Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications

    Here Be Dragons: Web Services Risks

    By
    Timothy Dyck
    -
    March 25, 2002
    Share
    Facebook
    Twitter
    Linkedin

      Anything that accepts input from a caller and then retrieves and returns business-critical data to the caller on the basis of that input should set off mental alarm bells. And that goes double for Web services, which need to be approached as warily as you would any dangerous beast.

      Generally speaking, eWeek Labs advises that early adopters take it slow with Web services rollouts, particularly with externally accessible Web services—the security infrastructure just isnt there yet.

      One of the core problems is the near-total lack of attention paid to security issues when the SOAP (Simple Object Access Protocol) 1.1 Web services specification standard was developed.

      Section 8 of the SOAP 1.1 World Wide Web Consortium Note, “Security Considerations,” (available at www. w3.org/TR/SOAP) states, “Not described in this document are methods for integrity and privacy protection. Such issues will be addressed more fully in a future version(s) of this document.”

      The next version of SOAP, Version 1.2, is in development but has the same blind spots.

      This sin of omission is the reason there is no consistency in how currently available Web services libraries implement security. Frighteningly, most libraries do not provide any security features, since none were required by the SOAP specification.

      Making It Work

      Security does need to be kept in perspective. When a business need exists, its the IT departments job to create or find the technology to satisfy that need, including applying security that will protect the organization and its partners. And there will certainly be a compelling business need for Web services at many organizations: They provide a unique combination of interoperability, accessibility and simplicity, and they will be at the center of future business-to-business networks.

      Even with the current immaturity of the standards, Web services can be deployed securely—with enough effort. However, we warn that, for the rest of the year at least, organizations will probably need to do more custom coding than they would like.

      The only close-to-straightforward way to deploy Web services security right now is to wrap services in a secure transport protocol.

      HTTPS, the encrypted version of HTTP, coupled with built-in Web server authentication techniques such as digest authentication, will be the most common option for the foreseeable future.

      However, inherent incompatibilities between the simple HTTP protocol and the sophisticated needs of business messaging make HTTP (and HTTPS) a poor fit for the security needs of Web services. HTTP is the most common approach simply because it is so universally supported.

      For internal use, HTTPS is a fine choice. However, for external use, especially for more critical services, we recommend instead using a message queue system such as IBMs MQSeries or Microsoft Corp.s Windows Message Queuing (a feature of Windows 2000 Server). These systems provide sophisticated delivery guarantees even across public Internet links, combined with built-in user authentication, encryption, message nonrepudiation and auditing features—in short, all the security features that SOAP lacks.

      As a second-best option for external connections, wed advise that sensitive Web services be offered only over IP Security- based VPN (virtual private network) links between the host organization and business partners. Combined with Web server user-level authentication, this approach provides network traffic isolation along with strong authentication and encryption. (SOAP data is passed as easy-to-capture text strings, so transport protocol encryption is particularly important.)

      A New Kind of Beast

      Web services published using a Web server are implemented through scripts or compiled programs that run when a matching HTTP request arrives, so its fairly straightforward to use the file access control tools provided by all the major Web servers to require some form of user authentication before the Web services program can be accessed.

      However, a dependency on HTTP also means that SOAP inherits HTTPs key security weaknesses: its statelessness and lack of delivery guarantees.

      HTTP provides no information about an ongoing conversation between a client and a server, which makes it considerably more difficult to build Web services that require two separate messages from a business partner rather than just one.

      For example, if Web server user authentication is not used, user authentication data such as user name and password will need to be included by the caller with every SOAP request.

      State of Standards

      There is important standards development work going on to define a full security framework around XML-based Web services, but this work is still in its early stages and will not be incorporated into Web services products for several months.

      The key efforts to watch are the W3Cs XML-Signature Syntax and Processing standard (which became a W3C recommendation Feb. 12), providing a way to sign, check the integrity of and verify sender identity of XML-based messages; the W3Cs XML Encryption Syntax and Processing standard (currently a W3C working draft), providing a way to encrypt XML data; and the W3Cs XML Key Management Specification (currently a W3C working draft), providing an XML-based interface to a public-key infrastructure.

      Even with a stronger framework, security will eventually be compromised. Damage limitation will depend on how defensively the system was configured.

      As with any code exposed to outside users, defensive coding practices are a must for Web services code: Perform existence, range and logical checks on all passed parameters before using them; run the Web server or script engine executing the code using a restricted operating system account; and use database log-ins that are limited to just the subset of data the Web service needs using database access control permissions.

      West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ ziffdavis.com.

      Also in this Special Report

      • Ignorance: The Hackers Best Friend
      • Security Roundtable
      • Threats to Come
      • Trail of Destruction: The History of the Virus
      • Community Builds Security: Labs Answers Your Security Questions
      • WLAN Hardening Checklist
      • Application Hardening Checklist
      • Operating System Hardening Tips
      Timothy Dyck
      Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×