The most critical issue limiting the widespread deployment of Web services by organizations is the lack of understanding of the security risks involved and of the best practices for addressing those risks. Development and IT managers want to know whether the security risks and the types of attack common for Web sites will be the same for Web services. Will the existing enterprise security infrastructure, such as perimeter firewalls and well-understood transport security like Secure Sockets Layer (SSL), be sufficient to protect their companies from Web service security risks?
Much of the experience companies have with security is with Web sites and Web applications. Both involve a server sending HTML to a client (e.g., an Internet browser), which returns requests and form data. Web services instead involve applications exchanging data and information through defined application programming interfaces (APIs). These APIs can contain dozens of methods and operations, each of which is a potential entry point an attacker can use to compromise the security and integrity of a system.
The decentralized and heterogeneous nature of Web services presents challenges in building and maintaining system-wide security. Not only is the architecture of Web services decentralized, but so is the administration of the overall system. Moreover, monitoring and enforcing security policies across heterogeneous services, many of which are Web service-wrapped legacy applications that were never designed to be reachable over a shared public network, is increasingly challenging. These inherent characteristics of Web services present many opportunities for security lapses, and also make the detection of those lapses more complex and lengthy.
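The two preceding paragraphs make the point that a Web service exposes a defined API whose every operation is an entry point, and that many such services are wrappers around legacy code that was not written for a public network. The first thing a practitioner does with such a service is enumerate that surface from its interface description. The following script is an added example written for this chapter, not code from the original text: it parses a WSDL 1.1 document with the Python standard library, lists each operation together with the message parts it accepts, and reports any advertised endpoint that is not served over TLS. The WSDL, the service name, the operations and the URL in it are constructed for the example; the `RunReport` operation, which takes free-form filter and output-path strings, is included only to show the kind of wrapped legacy entry point that an enumeration like this surfaces for closer review.

```python
"""Enumerate the attack surface a WSDL 1.1 document advertises.

Added example for this chapter (not from the original text). Lists every
operation a client can reach, the message parts each accepts, and whether
the advertised endpoint uses TLS. The WSDL below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed sample: a legacy order-management system wrapped as a Web service.
SAMPLE_WSDL = """<definitions name="OrderService"
    targetNamespace="http://example.test/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://example.test/orders"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="GetOrderRequest">
    <part name="orderId" type="xsd:string"/>
  </message>
  <message name="GetOrderResponse">
    <part name="order" type="xsd:string"/>
  </message>
  <message name="RunReportRequest">
    <part name="sqlFilter" type="xsd:string"/>
    <part name="outputPath" type="xsd:string"/>
  </message>
  <message name="RunReportResponse">
    <part name="rows" type="xsd:int"/>
  </message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/>
      <output message="tns:GetOrderResponse"/>
    </operation>
    <operation name="RunReport">
      <input message="tns:RunReportRequest"/>
      <output message="tns:RunReportResponse"/>
    </operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="http://orders.example.test/soap"/>
    </port>
  </service>
</definitions>
"""


def _local(qname: str) -> str:
    """Strip a namespace prefix: 'tns:GetOrderRequest' -> 'GetOrderRequest'."""
    return qname.split(":", 1)[-1]


def enumerate_operations(wsdl_text: str) -> dict:
    """Return {operation_name: [(part_name, declared_type), ...]} for every
    operation in every portType, i.e. every entry point the service exposes."""
    root = ET.fromstring(wsdl_text)
    # Map each message name to the parts (name, type or element) it carries.
    messages = {
        msg.get("name"): [(p.get("name"), p.get("type") or p.get("element"))
                          for p in msg.findall("wsdl:part", NS)]
        for msg in root.findall("wsdl:message", NS)
    }
    surface = {}
    for port_type in root.findall("wsdl:portType", NS):
        for op in port_type.findall("wsdl:operation", NS):
            inp = op.find("wsdl:input", NS)
            msg_name = _local(inp.get("message")) if inp is not None else None
            surface[op.get("name")] = messages.get(msg_name, [])
    return surface


def endpoints_without_tls(wsdl_text: str) -> list:
    """Return advertised soap:address URLs whose scheme is not https."""
    root = ET.fromstring(wsdl_text)
    plain = []
    for addr in root.iter("{%s}address" % NS["soap"]):
        location = addr.get("location", "")
        if urlparse(location).scheme.lower() != "https":
            plain.append(location)
    return plain


if __name__ == "__main__":
    ops = enumerate_operations(SAMPLE_WSDL)
    print(f"{len(ops)} operations exposed:")
    for name, parts in ops.items():
        print(f"  {name}({', '.join(f'{p}: {t}' for p, t in parts)})")
    for url in endpoints_without_tls(SAMPLE_WSDL):
        print(f"  endpoint not using TLS: {url}")
```

Each operation the script lists is a reachable entry point whose input parts a reviewer must trace into the wrapped implementation; an endpoint reported without TLS means transport security is absent entirely, before any question of whether SSL alone would be sufficient arises.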
As with other security measures, Web services security must address malicious intruders as well as non-malicious or unintentional misuse. Since Web services expose programmatic access through APIs, the potential for unintentional or accidental security breaches increases. Both forms of intrusion can be equally damaging and costly, and both must be addressed through coherent security mechanisms.
In this chapter, we discuss security within the context of Web services and Web service-based applications. We begin by describing the critical security threats of Web services. Then, we move on to discuss best practices for addressing potential threats in the development of Web services as well as for detecting and eliminating intruders within deployed systems.