Home

Oh, what a tangled web...

DotSec professionals are increasingly supporting the design, deployment and review of web services. Interestingly however, the term "web services" is often used inconsistently, and its meaning often depends upon the situation and the person using the term.

We attempt to use the following two terms consistently:

The term, "web applications" describes applications that use HTTP as the (application-layer) transport protocol, and whose operations have no other semantics aside from those defined by the POST, PUT, DELETE and GET HTTP methods. Accordingly, "web applications" often have human clients who interact with the application using a web browser; the application itself is usually based on a web server, servlet engine, etc., but may also include a middle tier (based on J2EE, CORBA or .Net, for example) and a data tier.
The term, "web services" describes applications that also use HTTP as the (application-layer) transport protocol, but whose operations have application-dependent semantics in addition to those defined by the POST, PUT, DELETE and GET HTTP methods. "Web services" do not usually have human clients, although a human user may be the original initiator of some action (such as a HTTP POST) that results in the subsequent invocation of the web service method.

The design and deployment of secure web services is interesting for a number of reasons, a number of which are discussed in more detail on the next page.

[Continue > ]

[ < Back to Services]

Web services

DotSec continues work on a range of projects associated with web services and WSS.

For example, DotSec has recently completed a vulnerability assessment of a major WS deployment for a National mining company. The target environment included web services that were designed to accept secured messages from authenticated clients, for subsequent processing in an n-tiered environment.

DotSec has also presented an audit of a range of WSS products. The audit considered a range of topics, including how SAML was used to support web-SSO and privilege management, and how messages were transported and secured between components.

Despite the fact that all the products claim to be based on OASIS and W3C standards, there are surprising differences in capability and design. This is particularly the case when authentication mechanisms and inter product-component security mechanisms are considered.

The lesson learned is that success in web services depends greatly on preliminary Proof-of-Concept testing.