Security tips for Web Services

Posted by Joaquín Ruiz on 21st January 2015


What is a Web Service?

A Web service is a method of communication between two electronic devices over a network. It is a software function provided at a network address over the Web, with the service always on, as in the concept of utility computing. The W3C defines a Web service generally as:

“a software system designed to support interoperable machine-to-machine interaction over a network.”


Why do we need to provide security to Web Services?

The main feature of a Web Service is that it gives you flexibility, accessibility and interoperability. This lets developers abstract the business logic and focus on developing the service without worrying about security.

Fundamentally, Web Services operate on the same structure used by normal web applications. The beginning of the chain is a request forwarded by an application viewed in a web browser, which for Web Services is a SOAP request over HTTP. Since SOAP data is received by the server but not sent to the client, the threat is primarily aimed at the server itself. Web Services can be exploited for buffer overflows, XML injection and session hijacking, among other attacks.


For those reasons, I present these security tips for Web Services:

1. Ensure that there is mutual authentication between the client accessing the Web service and the provider of that service.

2. Maintain an authorization policy for access to resources and, most importantly, for access to operations and processes, in an environment where access by customers, suppliers, vendors and others has to be controlled.

3. Keep the client identified. Once the client has been identified, it can access different services on different systems without having to identify itself again.

4. Check and ensure the confidentiality of the data exchanged, since SOAP itself does not encrypt information. The communication must be secured with a standard that creates a safe channel. The firmly established standard for securing channels is SSL, combined with the encryption of specific parts of the XML document using XML Encryption.

5. Ensure data integrity, so that the data are protected from attacks or accidental manipulation. The standard used in this field is XMLDSIG (XML Signature), which allows specific parts of the XML document to be signed.

6. Ensure that operations cannot be repudiated, which requires keeping the XML signatures.
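Tips 5 and 6 rest on signing a referenced part of the document, not its raw bytes. The following added example (not code from the original post) sketches the mechanism behind an XMLDSIG reference: canonicalize the element identified by wsu:Id, digest it, then sign the SignedInfo; on receipt, check the signature first and only then recompute the digest. It is a simplified illustration: an HMAC over a shared key stands in for the RSA signature and the ds:Signature XML structure is left out; the envelope, key and identifiers are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample envelope: wsu:Id marks the part of the document to be signed.
ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsu="{WSU}">
  <soap:Header/>
  <soap:Body wsu:Id="Body">
    <Transfer><Account>ACC-42</Account><Amount>100.00</Amount></Transfer>
  </soap:Body>
</soap:Envelope>"""

KEY = b"constructed-shared-secret"  # hypothetical key agreed out of band


def find_by_id(root, ident):
    """Locate the element whose wsu:Id matches the signature reference."""
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == ident:
            return el
    raise KeyError(f"no element with wsu:Id={ident}")


def canonical_digest(el):
    """Canonicalize first, so whitespace or attribute-order changes that do
    not alter the meaning of the XML do not alter the digest either."""
    c14n = ET.canonicalize(xml_data=ET.tostring(el), strip_text=True)
    return hashlib.sha256(c14n.encode()).hexdigest()


def sign_body(envelope, key):
    """Return (signed_info, signature): the digest of the referenced element
    and an HMAC over that SignedInfo (XMLDSIG signs it with a private key)."""
    root = ET.fromstring(envelope)
    digest = canonical_digest(find_by_id(root, "Body"))
    signed_info = f"Reference=#Body;DigestMethod=sha256;DigestValue={digest}"
    signature = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    return signed_info, signature


def verify_body(envelope, key, signed_info, signature):
    """Receiver side: check the signature over SignedInfo, then recompute the
    digest of the referenced element and compare it with the signed one."""
    expected = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False  # SignedInfo was altered or the key does not match
    root = ET.fromstring(envelope)
    signed_digest = signed_info.rsplit("=", 1)[1]
    return hmac.compare_digest(canonical_digest(find_by_id(root, "Body")), signed_digest)
```

A reformatted but otherwise identical Body verifies, while a changed Amount or a different key does not.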


Below is a summary table of these security elements and the technologies you can use for each:

Element of security              Security mechanism
Service authentication           HTTP authentication
                                 SSL X.509 certificate
                                 WS-Security tokens
Authorization / Identification   SAML
Confidentiality                  SSL
                                 WS-Encryption
Integrity                        SSL
                                 WS-Signature
Non-repudiation                  WS-Signature
                                 WS-Addressing

About the author:

Joaquín Ruiz is a Computer Engineer, Senior PHP Developer and Magento Certified Developer. Joki has more than 7 years of experience working with multiple PHP frameworks. He knows Magento, WordPress, Laravel, Yii... like the back of his hand ;)