Are there Web service security standards or risk assessment checklists?

As more organisations integrate business-critical functions with Web services, the security of those services becomes of greater importance. But are there Web service security standards whereby businesses can assess that security? Expert Neil O'Connor weighs in.

Is there a benchmark that can be used in a comprehensive security review of a Web service that accepts interaction via multiple interfaces (such as touch-screen kiosks and Web-based forms) in any industry?
Web services technology is growing in the enterprise sector, as companies begin to use Web services for business-critical functions to meet operational needs. For example, airlines, car rental companies, restaurants and hotels have adopted Web services in the form of online reservation applications to make booking an easy and fast process.

However, deploying Web services can expose an organisation to a variety of threats. These include:

  • Eavesdropping on messages en route, leading to disclosure of information;
  • Tampering with messages in transit to alter transactions;
  • Repudiation, where a party later denies having sent a message, potentially leading to financial loss; and
  • Denial-of-service attacks leading to operational disruption.
All the above can have serious consequences for an organisation, so there is a need for strong information security assurance.

Although there are Web services security standards, such as XML Signature (XML-Sig), XML Encryption (XML-Enc) and Web Services Security (WS-Security), they are not in themselves sufficient to ensure security is built into Web services, because of their complexity and diversity. Rather, for the services to be truly secure, security has to be systematically identified, designed, tested, documented and incorporated into the Web services Software Development Life Cycle (SDLC). As a minimum, organisations should deploy SSL/TLS for confidentiality and integrity of data in transit, and use client-side certificates (mutual TLS) to authenticate the claimed identity of the calling party rather than trusting an identifier carried in the message body.

The OWASP Testing Guide, published by the Open Web Application Security Project, provides a section dedicated to Web services security testing, but, as a broad and generic Web application security framework, it is not specifically tailored to Web services security. Because Web services operate on top of other systems and technologies, the underlying infrastructure (network, operating system, servers) has to be secured and hardened first, before proceeding with the Web services security assessment. Doing so limits the Web service's exposure and reduces its attack surface. Although many application security principles apply generically to Web services, Web services also need attention in areas that generic Web application testing methodologies and risk assessment checklists do not cover. They often suffer from common Web application vulnerabilities such as SQL injection, command injection and information disclosure, and in addition from XML-specific issues in the parser and query layer: XML external entity (XXE) attacks that read local files or reach internal hosts through the parser, entity-expansion attacks that exhaust memory, and XPath injection where user-supplied values are spliced into queries against an XML data store.
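As an added illustration of the XML-specific and injection issues just described (this is example code written for this page, not from the original article or from OWASP), the following Python module shows a request handler for a hypothetical hotel-booking Web service. It parses an untrusted XML request with the standard-library expat parser configured to abort on any DOCTYPE or entity declaration (closing off XXE and entity-expansion attacks), caps request size and nesting depth against denial of service, and then looks the booking up with a parameterised SQL query so that the value taken from the XML cannot alter the query. The element names (`LookupBooking`, `Reference`), the size and depth limits, the SQLite table and the sample requests are all constructed for the example.

```python
"""Hardened handling of an untrusted XML request (added example, stdlib only).

Assumptions for illustration: a LookupBooking/Reference request format, a
bookings table in SQLite, and the MAX_BYTES / MAX_DEPTH limits below.
"""
import sqlite3
import xml.parsers.expat

MAX_BYTES = 64 * 1024  # assumed limit: reject oversized requests before parsing
MAX_DEPTH = 32         # assumed limit: bound nesting so parser work stays small


class RejectedXML(ValueError):
    """Raised for XML constructs a Web service request never legitimately needs."""


def parse_untrusted_xml(data: bytes):
    """Parse XML into nested (tag, attrs, text, children) tuples, refusing any DTD.

    XXE and entity-expansion attacks both require a DTD, so the parser aborts
    as soon as a DOCTYPE or entity declaration is seen; malformed input and
    excessive size or depth are rejected as well.
    """
    if len(data) > MAX_BYTES:
        raise RejectedXML("request larger than %d bytes" % MAX_BYTES)

    parser = xml.parsers.expat.ParserCreate()
    parser.UseForeignDTD(False)          # never consult an external DTD
    stack = [[None, {}, [], []]]         # sentinel: [tag, attrs, text_parts, children]

    def reject(*_args):
        raise RejectedXML("DTD or entity declaration not allowed")

    def start(tag, attrs):
        if len(stack) > MAX_DEPTH:       # sentinel included, so MAX_DEPTH open elements
            raise RejectedXML("nesting deeper than %d" % MAX_DEPTH)
        stack.append([tag, attrs, [], []])

    def end(_tag):
        node = stack.pop()
        stack[-1][3].append((node[0], node[1], "".join(node[2]).strip(), tuple(node[3])))

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = lambda *_: 0   # never fetch external entities
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda text: stack[-1][2].append(text)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXML("malformed XML: %s" % exc) from None
    return stack[0][3][0]                # the document element


def find_text(node, tag):
    """Return the text of the first direct child named tag, or None."""
    for child in node[3]:
        if child[0] == tag:
            return child[2]
    return None


def handle_lookup(conn, request: bytes):
    """Service handler: safe parse, strict schema check, then a bound-parameter query."""
    root = parse_untrusted_xml(request)
    if root[0] != "LookupBooking":
        raise RejectedXML("unexpected root element %r" % root[0])
    ref = find_text(root, "Reference")
    if not ref:
        raise RejectedXML("missing Reference")
    # The value is bound, never spliced into SQL text, so a Reference such as
    # "X' OR '1'='1" matches no row instead of every row.
    row = conn.execute("SELECT guest FROM bookings WHERE ref = ?", (ref,)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory bookings table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT PRIMARY KEY, guest TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?)",
                     [("ABC123", "A. Guest"), ("XYZ789", "B. Guest")])
    return conn


def is_rejected(request: bytes) -> bool:
    """True if the hardened handler refuses the request outright."""
    try:
        handle_lookup(demo_db(), request)
    except RejectedXML:
        return True
    return False


# Constructed sample requests: one benign, three hostile.
GOOD_REQUEST = b'<?xml version="1.0"?><LookupBooking><Reference>ABC123</Reference></LookupBooking>'
SQLI_REQUEST = b"<LookupBooking><Reference>X' OR '1'='1</Reference></LookupBooking>"
XXE_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE LookupBooking [<!ENTITY xxe SYSTEM '
               b'"file:///etc/passwd">]><LookupBooking><Reference>&xxe;</Reference></LookupBooking>')
BOMB_REQUEST = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">'
                b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">]><LookupBooking><Reference>&c;</Reference></LookupBooking>')
DEEP_REQUEST = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    print(handle_lookup(demo_db(), GOOD_REQUEST))            # A. Guest
    print(handle_lookup(demo_db(), SQLI_REQUEST))            # None
    print([is_rejected(r) for r in (XXE_REQUEST, BOMB_REQUEST, DEEP_REQUEST)])
```

The design point is to refuse DTDs outright rather than trying to sanitise entity declarations: a booking request never needs one, and rejecting the DOCTYPE at the first token means the parser never allocates memory for an expansion or opens a file or socket for an external entity. Size and depth limits are cheap, independent controls against the denial-of-service threat listed earlier, and the parameterised query keeps the XML layer from becoming a new route for an ordinary SQL injection.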

Web service security standards and Web services testing frameworks that can be incorporated into a comprehensive security review still need to be developed by the industry. In the meantime, organisations that deploy Web services should consider a variety of vulnerability management strategies, including reviewing the Web services' source code and ensuring Web services run with the least required privileges and features. Adopting these strategies, along with penetration testing by skilled, experienced consultants, can provide reasonable assurance that a Web service is secure and that the risk of exposure is properly managed and mitigated.
