Monday, September 08, 2008

What's Big in SOA Security?

I got this question recently, so I thought it would be good to answer here as well. Basically, the question is, "With all the threats out there, which of them should SOA architects be concerned with?"

What I see most are the threats that are related to messaging in terms of access to the XML payload. In traditional applications, we have gotten pretty good at authentication (even though that is still hackable sometimes). However, in SOA with web massaging across HTTP/HTTPS, it is easier to find a point in the messaging process where the payload can be accessed. This can lead to a variety of attacks: malware, large payloads, XPath injection, etc.

In my SOA testing course (which is soon to be in an online format - stay tuned!), I describe the nature of these attacks. Most are similar to traditional attacks, except oriented to SOA. Take for example XPath injection. It is similar to SQL injection attacks, except is uses the XPath to gain access to data that is thought to be protected.

Keep in mind that SSL secures the message in transit only, while WS-Security maintains encryption until the message is processed. There are some other advantages of WS-Security over SSL, such as being able to specify securing only part of a message if you like. This can help reduce the performance cost of security.

What have you seen as the "big threats" in SOA security?


Mike Kavis said...

One big threat I see is that a single SOAP message may contain data for multiple service consumers.

For example, an order on Expedia may send a message to American Express, Delta, Marriott, and Fed Ex. To provide a seamless workflow, none of these consumers are required to login which requires a trust between them and Expedia. In addition, each consumer can only access the part of the SOAP message that is relevant to them. This is dangerous because only Amex is allowed to see the credit card. This is powerful stuff but if the proper security is not built in it can be a disaster. It also creates all sorts of testing challenges!

Randy Rice said...

Hi Mike,

Great comment with big implications for security and testing for sure. Thanks!