How To

How to Secure Web Services

The next new (vulnerable) thing

By Simson Garfinkel

Page 3

Web services are increasingly being used for complicated business negotiations, transactions and even outsourced information processing. Already some Web services provide credit rating, credit scoring and loan application processing. Typically these are business-to-business applications that are used to enable consumer-facing Web servers operated by commercial banks.

Subject to Change

Alas, as companies use Web services for increasingly complex business transactions, they're going to be covered by negotiated legal agreements written in English. And, like all legal agreements, they'll be subject to change. That can mean problems for companies that want to rely on information exchanged over Web services. In other words, a credit score of 580 might mean something different in January than it did last July.

Is the fact that different Web services results can have differing interpretations a security issue? Probably not. But in all likelihood, that issue is going to be solved using the same mechanism as many security issues, that is, through the use of digital signatures.

For example, a Web services request would include the URL of the legal agreement under which the request is made, and perhaps a cryptographic hash or digital signature of that agreement, just so that the client and the server can both be in harmony as to which legal agreement is in force. Such issues will become even more important as companies begin to use the same Web services to offer different services to different partner organizations under different terms and conditions.

Many SOAP (simple object access protocol) and XML security issues are being addressed by the World Wide Web Consortium's XML Signature and XML Encryption projects, and by the SOAP Message Security standard from OASIS (the Organization for the Advancement of Structured Information Standards). Essentially, these standards provide a uniform way of assigning time stamps to messages, to prevent replay attacks; of computing cryptographic hashes of SOAP messages, to protect their integrity; of digitally signing the messages, to establish their authorship; and of encrypting the messages, to prevent eavesdropping as the messages are sent over the Internet.

Observant readers will note that several of the goals of the standards, specifically encryption and digital signatures, are already provided by Web servers that require SSL encryption with client-side certificates. The advantage of creating a new signature standard for Web services is that SSL protects only the transmission; it doesn't actually protect the data. With XML signatures or SOAP Message Security, the digital signature remains part of the SOAP message and can be verified again, by any later recipient, after the connection is closed. You can find out more information about these standards at www.w3.org and www.oasis-open.org.
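As an added illustration (not code from the article or from either standards body), here is the receiving side of the checks those standards describe: a signed header carrying a time stamp, a digest of the message body and, as the article suggests, the URL and hash of the governing legal agreement. HMAC-SHA256 over a JSON header stands in for a real XML Signature, and the agreement URL, agreement text and shared key are hypothetical.

```python
import hashlib, hmac, json, os, time

# Hypothetical agreement reference; a real service would point at its negotiated terms.
AGREEMENT_URL = "https://example.com/terms/credit-scoring-v2"
AGREEMENT_TEXT = b"Credit scores are reported on the 300-850 scale."  # constructed sample

def sign_message(body, key, agreement_text=AGREEMENT_TEXT, now=None):
    """Wrap a SOAP-style body in a header with time stamp, agreement hash, body digest
    and a signature over the header (HMAC stands in for XML Signature here)."""
    header = {
        "message_id": os.urandom(8).hex(),            # nonce for replay detection
        "created": int(now if now is not None else time.time()),
        "agreement_url": AGREEMENT_URL,
        "agreement_sha256": hashlib.sha256(agreement_text).hexdigest(),
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }
    to_sign = json.dumps(header, sort_keys=True).encode()
    header["signature"] = hmac.new(key, to_sign, hashlib.sha256).hexdigest()
    return {"header": header, "body": body}

def verify_message(msg, key, agreement_text=AGREEMENT_TEXT, now=None,
                   max_age=300, seen=None):
    """Return a rejection reason, or None if the message is acceptable.
    `seen` is an optional set of message ids already accepted (replay cache)."""
    header = dict(msg["header"])                      # copy so we can pop the signature
    sig = header.pop("signature", "")
    expected = hmac.new(key, json.dumps(header, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"                        # header forged or wrong key
    if hashlib.sha256(msg["body"].encode()).hexdigest() != header["body_sha256"]:
        return "body digest mismatch"                 # body altered after signing
    if header["agreement_sha256"] != hashlib.sha256(agreement_text).hexdigest():
        return "agreement version mismatch"           # parties disagree on the terms in force
    now = now if now is not None else time.time()
    if not (0 <= now - header["created"] <= max_age):
        return "stale timestamp"                      # outside the accepted freshness window
    if seen is not None:
        if header["message_id"] in seen:
            return "replay"                           # same message presented twice
        seen.add(header["message_id"])
    return None
```

Because the signature lives in the message rather than in the transport, the same `verify_message` check can be re-run by a downstream system long after the TLS session that carried it has ended.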
