Are there Web service security standards or risk assessment checklists?

Is there a benchmark that can be used in a comprehensive security review of a Web service that accepts interaction via multiple interfaces (such as touch-screen kiosks and Web-based forms) in any industry?

Web services technology is growing in the enterprise sector, as companies begin to use Web services for business-critical functions to meet operational needs. For example, airlines, car rental companies, restaurants and hotels have adopted Web services in the form of online reservation applications to make booking an easy and fast process.

However, deploying Web services can expose an organization to a variety of threats. These include:

  • Eavesdropping on messages en route, leading to disclosure of information;
  • Tampering with messages in transit to change transactions;
  • A sender denying that a message was sent, potentially leading to loss; and
  • Denial-of-service attacks, leading to operational disruption.

All of the above can have serious consequences for an organisation, so strong information security assurance is needed.

Although there are Web services security standards, such as XML Signature (XML-Sig), XML Encryption (XML-Enc) and Web Services Security (WS-Security), they are not in themselves sufficient to ensure security is built into Web services because of their complexity and diversity. Rather, for the services to be truly secure, security has to be systematically identified, designed, tested, documented and incorporated in the Web services Software Development Life Cycle (SDLC). As a minimum, organisations should consider deploying SSL for data transfer confidentiality and use client-side certificates to validate claimed identities.
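The minimum the article recommends, SSL/TLS for confidentiality plus client-side certificates to validate claimed identities, can be expressed as a server-side TLS configuration and an authorisation check. The following is an added example (Python, not code from the original article): a context that refuses connections without a client certificate, a check a reviewer can run against such a context, and an allow-list lookup on the identity the certificate carries. The CA path, the client names and the certificate dictionary are assumed or constructed for illustration.

```python
import ssl
from typing import Dict, Optional, Set

def new_server_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context that requires a client certificate.

    ca_file is the CA that issued the client certificates (assumed path);
    when omitted the context is still hardened but trusts no CA yet."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # handshake fails without a cert
    return ctx

def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Review check: client certificates mandatory and modern TLS only."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def certificate_identity(peer_cert: Dict) -> Optional[str]:
    """Identity from a dict in the shape SSLSocket.getpeercert() returns:
    prefer a DNS subjectAltName, fall back to the subject commonName."""
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            return value.lower()
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def authorise_client(peer_cert: Dict, allowed: Set[str]) -> bool:
    """A valid CA signature proves the certificate is genuine, not that this
    client may use the service: the identity must also be on the allow list."""
    ident = certificate_identity(peer_cert)
    return ident is not None and ident in allowed

# Constructed sample in the shape getpeercert() returns (not a real certificate).
KIOSK_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "kiosk-01.example"),)),
    "subjectAltName": (("DNS", "kiosk-01.example"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Assumed allow list of clients permitted to call the booking service.
ALLOWED_CLIENTS = {"kiosk-01.example", "booking-web.example"}
```

In a real deployment the dictionary comes from `getpeercert()` on the accepted socket after the handshake, at which point the CA signature and validity dates have already been checked by OpenSSL.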

The OWASP (Open Web Application Security Project) Testing Framework provides a section dedicated to Web services security testing, but, as a broad and generic Web application security framework, it is not specifically tailored to Web services security. In any case, Web services operate on top of other systems and technologies, so the underlying infrastructure (network, operating system, servers) must first be secured and hardened before proceeding with the Web services security assessment. Doing so limits the Web service's exposure and reduces its attack surface. Although many application security principles apply generically to Web services, Web services also have specific concerns that demand closer attention and that are not covered by generic Web application testing methodologies and risk assessment checklists. Web services often suffer from common Web application vulnerabilities such as SQL injection, command injection and information disclosure, as well as vulnerabilities unique to XML and XPath parsers.

Web service security standards or Web services testing frameworks that can be incorporated in a comprehensive security review still need to be developed by the industry. In the meantime, however, organizations that deploy Web services should consider a variety of vulnerability management strategies, including reviewing the Web services' source code and ensuring that Web services run with the least required privileges and features. Adopting these strategies, along with penetration testing by skilled, experienced consultants, can provide assurance that a Web service is indeed secure and that the risk of exposure is properly managed and mitigated.

This was first published in September 2010