Cloud, Digital, SaaS, Enterprise 2.0, Enterprise Software, CIO, Social Media, Mobility, Trends, Markets, Thoughts, Technologies, Outsourcing



Thursday, March 03, 2005

Web Services Security - Concerns And Advances

Tony Baer writes: The strengths of SOAP and XML are also their greatest weaknesses. As SOAP uses HTTP, designed to pass through firewalls, SOAP messages could provide attractive vectors for writers of all the evil malware that infects Windows PCs. As XML is wordy and easy to manipulate, it would be easy for hackers to design a payload that is so complex to parse that it could expose service providers to denial of service attacks. In all likelihood, there have probably been few if any attacks up until now because the vast worlds of Outlook address books and category killer sites like Amazon or Yahoo present meatier targets for hackers. But as enterprises expose higher value transactions through SOAs and web services, attackers bent on economic destruction could shift their sights. The immediate question is whether the basic building blocks of web services – SOAP and XML – are in their own way just as vulnerable as Windows and Internet Explorer. In Windows and IE, the problems are endemic to the platform; for web services, the vulnerability is the distributed nature of web services, the accessibility of the core building blocks (XML can be read by non-programmers), and the lack of mechanisms, best practices, or standards outside of identification or message authentication. Compounding matters, because web services are standards based, they are well suited for interchangeability. You can replicate, aggregate, or disaggregate service requests or service content. And XML itself is very resource-intensive. XML and SOAP could present inviting targets for hackers. Tony Baer also warns, "sooner or later, hacks and malware will become reality, meaning that service requests are going to have to be vetted for threats far beyond requestor or message integrity".

My Take: Web Services will be trusted based on their origin and general fame, but there is no guarantee for the consumer. Certified software only proves the origin of the software and can guarantee a given functionality; there is no guarantee of the security of its contents. Naturally, vendors who develop their services carefully will be more trusted. As Web services are applied more broadly, as application topologies continue to evolve to support intermediaries such as firewalls, load balancers, and messaging hubs, and as awareness of the threats organizations face becomes better understood, the need for additional security specifications for Web services grows clear. An integrated Web services security model and a set of specifications for realizing that model are needed, and these should be arrived at by extending and leveraging (rather than replacing) existing security technology and assets; this will enable customers and organizations to more rapidly develop secure, interoperable Web services.
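As an added illustration (not code from this post or from Tony Baer), here is one way a service could vet an incoming SOAP request for parsing cost before any business logic sees it, going beyond requestor and message-integrity checks. The function name, the limit values and the sample message are assumptions constructed for this example.

```python
import xml.parsers.expat

# Limits are assumed values for illustration; tune them per service.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 5000
MAX_ATTRS = 32

# Constructed sample request, not taken from any real service.
SAMPLE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><getQuote><symbol>ABC</symbol></getQuote></soap:Body>'
          b'</soap:Envelope>')

class RejectedMessage(Exception):
    """Raised when a request exceeds a structural limit or is malformed."""

def vet_soap_message(raw: bytes) -> dict:
    """Stream-parse raw; return element count and max depth, or raise."""
    if len(raw) > MAX_BYTES:
        raise RejectedMessage("message too large")
    stats = {"elements": 0, "depth": 0, "max_depth": 0}

    def start(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["elements"] > MAX_ELEMENTS:
            raise RejectedMessage("too many elements")
        if stats["depth"] > MAX_DEPTH:
            raise RejectedMessage("nesting too deep")
        if len(attrs) > MAX_ATTRS:
            raise RejectedMessage("too many attributes")

    def end(name):
        stats["depth"] -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        # Refusing any DTD also rules out entity-expansion payloads.
        raise RejectedMessage("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(raw, True)  # handlers abort the parse at the first violation
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from exc
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}
```

Because the check runs inside a streaming parser, an oversized or deeply nested request is dropped as soon as it crosses a limit instead of after a full document tree has been built in memory.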

Sadagopan's Weblog on Emerging Technologies, Trends,Thoughts, Ideas & Cyberworld
"All views expressed are my personal views and are not related in any way to my employer"