Securing Web Services


Figure: Web Service Security Architecture Diagram

Securing web services and reducing attacks against web applications is an in-demand subject in the current market, with many services now moving online because of the “digital by default” agenda. The agenda states that all Government services that were offline and paper based should now be online unless there is a legitimate reason not to be, so this includes applications for passports, driving licenses and even paying bills. This move to online services brings with it a multitude of benefits, including ease of accessibility and management; however, it also opens the service up to large amounts of potential fraud and misuse. With that in mind, this article looks at the principles behind securing web services.

Securing the confidentiality of communications is the first step that must be taken when securing web services. Man-in-the-middle attacks allow an attacker to position themselves between the user of the service and the web service itself, eavesdropping on all sensitive data sent back and forth. The key to ensuring the confidentiality of data in transit is strong encryption, such as well-configured transport layer security (TLS).

Using appropriately configured TLS, the service provider must authenticate to the service consumer: the server's certificate establishes the authenticity of the service, so that the consumer obtains assurance that they are sending their sensitive data to a legitimate site. It is the responsibility of the user to check that the service is utilising appropriate authentication and encryption controls to secure their data.

Similarly, the user should authenticate to the service. Client certificate authentication is recommended, as it is stronger than basic authentication mechanisms, but in either scenario the user must authenticate themselves to the service.

In addition to authentication and encryption mechanisms, the web application should protect itself and the data it processes from application-based attacks. Content validation controls reduce the probability of XML bomb attacks, malformed XML entries or even SQL injection attacks. The application should validate all incoming content against a defined schema to prevent web application attacks.

Finally, one of the biggest threats to web services is the denial of service attack. On countless occasions, attackers have simply flooded the web server of a service supplier to prevent legitimate access and crash the service. Service providers must react to this ongoing threat and enforce DoS protective techniques that reject oversized and recurring payloads. XML schema validators can be configured to reduce the threat of XML-based denial of service attacks.
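The content validation and payload controls described in the two paragraphs above, as an added example that is not part of the original article: a pre-parse guard for an XML web service using only Python's standard library. The size ceiling, the allowed-element "schema", the replay window and the sample payloads are hypothetical values constructed for illustration.

```python
import hashlib
import re
import time
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024              # hypothetical ceiling for one request body
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Hypothetical "schema": the only elements a payment request may contain,
# each with a maximum permitted text length.
ALLOWED = {"payment": 0, "account": 20, "amount": 12, "reference": 64}
REPLAY_WINDOW = 60.0               # seconds; an identical body seen again inside it is rejected
_recent = {}                       # sha256(body) -> time last seen (prune periodically in production)

def check_payload(raw: bytes, now=None) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects oversized, entity-bearing, recurring,
    malformed and off-schema XML bodies before any business logic sees them."""
    now = time.monotonic() if now is None else now
    if len(raw) > MAX_BYTES:
        return False, "oversized payload"
    # An XML bomb relies on DOCTYPE/ENTITY declarations; an API that never
    # legitimately uses them can refuse the body before the parser expands anything.
    if DOCTYPE_RE.search(raw):
        return False, "DOCTYPE/ENTITY declarations not permitted"
    digest = hashlib.sha256(raw).hexdigest()
    last = _recent.get(digest)
    if last is not None and now - last < REPLAY_WINDOW:
        return False, "recurring payload"
    _recent[digest] = now
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "payment":
        return False, "unexpected root element"
    for el in root.iter():                       # structural check against the schema
        if el.tag not in ALLOWED:
            return False, f"element <{el.tag}> not in schema"
        if len((el.text or "").strip()) > ALLOWED[el.tag]:
            return False, f"<{el.tag}> exceeds permitted length"
    if not re.fullmatch(r"\d+(\.\d{1,2})?", (root.findtext("amount") or "").strip()):
        return False, "amount is not a decimal value"
    return True, "ok"

# Constructed sample bodies: one well-formed request and one carrying an entity declaration.
GOOD = b"<payment><account>12345678</account><amount>19.99</amount><reference>inv-42</reference></payment>"
BOMB = b'<!DOCTYPE payment [<!ENTITY e "x">]><payment><account>1</account><amount>1</amount></payment>'

if __name__ == "__main__":
    for body in (GOOD, GOOD, BOMB):
        print(check_payload(body))
```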

In conclusion, there are a multitude of web-based attacks that can bring businesses to their knees if left unmitigated. A secure web application architecture with mitigating controls can dramatically reduce this risk and enable organisations to provide continued online functionality to their customers.


About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
