usefulfor.com/security security dojo

6 May 2008

middleware and me (part 1)

hack-fu by: rux0r

This post is the first in a series on the subject of enterprise messaging and in particular on IBM's flavour of it. The objective of these posts will be to remove some of the confusion about its purpose, the technologies and the methods of securing it. Hopefully this will help both security testers and other interested parties to feel confident about this important area of IT security.

When it comes to security testing a business application, how comfortable are you? The answer to that question will probably depend on a number of factors, including the following:

  • Is it an internal or external test?
  • What technologies are involved?
  • What is the business process the application is used for?

Depending on the requirements for testing, we might only be asked to look at the web front-end of the application. Or we might be asked to do an internal test of the entire application infrastructure. However, in reality there are lots of business applications that look like the following:

Diagram that shows a question mark between a web server and a database

So why is there a big question mark in the middle of the picture? In reality it marks a gap in most testing methodologies, or in the requirements provided to testers by their clients. The question mark could represent any of the following:

  • The bit of the process the client didn't ask to be tested.
  • The part of the application I don't understand.
  • The software products and solutions that don't appear in books on hacking or security testing.
  • A cloud through which data passes that I don't need to understand.

Therefore, if we want to test a business application against its security requirements, we have a big black hole. We know what the risks associated with the web application and the database are, and we know how to test the web server and the database, but what sits in the middle? In an enterprise environment the answer is usually as follows:

Diagram that shows how middleware sits between the frontend and the backend servers

So what is this mystical middleware that we hear so much about but never get to see? In the majority of cases it will involve a messaging or transport application whose responsibility it is to get data to the application that needs it. There are lots of such applications available including Microsoft Message Queuing (MSMQ), Sun Message Queue, IBM Websphere MQ and ActiveMQ.

So if these products exist, how do we test them? Unfortunately I can't provide an all-encompassing answer to that question, but I can tell you all about one of these products, namely IBM's Websphere MQ. So whether you are interested in Websphere MQ itself, security testing in general or just the risks associated with messaging applications, you should have a read of my new white paper on the subject:
Websphere MQ Security White Paper (mirror #1).

The white paper is the first of a series of documents that I intend to produce on the subject and covers a wide range of issues associated with both the product and messaging applications in general. All audiences are catered for, from those with managerial roles in IT through to integrators and security testers. I hope you find the document interesting and if you would like more information on the subject be sure to check out the slides from my Defcon presentation last year: MQ Jumping - Defcon 15 Presentation (mirror #1).

In the next part of this series of blog posts I will be talking about the security architecture of Websphere MQ, so stay tuned :)
