Security Best Practices: Web Services
Web services are often used for important tasks operating on crucial data. Many web services need to be accessible from the Internet for their intended purpose. Therefore, they are interesting targets for criminals trying to attack them with different techniques.
In order to defend the data processed by web services and the availability of web services themselves security features need to be applied. The WS-Security standard defines such features. Most of the common web service frameworks support the “WS-Security” standard right away, for example Apache CXF.
In the following, a check list with configuration best practices that will help to develop and configure secure web services will be presented. Later an example will show how to enable the configuration on web services built with the CXF web service framework. The configuration in general aims to achieve the following four main goals:
- Integrity and Authenticity: The "WS-Security" standard allows to use signatures as defined in the XML Signature standard to secure certain parts of the SOAP messages. The signatures make sure that these parts have not been manipulated during transmission (integrity) and allow the author of the message to authenticate himself to the recipient (authentication).
- Confidentiality: In addition to signatures the "WS-Security" standard allows the application of XML Encryption to encrypt certain parts of the messages. This makes sure that the information included in these parts can only be read by the intended recipient of the message and remains secret to attackers and other possible parties.
- Freshness: Lastly the "WS-Security" standard defines the use of timestamps and nonces to make sure that messages are only valid for a short period of time and cannot be used for replay attacks.
- Availability: Attackers might try to influence the availability of web services in a negative way by executing Denial-of-Service (short: DoS) attacks. The different DoS techniques need to be prevented in order to ensure that the web service is available to clients and responds to their requests in reasonable time.
However, all goals might not be relevant for every web services. For example, confidentiality (and authenticity) might not be relevant for a web service simply providing weather information to clients.
The decision which goals are relevant and which security features should be enabled in order to achieve them needs to be made individually for every web service.