News

Startup puts Web services security in developers' hands

Our favorite security guru, Gary McGraw, has said it so often that it's almost a cliche: If you want secure systems, you've got to build security into the applications that run on them. A Rocklin, Calif.-based startup called Kenai Systems is now applying that maxim to Web services with what the company's founders believe are category-creating tools for developers.

'Developers are having to make the mindshift toward a services perspective,' says Jack Quinnell, Kenai's CTO. 'But they're really just beginning to see the security ramifications.'

'Because Web services are meant to be loosely coupled,' says Kenai president Byrren Yates, 'they expose interfaces, streamline connections, and accelerate business processes. That's all good for business efficiency, but scary from a security perspective. It's conceivable that as your WSDL gets published, through UDDI or some other mechanism, others could create Web services tying back to your Web service without you knowing anything about it.'

As Web services technology matures and services proliferate, the security risks increase, says Yates. 'We saw something similar with internal company Web sites a few years ago,' he says. 'Everybody and his brother were throwing up a Web site. Web services will probably go through that same process internally, with people throwing up Web services to solve an immediate problem, but not necessarily thinking about the consequences internal to an organization.'

Billing itself as the industry's first Web services vulnerability assessment and management company, Kenai is marketing a set of inspection tools for Web services developers. Its flagship offering, eXamine 1.0, released in beta in October, is a standalone tool that enables developers to import WSDL files and test them for compliance with industry standards, such as XML and SOAP, as well as their own internally developed best practices. Kenai's eXamineST is an advanced Web services inspection tool designed to enable developers to import WSDL files and test them for compliance with WS-Security standards and for other Web services security vulnerabilities.

'The intent for the eXamine and eXamineST tools is that they predominantly focus on the development environment where developers may not have acquired a security background,' says Quinnell. 'What development folks want is something that helps them spend more time doing thorough inspection in security areas. Others want to test for appropriate functions and test for behavior when given a set of values it does not expect to see.'

Although it was founded just a few months ago, Kenai has already signed a strategic distribution agreement with Forum Systems, a Web services security solutions provider focused on trust management, threat protection, and Information Assurance. Under the agreement, signed in October, Forum will distribute Kenai's eXamine 1.0 Web Services inspection tool.

'We believe that best practices in Web Services security begin during Web Services development,' Kenai's CEO Bill Kesselring said at the time. '[Our products] will help detect and eliminate Web Services vulnerabilities before they get out of control as well as enable the proper security controls to be enforced.'

Trial versions of eXamine 1.0 and eXamineST are available at www.kenaisystems.com.

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].