In-Depth

Web services not a draw for virus writers, yet

• By Tony Baer
• May 1, 2005

Given recent history, are Web services the logical next target for virus writers? The jury is still out on the matter. When asked at a recent financial services industry Web services conference whether there have been any documented reports of Web services virus or malware attacks, replies from conference goers ranged from “none that have been made public” to claims that actual threats have been identified in the labs.

The threat of malware and viruses in Web services is essentially a case of old wine in new bottles, according to Ray Wagner, Gartner Group’s research vice president for information security. “You have the same vulnerabilities, but there’s a new hole to exploit.”

For one thing, there is the psychology of virus writers, whose egos are fed by their ability to disrupt the lives of tens of millions of Windows users, rather than a few obscure Web services servers. On the other hand, as the financial value of transactions conducted via Web services increases, it could prove an attractive draw for criminals who are driven by economic motives. “I’m not convinced there will be major epidemics,” Wagner says, adding that it would take inside knowledge of highly complex transaction systems to mount an effective financial shakedown attack. Further, he expects perimeter defenses eventually will be able to inspect HTTP and SOAP messages.

Back to feature: Web Services: Careful, It’s a Circus Out There...