"As attackers learn about the characteristics of the Web services world, they will -- and already are -- attacking the individual components. It is necessary to consider the entire threat profile of Web services in order to ensure that the functional capabilities are protected," said Pete Lindstrom, research director for Spire Security.
The top ten most likely techniques will target multiple Web services components and will fall into five comprehensive categories:
Vulnerability discovery, such as "WSDL scanning": Like a thief searching for an open window or unlocked door. In the Web services world, the thief can then publish and even sell your weaknesses to others.
Probing attacks, such as "parameter tampering" and "replay attacks": Brute force attacks, like a thief jumping over the fence and then running back out, stealing bits and pieces of information.
"Coercive parsing," "recursive payloads," "oversize payloads" and "routing detours" attacks: Specific attacks that includes denial of Web service. Like a thief cutting the wires to a core system of a house -- the XML parser -- in order to gain access.
"External reference attack": Specific attacks that target business-to- business collaboration. Inadvertently letting a stranger into your house who you think is a friend.
Malicious content, such as "schema poisoning" and "SQL injections": Broad and worst type of attacks that include virus infected XML documents. Like a thief delivering a package with a bomb in it. Can result in stolen identities, sensitive information leaks, fraudulent transactions and systems being put off line.
Spire Security recommends adding Web services security firewalls with XML Intrusion Prevention (XIP) to stop or block malicious or abnormal behaviors as a means to better lock down enterprise applications without limiting the benefits of Web Services.
Spire Security conducts market research and analysis of information security issues and requirements.
Forum Systems delivers a suite of dedicated, layered Web Services security solutions for government agencies, financial institutions, and e-business.