Oh, what a tangled web...

DotSec professionals are increasingly supporting the design, deployment and review of secure web services.

XML is at the foundation of web services, and both XML and web services are sometimes viewed as a panacea for a range of security issues. DotSec understands that while XML and web services are very useful in helping to solve some problems, they are not technologies that should be applied universally without carefully considering the business and functionality requirements.

XML and web services do not provide new mechanisms that address an organisation's existing Intranet/LAN vulnerabilities. In fact, deploying web services over an environment that is not already strong in areas including authentication, privilege management and auditing is probably a recipe for disaster. DotSec can assist organisations to address internal (Intranet/LAN) issues, with a view to embarking on web-services deployments.

Web services effectively trick the organisation's firewall. In the past, a client would have connected to a web application on port 80/443, and the firewall would have made policy-based decisions, based on an understanding of the HTTP GET, POST, PUT and DELETE methods. With the advent of web services, the traffic arriving at a gateway on port 80/443 may contain web-service method invocations, with a potentially unlimited set of semantics. Although the firewall can parse the method contents (in the payload), it cannot understand general application semantics, and so application-layer security becomes critical in the protection of online services. DotSec can provide a range of secure-application design and review/assessment services. Interestingly, the term "web services" is often used inconsistently, and its meaning often depends upon the situation and the person using the term.
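To illustrate the firewall point above, here is a constructed Python example (added here, not code from DotSec or the original page): two SOAP requests that are identical at the HTTP-method level, and an application-layer gateway check that tells them apart by the operation named in the SOAP Body. The host, path, service namespace and operation names are all invented.

```python
"""Constructed example: two HTTP requests that a port/method-aware firewall
sees as the same thing (POST to the same path on 80/443), but whose SOAP
payloads invoke different web-service operations. Only an application-layer
check that reads the SOAP Body can apply a meaningful policy."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample traffic; gateway.example, the path and the
# "urn:example:orders" service namespace are all made up.
REQUESTS = {
    "get_order": (
        "POST /services/orders HTTP/1.1\r\nHost: gateway.example\r\n"
        "Content-Type: text/xml\r\n\r\n"
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        '<GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder>'
        "</soap:Body></soap:Envelope>"
    ),
    "purge_all": (
        "POST /services/orders HTTP/1.1\r\nHost: gateway.example\r\n"
        "Content-Type: text/xml\r\n\r\n"
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        '<PurgeAllOrders xmlns="urn:example:orders"/>'
        "</soap:Body></soap:Envelope>"
    ),
}

# Operations this endpoint is permitted to receive from external clients.
ALLOWED_OPERATIONS = {("urn:example:orders", "GetOrder")}


def firewall_view(raw_request: str) -> tuple:
    """What a method-aware firewall sees: the HTTP method and path only."""
    request_line = raw_request.split("\r\n", 1)[0]
    method, path, _version = request_line.split(" ")
    return method, path


def soap_operation(raw_request: str) -> tuple:
    """Return (namespace, local name) of the operation element in soap:Body."""
    body_text = raw_request.split("\r\n\r\n", 1)[1]
    envelope = ET.fromstring(body_text)
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP operation found in Body")
    tag = body[0].tag  # ElementTree encodes namespaces as "{ns}local"
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local


def gateway_decision(raw_request: str) -> bool:
    """Application-layer policy: admit only allowlisted SOAP operations."""
    return soap_operation(raw_request) in ALLOWED_OPERATIONS
```

Both requests pass `firewall_view` identically; only `gateway_decision` separates the permitted read from the destructive operation.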

We attempt to use the following two terms consistently:

Web services

DotSec continues work on a range of projects associated with web services and WSS.

For example, DotSec has recently completed a vulnerability assessment of a major WS deployment for a national mining company. The target environment included web services that were designed to accept secured messages from authenticated clients, for subsequent processing in an n-tiered environment.

DotSec has also presented an audit of a range of WSS products. The audit considered a range of topics, including how SAML was used to support web-SSO and privilege management, and how messages were transported and secured between components.

Despite the fact that all the products claim to be based on OASIS and W3C standards, there are surprising differences in capability and design. This is particularly the case when authentication mechanisms, and the security mechanisms used between product components, are considered.

The lesson learned is that success in web services depends greatly on preliminary Proof-of-Concept testing.