Until now, the tools available to enforce security have included special-purpose XML firewalls or parsing appliances for detecting malware, and brokers and registries that enforce policy. These products focus on erecting security barriers at run time.

Last February, startup Kenai Systems introduced a testing tool aimed at catching security flaws in web services at development time. Its initial offering, eXamineST, provided tools for security specialists to design tests to check on vulnerabilities in payload, function, or authentication.

Now the company is releasing a simplified product for mainstream developers who are not security specialists. The new offering, eXamineXT, automates the process by supporting 20 security vulnerability test cases out of the box.

It also provides test authoring capabilities, and can import or export test cases with other XT users. With the XT tool, the developer picks a vulnerability from a menu, imports the WSDL (web service definition), and the tests are automatically generated.

The test cases include checks for compliance with formal or de facto standards such as WS-Security and the WS-I Basic Interoperability Profile. Other checks cover improper SQL code that makes forbidden calls to a relational database; incorrect XML schemas (data structures); and poorly formed XML expressions that conflict with the policies or rules established for the service.
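As an added illustration of what development-time test cases in these three categories look like (not Kenai's code, and not a description of how eXamineXT implements them), the following Python harness feeds a hardened SOAP handler a malformed request, a structurally invalid request, and an account identifier laced with SQL metacharacters, and checks that each is rejected cleanly. The `GetBalance` operation, its `urn:example:accounts` namespace and the in-memory table are all constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:accounts"  # hypothetical service namespace for the example


def init_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the service's backing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("A1", 100), ("B2", 250)])
    return conn


def handle_get_balance(conn: sqlite3.Connection, raw_request: bytes) -> dict:
    """Hardened handler: parse, enforce the expected structure, query with a bound parameter."""
    try:
        root = ET.fromstring(raw_request)
    except ET.ParseError:
        return {"status": "fault", "reason": "malformed XML"}  # no stack trace leaks to the caller
    body = root.find(f"{{{SOAP_NS}}}Body")
    op = body.find(f"{{{SVC_NS}}}GetBalance") if body is not None else None
    acct = op.find(f"{{{SVC_NS}}}accountId") if op is not None else None
    # Exactly one child (accountId) is allowed; anything else violates the operation's schema
    if acct is None or acct.text is None or len(list(op)) != 1:
        return {"status": "fault", "reason": "schema violation"}
    # Parameter binding keeps quotes and keywords in accountId as data, never as SQL
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct.text,)).fetchone()
    if row is None:
        return {"status": "fault", "reason": "unknown account"}
    return {"status": "ok", "balance": row[0]}


def get_balance_request(account_id: str) -> bytes:
    """Build a constructed SOAP 1.1 request for the hypothetical GetBalance operation."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<a:GetBalance xmlns:a="{SVC_NS}"><a:accountId>{account_id}</a:accountId></a:GetBalance>'
        f"</s:Body></s:Envelope>"
    ).encode()


def run_test_cases(conn: sqlite3.Connection) -> dict:
    """Development-time test cases mirroring the categories named in the article."""
    cases = {
        "valid": get_balance_request("A1"),
        "malformed_xml": f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><unclosed>'.encode(),
        "schema_violation": get_balance_request("A1").replace(
            b"</a:accountId>", b"</a:accountId><a:extra/>"),
        "sql_metachars": get_balance_request("A1' OR '1'='1"),
    }
    return {name: handle_get_balance(conn, req) for name, req in cases.items()}
```

The hardened handler answers the valid request with a balance and every other case with a short fault; swapping the bound parameter for string concatenation is what would make the last case return a row instead.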

The tool can export the web service and the tests associated with it in a file, so other XT users can run the tests and get updates of vulnerability definitions from Kenai. It supports SOAP with attachments and SSL-encrypted client authentication.

The tool, initially priced at $800 per developer seat, is being sold direct and through Forum Systems, a partner that sells XML firewalls. It is available as a standalone product and as an Eclipse plug-in.

On the horizon, Kenai is looking to add more end-to-end capabilities that check for vulnerabilities as web services are aggregated in the wild. Additionally, the company is looking to add a further layer of checks on the vulnerability of internal applications that are being exposed to the outside world for the first time through web services.