Why Web services threats require application-level protection

Let's review how Web services function, why hackers have started to prey on them and what organizations can do to mitigate this threat.

How Web services function
Web services allow other Internet-connected programs to interact with them by making certain functionalities accessible to other applications. They can range from a complex customer relationship management (CRM) system to a simple stock quote feed. They are built using a collection of protocols and standards such as XML

BROWSE BY TAG Web Security Advisor,   Application and Platform Security,   Web Security Tools and Best Practices,   Web Services Security and SOA Security,   Application Attacks (Buffer Overflows, Cross-Site Scripting),   VIEW ALL TAGS

RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking website threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Web Services Security and SOA Security Information security book excerpts and reviews Security testing firm uncovers XML vulnerabilities Cryptographers say cloud computing can be secured Will cloud computing and virtualization save the day? MySpace, Facebook ignoring basic principles of security Kaminsky: DNS flaw capable of attacks on many fronts Kaminsky on DNS rebinding attacks, hacking techniques Which operating system can best secure an FTP site? IBM's Watchfire halts network research, focuses on Web apps How does identity propagation work? Application Attacks (Buffer Overflows, Cross-Site Scripting) Latest zero-day attacks only target IE 6, Microsoft says Social networking security: Twitter, Facebook hacker attacks climbing Web application attacks security guide: Preventing attacks and flaws How to stop buffer-overflow attacks and find flaws, vulnerabilities Preventing and stopping SQL injection hack attacks Distributed denial-of-service protection: How to stop DDoS attacks Prevent cross-site scripting hacks with tools, testing Firefox, Opera, Safari browsers top list of high risk software Information security book excerpts and reviews Quiz: How to build secure applications Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

a>, XML Schema, WSDL (Web Services Description Language) and SOAP (Simple Object Access Protocol), many of which are still evolving, and as with most new technologies, security issues are often overlooked in the early stages of adoption.

Web services vulnerabilities
Web services face a lot of the same vulnerabilities that Web applications do, such as SQL injection and session theft, but unlike traditional Web page interfaces, Web service programs are far more open, often connecting to core enterprise applications and data. This significantly increases their risk profile and makes them a very attractive target. Web services are usually deployed over HTTP to allow cross-network communication without having to reconfigure firewalls. This could be problematic for networks that use older firewalls, since older firewalls cannot analyze Web service traffic that travels via HTTP.

Web services threat protection
To mitigate Web services threats, enterprises that run Web services should deploy application-level firewalls that can examine XML-based messages. There are some firewalls on the market today that can enforce XML structural rules and validate schema, perform XML virus-checking and protect against XML denial-of-service attacks (XDoS); if available, use them. Additionally, your developers should also be educated on the additional XML-related attack vectors that Web services are vulnerable to, mainly:

• XML identity threats, updated versions of the traditional identity threats, such as authentication attacks and eavesdropping.


• Content-borne threats that use actual XML payloads to distribute XML viruses, SQL statements, Unix commands, etc.; and


• Operational attacks, including XML-level denial-of-service attacks and XML bombs.

Here are some additional rules organizations can use to reduce potential Web services risks:

• At a bare minimum, use PKI authentication for machine-to-machine communications and SSL for communication security.
• Develop an ongoing list of resources that will provide you with information about current security problems and software updates relevant to your system and application software, since new infrastructure components are prone to vulnerabilities and must be continuously patched and updated.
• Upgrade your existing authentication and access control security policies to meet Web services specifications like Web Service Security (WS-Security), which addresses enhancements made to SOAP messaging to protect the message integrity, message confidentiality and message authentication.
• Keep abreast of the other new standards like XML-Encryption, XML-Schema and XML-Digital Signature that aim to secure Web services traffic. Incorporate these standards into your security policy where appropriate.
• Finally, find and use a comprehensive guide on how to build secure Web services and Web applications and use it when developing your services. These guides are available from the Open Web Application Security Project.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.