Protocols
SOAP security discussion
00:50, 4 Jul 2000 UTC | Edd Dumbill

Open source developer web site Advogato has been discussing SOAP, in response to Bruce Schneier's concerns about its security.

What concerns security expert Schneier is the ability of SOAP to penetrate firewalls:

Firewalls have good reasons for blocking protocols like DCOM coming from untrusted sources. Protocols that sneak them through are not what's wanted.

In the Advogato discussion, SOAP finds few friends save for Fredrik Lundh, an implementor of both XML-RPC and SOAP libraries for Python. He writes:

in practice, SOAP is nothing more than an embellished CGI request ... that's no different from a CGI form ... if there's a hole in the *underlying* software, someone will come up with a way to use that. nothing new here.

Despite the conscious move away from a pure HTTP transport in the most recent version (1.1) of the SOAP specification, SOAP's ability to carry RPC through firewalls remains one of its most prominent features, whether cited in its favour or against it.

Jon Zeppieri notes that SOAP is larger than just RPC and that we will need new levels of security to deal with it:

The problem isn't that SOAP somehow magically makes HTTP (the actual protocol) less secure than it has always been, but that it is a considerably more sophisticated use of HTTP and therefore requires a more sophisticated security model than the one we normally apply to HTTP traffic. I think that is what Schneier is reacting to: letting distributed objects play in the security space that we normally reserve for simple document retrieval and catalog sales is not smart.
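Zeppieri's point, that an IP/port firewall cannot tell a document fetch from an RPC call because both are "HTTP to port 80", is easiest to see in code. The following is an added example, not part of the original article or of any product it mentions: a minimal content-level policy check of the kind a SOAP-aware gateway applies, parsing the SOAP 1.1 envelope and allowing only operations on an allowlist. The namespace `urn:example:catalog`, the operation names and the sample envelopes are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
MAX_BODY_BYTES = 64 * 1024  # cap before parsing; oversized or entity-heavy XML is a content-layer risk

# Hypothetical allowlist of (namespace, operation) pairs this endpoint is meant to expose.
ALLOWED_OPERATIONS = {("urn:example:catalog", "GetPrice")}

# Constructed sample envelopes: one operation that should pass, one that should not.
GET_PRICE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:GetPrice xmlns:m="urn:example:catalog"><m:Item>Widget</m:Item></m:GetPrice></soap:Body>
</soap:Envelope>"""
PURGE_CATALOG = GET_PRICE.replace(b"GetPrice", b"PurgeCatalog")

def soap_operation(body: bytes):
    """Return (namespace, local-name) of the first soap:Body child, or None if not a SOAP 1.1 envelope."""
    root = ET.fromstring(body)  # raises ET.ParseError on malformed input
    if root.tag != f"{{{SOAP_ENV_NS}}}Envelope":
        return None
    soap_body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    tag = soap_body[0].tag  # ElementTree renders qualified names as '{ns}local'
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def check_request(method: str, headers: dict, body: bytes):
    """Decide whether an HTTP request may reach the backend; returns (allowed, reason)."""
    # A port filter sees every request here as 'HTTP to port 80'; the checks below are the
    # content-level policy that separates document retrieval from a remote procedure call.
    if method == "GET":
        return True, "document retrieval"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "soapaction" not in hdrs:  # SOAP 1.1 over HTTP requires the header, even if empty
        return False, "missing SOAPAction header"
    try:
        op = soap_operation(body)
    except ET.ParseError:
        return False, "malformed XML"
    if op is None:
        return False, "not a SOAP 1.1 envelope"
    if op not in ALLOWED_OPERATIONS:
        return False, f"operation {op[1]} not in allowlist"
    return True, f"allowed operation {op[1]}"
```

In production the parsing step should use a hardened XML parser (for example defusedxml) rather than the stdlib one; the size cap here only bounds the obvious case.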

HTTP HTTPS HTML XML SOAP security discussion (Roboo - 20:47, 19 Mar 2004)

Web Security Gateway (Firewall/Intrusion Prevention)
- Secures Web (HTTP/HTTPS/HTML/XML/SOAP) access to backend apps
- Instantly shifts and offloads Web monitoring/management burdens
- Monitors/controls Web message traffic, business activities, and user behaviors
- User authentication/authorization/access control (AAA) policy center
- Generates single sign-on (SSO) security tokens using SAML standard
- XML-encryption/XML-signature for privacy, integrity, non-repudiation
- Content filtering for viruses/worms, message schema/size/origin/DoS
- Supports HTML/XML/SOAP, HTTP/HTTPS, WS-Security, SAML

Central Management/Control/Monitoring
- Centrally control, monitor, analyze, manage your apps, services, devices
- Console logging, file logging, alerting, reporting, usage-pattern analytics
- Central aggregation/correlation of events from all deployments
- Central analysis for automated response with low rate of false alarms
- Central configuration and administration using XML-based policy-files

Roboo - Secure Web Application Gateway (roboo - 03:49, 15 Feb 2004)

Roboo - Secure Web Application Gateway
- Automatically enables web (HTTP/HTTPS/HTML/XML) access to your apps
- Instantly shifts/offloads 24x7 web security/monitoring/management burdens
- Monitors/controls Web message traffic, business activities, and user behaviors
- User authentication/authorization/access control (AAA) policy center
- Generates single sign-on (SSO) security tokens using SAML standard
- XML-encryption/XML-signature for privacy, integrity, non-repudiation
- Content filtering for viruses/worms/spams, schema/size/origin/DoS
- Supports HTML/XML/SOAP, HTTP/HTTPS, WS-Security, SAML
- Automated control and response to in/out traffic based on policies
- Console/file logging, alerting, reporting, auditing, usage-pattern analytics
- Central aggregation/correlation/analysis of events for low false-alarm rate
- Central management for flexible configuration and easy administration

> Re: Roboo - Secure Web Application Gateway (Muppets - 09:30, 13 Apr 2004)


Roboo: Web Applications/XML Web Services Security Gateway (Roboo - 20:54, 4 Feb 2004)

Roboo: Web Applications/XML Web Services Security Gateway
- Automatically enables, protects and monitors web apps/services
- Instantly shifts web security/monitoring/management burdens to Roboo
- Monitors Web message traffic, business activities, and user behaviors
- User authentication/authorization/access control (AAA) policy center
- Generates single sign-on (SSO) security tokens using SAML standard
- XML-encryption/XML-signature for privacy, integrity, non-repudiation
- Content filtering for viruses/worms/spams, schema/size/origin/DoS
- Supports HTML/XML/SOAP, HTTP/HTTPS, WS-Security, SAML
- Automated control and response to in/out traffic based on policies
- Console/file logging, alerting, reporting, auditing, usage-pattern analytics
- Central aggregation/correlation/analysis of events for low false-alarm rate
- Central management for flexible configuration and easy administration

SOAP Firewall, XML Firewall, SOAP/XML Firewall, XML/SOAP firewall (Roboo - 03:31, 3 Dec 2003)

Roboo: Automated Instant XML/SOAP Security
- Automatically builds security gateway to protect web services/apps
- Instantly shifts your SOAP/XML security burden to ready-to-use Roboo
- Monitors request/response message traffic and business activities
- Centralized authentication/authorization/access control (AAA) policy
- Generates single sign-on (SSO) security tokens using SAML standard
- XML-encryption/signature for privacy, integrity, non-repudiation
- Traffic filtering and deep content analysis (schema/size/origin/DoS)
- Supports XML web services security standard WS-Security
- Load balancing and session state caching for server cluster/web farm
- Logging, reporting, alerting, and service-usage business analytics
- Centralized policy administration GUI tool for local or remote use

Roboo: SOAP Firewall, XML Firewall, SoapFirewall, XmlFirewall (Roboo - 20:16, 29 Sep 2003)

Roboo: SOAP Firewall, XML Firewall, SoapFirewall, XmlFirewall
- Automatically builds a security gateway to protect XML web services
- Instantly shifts your SOAP/XML security burden to ready-to-use Roboo
- Monitors, inspects, controls request/response traffic streams
- Centralized authentication/authorization/access control management
- Generates single sign-on (SSO) security tokens using SAML standard
- XML-encryption/signature for privacy, integrity, non-repudiation
- SOAP/XML message traffic filtering and content analysis
- Validates XML schema, message size/source/DoS (Denial of Service)
- Log, alert, report, usage statistics, rules/patterns discovery
- Centralized policy administration GUI for local or remote use
- Supports XML web services security standards SAML, WS-Security

Re: SOAP security discussion (Roboo - 20:05, 9 Sep 2003)

It is infeasible to expect application developers to be security experts too. So we must rely on external SOAP firewalls and XML gateways like Roboo (http://www.roboo.com). Roboo: Web Services Security Solution - Firewall, Encryption, Signature, Intrusion Prevention

Re: SOAP security discussion (Phil Johnston - 22:03, 13 Jan 2003)

Check out the SOAP firewall (http://www.datapower.com/products/xs40.html) and XML security gateway from DataPower; it provides web services security with no code changes. Of course applications should also be secure, but often it is not practical to secure everything at the host itself. That's why traditional IP firewalls became necessary.

Re: SOAP security discussion (Dennis - 19:56, 24 May 2002)

This is a bit unrealistic. There will always be hackers/thieves/crackers. They will not go away. As software developers it is our responsibility to secure our programs from unauthorized/unintended use.

I have yet to see a way to fully secure the SOAP protocol. At this point all we can do is use SSL to encrypt our data across the wire, use our firewall software to deny all IPs to our web service that we don't want to access our software interface (allow those that we do), and pass in a unique identifier to all functions validating security/access level/id.

Bottom line. Think about security before you begin coding, think about security while coding, and think about security after implementation. Be a hacker, think like a hacker, and maybe you will write a program that is difficult to hack.

Re: SOAP security discussion (Anonymous Hero - 18:16, 12 Aug 2001)

To address security problems is to attack only symptoms of a much deeper problem.

The root of all these security problems is that people want to act maliciously. This is what we must stop.

(( random philosopher ))
