[Owasp-kansascity] Web Service

Evans, Arian Arian.Evans at fishnetsecurity.com
Mon Jan 31 12:31:06 EST 2005


> I am trying to determine how the security should be set-up for a web
> service.  A project has been initiated for the creation of a web service
> that will be using .NET.  This service will be (for a better word)
> anonymous that open for a number of application to access.
> The web service at first will be the communication between two different 
> applications one will be sending a MQ Series message to a database.  What I 
> guidance with is how to secure the web service or should the applications be 
> secured that use the web service.

Without more information, both. Web services are merely an XML window into
your application. It's an access medium like HTTP, however, it's harder to
secure (in terms of field validation) due to the dynamic nature of content.

Applications are completely contextual. Rarely are any two alike. While there
are boilerplate application security standards (like the BITS Roundtable standards)
I don't find them worth the time they take to read as you can fill out all the
check-boxes and still not solve a single security issue in your application.

> I would like to have some instruction on how this is
> being done at different sites or guided to some documentation 
> that might explain this concept.  I am not up-to-date with .NET.
> Can this be handled total within the .NET framework?

A number of people we are working with are looking at web service (XML)
firewalls. XML native security is poorly designed. Third party controls
offer a lot of benefits to the software architect including XML encryption,
signing, and acceleration since as most find out post web service
implementation, XML is _slow_.

.NET offers many native security controls, but the same holds true for .NET
web applications, which are usually insecure. Meaning, the controls are there
but people frequently don't use them (through ignorance or lack of time),
or implement them improperly.

Microsoft's newest cookbook "Improving Web Application Security: Threats and
Countermeasures" has a good chapter on the controls that can be used in .NET.
The book is available here as a free pdf download: 


(note: Outlook will break the text link so make sure you get the whole link)

Essentially you have to ask:
1. What methods are being exposed?
2. How are those methods being exposed?
3. How is access to those methods controlled?
4. Am I sure that I know what I've exposed? (e.g.-must fully test post-implementation)

Web services can often be worse than web applications, due to the fact that
less thought is usually put into security exposure on machine-to-machine
communications versus user-to-machine communications.


The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication 
in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.

More information about the Owasp-kansascity mailing list