Secure web apps and services
The design and deployment of secure web services is interesting for a number of reasons:
- XML is at the foundation of web services, and both XML and web services are sometimes viewed as a panacea for a range of security issues. DotSec understands that while XML and web services are very useful in helping to solve some problems, they are not technologies that should be applied universally without carefully considering the business and functionality requirements.
- XML and web services do not provide new mechanisms that will address an organisation's Intranet/LAN vulnerabilities. In fact, deploying web services over an environment that is not already strong in areas including authentication, privilege management and auditing is probably a recipe for disaster. DotSec can assist organisations to address internal (Intranet/LAN) issues, with a view to embarking on web-services deployments.
- Web services effectively trick the organisation's firewall. In the past, a client would have connected to a web application on port 80/443, and the firewall would have made policy-based decisions, based on an understanding of the HTTP GET, POST, PUT and DELETE methods. With the advent of web services, the traffic arriving at a gateway on port 80/443 may contain web-service method invocations, with a potentially unlimited set of semantics. Although the firewall can parse the method contents (in the payload), it cannot understand general application semantics, and so application-layer security becomes critical in the protection of online services. DotSec can provide a range of secure-application design and review/assessment services.
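The firewall limitation described above, as an added illustration (not code from the original page or from DotSec): two constructed SOAP requests that are identical at the HTTP layer but carry different operations in the XML body, with a hypothetical per-endpoint operation allowlist standing in for the application-layer policy. The endpoint path, operation names and namespace are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample traffic: both requests are indistinguishable at the HTTP
# layer (same method, path and headers); only the XML payload differs.
def _soap_request(operation: str, body_xml: str) -> bytes:
    envelope = (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{operation} xmlns="urn:demo:accounts">{body_xml}</{operation}>'
        "</soap:Body></soap:Envelope>"
    )
    return (
        "POST /services/accounts HTTP/1.1\r\n"
        "Host: intranet.example\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f"Content-Length: {len(envelope)}\r\n\r\n"
    ).encode() + envelope.encode()

REQUEST_BALANCE = _soap_request("GetBalance", "<account>1001</account>")
REQUEST_TRANSFER = _soap_request(
    "TransferFunds", "<from>1001</from><to>2002</to><amount>5000</amount>")

def firewall_view(raw: bytes) -> tuple:
    """What a port-based firewall can act on: HTTP method and path only."""
    request_line = raw.split(b"\r\n", 1)[0].decode()
    method, path, _version = request_line.split(" ")
    return method, path

def application_view(raw: bytes) -> str:
    """What only the application layer can see: the SOAP operation name."""
    body = raw.split(b"\r\n\r\n", 1)[1]
    # xml.etree does not defend against entity-expansion attacks; a gateway
    # in production should use defusedxml or an equivalently hardened parser.
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise ValueError("malformed SOAP body")
    return soap_body[0].tag.split("}")[-1]  # strip the namespace prefix

# Hypothetical per-endpoint allowlist of operations the service will accept
# from the Internet-facing gateway; this is the application-layer policy.
ALLOWED_OPERATIONS = {"/services/accounts": {"GetBalance"}}

def gateway_decision(raw: bytes) -> str:
    method, path = firewall_view(raw)
    if method != "POST":
        return "deny: unexpected HTTP method"
    operation = application_view(raw)
    if operation not in ALLOWED_OPERATIONS.get(path, set()):
        return f"deny: operation {operation} not allowed on {path}"
    return f"allow: {operation}"
```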