General Security Issues

Although web services have their own unique setup, they are still inherently a web application and, therefore, still require all of the security controls discussed throughout this chapter to ensure they are secure.

Inadequate input and output validation is still a major issue within web services, and it opens up attacks such as cross-site scripting and injection attacks. Default errors and stack traces are still often left available via misconfigured web servers, allowing an attacker to enumerate sensitive information. Similarly, default files and directories are often left available, possibly opening up other avenues for attack. These need to be either removed or contained by tight ACLs. Do not neglect proper logging, monitoring, and alerting for nonstandard requests, since web services are still a target for attacks. Set up SSL and TLS versions and ciphers securely to ensure that encrypted communications channels can't be manipulated.

Web services can also implement additional security controls. Not embedding links to your private web service or WSDL file within your web applications is a step toward limiting the web service's visibility to the public. Presharing WSDL files among trusted partners is another step toward stopping an attacker from enumerating the WSDL file from the web service, which leaves the attacker without the information needed to access and attack the web service.

Among the vulnerabilities introduced with web services that were discussed earlier are DoS attacks that consume resources on the web server. You can use watchdog threads to monitor and terminate processes that either have a long execution time or are taking up more than their fair share of the system resources.
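One way to realize such a watchdog, as an added example rather than code from the chapter: each request handler runs in its own process under a wall-clock deadline enforced by the supervising code, with a CPU-time rlimit as a second guard for runaway loops. It assumes a POSIX system (the fork start method and the resource module); the handler names and the limits are illustrative.

```python
import multiprocessing as mp
import queue
import resource
import time

# "fork" context: the child inherits the handler without re-importing the caller's module
_ctx = mp.get_context("fork")


def _run_limited(handler, args, cpu_seconds, result_q):
    # Child side: a CPU-time rlimit lets the kernel kill a runaway loop (SIGXCPU)
    # even if the supervising parent is itself starved of CPU.
    _soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, hard))
    result_q.put(handler(*args))


def run_with_watchdog(handler, *args, wall_seconds=1.0, cpu_seconds=2, poll=0.02):
    """Run handler(*args) in a supervised child process. Returns (status, result):
    ("ok", value) on success, ("timeout", None) when the watchdog terminated it for
    exceeding wall_seconds, ("failed", None) if it exited without a result."""
    result_q = _ctx.Queue()
    proc = _ctx.Process(target=_run_limited, args=(handler, args, cpu_seconds, result_q))
    deadline = time.monotonic() + wall_seconds
    proc.start()
    while proc.is_alive():
        if time.monotonic() > deadline:
            proc.terminate()            # SIGTERM the overrunning handler
            proc.join(1.0)
            if proc.is_alive():
                proc.kill()             # escalate if SIGTERM was ignored
            proc.join()
            return "timeout", None
        time.sleep(poll)
    proc.join()
    try:
        return "ok", result_q.get(timeout=0.5)
    except queue.Empty:                 # crashed, raised, or hit the CPU limit
        return "failed", None


def echo_handler(payload):
    return payload.upper()          # well-behaved handler: returns at once


def stalled_handler(seconds):
    time.sleep(seconds)             # misbehaving handler: blocks far past the deadline
    return "done"
```

Calling `run_with_watchdog(stalled_handler, 30, wall_seconds=0.5)` returns `("timeout", None)` after about half a second instead of tying up a worker for 30 seconds.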

Another consideration around implementing a web service is the architecture needed to obtain the level of security required by the organization. These days, web services are often designed for private use between trusted parties, which may require an extranet network to be deployed to ensure private communications are guaranteed.

