Executive Guide to Web Services Security

Executive Guide to
Web Services Security
ABSTRACT
Businesses are rapidly adopting Web services to provide new levels of integration between applications. By comparison with earlier data-communications techniques, Web services are faster and cheaper to develop, quicker to deploy, and easier to adapt to emerging business needs.
Although these benefits are real, and more and more companies are adopting Web services for that reason, the same characteristics that make Web services quicker and cheaper to deploy, more robust and more flexible than older methods, also make them vulnerable to new kinds of security risks and opportunities.
This paper discusses the special security challenges posed by the use of Web services, and how to secure networks against them.
© 2006, Reactivity, Inc.WHITEPAPER
Contents
Special Advantages, Special Risks??????????????????????????????????????????? 3 Understanding XML Virus Attacks???????????????????????????????????????????????????8Making Sense of Standards ????????????????????????????????????????????????????? 4 Defending Denial of Service Attacks??????????????????????????????????????????????9Which Standard Fits Your Need???????????????????????????????????????????????????????5 Making the Architecture Work????????????????????????????????????????????????? 9Trust and Threats in the Web Services Paradigm???????????????????? 6 The Importance of Logging????????????????????????????????????????????????????????????10Malicious Intent or Human Error?????????????????????????????????????????????????????6 Conclusion???????????????????????????????????????????????????????????????????????????????? 10Defending Against Identity Attacks ???????????????????????????????????????????????6 About Reactivity?????????????????????????????????????????????????????????????????????? 10
© 2006, Reactivity, Inc. www.reactivity.com The Executive Guide to Web Services Security | WHITEPAPER
Special Advantages, Special Risks The universal nature of the Internet enables these unscrupulous users to intercept legitimate communications and connect The great advantage of the Internet is that it is universally to others' systems. Similarly, the standardization of Internet accessible. Because it consists of thousands of freely- protocols and data formats enables them to read, understand, communicating networks all over the world, the Internet and even forge communications between legitimate users.provides a communication infrastructure that reaches everyone, an infrastructure that a business can use without significant new capital investment. FedGovSimilarly, Internet standards define communication protocols and data formats that enable anyone to make network connections and transmit data, and rely on the fact that their Univmessages will be received and understood. BigCoInternet
When someone sends a message in a standard format using a Kwikstandard protocol, the protocol ensures that the message can Martbe delivered correctly, and the data format ensures that the receiver can read it. Mom
FedGovThe openness of XML and Web services lets you cost-effectively conduct strategic operations with customers and partners. However, openness cuts both ways.BigCoInternetUniv
FedKwikMartGov
Mom
BigCoInternetUniv
Unfortunately, these very advantages make Web services and other Internet technologies uniquely vulnerable to attack. KwikMartBecause the Internet reaches everyone, anyone can use it-not just honest people engaged in legitimate business, but vandals, Momcriminals and other abusers of the network.
© 2006, Reactivity, Inc. www.reactivity.com The Executive Guide to Web Services Security | WHITEPAPER
While standards-based solutions claiming to solve "the security effort in creating services; it's important that you choose the problem" flood the market, the problem encompasses more standards that best support your needs. The answers to these than security. Securing your Web services must take into questions can help you begin: account multiple connections to individual vendors, strategic . Which standards are the most established and reliable? partners, and customers. These connections are revenue Approved or still emerging?pipelines, so measures must assure security and enable rapid . Which standards are most beneficial to support for our customer acquisition. That's why stand... [download for more]