Working Group on Security Research


I'd like to use this forum to form a volunteer working group for security research topics. I have a particular passion for cryptology and rootkits. What passions do you have? Software? Hardware? WiFi? Anyone want to build a WiFi Pistol (Similar to the Shmoo Group's)?

Let's post some ideas and see what sticks!

XML Firewalls & Gateways Security Configurations

There is a need for a tool and service to analyze system or application configuration files and security-based middleware components used in Service Oriented Architecture (SOA) system deployments, primarily Web Services. The tool must be accessible via the internet. The tool and service are intended to be used by security consultants. The tool produces a report accessible via the internet and identifies gaps in the configuration that may or could cause security exposures before performing a vulnerability assessment. The report is accessible via the internet and can be downloaded through an encryption mechanism. The first release version will analyze exported configuration files of selected industry-leading XML Firewalls and Gateways, i.e. IBM DataPower, Layer7 and Cisco Reactivity. Some of the applications selected will be open source applications. A typical analysis may include: replay protection, XML threat protection, schema validation, authentication and authorization, audit protection, SOAP validation, SAML validation, transmitting errors and other security artifacts analysis. If policies and rules exist they will be captured and analyzed.

The tool will be written in Java (multi-platform) and will not need access to a running system. The service will be offered in strict confidentiality, integrity and privacy.

Why the research is needed

The process of configuring security is complicated. In most environments it requires extensive security expertise and system knowledge. Some systems have adapters and embedded security. A combination of security settings can create vulnerabilities: some configuration files are complex and often hard to read. Too many security consultants spend an inordinate amount of time looking for configuration errors without the ability to keep track of configuration information that can be distributed throughout many configuration files. Therefore configuration attributes in a file may not map to anything visible to the user interface as a security risk. In a large deployment the array of configuration checks and validations is very large. Security checks before a vulnerability assessment are even more complex when the security analyst has to analyze configurations of many middleware components in the environment.

Derrick Hyatt
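The kind of offline configuration audit the post describes, as an added example that is not part of the original post and not code from any of the vendors named. The proposal targets Java; this sketch is in Python for illustration. The `<gatewayConfig>`/`<service>` layout, the attribute names, and the two sample exports are all invented stand-ins for a real gateway export (they are not the DataPower, Layer7 or Reactivity formats), chosen so the checks line up with the analysis categories listed above: schema validation, replay protection, authentication and authorization, XML threat limits, audit, and error transmission. Each finding records the file it came from, which is the "configuration spread across many files" problem the second post raises, and referenced schemas and policies are captured as a separate list.

```python
"""Hypothetical XML-gateway configuration auditor (assumed export layout)."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Constructed sample exports, one per file, so findings can be traced back
# to the file they came from. The element and attribute names are invented.
SAMPLE_FILES = {
    "orders-service.xml": """<gatewayConfig>
  <service name="orders">
    <schemaValidation enabled="true" schema="orders.xsd"/>
    <replayProtection enabled="true" windowSeconds="300"/>
    <authentication method="wss-usernametoken"/>
    <authorization policy="orders-acl"/>
    <xmlThreatProtection maxDepth="32" maxAttributeCount="64"/>
    <audit enabled="true"/>
    <faultHandling returnStackTrace="false"/>
  </service>
</gatewayConfig>""",
    "legacy-lookup.xml": """<gatewayConfig>
  <service name="legacy-lookup">
    <schemaValidation enabled="false"/>
    <authentication method="none"/>
    <xmlThreatProtection maxDepth="0"/>
    <audit enabled="false"/>
    <faultHandling returnStackTrace="true"/>
  </service>
</gatewayConfig>""",
}


@dataclass(frozen=True)
class Finding:
    file: str
    service: str
    check: str
    severity: str
    detail: str


def _flag(el, name, default="false"):
    """Read a boolean attribute; a missing element counts as the default."""
    return (el.get(name, default) if el is not None else default).lower() == "true"


def audit_service(file, svc):
    """Run the configuration checks against one <service> element."""
    name = svc.get("name", "<unnamed>")
    findings = []

    def add(check, severity, detail):
        findings.append(Finding(file, name, check, severity, detail))

    schema = svc.find("schemaValidation")
    if not _flag(schema, "enabled"):
        add("schema-validation", "high", "request schema validation is disabled")
    elif not schema.get("schema"):
        add("schema-validation", "medium", "validation enabled but no schema referenced")

    if not _flag(svc.find("replayProtection"), "enabled"):
        add("replay-protection", "high", "no timestamp/nonce replay window configured")

    auth = svc.find("authentication")
    method = (auth.get("method", "none") if auth is not None else "none").lower()
    if method == "none":
        add("authentication", "critical", "service accepts unauthenticated requests")
    if svc.find("authorization") is None:
        add("authorization", "high", "no authorization policy bound to the service")

    threat = svc.find("xmlThreatProtection")
    depth = int(threat.get("maxDepth", "0")) if threat is not None else 0
    if depth <= 0:
        add("xml-threat", "high", "no element-depth limit; deeply nested XML is accepted")

    if not _flag(svc.find("audit"), "enabled"):
        add("audit", "medium", "audit logging disabled")

    if _flag(svc.find("faultHandling"), "returnStackTrace"):
        add("error-handling", "medium", "stack traces are returned to clients in SOAP faults")

    return findings


def audit_files(files):
    """Audit every <service> in every export; each finding names its source file."""
    findings = []
    for fname, text in files.items():
        # Exports are uploaded by consultants: the stdlib parser is used here,
        # but a production service should parse with defusedxml to block
        # entity-expansion and external-entity tricks in a hostile upload.
        root = ET.fromstring(text)
        for svc in root.iter("service"):
            findings.extend(audit_service(fname, svc))
    return findings


def referenced_policies(files):
    """Capture the schema and authorization policy names the exports refer to."""
    refs = set()
    for text in files.values():
        for el in ET.fromstring(text).iter():
            for attr in ("schema", "policy"):
                if el.get(attr):
                    refs.add(el.get(attr))
    return sorted(refs)


if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.severity:8} {f.file}: {f.service} [{f.check}] {f.detail}")
    print("referenced artifacts:", referenced_policies(SAMPLE_FILES))
```

Run stand-alone, the script reports nothing for the hardened `orders` service and seven findings for `legacy-lookup`, each tagged with `legacy-lookup.xml`. A real auditor would replace the invented layout with a parser per vendor export format and key the severity on the deployment's policy rather than the fixed strings used here.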