July 29th, 2008

Fortify warns of configuration weaknesses in SOA deployments

Posted by Ryan Naraine @ 8:22 am

Categories: Arbitrary Code Execution, Complex Attacks, Data theft, Exploit code, Malware, Open source, Patch Watch, Pen testing, Reverse Engineering, Vulnerability research, Web Applications

Tags: Apache Software Foundation, SOA, Application Security, Attack, Veracode, Service-Oriented Architecture (SOA), Security, Middleware, Enterprise Software, Web Services

Security code review specialist Fortify Software has issued a warning about major configuration weaknesses affecting SOA (service-oriented architecture) deployments from IBM, Microsoft and Apache.

According to Fortify, certain configurations of Apache Axis, Apache Axis 2, IBM WebSphere 6.1, Microsoft .NET Web Services Enhancements (WSE) 2.0 and Microsoft Windows Communication Foundation (WCF) can open doors to several classes of attacks — weak authentication, weak encryption, vulnerability to replay attack, XPath injection, and many other significant security vulnerabilities.

“In addition, applications that have been secured for Web attacks may still be insecure to attacks through SOA. To be clear, the frameworks themselves are secure, but they have to be appropriately configured and used in order to avoid serious security issues,” Fortify said in a statement.

Separately, rival application security testing firm Veracode has announced a strategic investment and technology advancement agreement with In-Q-Tel, a deal that provides an entry for the Boston start-up to target government clients.

[ SEE: Dan Geer joins In-Q-Tel ]

With the strategic investment, Veracode says it will accelerate specific research areas for governmental, commercial and open source applications to further enhance its subscription-based application security solutions.

Veracode’s flagship SecurityReview service is based on static binary testing technology and Web scanning analysis that assesses application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code such as hidden backdoors without exposing a company’s source code.

* Image credit: tanakawho’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
