
web service security : question for Mr. Lai

Dave Knipp
Ranch Hand
Posts: 146
Mr. Lai,
Hi, I was curious what your opinion is on how secure web services are. If they are publicly accessible, can this public access ever become a problem in the future? What are your experiences with this topic? It would be interesting to hear it from someone with a lot of web service knowledge.
Thanks,
Dave Knipp
 
Ray Lai
author
Greenhorn
Posts: 17
Originally posted by Dave Knipp:
If they are publicly accessible, can this public access ever become a problem in the future? What are your experiences with this topic?

Many web services in production are private, i.e. you can't access them directly from the public internet. Even if you can, they use tight encryption (e.g. HTTPS and XML encryption) and authentication mechanisms. The majority of early adopters tend to use HTTPS in general. Anyway, there was no WS-Security 2-3 years ago - no standard way to protect SOAP messages; HTTPS appeared to be sufficient for RPC calls.
There are also some web services in production available in public internet. The examples cited in public include ASU, Jarna, Adobe, Comvia, POSC, TCPL, etc. My book ch 2 section 2.5 provides some details. I'm aware that some financial services using web services are typically using HTTPS, but some of them use web services for server-side processing to aggregate account information from the back-end, without allowing the client-side to invoke the services directly.
It's difficult to conclude whether this "first-generation" web services security is secure, because end-to-end security spans different layers and technology stacks. Early generations of web services use HTTPS and XML encryption, which cover client-to-server interaction and message-level protection. But they are not necessarily sufficient, as there are many risk areas behind the DMZ firewall, and between service components. For instance, message replay can be hazardous even though you have HTTPS and XML encryption.
It's true that when more web services are available in public, the security risk will increase as they become more accessible to hackers. However, provided that architects / developers have a strong application security design to cover all layers and stacks, I'm confident that it is still safe and secure to provide public web services. For instance, Liberty provides a good security framework for single sign-on and authentication services. This will be a strong component in building end-to-end web services security.
Many customers I met today seem to be happy with web services security using HTTPS and XML encryption. Some are still waiting for the final WS-Security or any market standard to be finalized. Most of them are fully aware of the need for stronger end-to-end security. But some thought HTTPS and XML encryption are just fine. IMHO, as the public gains more awareness of what web services are, their awareness of and demand for end-to-end web services security will increase.
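The replay point in the answer above (HTTPS and XML encryption protect the message in transit and at rest, but a captured, still-valid message can be submitted again) is usually handled at the service side with a per-message nonce plus a creation timestamp: the receiver rejects anything outside a freshness window and anything whose nonce it has already seen inside that window. The following is an added example, not code from the thread or from any product mentioned in it; the SOAP envelope layout, the `urn:example:security` header namespace and the element names `Nonce` and `Created` are constructed for illustration and are not the WS-Security schema.

```python
"""Replay guard for SOAP-style messages: freshness window plus nonce cache.

Added example (not from the original thread). The header namespace and the
<Nonce>/<Created> element names below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:security"          # hypothetical header namespace
FRESHNESS_WINDOW = timedelta(minutes=5)  # how old a Created stamp may be
CLOCK_SKEW = timedelta(seconds=30)       # tolerance for clients slightly ahead


class ReplayGuard:
    """Rejects stale messages and messages whose nonce was already accepted."""

    def __init__(self, window=FRESHNESS_WINDOW):
        self.window = window
        self.seen = {}  # nonce -> Created timestamp of the accepted message

    def _purge(self, now):
        # Nonces older than the window can be forgotten: a replay carrying
        # such a Created value is rejected by the freshness check anyway.
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def check(self, envelope_xml, now):
        """Return 'accept' or a 'reject: <reason>' string for one envelope."""
        try:
            root = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return "reject: malformed XML"
        nonce_el = root.find(f".//{{{SEC_NS}}}Nonce")
        created_el = root.find(f".//{{{SEC_NS}}}Created")
        if nonce_el is None or created_el is None or not (nonce_el.text or "").strip():
            return "reject: missing nonce or timestamp"
        try:
            created = datetime.fromisoformat(
                (created_el.text or "").strip().replace("Z", "+00:00"))
        except ValueError:
            return "reject: bad timestamp"
        if created.tzinfo is None:
            return "reject: timestamp must carry a timezone"
        self._purge(now)
        if created > now + CLOCK_SKEW or now - created > self.window:
            return "reject: stale or future timestamp"
        nonce = nonce_el.text.strip()
        if nonce in self.seen:
            return "reject: replayed nonce"
        self.seen[nonce] = created
        return "accept"


def build_message(nonce, created):
    """Constructed sample envelope with a security header (illustration only)."""
    return (
        f'<Envelope xmlns="{SOAP_NS}" xmlns:sec="{SEC_NS}">'
        f"<Header><sec:Security><sec:Nonce>{nonce}</sec:Nonce>"
        f"<sec:Created>{created}</sec:Created></sec:Security></Header>"
        '<Body><GetBalance account="example"/></Body></Envelope>'
    )


NO_HEADER = f'<Envelope xmlns="{SOAP_NS}"><Body><GetBalance/></Body></Envelope>'


def demo():
    """Run four constructed messages through one guard; returns the verdicts."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    guard = ReplayGuard()
    fresh = build_message("c2FtcGxlLW5vbmNlLTE=", "2024-01-01T11:59:30Z")
    stale = build_message("c2FtcGxlLW5vbmNlLTI=", "2024-01-01T11:40:00Z")
    return [
        guard.check(fresh, now),      # first sight: accept
        guard.check(fresh, now),      # identical resubmission: replayed nonce
        guard.check(stale, now),      # outside the window: stale
        guard.check(NO_HEADER, now),  # no security header at all
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two caveats a practitioner would add: the nonce and timestamp must be covered by the message signature (XML Signature or equivalent), otherwise they are just more fields the sender controls; and the `seen` cache must be shared across all replicas of the service (a database or distributed cache in place of the in-process dict used here), or a message accepted by one node can still be accepted by another.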
 