contents | business | |||||||
| Fortify Addresses Security Vulnerabilities in Web Services Fortify Software has introduced a technique for identifying the security implications of using common Web Services and service-oriented architecture (SOA) frameworks. Fortify conducted a thorough study of the security of 5 popular frameworks, and found critical security concerns with how the frameworks are commonly configured and used. As a result, Fortify built new capabilities into its product, Fortify 360, to identify these vulnerabilities using source code analysis on a code base and dynamic security testing on a running application. These new capabilities have been made available to all Fortify customers. Fortify's research has revealed that certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1 and Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF), can lead to weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities. In addition, applications that have been secured for Web attacks may still be insecure to attacks through SOA. To be clear, the frameworks themselves are secure, but they have to be appropriately configured and used in order to avoid serious security issues. Fortify enables a company to search for these SOA-specific vulnerabilities statically and dynamically. Statically, the Fortify 360 Source Code Analyzer will scan a code base and automatically identify these types of vulnerabilities. Dynamically, the Fortify 360 Program Trace Analyzer and Real-Time Analyzer can identify these vulnerabilities in a running application. This new robust set of capabilities includes over 80 vulnerability categories related to SOA security issues and was distributed to every Fortify customer as part of Fortify's Second Quarter 2008 Rulepack release. Fortify's quarterly rulepacks are developed by its industry leading Security Research Group, an internal team of experts that investigate how real-world systems fail, and provides expertise and solutions to effectively identify and fix pressing security issues. write your comments about the article :: © 2008 Networking News :: home page |