However, the deployment of Web services potentially can expose an organization to a variety of threats. These include:
- Eavesdropping on messages en route, leading to disclosure of information;
- Tampering with messages in transit to change transactions;
- Repudiation, where a sender denies having sent a message, potentially leading to loss; and
- Denial-of-service attacks leading to operational disruption.
Although Web services security standards exist, such as XML Signature (XML-Sig), XML Encryption (XML-Enc) and Web Services Security (WS-Security), they are not in themselves sufficient to ensure security is built into Web services, because of their complexity and diversity. Rather, for the services to be truly secure, security has to be systematically identified, designed, tested, documented and incorporated into the Web services Software Development Life Cycle (SDLC). At a minimum, organisations should consider deploying SSL for data transfer confidentiality and using client-side certificates to validate claimed identities.
The Open Web Application Security Project (OWASP) Testing Framework includes a section dedicated to Web services security testing, but, as a broad and generic Web application security framework, it is not specifically tailored to Web services security. Note, too, that Web services run on top of other systems and technologies, so the underlying infrastructure (network, operating system, servers) must first be secured and hardened before proceeding with the Web services security assessment. Doing so limits the Web service's exposure and reduces its attack surface. Although many application security principles apply generically to Web services, Web services also have specific aspects that demand closer attention and that generic Web application testing methodologies and risk assessment checklists do not cover. Web services often suffer from common Web application vulnerabilities such as SQL injection, command injection and information disclosure, as well as vulnerabilities unique to XML and XPath parsers.
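As an added illustration of the XML and XPath parser issues just mentioned (example code written for this page, not the author's or OWASP's), the following Java snippet shows a service handler that splices a caller-supplied user name into an XPath expression beside one that binds the same value as an XPath variable, evaluated over a constructed in-memory user document; the parser is also configured to reject DOCTYPE declarations so entity-based attacks on the document itself are refused. Class, method and document names are assumptions.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XPathLookup {
    // Constructed sample user store, standing in for the service's backend XML document.
    static final String USERS =
        "<users>" +
        "<user name='alice'><role>user</role></user>" +
        "<user name='admin'><role>administrator</role></user>" +
        "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Parser hardening: refuse any DOCTYPE, so neither internal entity
        // expansion nor external entity resolution can be triggered by input.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable form: the caller-controlled value becomes part of the expression text,
    // so quote characters let it rewrite the predicate.
    static String roleUnsafe(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate("/users/user[@name='" + name + "']/role/text()", doc);
    }

    // Hardened form: the value is bound as the XPath variable $name and is only ever
    // compared as a string, never parsed as expression syntax.
    static String roleSafe(Document doc, final String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> "name".equals(v.getLocalPart()) ? name : null);
        return xp.evaluate("/users/user[@name=$name]/role/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS);
        String input = "x' or @name='admin";        // constructed malicious input
        System.out.println(roleUnsafe(doc, input));  // administrator: predicate was rewritten
        System.out.println(roleSafe(doc, input));    // empty: no user has that literal name
        System.out.println(roleSafe(doc, "alice"));  // user
    }
}
```

The same variable-binding pattern applies to any service that builds XPath queries from request fields, and it is the XPath counterpart of parameterised SQL queries.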
The industry still needs to develop Web service security standards and Web services testing frameworks that can be incorporated into a comprehensive security review. In the meantime, organizations that deploy Web services should consider a variety of vulnerability management strategies, including reviewing the Web services' source code and ensuring Web services run with the least required privileges and features. Adopting these strategies, along with penetration testing by skilled, experienced consultants, can provide assurance that a Web service is indeed secure and that the risk of exposure is properly managed and mitigated.