They are built using a collection of protocols and standards such as XML, XML Schema, WSDL (Web Services Description Language) and SOAP (Simple Object Access Protocol), many of which are still evolving, and as with most new technologies, security issues are often overlooked in the early stages of adoption.
To learn how Web services operate, read Why Web services threats require application-level protection.
2. Answer: False
Web services face a lot of the same vulnerabilities that Web applications do, such as SQL injection and session theft, but unlike traditional Web page interfaces, Web service programs are far more open, often connecting to core enterprise applications and data.
To learn how to protect against Web services vulnerabilities, read Why Web services threats require application-level protection.
3. Answer: b. Content-borne threats
Additionally, your developers should also be educated on the additional XML-related attack vectors that Web services are vulnerable to, mainly:
- XML identity threats, updated versions of the traditional identity threats, such as authentication attacks and eavesdropping.
- Content-borne threats that use actual XML payloads to distribute XML viruses, SQL statements, Unix commands, etc.; and
- Operational attacks, including XML-level denial-of-service attacks and XML bombs.
To learn how to protect against Web services threats, read Why Web services threats require application-level protection.
4. Answer: d. WS-Security
Web services specifications like Web Service Security (WS-Security), which addresses enhancements made to SOAP messaging to protect the message integrity, message confidentiality and message authentication.
To learn more about Web services security specifications, read Why Web services threats require application-level protection.
5. Answer: d. All of the above
Keep abreast of the other new standards like XML-Encryption, XML-Schema and XML-Digital Signature that aim to secure Web services traffic. Incorporate these standards into your security policy where appropriate.
Dig Deeper on Web Services Security and SOA Security