I attended InfoSecurity in London this week – huge show for companies involved in all aspects of information security.
Not something that seems to relate to SOA at first glance, but it turns out a number of vendors are waking up to a growing concern in SOA ranks – that web services may be a gift for hackers.
Apparently, the problem is all down to SOAP. Security companies produce loads of smart software and hardware that intercepts internet-based communications and looks for various types of threat signatures, for things like viruses, spyware, adware, trojans and general unwanted intrusions. These tools analyse traffic, but the problem is that few, if any, recognize the SOAP protocol today. So typically the SOAP packets are allowed through because the security software is blind to the information contained in them. On top of this, SOAP messages are often encrypted, making the problem even worse.
This thought is proving to be quite disturbing to a number of major companies. The issue is that in an SOA, web services provides a neat way to make back-end applications accessible to other parts of the business, partners or even the outside world, and what is more, the back office operation is where a lot of highly confidential, mission critical and sensitive information resides. So, if there is a way for someone to sneak in under the radar provided by network security tools, this represents a measurable risk that users feel must be addressed.
As far as I can see, there may be potential for exposure here, but I am hard pressed to think of a specific example of how this hole might be used maliciously. But then, there are a lot of extremely smart hackers out there who love a challenge! My view is that, regardless of how real this fear is, the first companies to come up with a solution to this perceived exposure will profit substantially based on a strong element of FUD (Fear, Uncertainty and Doubt). Perhaps what is needed is the SOA and netowrk security vendors to get together and start talking each other’s language.