McAfee Shares Internal Web-Services Security Tool

The security company is releasing WSDigger, an open-source tool for Web services security analysis, to the enterprise community.

Security firm McAfee is offering one of its internal tools to the enterprise community for free, with the aim of increasing Web services security and protection.

Coming out of the companys security services group, Foundstone Professional Services, the WSDigger is an open-source tool that helps identify vulnerabilities in Web services implementations.

The tool is unique, said Foundstone Inc. consulting director Mark Curphey, because it finds holes and flaws in implementations that have already been built. Other security tools focus more intently on providing protections while implementations are under development.

For example, Kenai Systems Inc. introduced technology in December that provides vulnerability assessment of security problems with Web services in the development phase.

That technology allows developers to import WSDL (Web Services Description Language) files and test for compliance with the WS-Security (Web Services Security) specification.

By contrast, WSDigger can be employed on all implementations. "Its great for people [who want to] to test their services as theyre in the process of design, so they can design them the right way," he said. "But we felt there was a need for people whove already done the building to look for vulnerable spots."

WSDigger was created as a way for Foundstone and McAfee Inc. users to do security testing on their own Web services projects, and the company decided to release the testing framework as a way to help the larger community.

/zimages/3/28571.gifRead more here about McAfee reaching out to open source by providing enterprise support on the Linux platform.

"We dont believe security is a black art—it should be shared if possible," Curphey said. "And we know that theres been a great deal of interest in more tools for Web services protection."

WSDigger contains sample attack plug-ins for SQL injection, cross-site scripting, and X-PATH injection attacks. According to McAfee, it takes a "black box penetration testing" approach, which imitates a malicious user. The test does not draw on internal code, and operates as a Web service client.

Those who download the testing framework are also encouraged to customize the tool for tailored applications and share the enhanced tools with other users.

The need for more tools has become acute because of Web services standardization, Curphey said. Although standardizing the services has been a boon for developers, it has also been advantageous for attackers.

/zimages/3/28571.gifWS-I security document identifies Web services threats. Click here to read more.

"Attacks are standardized," he said. "Attackers know that if they create an X-PATH injection attack, for example, it will work on any implementation."

Additionally, Web services continue to gain traction in use throughout an entire software computing stack at many enterprises, IDC analyst Sandra Rogers has noted in a release. Because of this momentum, she stated, "regular and more sophisticated automated testing tools will be required to assure end-to-end processes are not compromised."

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.