A little clarity around my previous post of transport-level security and message-level security.
I’ll first note that neither security approach is bound to the REST or SOAP style of component interaction. There is nothing in REST that mandates transport-level security or precludes message-level security. The same is true of SOAP. That said, secure systems implemented via REST or SOAP today tend to leverage the transport-level security mechanisms inherent to HTTP/HTTPS, and a few SOAP systems leverage some subset of WS-Security. But lets take the terms “REST” and “SOAP” off the table, they’re immaterial here.
The point of the previous post was that transport-level security (TLS) and message-level security (MLS) (in their purest forms) are equally credible, and the existence of MLS does not suddenly make TLS worthless. Nor is MLS any more or less better suited to addressing the problems of phishing, identity theft, or trust than TLS is. I do contend that TLS, in the form of SSL/TLS, while not perfect, is mature and of continued value. I further contend that MLS, in the form of WSS, is also imperfect and comparatively immature — not bad, mind you, just young. MLS security provides value that TLS doesn’t, and I’m glad we have it, but the inverse is also true.
But the biggest point I need to make is that the concerns addressed by TLS and MLS are only a small subset of the total number of security concerns. Furthermore, the total universe of security threats, from organized crime and information warfare to shoulder surfing and lost laptops, is far larger than the total universe of available countermeasures, which in turn is larger than the authentication, authorization, encryption, and integrity solutions enabled by TLS and MLS. You cannot secure against every conceivable threat. Organizations have finite resources, and thus must apply threat mitigation under the rubric of risk analysis. When designing a new system, security considerations should be held paramount. A proper risk analysis in the context of the application’s function, design, and user-base must be performed, and it may indicate, for instance, that TLS or MLS or some aspects of both should be used (again, both techniques have value). But the application design must also account for a seemingly infinite number of other attack vectors (XSS, SQL injection, buffer overflows, etc.), and a proper risk analysis is the only means to determine how many resources to allocate to each conceivable threat. And, of course, security concerns extend beyond the application boundaries to securing the physical data, securing private keys, password management practices, network security, physical security, and on and on and on.
As an aside, I find the The eBankingSecurity PDF referenced in Tim’s Web Application Security post of only marginal value. It outlines the many ways that malicious code can steal user credentials or make an untrustworthy site look trustworthy. The fundamental premise is that if a client machine is compromised, then the game’s up. This is very true, but what to do about it? The paper doesn’t say. And therein lies the flaw, there’s no risk assessment or recommendations for how to proceed. It’s good that banks have their consciousness raised and are made aware that some of the security features they’ve come up with are not 100% effective. But what should they do? Fold up shop and go home?
And “the never-mentioned weakness of SSL” is anything but. It requires that the black hats rewrite your host file and install a trusted root certificate of their own making. This is not a weakness of SSL, it’s a weakness of any system that is based on trust, which, ultimately, they all are, including WSS and PGP. I fail to see how any TLS or MLS system can protect against this. I mean once your machine is 0wn3d, its 0wn3d. It’s up to the vendors of operating systems and browsers and security software to make it as difficult as possible for this to happen. But ultimately it’s up to the user to be educated enough to keep his or her machine secure.
{ 3 } Comments
I’m going to chime in and extend this to say that good security is “too hard”.
Military grade authentication/encryption systems for what we do is an absolute overkill (reporting app with web-services back ends on an intranet), and yet if we do anything less, it’s not secure anyway, because a dedicated hacker can get in and get the crown jewels.
We use ssl and hashing some, but overall the security is hodgepodge, accumulated layers over years of initiatives that have left things in a worse state than no security at all.
Ultimately, the approach we take is to just watch everything. Yes we use automated tools as watchmen, and we watch those too. It’s easier to watch things that aren’t cryptic to the naked eye.
Security tool vendors, in my opinion, fail to address the “but how to we find out if a hacker _does_ break into the system” question. Between private keys, public keys, certificates, encapsulated encrypted payloads, there is nothing that stands out to the eye as being out of place. Unlike, for example, an standards web server log, on which all kinds of attacks can be spotted by a diligent human.
Ultimately, if a system does not allow a human with brain and eyes to supplement the software, it cannot be secured.
Finally, web services in production environments with mutliple database types, a hybrid os environment, and integration of very many issues ((x)html, css, dhtml, cross-browserness, differing sql dialects, stored procedures, different languages (Java, .Niet, pyhton, perl, php, ruby and plain old shell scripts, with ASP and VBS) piled up on top of win2k, xp, vista, win2k3, solaris 9 and all the IBM mainframe stuff I don’t even know enough to rant about ( I knowo there’s some COBOL in there), along with FTP, SSH, EDI and XML-RPC, and now SOAP, with different client machines setups, (Novell NAL, Citrix, and other beasts of the kind), you can imagine how hard it is to get anything to work well enough to be productionalized to 10,000 users. (sprinkle Oracle 10, MSSQL and mySQL, plus a couple wikis (twiki and mediawiki) for good measure.)
Add security on top of all that? Hello? Houston to Earth: We have a Problem.
Let me tell you how it all happens in the trenches of IT (in a fortune 200 no less): like it did in the trenches in France in 1917: With blood and gore and screams of agony through mind-numbing boredom punctuated with episodes of utter terror.
Things have to get simpler.
Christopher: Are you blogging? You should be.
Pete,
I have a 1.5 year old boy. Not enough time to blog.
Thanks though.
{ 3 } Trackbacks
[...] This morning Pete Lacey said, “There is nothing in REST that mandates transport-level security or precludes message-level security“. Guess what, it turns out that Pete is right. I’ll take it a bit further and say that WS-* and REST are both equally secure and insecure to exactly the same degree. [...]
[...] The REST vs WS wars continue. Pete Lacey has an insightful post on RESTful Security, and a further clarification: Clarity Around Security. [...]
Pete Lacey’s WS-Criticism…
In this interview, Pete Lacey, who recently became well-known in the SOA community because of a series of blog posts starting with a very funny one entitled S stands for Simple (which was covered at InfoQ as well), talks to InfoQ’s Stefan Tilkov …
Post a Comment