Kenai Systems Automates Web Services Vulnerability Testing
By John K. Waters
The good thing about Web services is that they expose interfaces, streamline connections
and accelerate business processes. The bad thing about Web services is that they
expose interfaces, streamline connections and accelerate business processes.
It’s an old joke, but it underscores the inherent challenge of securing
applications and data that use this collection of protocols and standards we
call Web services to interact with other applications over the Internet.
For Kenai Systems, Web services security is still fundamentally a development
issue. As the company puts it, “Web services vulnerabilities are exploited
in the deployment phase, but they are created in the development phase.”
“Web services, with their public interfaces, reliance on evolving Web
services standards, and heterogeneous architectures, present an unprecedented
array of security risks,” says Jack Quinnell, CTO at Kenai Systems. “Developers
are making the mindshift toward a services perspective. But they’re really
just beginning to see the security ramifications.”
Founded last year, Kenai (pronounced “keen eye”) has emerged as
a pioneer in the Web services vulnerability assessment and management market.
Its flagship offering, the eXamine 1.0 Web services inspection tool, was released
in beta last October. The company followed up with eXaminST, a tool to enable
security-savvy developers to import WSDL files and test them for compliance
with WS-Security standards and for other Web services security vulnerabilities.
eXaminST is intended for users with a high level of security expertise, says
Kenai CEO Bill Kesselring. “It allows for a lot of knob twisting,”
he says. Now the startup is reaching out to developers with a new tool, eXaminXT,
that automates the security testing process to deliver what Kesselring calls
“one-touch” Web services vulnerability testing.
“We’re talking about your average, highly intelligent developer
who just doesn’t have a lot of security expertise,” Kesselring says.
“We wanted to provide a way for that developer to be creative and productive
without having to worry about the mundane security stuff.”
eXamineXT ships with more than 20 Security Test Profiles, each designed to
automatically generate test cases for a particular Web services vulnerability.
The product can also import additional test profiles as they are released by
Kenai, enabling enterprises to keep up with the industry’s evolving knowledge
of vulnerabilities and the continuing development of Web services best practices.
The product supports SOAP with Attachments, including MIME and DIME, and SSL
client authentication. It provides a point-and-click GUI with a Workbench, Perspectives,
Views, Tabs and Shortcut Bar. It comes with authoring tools for creating customized
tests with SOAP Requests. And it supports integrated testing for, and reporting
on, WS-I Basic Profile conformance and WS-Security compliance.
Quinnell sees the tool coming into the development process relatively early,
just after the requirements have been codified. “By getting the security
folks involved early on, you can eliminate that traditional boomerang cycle,
where the service or application goes to QA, and QA says it’s still slushy
and kicks it back.”
A free 30-day trial of eXamineXT is available now for download at www.kenaisystems.com.
The final version, which will be available as a standalone tool and as an Eclipse
plug-in, is expected in July.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached