The Future of Web Applications: Web Services
Today's global Internet environment is a muddled mix of different operating systems, technologies, and protocols, all of which are widely dispersed throughout the world. This mixture creates significant barriers for applications to communicate with each other. Web services technology was created in order to mitigate these barriers, using XML formats that allow applications to invoke calls on one another. Using SOAP (Simple Object Access Protocol), Web services applications have more flexibility to communicate with one another, which increases the speed and functionality of communication transactions.
Although Web services have the potential to be very powerful for both application developers and users, they also can be a nightmare for security officers and system administrators. Additional security measures need to be in place because the Web services format was designed to bypass existing security measures, to be platform-independent, and to support any application call structure. In the rush to deploy and use Web services technology, companies face the real danger of exposing their systems to costly attacks.
The flexibility found in SOAP and other technologies makes communication among applications easy, but it also allows hackers to intercept and manipulate messages more easily. SOAP messages typically are transparent to firewalls, which helps them move more quickly through the network, but this negates an important element of perimeter protection and could expose unforeseen threats.
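Because SOAP rides over ordinary HTTP POSTs, a perimeter that only filters by port sees nothing unusual. The following is an added example, not code from the original article: a small inspector that pulls apart a raw HTTP request, recognises a SOAP 1.1 or 1.2 envelope and reports which operation is being invoked, which is the minimum a perimeter or logging component needs in order to apply policy to Web services traffic. The request text, namespace `urn:example:bank` and operation name are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def inspect_soap(raw: bytes) -> Optional[dict]:
    """Return details of the SOAP call carried by the request, or None if
    the request is not a SOAP envelope (plain HTML, JSON, GET, ...)."""
    method, target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not body:
        return None
    if "xml" not in ctype and "soapaction" not in headers:
        return None
    try:
        # Production inspection should use a hardened XML parser that
        # disables entity expansion; the stdlib parser is used here for brevity.
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag not in (f"{{{SOAP11_NS}}}Envelope", f"{{{SOAP12_NS}}}Envelope"):
        return None
    ns = root.tag[1:].split("}")[0]               # envelope namespace in use
    body_el = root.find(f"{{{ns}}}Body")
    operation = body_el[0].tag if body_el is not None and len(body_el) else None
    return {"target": target,
            "soap_action": headers.get("soapaction"),
            "operation": operation}

# Constructed sample: a SOAP 1.1 call hidden inside an ordinary-looking POST.
SAMPLE_SOAP = (
    b"POST /services/Bank HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\nSOAPAction: \"urn:example:bank#TransferFunds\"\r\n\r\n"
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<TransferFunds xmlns="urn:example:bank"><amount>100</amount></TransferFunds>'
    b"</soap:Body></soap:Envelope>"
)
SAMPLE_PLAIN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

Running `inspect_soap(SAMPLE_SOAP)` yields the target path, the SOAPAction header and the namespaced operation element, while the plain GET yields `None`.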
Applications continue to become more functional and flexible, which increases their value to business operations, but it also exposes many potential security problems. Progressive companies that look to take advantage of these emerging technologies may gain a significant competitive advantage, but they must be sure to address the accompanying security issues to avoid costly breaches of their information systems.
The Application Layer Security Threat
According to a recent report by Gartner, over 70 percent of Web attacks occur at the application layer. In addition, the FBI estimates that Web application attacks caused more than $300 million in damages in 2000. Hackers no longer need in-depth technical knowledge to gain access to the network or operating system. They simply use browser-based applications as an entry point to corporate information systems.
Operating systems, like all software products, contain bugs, no matter how mature or well tested they are. Even if patches are applied immediately, local configurations and administrator mistakes may mean the patches don't solve the problem correctly and that vulnerabilities persist undetected.
Web Servers and Application Development Tools
As with operating systems, Web servers and surrounding development tools have known vulnerabilities and patches that are well publicized. While an operating system is a single entity whose complexity can lead to configuration mistakes, in the case of Web servers and development tools, a single page can be composed of many components. Each page is therefore exposed to multiple security threats because of flaws in the multiple products used.
The standard Web protocol, IP, was not designed to be secure, and neither were its companion protocols, TCP, UDP, ARP, etc. Anyone who can send packets to the network can target a system for attack. Often such attacks place Trojan horse programs on a system or exploit operating system vulnerabilities to disrupt services.
Contemporary development methodologies do not include security as a deliverable, measurable component of a project. Moreover, most encourage the utilization of existing "proven" modules from other developers, without care for the security implications or previous use of these modules. Often, protocols and industry standard recommendations are sacrificed on the altar of functionality.