By Candy Yee Man Chan
ACC 626
Web Services: Risks and Opportunities
What are Web Services?
Web services are application components that communicate using open protocols. They are self-contained and self-describing, can be discovered using UDDI, and can be used by other applications. XML is the basis for web services: it is a language that can be used across different platforms and programming languages while still expressing complex messages and functions. Currently, HTTP is the most widely used Internet protocol. The web services platform elements are SOAP (Simple Object Access Protocol), UDDI (Universal Description, Discovery and Integration) and WSDL (Web Services Description Language).1 As a result, web services make software functionality available over the Internet. For example, a program written in PHP, ASP, JSP, JavaBeans or COM objects can run on one server while its response is retrieved for use in another website, an SAP service or another application. A web service call thus follows this procedure:
1) “The web service provider defines a format for requests for its service and the response the service will generate.
2) A computer makes a request for the web services across the network.
3) The web service performs some action, and sends the response back.”2
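The three-step exchange above, as an added example that is not from the paper or any of its sources: a consumer builds a SOAP request for a hypothetical GetQuote operation, and the provider checks the request against the format it declared before acting on it, answering anything else with a SOAP Fault instead of passing it to the back end. The operation name, the namespace urn:example:quote and the price table are constructed for illustration.

```python
"""Minimal SOAP 1.1 request/response round trip (added example, not from the paper).

Step 1: the provider declares the request format it accepts (CONTRACT).
Step 2: the consumer sends a request envelope (build_request).
Step 3: the service validates, performs its action and responds (handle_request).
All names, namespaces and sample data are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:quote"          # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("q", SVC_NS)

# Step 1: the provider's declared format: operation name -> required parameters.
CONTRACT = {"GetQuote": ["symbol"]}

# Constructed sample back-end data the service consults.
PRICES = {"ACME": "12.50", "GLOBEX": "98.10"}


def build_request(operation: str, params: dict) -> bytes:
    """Step 2: the consumer builds a request envelope for the given operation."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = value
    return ET.tostring(env, encoding="utf-8")


def build_fault(code: str, reason: str) -> bytes:
    """SOAP 1.1 Fault element carrying a faultcode and a faultstring."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = f"soap:{code}"
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env, encoding="utf-8")


def handle_request(raw: bytes) -> bytes:
    """Step 3: validate the request against the contract, act, and respond.

    Anything that does not match the declared format is answered with a Fault
    rather than processed, so malformed or unexpected requests never reach
    the back-end lookup.
    """
    env = ET.fromstring(raw)
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return build_fault("Client", "Envelope must contain exactly one operation")
    op = body[0]
    op_name = op.tag.split("}")[-1]          # strip the namespace part
    if op_name not in CONTRACT:
        return build_fault("Client", f"Unknown operation {op_name}")
    params = {child.tag.split("}")[-1]: (child.text or "") for child in op}
    missing = [p for p in CONTRACT[op_name] if p not in params]
    if missing:
        return build_fault("Client", f"Missing parameters: {', '.join(missing)}")
    # The action itself: look up the quote.
    price = PRICES.get(params["symbol"])
    if price is None:
        return build_fault("Client", f"Unknown symbol {params['symbol']}")
    resp_env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    resp_body = ET.SubElement(resp_env, f"{{{SOAP_NS}}}Body")
    resp = ET.SubElement(resp_body, f"{{{SVC_NS}}}{op_name}Response")
    ET.SubElement(resp, f"{{{SVC_NS}}}price").text = price
    return ET.tostring(resp_env, encoding="utf-8")


def parse_response(raw: bytes) -> dict:
    """Consumer side: {'price': ...} on success, {'fault': reason} on a Fault."""
    env = ET.fromstring(raw)
    body = env.find(f"{{{SOAP_NS}}}Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        return {"fault": fault.findtext("faultstring")}
    price = body.find(f"{{{SVC_NS}}}GetQuoteResponse/{{{SVC_NS}}}price")
    return {"price": price.text}


if __name__ == "__main__":
    print(parse_response(handle_request(build_request("GetQuote", {"symbol": "ACME"}))))
    print(parse_response(handle_request(build_request("GetQuote", {}))))
```

The service never trusts the request shape: the operation must be one it declared and every required parameter must be present, and the consumer distinguishes a Fault from a normal response rather than assuming the call succeeded.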
It is important to note that a business is exposed to more risks as well as more opportunities when it uses web services. Many organizations rush the process of setting up web services because they do not want to miss this new opportunity to expand. As a result, security features may not be carefully installed, and the business exposes itself to security breaches and identity fraud: web services involve sending transactions across the Internet between multiple applications, and this in itself is a new risk to the business.
1 Refsnes Data. “Web Services Tutorial.” W3Schools. 2008. http://www.w3schools.com/webservices/default.asp (9 June 2008).
2 Patrick Cooney. “Understanding Web Services.” January 31, 2002.
However, companies can use web services as a new strategy to help them conduct business more efficiently. If web services are used effectively, businesses will benefit greatly “from leveraging and interacting with identity management infrastructure, and lead to increased business opportunities and reduced costs.”3 Thus, web services can help businesses become more productive and result in increased competitive advantage.4 This paper will discuss both the risks and the benefits associated with the use of web services.
Security Concerns
Since web services involve the transfer of information over the Internet, security has become an important area of concern. Web services security is important due to the following factors:
1) “The expansion of the boundary of interaction between communicating parties (from Intranets to Internets).
2) Communicating partners are likely to be communicating prior to establishing a business or human relationship, and this gives rise to the importance of the security requirements of the communication technologies. For example, authentication, access control, non-repudiation, data integrity and privacy are becoming more important components of security requirements.
3) There is expected to be an increase in interactions between programs (communicating partners) as opposed to between humans and programs, and thus web services are expected to become more dynamic and instantaneous, which aids the interactions between communication partners.
4) Users of web services will increase as more business functions use web services. As a result, the web services environment is expected to expand.”5
3 RSA, The Security Division of EMC. “RSA Security Helps Organizations Implement Secure Web Services to Achieve Competitive Advantage.” May 15, 2003. http://www.rsa.com/press_release.aspx?id=2543 (10 June 2008).
4 Ibid.
5 Sang Shin. “Secure Web services.” March 18, 2003. http://www.javaworld.com/javaworld/jw-03-2003/jw-0321-wssecurity.html (9 June 2008).
To address security issues, a set of mechanisms is provided by the Web Services Security specification (WS-Security), which helps web services developers secure exchanges of SOAP messages. WS-Security enhances existing SOAP messaging by providing quality of protection through message integrity, confidentiality and single-message authentication for SOAP messages; these can be combined in many ways to build various security models using cryptographic technologies. WS-Security also provides a general-purpose mechanism for associating security tokens with messages, but it does not require any specific type of security token. To ensure that messages originated from the appropriate sender and were not modified in transit, XML Signature is used together with security tokens to provide message integrity. Likewise, XML Encryption is applied together with security tokens to provide the confidentiality of SOAP messages.6 Security management for web services can be categorized into four groups:
1) “Authentication – Verifying that users are, in fact, who they claim.
2) Authorization – Entitling users to access certain application functions.
3) Administration – Administering tools for centralized and/or distributed maintenance of user data and security policy.
4) Audits – Ensuring that security analysts have audit trails to determine who did what (including necessary logging mechanisms to record users’ actions).”7
In addition to tokens, web services security vulnerability models, a classification of potential Grid and web services attacks, and vulnerability models are important tools when dealing with web service security. These models describe the proper way for Grid and web services to interact and provide attack-resilient multilayer protection in a typical service-oriented architecture. They can form a basis for developing countermeasures against known vulnerabilities and for security services design recommendations. Ongoing work is constantly conducted to update middleware and operational security in the framework of the European Grid infrastructure deployment project (EGEE) as well as in related coordination groups.8
6 IBM: Various Contributors. “Web Services Security.” April 5, 2002. http://www.ibm.com/developerworks/library/specification/ws-secure/ (9 June 2008).
7 Mohan Bhatia. “Web Services Security.” Information Systems Control Journal: Volume 1 (2005): pg. 1-4. ISACA Journal. http://www.isaca.org/Content/ContentGroups/Journal1/20058/Web_Services_Security1.htm (10 June 2008).
Other Risks
Since web service transactions are executed across multiple loosely-coupled autonomous organizations, isolation is commonly relaxed so that businesses can manage web services efficiently. The resources of a web service operation are unlocked once its own job is completed, regardless of whether the other operations of the transaction are completed. Transactions that are unlocked early may give rise to data integrity problems, since early-unlocked resources can cause inaccurate outcomes, and this has become a great concern. As a result, new mechanisms are being introduced “to ensure the consistent executions of isolation-relaxing WS transactions.”9
These mechanisms effectively detect inconsistent transaction states using the notion of an end-state dependency and recover them to consistent states. An example of such a mechanism is the new Web Services Transaction Dependency Management Protocol (WTDP), which helps businesses manage web service transactions with little difficulty and without inconsistent data problems. WTDP can be easily integrated into existing web service transaction systems, as it is designed to be compliant with representative web service transactions.10
Furthermore, poorly written CGI scripts are more vulnerable to standard attacks on a website. Attackers usually take advantage of security holes on the website, including those that grant access to the file system or to the code behind the site, including database passwords. Allowing unauthorized access to a company’s website, especially when web services are used to transfer sensitive data over the Internet, can have substantial legal and financial consequences for the company. Some people argue that SOAP itself is a security flaw since it has the ability to go through firewalls. However, “SOAP is no more insecure than any other application which POSTs XML files to a web server” because the client can only make SOAP calls, not receive them.11 Thus, while the server is exposed and must be secured, clients are safe unless the server (or its DNS address) has been subverted. Common types of website attacks are listed as follows:
1) Denial of Service to a server
2) Interception and manipulation of messages
3) Forged client requests
4) Forged server responses
5) Attempts to read the server file system/database
6) Attempts to write to the server file system/database12
8 Yuri Demchenko, Leon Gommans, Cees de Laat, Bas Oudenaarde. “Web Services and Grid Security Vulnerabilities and Threats Analysis and Model.” Grid Computing. Issue 13-14 (Nov. 2005): pg. 262-267. http://ieeexplore.ieee.org/iel5/10354/32950/01542751.pdf?arnumber=1542751 (10 June 2008).
9 Seunglak Choi, Hangkyu Kim, et al. “A framework for ensuring consistency of Web Services Transactions.” Information and Software Technology. Vol. 50, Iss. 7/8, (June 2008): pg. 684. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1474406951&sid=1&Fmt=2&clientId=16746&RQT=309&VName=PQD (10 June 2008).
10 Ibid.
After discussing some of the issues related to the security of web services, it can be concluded that “securing a system is much harder than getting a system to work,” since making a system function involves eliminating bugs.13 It is important to note that from “a security perspective, no security holes can exist for a system to be secure: no matter how obscure it is, someone may find it and exploit it.”14 Thus, ongoing maintenance and testing are needed to uncover security holes, which must be addressed immediately when detected.
Prevention and Detection Techniques
Architects and developers must learn new technologies and consider the new threats that come with exposing functionality on potentially hostile networks when designing, developing and deploying secure web services.15 Although web services have become a major area of expansion in academia and industry, there is a lack of focus on design and development methods for web services (methods that assist in specifying and running applications based on web services). As a result, CP4WS (Context and Policy for Web Services) was developed: a context-based and policy-driven method for designing and developing composite web services.16 CP4WS involves several steps, including user needs identification and web services behavior specification, and each step uses a specific graphical notation for the representation, description and validation of the composition of web services.17
11 The Apache Software Foundation. “Web Service Security.” 2005. http://ws.apache.org/axis/java/security.html (9 June 2008).
12 Ibid.
13 Ibid.
14 Ibid.
15 Microsoft Corporation. “Web Service Security.” December 2005.
In order to minimize the effect of web service threats, businesses can set up application-level firewalls that examine XML-based messages. Such firewalls can enforce XML structural rules, validate schemas, perform XML virus-checking and protect against XML denial-of-service attacks (XDoS). In addition, web service developers should be educated about the additional XML-related attack vectors to which web services are vulnerable. Other rules that businesses can use to minimize the potential risks associated with web services are as follows:
1) “Use PKI authentication for machine-to-machine communications and SSL for communication security.
2) Develop an ongoing list of resources that will provide you with information about current security problems and software updates relevant to your system and application software.
3) Upgrade your existing authentication and access control security policies to meet Web services specifications to protect the message integrity, confidentiality and authentication.
4) Keep abreast of the other new standards like XML-Encryption and XML-Schema, which aim to secure web services traffic and incorporate these standards into your security policy where appropriate.
5) Use a comprehensive guide on how to build secure Web services and Web applications.”18
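An added example (not from the paper or from the Cobb article it cites) of the application-level checks described above: a gateway function that screens a SOAP message for size, DTDs, nesting depth and element count (the XDoS cases) and then enforces a structural rule that only the elements the service expects appear in the Body. The limits, the namespace urn:example:quote and the allowed-element set are assumptions made for this example, as are the sample messages.

```python
"""Application-level XML gateway checks (added example, not from the paper).

Screening an XML-aware firewall can apply before a SOAP message reaches the
service: a byte-size limit, refusal of DTDs (the carrier for entity-expansion
and external-entity tricks), nesting and element-count limits against XML
denial-of-service (XDoS), and a structural rule on the Body. The policy
values, namespaces and sample messages are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Tuple
from xml.parsers import expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
QUOTE_NS = "urn:example:quote"   # hypothetical service namespace

# Policy values: constructed for this example; tune them to the real service.
MAX_BYTES = 64 * 1024      # oversized payloads are rejected before any parsing
MAX_DEPTH = 32             # deeply nested documents exhaust recursive parsers
MAX_ELEMENTS = 2000        # a flood of tiny elements is the other XDoS shape
ALLOWED_BODY_ELEMENTS = {f"{{{QUOTE_NS}}}GetQuote", f"{{{QUOTE_NS}}}symbol"}


class Rejected(Exception):
    """Raised from a parser callback to stop parsing as soon as a rule is broken."""


def screen_message(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only accepted messages should be forwarded."""
    if len(raw) > MAX_BYTES:
        return False, f"payload exceeds {MAX_BYTES} bytes"

    # Pass 1: streaming checks with expat. No tree is built, and parsing stops
    # at the first violation, so a hostile document is rejected cheaply.
    depth = 0
    elements = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise Rejected("DTD declarations are not accepted")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > MAX_DEPTH:
            raise Rejected(f"nesting deeper than {MAX_DEPTH}")
        if elements > MAX_ELEMENTS:
            raise Rejected(f"more than {MAX_ELEMENTS} elements")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except Rejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"

    # Pass 2: structural rule. Everything under soap:Body must be an element
    # the service declared; anything else is refused rather than forwarded.
    env = ET.fromstring(raw)
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, "no soap:Body"
    for el in body.iter():
        if el is not body and el.tag not in ALLOWED_BODY_ELEMENTS:
            return False, f"unexpected element {el.tag}"
    return True, "ok"


# Constructed sample messages.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><q:GetQuote xmlns:q="urn:example:quote">'
        b'<q:symbol>ACME</q:symbol></q:GetQuote></soap:Body></soap:Envelope>')
WITH_DTD = b'<!DOCTYPE Envelope [<!ENTITY a "aaaa">]>' + GOOD
DEEP = b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1)
EXTRA_ELEMENT = GOOD.replace(b"</q:GetQuote>", b"<q:Extra/></q:GetQuote>")

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("dtd", WITH_DTD), ("deep", DEEP), ("extra", EXTRA_ELEMENT)):
        print(label, screen_message(msg))
```

The two passes are deliberate: the streaming pass bounds the cost of handling a hostile document before a tree is ever built, and the structural pass only runs on input that has already passed the resource limits. A production gateway would replace the allowed-element set with full schema validation, which this example approximates.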
Recall that web services use a universally accepted standard, XML, as their language, together with open protocols, for enterprise applications. Thus, the use of web services is expected to decrease application integration costs, including custom integration costs, where application-to-application data exchanges are essential. Web services can also aggregate information and services from multiple back-end systems, which simplifies routine tasks and gives businesses increased economies of scale. However, as mentioned earlier, web services face a number of complex security issues since they involve aggregating information from multiple sources. As a result, digital signatures and encryption are necessary when data is being transferred between multiple parties, along with different levels of security for different applications. Trust in the identity of the application, the integrity of the data being communicated, privileges and access rights are important factors to consider when using web services. Thus, as the use of web services increases, businesses need to carefully implement the developing standards for XML encryption and signatures.19 Figure 1 in Appendix 2 “illustrates how SAML works with other XML security standards.”20
16 Zakaria Maamar & Djamal Benslimane. “A Context-Based and Policy-Driven Method to Design and Develop Composite Web Services.” International Journal of E-Business Research. Vol. 4, Iss. 3 (Jul-Sept, 2008): Pg. 77, 18 pgs. ABI Inform. http://proquest.umi.com/pqdweb?did=1475965411&sid=2&Fmt=2&clientId=16746&RQT=309&VName=PQD (10 June 2008).
17 Ibid.
18 Michael Cobb. “Why Web services threats require application-level protection.” October 12, 2006.
A set of mechanisms is provided by the Web Services Security specification (WS-Security), which helps web services developers secure exchanges of SOAP messages. WS-Security enhances existing SOAP messaging by providing quality of protection through message integrity, confidentiality and single-message authentication for SOAP messages, which can be combined in many ways to build various security models using cryptographic technologies. WS-Security also provides a general-purpose mechanism for associating security tokens with messages, and no specific type of security token is required. To ensure that messages originated from the appropriate sender and were not modified in transit, XML Signature is used with security tokens to provide message integrity. Likewise, XML Encryption is applied with security tokens to provide the confidentiality of SOAP messages.21 Figures 2 and 3 in Appendix 3 illustrate “how authentication can be brokered between a service and its consumer using STS (Security Token Service)” and “how asymmetric encryption is performed” when using multiple Internet web services.22
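The WS-Security mechanisms described in this paragraph and in the earlier Security Concerns section, as an added example that is neither the paper's nor the specification's code: a shared-secret key identified by a wsse:UsernameToken plays the role of the security token, and a keyed hash (HMAC-SHA256) over the canonicalized Body plays the role of XML Signature, giving message integrity and single-message authentication for one SOAP message. The layout of the signature element (namespace urn:example:simple-sig) is a simplification and is not XML-DSig; the key store, user names and sample request are constructed.

```python
"""Integrity and per-message authentication for a SOAP Body, in the style of
WS-Security (added example, not from the paper or the specification).

A UsernameToken identifies a shared secret held by both parties; an HMAC over
the canonical Body binds that secret to the message. The wire format of the
signature element is a simplification, not XML-DSig. Everything below is
constructed for illustration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SIG_NS = "urn:example:simple-sig"   # hypothetical; stands in for XML-DSig
for _prefix, _uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("sig", SIG_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed key store: the receiver resolves the token to a key it already holds.
SHARED_KEYS = {"alice": b"alice-shared-secret-0001", "bob": b"bob-shared-secret-0002"}

# Constructed sample request (no Security header yet).
SAMPLE_REQUEST = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                  b'<soap:Body><q:GetQuote xmlns:q="urn:example:quote">'
                  b'<q:symbol>ACME</q:symbol></q:GetQuote></soap:Body></soap:Envelope>')


def canonical_body(env: ET.Element) -> bytes:
    """Canonical (C14N 2.0) form of soap:Body, so prefix renaming or attribute
    reordering by intermediaries does not change what is signed."""
    body = env.find(f"{{{SOAP_NS}}}Body")
    text = ET.tostring(body, encoding="unicode")
    return ET.canonicalize(text, strip_text=True, rewrite_prefixes=True).encode("utf-8")


def sign_envelope(env: ET.Element, username: str) -> ET.Element:
    """Add a wsse:Security header carrying the token and an HMAC over the Body."""
    key = SHARED_KEYS[username]
    header = env.find(f"{{{SOAP_NS}}}Header")
    if header is None:                       # SOAP requires Header before Body
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        env.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    digest = hashlib.sha256(canonical_body(env)).hexdigest()
    sig = ET.SubElement(security, f"{{{SIG_NS}}}Signature")
    ET.SubElement(sig, f"{{{SIG_NS}}}BodyDigest").text = digest
    mac = hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()
    ET.SubElement(sig, f"{{{SIG_NS}}}SignatureValue").text = mac
    return env


def sign_message(raw: bytes, username: str) -> bytes:
    """Sender side: parse, sign, serialize."""
    return ET.tostring(sign_envelope(ET.fromstring(raw), username))


def verify_envelope(raw: bytes) -> tuple:
    """Receiver side: (True, username) or (False, reason)."""
    env = ET.fromstring(raw)
    security = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        return False, "no wsse:Security header"
    username = security.findtext(f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    key = SHARED_KEYS.get(username or "")
    if key is None:
        return False, "unknown token"
    sig = security.find(f"{{{SIG_NS}}}Signature")
    if sig is None:
        return False, "no signature"
    claimed_digest = sig.findtext(f"{{{SIG_NS}}}BodyDigest") or ""
    claimed_mac = sig.findtext(f"{{{SIG_NS}}}SignatureValue") or ""
    # The MAC binds the token holder's key to the digest (authentication)...
    expected_mac = hmac.new(key, claimed_digest.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, claimed_mac):
        return False, "signature mismatch"
    # ...and the digest binds the Body actually received (integrity).
    actual_digest = hashlib.sha256(canonical_body(env)).hexdigest()
    if not hmac.compare_digest(actual_digest, claimed_digest):
        return False, "body modified in transit"
    return True, username


if __name__ == "__main__":
    signed = sign_message(SAMPLE_REQUEST, "alice")
    print(verify_envelope(signed))
    print(verify_envelope(signed.replace(b"ACME", b"ZZZZ")))
```

Two checks are separated on purpose: the signature check fails when a message is forged or its token does not belong to a known party, and the digest check fails when a correctly signed message was altered in transit, so the receiver can log the two cases differently. Comparisons use hmac.compare_digest so that verification time does not leak how many bytes matched.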
19 Daniel Murton. “Web services: Useful but dangerous?” SC Security magazine. February 01, 2003. http://www.scmagazineus.com/Web-services-Useful-but-dangerous/article/30421/ (9 June 2008).
20 Sang Shin. “Secure Web services.” March 18, 2003. http://www.javaworld.com/javaworld/jw-03-2003/jw-0321-wssecurity.html (9 June 2008).
21 IBM: Various Contributors. “Web Services Security.” April 5, 2002. http://www.ibm.com/developerworks/library/specification/ws-secure/ (9 June 2008).
22 Microsoft Corporation. “Web Service Security.” December 2005.
Currently, many businesses are adopting Service Oriented Architecture (SOA) web services and exposing their internal system applications to outside parties beyond their firewalls with minimal security consideration, which is a serious concern. As stated by Mamoon Yunus, the CTO of Forum Systems, “By deploying SOA Gateways such as Forum Sentry for protecting SOA deployments, and using tools such as Crosscheck's SOAP Sonar for ongoing SOA risk analysis, enterprises can lower their security risks without impeding their integration efforts.”23
Benefits and Opportunities
Many corporations depend on their IT infrastructure to facilitate their business processes, reduce their business process lifecycle and manage resources. Thus, there is a need to integrate the applications running within the business for data consolidation purposes, so that it can generate accurate system information, increase performance and improve monitoring. Many middleware technologies are in place to support custom-built systems and integrate applications to produce operational and management efficiency. However, systems integration within the company is not enough; integration of applications must be enabled across business boundaries in order to meet the target of fast and flawless collaboration with business partners, customers and suppliers. Thus, the exchange of information over the Internet is critical, and at the same time security issues over the Internet become a concern, since the Internet is an “untrustable public network infrastructure, prone to malicious attacks by professional and amateur intruders.”24 Businesses can use firewalls to secure company resources on their network and on the Internet by establishing business roles, access rights and system policies. Firewalls at the network level contain many security features and are very useful for businesses to protect their resources when conducting online services.25
Furthermore, web-based ERP systems can also be used to solve business problems and manage real-world business processes, from simple office automation procedures to complicated supply chain planning.26 There are various advantages associated with web-based ERP systems because the system is distributed through interoperable, cross-platform web service components that are “pluggable.” Businesses gain efficiency and control when using the ERP system as a powerful workflow engine, because it manages the entire process event flow within the business. The enterprise quality management system controls business processes, and as a result ISO directives are accurately followed. A real-life illustrative example is the Greek Construction Manufacturing Enterprises, which had problems assigning project tasks, in the form of lots, to enterprise resources so as to minimize resource idle time and delays in project preparation time.27 With a simple and effective heuristic algorithm, the problem was solved easily and instantaneously.
23 Wireless News. “Forum Systems to Present Webinar: Techniques in Attacking and Defending SOA Web Services.” June 9, 2008. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1491974861&sid=1&Fmt=3&clientId=16746&RQT=309&VName=PQD (10 June 2008).
24 Bilal Siddiqui. “Web Services Security.” March 04, 2003. http://www.xml.com/pub/a/ws/2003/03/04/security.html (9 June 2008).
25 Ibid.
In addition, the development of Microsoft WS-Scan has also contributed to the efficiency of running business processes, leading to substantial cost reductions for businesses. Microsoft WS-Scan assists in the industry-wide standardization of networked multifunction device behaviours and capability representation, and is thus a significant contribution to the Printer Working Group (PWG). A widely adopted model of network printer behaviours and capabilities, known as the PWG Semantic Model, is being extended to include multifunction devices. However, in order to improve interoperability across operating environments and reduce implementation costs for device manufacturers, the whole industry must maintain a consistent model of the behaviours and capabilities of multifunction devices.28
Conclusions
Due to the efficiency that web services provide, many companies are taking advantage of the new web-based systems, as “real-life Web services are emerging particularly in the B2B market...[and companies] such as Intel are driving the adoption of Web services in this area.”29 Therefore, the emergence of e-businesses in recent years has also contributed to the expansion of web services. For example, many businesses “streamline their entire supply chain, improve collaboration and reduce support costs working with manufacturers, distributors, resellers, shippers and end-users.”30 As web services become more popular, they will become more affordable to everyone, including small businesses. As a result, web services may prove to be a “great asset to site developers...[since it allows] access to a world of computing power and flexibility.”31 With the increasing use of web services by businesses, ensuring secure communication between parties using web services will become more and more important. In this paper, the risks and opportunities were discussed, along with an analysis of prevention and detection techniques that address web service security. Anyone who may come into contact with web services, particularly CA practitioners who audit a company’s systems, should be aware of the benefits and limitations associated with web services, because there is a growing trend of businesses adopting web services in their business processes.
26 CD Tarantilis, CT Kiranoudis, ND Theodorakopoulos. “A Web-based ERP system for business services and supply chain management: Application to real-world process scheduling.” European Journal of Operational Research. Vol. 187, Iss. 3 (June 16, 2008): pg. 1310. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1404161561&sid=2&Fmt=2&clientId=16746&RQT=309&VName=PQD (10 June 2008).
27 Ibid.
28 Medical Imaging Business Week. “Microsoft Corp.; Microsoft Contributes Web Services Protocol to Broaden Interoperability.” June 12, 2008. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1490264781&sid=3&Fmt=3&clientId=16746&RQT=309&VName=PQD (24 July 2008).
29 Robert Merlo. “Is any industry really taking advantage of Web services today?” June 10, 2003. http://searchsoa.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid26_gci905444,00.html (24 July 2008).
30 Ibid.
31 Patrick Cooney. “Understanding Web Services.” January 31, 2002.
Appendix 1
The purpose of this report is to inform CA practitioners about web services. Since there has been a trend for many businesses to adopt web services, practitioners who understand how web services function can increase the efficiency and accuracy of their audits. There are many security issues surrounding the use of web services, as well as many ways to resolve them. Data integrity is also important when sending information over the Internet. Thus, by gaining more knowledge of how web services function, as well as of the security issues and remedies associated with them, CA practitioners will be able to incorporate this knowledge into their audit plans and thereby improve the quality and reliability of their audit results. Although web services can benefit businesses greatly, it is important for business owners to understand the risks associated with their use. This report is intended to inform both CA practitioners and business owners about the implications of using web services.
Appendix 2
Figure 1 [image not reproduced]
Source:
Shin, Sang. “Secure Web services.” March 18, 2003. http://www.javaworld.com/javaworld/jw-03-2003/jw-0321-wssecurity.html (9 June 2008).
Appendix 3
Figure 2 [image not reproduced]
Source:
Microsoft Corporation. “Web Service Security.” December 2005. http://msdn.microsoft.com/en-us/library/aa480545.aspx (9 June 2008).
Figure 3 – Public key data encryption and decryption [image not reproduced]
Source:
Microsoft Corporation. “Web Service Security.” December 2005. http://msdn.microsoft.com/en-us/library/aa480545.aspx (9 June 2008).
Bibliography
Bhatia, Mohan. “Web Services Security.” Information Systems Control Journal: Volume 1 (2005): pg. 1-4. ISACA Journal. http://www.isaca.org/Content/ContentGroups/Journal1/20058/Web_Services_Security1.htm (10 June 2008).
Choi, Seunglak, Kim, Hangkyu, et al. “A framework for ensuring consistency of Web Services Transactions.” Information and Software Technology. Vol. 50, Iss. 7/8, (June 2008): pg. 684. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1474406951&sid=1&Fmt=2&clientId=16746&RQT=309&VName=PQD (10 June 2008).
Cobb, Michael. “Why Web services threats require application-level protection.” October 12, 2006. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1220615,00.html (10 June 2008).
Cooney, Patrick. “Understanding Web Services.” January 31, 2002.
http://www.alistapart.com/articles/webservices (9 June 2008).
Data, Refsnes. “Web Services Tutorial” W3Schools. 2008.
http://www.w3schools.com/webservices/default.asp (9 June 2008).
Demchenko, Yuri. Gommans, Leon. Laat, Cees de. Oudenaarde, Bas. “Web Services and Grid Security Vulnerabilities and Threats Analysis and Model.” Grid Computing. Issue 13-14 (Nov. 2005): pg. 262-267. http://ieeexplore.ieee.org/iel5/10354/32950/01542751.pdf?arnumber=1542751 (10 June 2008).
IBM: Various Contributors. “Web Services Security.” April 5, 2002.
http://www.ibm.com/developerworks/library/specification/ws-secure/ (9 June 2008).
Maamar, Zakaria. Benslimane, Djamal. “A Context-Based and Policy-Driven Method to Design and Develop Composite Web Services.” International Journal of E-Business Research. Vol. 4, Iss. 3 (Jul-Sept, 2008): Pg. 77, 18 pgs. ABI Inform. http://proquest.umi.com/pqdweb?did=1475965411&sid=2&Fmt=2&clientId=16746&RQT=309&VName=PQD (10 June 2008).
Medical Imaging Business Week. “Microsoft Corp.; Microsoft Contributes Web Services Protocol to Broaden Interoperability.” June 12, 2008. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1490264781&sid=3&Fmt=3&clientId=16746&RQT=309&VName=PQD (24 July 2008).
Merlo, Robert. “Is any industry really taking advantage of Web services today?” June 10, 2003. http://searchsoa.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid26_gci90544
Microsoft Corporation. “Web Service Security.” December 2005.
http://msdn.microsoft.com/en-us/library/aa480545.aspx (9 June 2008).
Murton, Daniel. “Web services: Useful but dangerous?” SC Security magazine. February 01, 2003. http://www.scmagazineus.com/Web-services-Useful-but-dangerous/article/30421/ (9 June 2008).
RSA, The Security Division of EMC. “RSA Security Helps Organizations Implement Secure Web Services to Achieve Competitive Advantage.” May 15, 2003.
http://www.rsa.com/press_release.aspx?id=2543 (10 June 2008).
Shin, Sang. “Secure Web services.” March 18, 2003.
http://www.javaworld.com/javaworld/jw-03-2003/jw-0321-wssecurity.html (9 June 2008).
Siddiqui, Bilal. “Web Services Security.” March 04, 2003.
http://www.xml.com/pub/a/ws/2003/03/04/security.html (9 June 2008).
Tarantilis, CD. Kiranoudis, CT. Theodorakopoulos, ND. “A Web-based ERP system for business services and supply chain management: Application to real-world process scheduling.” European Journal of Operational Research. Vol. 187, Iss. 3 (June 16, 2008): pg. 1310. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1404161561&sid=2&Fmt=2&clientId=16746&RQT=309&VName=PQD (10 June 2008).
The Apache Software Foundation. “Web Service Security.” 2005.
http://ws.apache.org/axis/java/security.html (9 June 2008).
Wireless News. “Forum Systems to Present Webinar: Techniques in Attacking and Defending SOA Web Services.” June 9, 2008. ABI Inform. http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?did=1491974861&sid=1&Fmt=