How To

How to Secure Web Services

The next new (vulnerable) thing

By Simson Garfinkel

November 01, 2003 | CSO

Securing Web services is easy: All you have to do is secure your Web server, secure every message flowing in and out of your server, secure every application that has anything to do with SOAP and XML, and secure the business operations and practices driving the whole thing.

OK, OK. So securing Web services isn't that easy. In fact, it's downright difficult. So, in the traditional fashion of software development (where the market demands features now and security later), many businesses are tempted to deploy Web services that aren't tremendously secure (and many probably do).

In one sense, it could be argued that this isn't so terrible. Most of the potential security problems with Web services won't immediately be found by people with automated scanning tools if they're not yet trained to find the problems. But Web services security holes can be easily exploited by knowledgeable insiders: people interested in hacking for revenge or monetary gain. The insider threat is always at least as serious as the anonymous hacker threat. So ultimately, it pays to properly secure these services.

Since Web services are built on top of a Web server, the first step in securing Web services is to secure the server itself. Vulnerabilities have been found during the past year in both Microsoft IIS and the Apache Web server. So no matter which Web server you run, make sure you have installed all of the necessary security updates.

Next, audit your server so there are no unauthorized or legacy CGI, ASP or PHP scripts. Confirm that raw scripts can't be downloaded by people on the Internet. If your Web service is based on a database, make sure that the scripts don't contain user names and passwords. Instead, put that information in a separate file that's read by each script when it starts up. Among other things, that will make changing your passwords on a regular basis easier.

Making Connections

After you secure your Web server, you need to worry about how your Web services clients are going to connect to it. Are you going to be making anonymous Web services available over the Internet, or do you intend to use Web services for high-value transactions with your customers and suppliers? If money or business reputation or potentially confidential information is involved with your Web services, you'll almost certainly want to combine some form of authentication (to validate your incoming connections) with some form of encryption (to prevent unauthorized snooping on the actual transactions).
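The script-auditing advice above (keep database credentials out of the scripts, in a separate file each script reads at startup, and make sure nothing under the web root leaks them) can be put into practice as follows. This is an added example, not code from the article; it assumes a Unix host, a key=value credentials file stored beside rather than under the document root, and a simple pattern for password-like assignments; all file names and the sample script contents are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed samples: a credentials file (kept OUTSIDE the web root) and two
# scripts, one that loads credentials at startup and one legacy script that
# still hard-codes a password, which the audit should catch.
SAMPLE_CREDS = "db_user=webapp\ndb_password=example-not-real\n"
SAMPLE_SCRIPTS = {
    "search.php": "<?php $db = db_connect(load_credentials()); ?>",
    "old_report.cgi": "#!/usr/bin/perl\nmy $password = 'hunter2';\n",
}
SCRIPT_SUFFIXES = {".php", ".cgi", ".asp", ".pl", ".py"}
# A quoted literal assigned to a password-like variable name (assumed pattern).
CRED_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*['\"][^'\"]+['\"]")

def load_credentials(path):
    """Read key=value pairs; refuse a file that group or others can read."""
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be readable only by its owner")
    creds = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    return creds

def audit_scripts(webroot):
    """Return scripts under webroot that still embed a password literal."""
    flagged = []
    for script in webroot.rglob("*"):
        if script.suffix in SCRIPT_SUFFIXES and script.is_file():
            if CRED_PATTERN.search(script.read_text(errors="replace")):
                flagged.append(str(script.relative_to(webroot)))
    return sorted(flagged)

def demo():
    """Lay out the constructed files in a temp dir and run both checks."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "htdocs"
    webroot.mkdir()
    for name, body in SAMPLE_SCRIPTS.items():
        (webroot / name).write_text(body)
    cred_path = base / "db.conf"  # beside, not under, htdocs: never served
    cred_path.write_text(SAMPLE_CREDS)
    cred_path.chmod(0o600)
    return load_credentials(cred_path)["db_user"], audit_scripts(webroot)
```

Running `demo()` loads the user name from the protected file and flags `old_report.cgi` as the legacy script that still embeds a password; rotating the password then means editing one file rather than every script.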
