Oh, what a tangled web...
DotSec professionals are increasingly supporting the design, deployment and review of secure web services.
XML is at the foundation of web services, and both XML and web services are sometimes viewed as a panacea for a range of security issues. DotSec understands that while XML and web services are very useful in helping to solve some problems, they are not technologies that should be applied universally without carefully considering the business and functionality requirements.
XML and web services do not provide new mechanisms that will strengthen an organisation's Intranet/LAN against its existing vulnerabilities. In fact, deploying web services over an environment that is not already strong in areas including authentication, privilege management and auditing is probably a recipe for disaster. DotSec can assist organisations to address internal (Intranet/LAN) issues before embarking on web-services deployments.
Web services effectively trick the organisation's firewall. In the past, a client would have connected to a web application on port 80/443, and the firewall would have made policy-based decisions, based on an understanding of the HTTP GET, POST, PUT and DELETE methods. With the advent of web services, the traffic arriving at a gateway on port 80/443 may contain web-service method invocations, with a potentially unlimited set of semantics. Although the firewall can parse the method contents (in the payload), it cannot understand general application semantics, and so application-layer security becomes critical in the protection of online services. DotSec can provide a range of secure-application design and review/assessment services.
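The following is an added illustration of the point above; it is example code written for this page, not DotSec's code. It assumes a constructed SOAP-style service (namespace urn:example:accounts, operations getBalance and closeAccount, all invented here) and shows two constructed requests that look identical to a port/HTTP-method firewall rule (both are a POST to /ws) but carry different operations in the payload. Only an application-layer check that parses the envelope and compares the invoked operation against an allow-list can tell them apart.

```python
"""Why HTTP-level firewall decisions are insufficient for web services.

Added example, not DotSec's code. The service namespace, operation names and
request bodies below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:accounts"  # constructed service namespace

# Two constructed requests. Both arrive as "POST /ws" on port 443, so a
# firewall reasoning only about port and HTTP method treats them identically.
GET_BALANCE = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <m:getBalance xmlns:m="{SERVICE_NS}"><m:account>1234</m:account></m:getBalance>
  </soap:Body>
</soap:Envelope>"""

CLOSE_ACCOUNT = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <m:closeAccount xmlns:m="{SERVICE_NS}"><m:account>1234</m:account></m:closeAccount>
  </soap:Body>
</soap:Envelope>"""

# What the application itself is prepared to expose to this caller.
ALLOWED_OPERATIONS = {"getBalance"}


def http_layer_allows(method: str, path: str) -> bool:
    """The whole of what a port/method firewall rule can decide."""
    return method == "POST" and path == "/ws"


def extract_operation(body: str) -> str:
    """Parse a SOAP envelope and return the local name of the invoked operation.

    Raises ValueError for anything that is not a single, namespaced operation
    in the expected service namespace.
    """
    # Refuse inline DTDs outright: this service never needs one, and the
    # stdlib parser would otherwise honour entity declarations in them.
    if "<!DOCTYPE" in body:
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise ValueError("expected exactly one operation element in soap:Body")
    op = soap_body[0]
    # ElementTree spells tags as "{namespace}local".
    ns, _, local = op.tag.partition("}")
    if ns.lstrip("{") != SERVICE_NS or not local:
        raise ValueError("operation is not in the expected service namespace")
    return local


def application_layer_allows(body: str) -> bool:
    """Application-layer decision: is the invoked operation on the allow-list?"""
    try:
        return extract_operation(body) in ALLOWED_OPERATIONS
    except (ValueError, ET.ParseError):
        # Malformed or unexpected payloads fail closed.
        return False


def screen(method: str, path: str, body: str) -> tuple[bool, bool]:
    """Return (firewall verdict, application-layer verdict) for one request."""
    return http_layer_allows(method, path), application_layer_allows(body)


if __name__ == "__main__":
    for name, body in (("getBalance", GET_BALANCE), ("closeAccount", CLOSE_ACCOUNT)):
        fw, app = screen("POST", "/ws", body)
        print(f"{name:>13}: firewall allows={fw}, application allows={app}")
```

Running it shows the firewall saying "allow" for both requests while the application-layer check admits only getBalance; the HTTP method and port carry no information about which operation is being invoked, so the allow-list has to live in (or in front of) the application.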
Interestingly, the term "web services" is often used inconsistently, and its meaning often depends upon the situation and the person using the term. We attempt to use the following two terms consistently:
- The term "web applications" describes applications that use HTTP as the (application-layer) transport protocol, and whose operations have no other semantics aside from those defined by the POST, PUT, DELETE and GET HTTP methods. Accordingly, "web applications" often have human clients who interact with the application using a web browser; the application itself is usually based on a web server, servlet engine, etc., but may also include a middle tier (based on J2EE, CORBA or .Net, for example) and a data tier.
- The term "web services" describes applications that also use HTTP as the (application-layer) transport protocol, but whose operations have application-dependent semantics in addition to those defined by the POST, PUT, DELETE and GET HTTP methods. "Web services" do not usually have human clients, although a human user may be the original initiator of some action (such as an HTTP POST) that results in the subsequent invocation of the web service method.