By now, we are all pretty familiar with web applications. The
dot com era saw to that. Businesses everywhere
are incorporating web applications as an integral part
of their public presence. Web applications themselves
have evolved as well. These once-basic systems
have now grown into multi-tier, highly scalable applications
used to manage complex business processes with a significant
amount of our trust.
Today, applications are going even further. A
new breed of web application is emerging that allows
businesses to interact with applications from other
organizations across the Internet. They utilize
components called “web services”. For
example, imagine an online store that sells monogrammed
socks. The store must be able to authenticate
users, but doesn’t want to go through the time
and expense of implementing that process itself. The
application could connect to a web service provided
by Microsoft Passport and use it to authenticate users. The
web service doesn’t even have to reside on a
server within the organization. It can be anywhere
on the Internet.
Sounds easy, right? In some regards, it really
is. Web services are so easy to implement that
they are often implemented without the careful process
that was used for the rest of the application, which
leads to unwanted security risks. In the example
above, what would happen if an attacker could forge
a response from the Microsoft Passport authentication
service to the store application? He could impersonate
a user and change their monogrammed sock orders, and
the store would never know the difference. We
certainly don’t want that, so here are a few
guidelines on how to implement or make use of web services
securely.
1. Design for security
Whether you are planning on using someone else’s
web service or creating one yourself, it is important
to incorporate security practices and principles into
the design from the beginning. By taking the
time to address security before it becomes a problem,
you can avoid the costs of retrofitting the application
with security or frantically responding to an incident.
2. Learn how to spot the common web service security flaws
It isn’t possible to design or implement web
services securely if you don’t know what the
problems are. Even developers well versed in
web application security may need support when it comes
to designing a secure web service. Many of the
potential risks are unique to web service architectures. In
addition, web services frameworks currently support less
security-related functionality than a typical web application. These
challenges can lead to security threats that the average
web application developer may not consider.
For instance, because web services communicate using
XML instead of HTML, they are often vulnerable to different
types of injection attacks than other web applications. Whereas
HTML injection and cross-site scripting are common
problems elsewhere, web services are prone to injection
attacks within the XML data structure. These
attacks may even target the application’s XML
parser itself.
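The following added example (not part of the original article) shows injection within the XML data structure next to a hardened builder and a receiver that checks structure and refuses DTDs. The order/user/monogram/price element names, the function names and the sample input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

EXPECTED = ["user", "monogram", "price"]  # hypothetical order schema

def build_order_unsafe(user, monogram):
    """Vulnerable: caller-supplied text is pasted straight into the markup."""
    return (f"<order><user>{user}</user><monogram>{monogram}</monogram>"
            "<price>9.99</price></order>")

def build_order_safe(user, monogram):
    """Hardened: values are set as text nodes, so the serializer escapes them."""
    order = ET.Element("order")
    for tag, value in zip(EXPECTED, (user, monogram, "9.99")):
        ET.SubElement(order, tag).text = value
    return ET.tostring(order, encoding="unicode")

def parse_order(xml_text):
    """Receiver side: refuse DTDs, then require the exact expected structure."""
    # Assumption: these messages never need a DTD. Entity declarations are
    # how a document targets the parser itself, so reject them before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    tags = [child.tag for child in root]
    if root.tag != "order" or tags != EXPECTED:
        raise ValueError(f"unexpected structure: {tags}")
    return {child.tag: child.text for child in root}

def accepted(xml_text):
    """True if the receiver would accept the message."""
    try:
        parse_order(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed input: a monogram value that tries to add its own <price>.
PAYLOAD = "AB</monogram><price>0.01</price><monogram>AB"

if __name__ == "__main__":
    unsafe = build_order_unsafe("alice", PAYLOAD)
    safe = build_order_safe("alice", PAYLOAD)
    print("unsafe accepted:", accepted(unsafe))
    print("safe accepted:  ", accepted(safe))
    print("monogram stored:", parse_order(safe)["monogram"])
```

The structural check matters even when your own builder is safe, because the receiving service cannot assume every client escapes its values.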
3. Be aware of your exposure
Web services are designed to be easy to use, and many
technologies and standards exist to support this. These
include a URL advertising
the functionality available in a web service. This
information, expressed in the Web Services Description
Language (or WSDL) response, is generally published
alongside the web service for use by connecting clients. Depending
on your implementation, you may not want this information
to be available to everyone. The WSDL may be created
and published without any specific action on the
part of the developer. Microsoft’s Visual
Studio, for example, creates a WSDL by default with
every web service. Understand what application functionality
is exposed by the web service and how this information
is published.
4. Check your work
Even when security is incorporated into the design
process, incorrect security assumptions or flaws
in the implementation can lead to exploitable vulnerabilities. Prior
to the deployment of any web service or application,
have an internal or external security team perform
a security assessment. This check not only helps
reduce the likelihood of a costly security
incident, but also demonstrates your security commitment
to customers and develops trust in your application.