Tuesday, February 2, 2010

How to use SOAPbox to send attack vectors to a Web Service for vulnerability assessment / penetration testing

SOAPbox is a handy tool for testing a Web Service. It does stress testing, functional testing, authentication testing (e.g. handling mutual SSL), and vulnerability assessment. The vulnerability assessment piece is provided by the "attack vector" feature. You can access the attack vector functionality in the SOAPbox product by following these steps:

Firstly if you don’t have it already, download a free copy of SOAPbox from http://www.vordel.com/products/soapbox/

Next, in the “Classic” mode of SOAPbox (selected using the tabs in the top-right), load in the WSDL of the service you want to test (using the icon shown in the “WSDL_Import” screenshot attached). This will allow you to load in a particular operation of the WSDL.

Press the green triangular “play” button on the SOAPbox toolbar to send the request through once, to make sure it is hitting the Web Service. You should see a response in the right-hand side “Response” area. Now, you have tested it without the security vectors being inserted.

Now switch over to the “Design Mode” in SOAPbox. Make a new test suite and a test case. It should now look like the attached “SOAPbox-configured” screen.

Press on the test case and choose “Add SOAP Message”. You can copy and paste the example SOAP message in here, under the “Body content” tab. This is the SOAP message you’ll be automatically inserting security vectors into.

Next, use the tab at the bottom of the screen to choose “Security Vectors”. On the left you’ll see a list of Security Vectors to add, such as SQL Injection and XPath Injection, and on the right you’ll see a tree-view of the message. Drill into this tree-view and choose where in the message to place the security vectors. Now send the message by pressing the green triangular arrow once more. You will see the test input and the response on the right-hand side of the screen.
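To make concrete what happens once a vector lands in the chosen element, here is an added example (not part of the original post, and not SOAPbox code) that does in a few lines what the steps above do through the GUI: it takes a constructed baseline SOAP request, replaces the text of one element with each vector, sends the result to a toy service, and classifies how the response differs from the baseline. The service is shown twice: a version that concatenates the field into SQL (which is what the SQL Injection vectors are probing for) and a hardened version that validates the field and binds it as a query parameter. The namespace, the in-memory accounts table and the three vectors are all constructed for the demo.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.invalid/accounts"   # constructed namespace for the toy service

# Constructed baseline request: stands in for the message pasted into the "Body content" tab.
BASELINE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <acc:getAccount xmlns:acc="{SVC_NS}">
      <acc:username>alice</acc:username>
    </acc:getAccount>
  </soap:Body>
</soap:Envelope>"""

# Location in the message tree where the vector is placed (the "drill into the tree-view" step).
USERNAME_PATH = f"./{{{SOAP_NS}}}Body/{{{SVC_NS}}}getAccount/{{{SVC_NS}}}username"

# Three textbook SQL injection strings, constructed here to stand in for the tool's SQL Injection category.
SQL_VECTORS = ["'", "' OR '1'='1", "alice' --"]


def inject_vector(envelope_xml, element_path, vector):
    """Return a copy of the envelope with the text of the element at element_path replaced by vector."""
    root = ET.fromstring(envelope_xml)
    target = root.find(element_path)
    if target is None:
        raise ValueError(f"no element at {element_path}")
    target.text = vector          # ElementTree escapes <, > and & on serialisation; quotes pass through
    return ET.tostring(root, encoding="unicode")


def extract_username(envelope_xml):
    """What the service does with the request: pull the username out of the body (None if absent)."""
    return ET.fromstring(envelope_xml).findtext(USERNAME_PATH)


def make_db():
    """Constructed in-memory table standing in for the service's backing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def vulnerable_handler(conn, envelope_xml):
    """Builds the query by string concatenation, so the vector becomes part of the SQL."""
    username = extract_username(envelope_xml)
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def hardened_handler(conn, envelope_xml):
    """Validates the field against an allow-list and binds it as a parameter; the vector never reaches the SQL parser."""
    username = extract_username(envelope_xml)
    if username is None or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return conn.execute("SELECT username, balance FROM accounts WHERE username = ?",
                        (username,)).fetchall()


def run_vectors(handler, vectors, element_path=USERNAME_PATH):
    """Send the baseline, then each vector, and classify how each response differs from the baseline."""
    conn = make_db()
    baseline = handler(conn, BASELINE_REQUEST)
    results = {}
    for vector in vectors:
        request = inject_vector(BASELINE_REQUEST, element_path, vector)
        try:
            response = handler(conn, request)
        except sqlite3.Error:
            results[vector] = "SQL_ERROR"          # backend error surfaced: the input reached the SQL parser
        except ValueError:
            results[vector] = "REJECTED"           # input validation stopped the request
        else:
            if len(response) > len(baseline):
                results[vector] = "MORE_ROWS_THAN_BASELINE"   # data returned that the baseline never showed
            elif response == baseline:
                results[vector] = "SAME_AS_BASELINE"
            else:
                results[vector] = "DIFFERENT"
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, run_vectors(handler, SQL_VECTORS))
```

The two signals worth looking for in the responses are exactly the ones this harness labels: a backend error coming back for a lone quote, and more rows than the baseline for the tautology. Against the hardened handler every vector is rejected before any SQL runs, which is the outcome a vulnerability assessment should be confirming.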

Monday, February 1, 2010

Looking back to 2009, and brokering the Cloud for 2010

I'm pleased to report that Vordel today announced "a record increase in annual revenues and net income for 2009 with overall revenues up almost 80% on the previous year. Vordel added an additional 32 enterprise customers to its global user base validating Vordel's position as the premier provider of SOA and Cloud Governance products".

You can read more details at the news outlets below:



If you read down through the news details, you can see that a key offering for Vordel in 2010 is the Cloud Service Broker. We are now seeing the category of the Cloud Service Broker begin to emerge, and it is as exciting as the early days of the XML Gateway. It is exciting to work with early adopters who are gaining an edge on their competition, and exciting to see analysts and journalists covering the sector. Linda Leung over at Data Center Knowledge has written a piece which pulls together a very useful list of Cloud Brokers, and provides the following commentary based on Gartner:

Gartner defines three opportunities for cloud brokers:

* Cloud Service Intermediation: Building services atop an existing cloud platform, such as additional security or management capabilities.

* Aggregation: Deploying customer services over multiple cloud platforms.

* Cloud Service Arbitrage: Brokers supply flexibility and “opportunistic choices” – and foster competition between clouds.

http://www.datacenterknowledge.com/archives/2010/01/22/cloud-computing-brokers-a-resource-guide/

This is a good overview of what Cloud brokers will be doing in 2010, as organizations continue to adopt Cloud-based services. Vordel is at the forefront of this. Watch this space...

Wednesday, January 27, 2010

AAA as Chess

These paragraphs by Gunnar Peterson in a larger blog post deserve a blog post of their own:
Chess has some lessons to teach us here. Chess has three main stages - the Opening (where vast analysis is applied to the various opening strategies: the Sicilian, Ruy Lopez and so on), the Middle game (which is chaotic), and the End game (strategies to capture the opponent's King). Each stage in the game has a unique set of strategies that are related but separate from the other stage strategies.

A Chess match is not one side dictating rules and the other side simply moving, instead it's a synthesis of each side trying various gambits that result in unique permutations from match to match. The nature and structure of these permutations are not possible to calculate effectively beyond a certain point so pattern recognition must be used.

Coming full circle back to infosec, the best we can hope for is a good design that facilitates a good Opening game followed by a stream of events and logs that enable effective middle and end games. I think of AAA access control technologies as Opening Game strategies - many people think of Kerberos and other ticketing systems as security, but really they just establish the initial ruleset for operations, the real game begins once they're in place, in use, and under attack. The structure used at the opening does not dictate all or maybe even most of the events that occur in the middle and end game.

Following through the analogy - once the Opening game (authentication) has passed, then identity can survive in the chaotic Middle game by propagating verifiable identity (or attributes) in the transaction (which Gunnar covered back in 07). Then the End game is when, at the endpoint, a fine-grained authorization decision can be made based on identity and attributes. The key, like in chess, is not to only perfect the Opening game and then just hope for the best.

Thursday, January 21, 2010

Running the Vordel XML Gateway on Sun Solaris

Running the Vordel XML Gateway on Sun Solaris is very straightforward, in fact not much different than running on Windows or Linux.

First, download the SunOS version of the Vordel Gateway from here (you'll need a Vordel Extranet account first. If you're a Vordel partner or customer already then you'll have one. Otherwise email info@vordel.com to ask for one).

Decompress the installation package using a command like this, substituting the downloaded file name as appropriate:

prompt# gunzip -c [DownloadedFileName].tar.gz | tar xvf -

Now run the Vordel XML Gateway once, and you will see the host-based license information. Email this to licenses@vordel.com and we'll issue you a license.

You're all set then to connect up to the Gateway and start working with policies.

Here are some case studies of Vordel's XML Gateway on Sun hardware:
  • The Spanish Government case study on the Vordel Website describes a case study of a Vordel XML Gateway deployed on Sun Solaris in front of Web Services which provide government services
  • Mazda uses Vordel Gateways on Sun hardware for communications with car dealers and partners. The goal is to improve business efficiency at dealerships and head office by reducing the double keying of information, and to provide streamlined access to multiple sources of information via one interface. A full case study is available on the Vordel website.

Wednesday, January 20, 2010

XML - the soft underbelly of the Cloud

I'm giving a talk at the RSA Conference in March about the continuing usage of XML as an attack path into Cloud services. Many Cloud services include WSDLs and XML-consuming services. Although XML has now been around a long time, attacks making use of XML are surprisingly resilient (or maybe not surprising at all, given that SQL Injection has also been known about for a long time). The Cloud just provides a much larger attack surface.

As I've written before, a cloud service broker is the way to augment security and compliance in front of the Cloud service itself. But, in order to protect the "soft underbelly of the Cloud", Cloud service providers themselves will realize in time that their corporate customers would like the broker effectively baked in at the edge.

So, hope to see you at RSA! This year it's earlier than usual, at the start of March, in San Francisco's Moscone Center.

Friday, January 15, 2010

All the Web’s an API

I've written a "guest view" article for SD Times about the usage of API Keys in Web/Cloud APIs. API keys seem like a simple way to manage access to a Web API, but if the authentication scheme is not secure then they are dangerously simple (or simply dangerous). A key part of Cloud security is effective management of API key based authentication.

The article is here:

http://www.sdtimes.com/GUEST_VIEW_ALL_THE_WEB_S_AN_API/By_MARK_O_NEILL/About_APIS_and_CLOUDCOMPUTING_and_SECURITY/34049

Wednesday, January 13, 2010

Vordel is Hiring!

Vordel is currently hiring developers, support engineers, QA engineers, and technical writers. Here is the scoop:

Got your head in the clouds? Then Vordel has a job for you!

Vordel is a world leader in the design, development and delivery of enterprise products to enable leading global corporations and governments control their SOA and Cloud-based computing environments. Customers include Allianz, ASR Nederland, BNP Paribas, Ericsson, Mazda, QPass, Telefonica, Telecom Italia Mobile, the European Union, Spanish Government, UK Government, US Federal and State Governments and many others.

Join our team and help build game-changing technology for the world's leading enterprises and national governments worldwide.

We're constantly on the look-out for the right kind of people to join our team and if you are passionate, dedicated and prepared to work hard to achieve your goals then we can offer you a fulfilling career path.

Currently we have vacancies in the following areas:

Senior Development Engineers - Dublin, Ireland
Support Engineers - Dublin, Ireland
QA Engineers - Dublin, Ireland
Technical Writers - Dublin, Ireland


If you believe you have what it takes to make a difference then send your resume/CV to openvacancies@vordel.com

Vordel is an Equal Opportunities Employer.

Tuesday, January 12, 2010

Building Trust in the Cloud

Knowledge Management World has an interesting article this week on "Building Trust in the Cloud".
Users of individual SaaS products have generally become confident that their vendor is proficient in maintaining security, ensuring that data is backed up and carrying out other support tasks. However, venturing more broadly into “the cloud,” where many applications may be used as services, is a different matter; establishing trust with numerous third-party suppliers is a complex process.

To help address the problem, Vordel introduced the Vordel Cloud Service Broker in November 2009. It manages multidomain cloud services by registering them in a single repository to facilitate monitoring and policy enforcement. Cloud Service Broker also optimizes performance by providing caching, acceleration and data transformation.
http://www.kmworld.com/Articles/ReadArticle.aspx?ArticleID=60342&PageNum=1

The article goes on to describe some early adopters of the Vordel Cloud Service Broker. It gives an example of an organization applying control to services used in the Amazon cloud.

It is worth contrasting the Cloud Service Broker approach with previous "SOA Governance" approaches. With "SOA Governance", an organization would apply policies to its internal services. However, a business depends on more than just its internal services. The approach of the Cloud Service Broker is to apply control to all the services which a business depends upon. So, these are not only internal services, but also services in the Cloud.

Monday, January 11, 2010

Running the Vordel XML Gateway on Oracle VM

XML Gateways are generally available as hardware-only, software-only, or with the option of hardware or software. One of the great advantages of the software option is that it means the XML Gateway can be deployed in a virtualized environment. However, XML Gateways which are available as software but require a hardware card for performance are not good candidates for virtualization. Only if the Gateway has inherent acceleration capabilities, which are not hardware dependent, can it be successfully virtualized without a loss in performance.

The following table shows the three different categories of XML Gateways, and their suitability for virtualization:

XML Gateway category                                       | Suitability for virtualization
-----------------------------------------------------------|--------------------------------
Hardware only                                              | Not suitable for virtualization
Software with reliance on hardware card for acceleration   | Not suitable for virtualization
Software with no hardware dependencies                     | Suitable for virtualization

Since it is available as software as well as an appliance, the Vordel XML Gateway is well-suited to running in a virtualized environment. A purely hardware-based product, or a product which depends on a third-party hardware component such as a Tarari card for its performance, can't map to a virtualization environment. By contrast, the Vordel Gateway does not include hardware dependencies which would hobble it in the virtualization arena.

Oracle VM is a great example of a Xen-based virtualization platform which is well-suited to running the Vordel XML Gateway. Setting up the Vordel XML Gateway on Oracle VM is straightforward. To run the Vordel XML Gateway on Oracle VM, I created a Vordel installation on an Oracle VM template running Oracle Enterprise Linux v5 with 1GB memory and 4GB hard drive.

I used Oracle VM Manager to spin up the template. Oracle VM Server then creates a virtual machine which (in this case) retrieves an IP address via DHCP and shows up on my network as 10.10.1.106. Now, I can access it just like any Vordel Gateway instance:

This means that I can now monitor the Vordel Gateway on Oracle VM:



I can manage its policies using Policy Studio, by connecting to the Oracle VM instance:



And I can test the Vordel Gateway on Oracle VM using SOAPbox:



To test the Vordel Gateway on Oracle VM, grab a copy of the Vordel Gateway and Oracle VM and get testing!

Tuesday, January 5, 2010

Congratulations to Burton Group

Looking down my blogroll earlier today, I see "A message from Jamie Lewis". Jamie is the CEO of Burton Group, and always worth listening to, especially at his Catalyst talks. So, I click on the link and read that Burton has been acquired by Gartner! Analyst consolidation continues into 2010...

Congratulations to all at Burton, especially Richard Watson who spoke at Vordel's conference last November, Anne Thomas Manes whose views on SOA are quite literally a matter of life and death, and Phil Schacter who has been tracking Vordel since 2001.

Thursday, December 31, 2009

Who do you trust to meter the Cloud?

Tom Raftery at Greenmonk (the green shoot from Redmonk) has a great analysis of the disastrous use of smart meters by PG&E in Bakersfield, California.

He quotes SmartMeters.com that:
Bakersfield residents believe their new smart meters are malfunctioning because their bills are much higher than before. PG&E claims higher bills are due to rate hikes, an unusually warm summer, and customers not shifting demand to off-peak times when rates are lower.
http://www.smartmeters.com/the-news/682-lawsuit-filed-against-pgae-for-smart-meter-overcharges.html

In the same story on smartmeters.com, State Senator Dean Florez, the Majority Leader in California, is quoted as saying “People think these meters are fraud meters. They feel they’re being defrauded. They’re getting no benefit from these things.”

This after $2.2b (yes, billion) was spent on the project.

Tom Raftery goes on to say:
One of the advantages of a smart grid is that the two way flow of information will allow utilities to alert customers to real-time electricity pricing via an in-home display. PG&E have not rolled out in-home displays with their smart meters, presumably for cost reasons. If they lose the class-action law suit, that may turn out to have been an unwise decision.
http://greenmonk.net/pge-smart-meter-communication-failure/
There is a better way, however:
What PG&E should have is a system where customers can see their electrical consumption in real-time (on their phone, on their computer, on their in-home display, etc.) but also, in the same way that credit card companies contact me if purchasing goes out of my normal pattern, PG&E should have a system in place to contact customers whose bills are going seriously out of kilter. Preferably a system which alerts people in realtime if they are consuming too much electricity when the price is high, through their in-home display, via SMS, Twitter DM, whatever.
http://greenmonk.net/pge-smart-meter-communication-failure/
So what has this got to do with Cloud Computing? Quite a lot, actually. Customers of Cloud services right now depend on the "meters" being provided by the service providers themselves. Just like the PG&E customers in Bakersfield. This means that they depend on the service provider itself to tell them about usage and pricing. There isn't an independent audit trail of usage. The meter also locks the customer into the service provider.

A Cloud Service Broker addresses these issues. It is not a coincidence that much Cloud Service Broker terminology carries over from the world of utilities - it is solving the same problem:
Data transfer to cloud computing environments must be controlled, to avoid unwarranted usage levels and unanticipated bills from over usage of cloud services. By providing local metering of cloud services' usage, local control is applied to cloud computing by internal IT and finance teams.
http://www.vordel.com/solutions/cloud.html

The Cloud Service Broker analyzes traffic and provides reports as well as an audit trail. Reports include usage information in real-time, per hour, per day, and per service. Reports are based on messages and based on data. Visibility is key. This is all independent of an individual Cloud service provider. It is easy to imagine how useful this would be in conjunction with Amazon's spot pricing (see a great analysis of Amazon's spot pricing by James Urquhart here).

The lesson from the Bakersfield debacle is that customers of services, whether utilities or Cloud services, need real-time visibility of their usage, real-time visibility of costs, as well as an independent audit trail. In the Cloud world, this is provided by a Cloud Service Broker.
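As an added illustration of the metering described above (example code written for this post, not Vordel product code), the following takes a handful of constructed broker access-log lines, builds the per-service, per-hour and per-day message and byte counts independently of the Cloud provider, and applies the smart-meter lesson by flagging any service-hour that goes out of kilter before the bill arrives. The log format, service names and threshold are all assumptions made for the demo.

```python
from collections import defaultdict

# Constructed broker access-log lines: timestamp, service, operation, bytes. Not a real Vordel log format.
BROKER_LOG = """\
2010-01-04T09:12:01Z storage.example-cloud PUT 524288
2010-01-04T09:40:13Z storage.example-cloud PUT 1048576
2010-01-04T10:05:44Z storage.example-cloud GET 4096
2010-01-04T10:07:02Z compute.example-cloud POST 2048
2010-01-04T10:31:50Z storage.example-cloud PUT 3145728
2010-01-04T11:02:10Z compute.example-cloud POST 1024
"""


def parse_log(text):
    """Yield (timestamp, service, operation, bytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, service, op, size = parts
        yield ts, service, op, int(size)


def usage_report(text):
    """Independent usage figures: messages and bytes per service, bucketed per hour and per day."""
    hourly = defaultdict(lambda: {"messages": 0, "bytes": 0})
    daily = defaultdict(lambda: {"messages": 0, "bytes": 0})
    for ts, service, _op, size in parse_log(text):
        # ts[:13] is "YYYY-MM-DDTHH", ts[:10] is "YYYY-MM-DD"
        for bucket, key in ((hourly, ts[:13]), (daily, ts[:10])):
            entry = bucket[(service, key)]
            entry["messages"] += 1
            entry["bytes"] += size
    return {"hourly": dict(hourly), "daily": dict(daily)}


def usage_alerts(report, bytes_per_hour_limit):
    """Flag every service-hour whose data volume exceeds the limit the IT or finance team set."""
    return sorted(
        (service, hour, entry["bytes"])
        for (service, hour), entry in report["hourly"].items()
        if entry["bytes"] > bytes_per_hour_limit
    )


if __name__ == "__main__":
    report = usage_report(BROKER_LOG)
    for (service, day), entry in sorted(report["daily"].items()):
        print(day, service, entry)
    print("alerts:", usage_alerts(report, 2_000_000))
```

Because the figures come from the broker's own view of the traffic, they stand on their own as an audit trail when the provider's invoice is disputed, which is the independent meter the Bakersfield customers were missing.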

Wednesday, December 30, 2009

What is a Security Token Service and what does it do?

The term Security Token Service is often bandied around, but clear examples of an STS in action tend to be lacking. Here is a video I've put together of an STS in action, including examples of the WS-Trust RequestSecurityToken / RequestSecurityTokenResponse messages.

The video shows the usage of an STS in conjunction with an XML Gateway (in fact the Vordel XML Gateway includes an STS built-in):



It also shows how SOAPbox can be used to call an STS using the RST/RSTR messages:



And we see the SAML assertions, returned from the STS, embedded into SOAP messages:



Check the video out for yourself at:
http://www.vordel.com/research/Security_Token_Service.html
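Since the post notes that worked examples of RST/RSTR messages are hard to find, here is an added one (example code written for this post; it is not the Vordel STS, and the messages are not taken from the video). Both sides of the WS-Trust 1.3 exchange are shown: the client builds a RequestSecurityToken asking for a SAML 2.0 token scoped to a service, a stand-in STS answers with a RequestSecurityTokenResponse carrying the assertion, and the client embeds that assertion in the wsse:Security header of its service request. The stand-in STS issues an unsigned assertion for readability; the issuer name, service address and subject are constructed, and a real STS would sign the assertion so the endpoint can verify it.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"          # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE = WST + "/Issue"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Constructed service request that the client wants to secure with the issued token.
SERVICE_REQUEST = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
                   '<getAccount xmlns="urn:example:accounts"><username>alice</username></getAccount>'
                   '</soap:Body></soap:Envelope>')


def build_rst(token_type, applies_to):
    """Client side: a RequestSecurityToken (Issue) asking for token_type scoped to the applies_to address."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(env, encoding="unicode")


def mock_sts(rst_xml, subject):
    """Stand-in STS: checks the RST and answers with an RSTR carrying an unsigned SAML 2.0 assertion."""
    root = ET.fromstring(rst_xml)
    rst = root.find(f"./{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken")
    if rst is None or rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("only Issue requests are supported by this stand-in")
    audience = rst.findtext(f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rstr = ET.SubElement(body, f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = rst.findtext(f"{{{WST}}}TokenType")
    requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    assertion = ET.SubElement(requested, f"{{{SAML2}}}Assertion",
                              {"ID": "_constructed-assertion-1", "Version": "2.0"})
    ET.SubElement(assertion, f"{{{SAML2}}}Issuer").text = "urn:example:sts"   # constructed issuer
    subj = ET.SubElement(assertion, f"{{{SAML2}}}Subject")
    ET.SubElement(subj, f"{{{SAML2}}}NameID").text = subject
    conditions = ET.SubElement(assertion, f"{{{SAML2}}}Conditions")
    restriction = ET.SubElement(conditions, f"{{{SAML2}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML2}}}Audience").text = audience   # token is bound to the requested service
    return ET.tostring(env, encoding="unicode")


def embed_assertion(rstr_xml, service_request_xml):
    """Client side: lift the assertion out of the RSTR and place it in a wsse:Security header of the request."""
    assertion = ET.fromstring(rstr_xml).find(f".//{{{WST}}}RequestedSecurityToken/{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    req = ET.fromstring(service_request_xml)
    header = req.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        req.insert(0, header)   # Header must precede Body
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    security.append(assertion)
    return ET.tostring(req, encoding="unicode")


def assertion_summary(secured_request_xml):
    """Endpoint side: (subject, audience) from the assertion in the security header, for the authorization decision."""
    root = ET.fromstring(secured_request_xml)
    a = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML2}}}Assertion")
    if a is None:
        return None
    return (a.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID"),
            a.findtext(f"{{{SAML2}}}Conditions/{{{SAML2}}}AudienceRestriction/{{{SAML2}}}Audience"))


if __name__ == "__main__":
    rst = build_rst(SAML2_TOKEN_TYPE, "https://accounts.example.invalid/service")
    rstr = mock_sts(rst, "alice")
    print(assertion_summary(embed_assertion(rstr, SERVICE_REQUEST)))
```

The AudienceRestriction is the part an XML Gateway sitting in front of the service should check alongside the signature: a token issued for one service must not be accepted by another, which is what makes the propagated identity verifiable at the endpoint rather than merely present.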