Annualized Rate of Occurrence (ARO)

One constant in the security realm is that companies and government agencies must expect to be attacked. Large organizations are attacked on a regular basis through ever newer and more creative means. In the recent 2004 Computer Security Institute and FBI survey, 100% of companies experienced attacks.
For externally facing Web Services, access to interfaces is simple. Because Web Services are designed to tunnel through existing network firewalls, hackers can quite easily get direct access to applications. In addition, because Web Services are self-describing, with WSDLs that describe how to interact with them, hackers have more information than ever on how to interact with specific application interfaces.
Many Web Services projects are internally focused, which may give security professionals a false sense of comfort. In the CSI/FBI study, almost 50% of security breaches were from internal sources. Whether it is a recently fired employee, an unscrupulous trader, or a compromised partner, there is significant risk from the inside. While the statistics vary, internal attacks may be considered more harmful because the attacker typically has much more inside knowledge of the systems, allowing them to cause the most damage while greatly reducing the chance of being detected.

Web Services are in the early stages now, but in some surveys over 60% of companies already have Web Services in production. Many of these implementations are grassroots efforts that escape the notice of the network operations and security staff, and therefore their policies. Existing technologies are neither XML-aware nor able to provide the proper enforcement protection, which increases the security risk.
