Ravi Razdan has a piece on CNET about the security of Web Services. It illustrates many of the security problems people are having, not just with Web Services but with any application that is directly or indirectly available on the Internet:
But in their rush, an important data security issue is being ignored: Confidential information is vulnerable to malicious employees or hackers because customer data, which gets stored in applications or databases operated by the Web services provider, still exist in clear or unencrypted form....
... Most Web service providers deploy several methods to convince customers about the security of their information. These run the gamut, including multiple firewalls, intrusion detection, application and system portioning, encryption, biometrics tools, and even armed guards. In the end, however, they are all but useless since, according to the Internet Security Task Force, about 70 percent of business computer-security breaches are internal.
This is interesting because firewalls are exactly what most companies use to feel safe, but all it really takes for a serious breach to occur is an unhappy employee, or a user who is, without their knowledge, running a BackOrifice variant on their machine. A good hacker who knows what he's doing could work out what's going on inside your average CORBA-based server and insert transactions into a trading system or perform SWIFT payments. However, while no application can ever be made 100% secure, if we stop assuming that the firewall will protect us, it isn't all that hard to actually harden an application. The new standards coming into place make it even easier, but it is our responsibility as application developers to actually use them.
8:18:59 AM