Evolving Security Standards and Practices for Web Services

By CIOReview | Wednesday, November 2, 2016

Web services are based on the Extensible Markup Language (XML) and SOAP (Simple Object Access Protocol) are deployed in Service Oriented Architectures (SOA) to allow data and applications to interact with each other without any hindrance or roadblocks. While these services do not provide web services security, the guidelines laid down them can be of great help in developing a robust and secure security umbrella. . In addition, authentication and authorization may be termed as the basic building blocks of any security cover. The irony of the matter is that many of the features that make web services an attractive proposition are completely at odds with the traditional security measures and thus pose a challenging task for software professionals. There are many security issues that are at core of the web services technology and are of paramount importance.

• Protection of confidential and highly sensitive data is of paramount importance.
• Availability in the face of Distributed Denial of Service (DDoS) attacks that exploit loopholes in the web service technologies.
• It is not a viable option to confine the SOAs within the boundaries of a network.
•  SOAP is transmitted over HTTP (Hyper Text Transfer Protocol), which has got no problems in permeating through various firewalls. This can be a really tough challenge for software professionals and developers.
• There can be an attacker or a malicious entity that sits sandwiched between the sender and the receiver and can access the information from either side and has the capability to alter it.  The attacker has also got the capability of sending modified or altered version of the data to both the sides, thus making it a very tricky affair.

As the growth of web services goes unhindered, advanced tools to monitor and provide security according to the needs of the customers becomes increasingly important. In the pursuit of web services security, there are two approaches that are highly effective. W3C (World Wide Web Consortium) takes an encryption based approach, while OASIS has gone for the token-based approach to ensure security. To thwart the risks and threats posed to web Services, a number of security standards and practices have been drawn up. These are given below:

• W3C XML Encryption is generally used to encrypt and decrypt the digital data. XML syntax is also there to represent the encrypted content and the information for decryption. This will help in encrypting only sensitive portion of the document that is highly prone to attacks.
• W3C XML Signature is used to provide integrity and signature assurance for the XML data and is highly efficient. There is also the XML signature, which lays out the syntax and rules for applying digital signatures to any XML data.
• W3C WS-Addressing is mostly used to detect any malicious or altered message that has been repeated or intentionally delayed. It’s very easy to detect a message that has been delayed or repeated, but it should not be confused with any authentic message repetition that takes place.
• Tokens play a vital role in unveiling the identity of the receiver as well as the sender. It  allows only the authorized users to access the web services.  Security tokens are of great help in providing a mechanism for imparting security information with a SOAP message.

Web services security is a relatively new field and the network architects and professionals should be alert and intelligent enough to take every contingency into account before opting for any security cover for the web services. They should also take ample care before deciding how to deploy the web services, so that it is not vulnerable to any outside threat.