Kenai Systems Automates Web Services Vulnerability Testing

The good thing about Web services is that they expose interfaces, streamline connections and accelerate business processes. The bad thing about Web services is that they expose interfaces, streamline connections and accelerate business processes.

It’s an old joke, but it underscores the inherent challenge of securing applications and data that use this collection of protocols and standards we call Web services to interact with other applications over the Internet.

For Kenai systems, Web services security is still fundamentally a development issue. As the company puts it, “Web services vulnerabilities are exploited in the deployment phase, but they are created in the development phase.”

“Web services, with their public interfaces, reliance on evolving Web services standards, and heterogeneous architectures, present an unprecedented array of security risks,” says Jack Quinnell, CTO at Kenai Systems. “Developers are making the mindshift toward a services perspective. But they’re really just beginning to see the security ramifications.”

Founded last year, Kenai (pronounced “keen eye”) has emerged as a pioneer in the Web services vulnerability assessment and management market. Its flagship offering, the eXamine 1.0 Web services inspection tool, was released in beta last October. The company followed up with eXaminST, a tool to enable security-savvy developers to import WSDL files and test them for compliance with WS-Security standards and for other Web services security vulnerabilities.

eXaminST is intended for users with a high level of security expertise, says Kenai CEO Bill Kesselring. “It allows for a lot of knob twisting,” he says. Now the startup is reaching out to developers with a new tool, eXaminXT, that automates the security testing process to deliver what Kesselring calls “one-touch” Web services vulnerability testing.

“We’re talking about your average, highly intelligent developer who just doesn’t have a lot of security expertise,” Kesselring says. “We wanted to provide a way for that developer to be creative and productive without having to worry about the mundane security stuff.”

eXamineXT ships with more than 20 Security Test Profiles, each designed to automatically generate test cases for a particular Web services vulnerability. The product can also import additional test profiles as they are released by Kenai, enabling enterprises to keep up with the industry’s evolving knowledge of vulnerabilities and the continuing development of Web services best practices.

The product supports SOAP with Attachments, including MIME and DIME, and SSL client authentication. It provides a point-and-click GUI with a Workbench, Perspectives, Views, Tabs and Shortcut Bar. It comes with authoring tools for creating customized tests with SOAP Requests. And it supports integrated testing for, and reporting on, WS-I Basic Profile conformance and WS-Security compliance.

Quinnell sees the tool coming into the development process relatively early, just after the requirements have been codified. “By getting the security folks involved early on, you can eliminate that traditional boomerang cycle, where the service or application goes to QA, and QA says it’s still slushy and kicks it back.”

A free 30-day trial of eXamineXT is available now for download at The final version, which will be available as a standalone tool and as an Eclipse plug-in, is expected in July.

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].