What are Web services and why do they impact security?
Requires Free Membership to View
When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.
Hannah Smalltree, Editorial Director
"Web services" is a fairly broad term applied to a set of technologies that conform to the basic idea that services that process and consume data should be able to communicate regardless of platform or implementation. Web services are used for many different purposes, and have the potential to be widespread throughout the industry and the Web. The common thread through Web services is XML, which organizes the data that is passed back and forth. There are Web services interoperability standards organizations, such as OASIS, WS-I and W3C, which provide common guidelines to promote shared standards of message formatting and delivery.
When it comes to Web service security, there is a broad range of issues to deal with. Web services are being used to replace previously proprietary inter-process communication schemes, such as RMI and EDI, as well as provide new means of distributing data on the Web (think AJAX and Web APIs). Besides traditional security concerns, such as verifying authentic users and guarding against potentially dangerous submitted data, Web services architects and developers must be very careful about the kinds of information they expose, the business processes they allow to be run and the potential security implications of providing what is essentially an API to a general, anonymous audience. That being said, all of the vendors who are pushing Web services are working to solve these problems. An organization's success in creating secure Web services typically boils down to how well the organization's security requirements are elucidated, designed for, and implemented.
When it comes to Web service security, there is a broad range of issues to deal with. Web services are being used to replace previously proprietary inter-process communication schemes, such as RMI and EDI, as well as provide new means of distributing data on the Web (think AJAX and Web APIs). Besides traditional security concerns, such as verifying authentic users and guarding against potentially dangerous submitted data, Web services architects and developers must be very careful about the kinds of information they expose, the business processes they allow to be run and the potential security implications of providing what is essentially an API to a general, anonymous audience. That being said, all of the vendors who are pushing Web services are working to solve these problems. An organization's success in creating secure Web services typically boils down to how well the organization's security requirements are elucidated, designed for, and implemented.
This was first published in January 2006