The standards from those two organizations mostly deal with Web service message or description formats, which leaves Web services agnostic to the transport they use. In other words, SOAP messages can be transferred over different transport mechanisms such as HTTP and JMS. This transport independence, combined with the open-standards, vendor-neutral nature of Web services, makes them particularly attractive for integration and service-oriented architecture (SOA) initiatives, both internally and externally.
However, Web services, if not secured properly, can pose security threats that extend beyond those of traditional Web applications. These weaknesses stem from some of Web services' greatest strengths:
- Web services are often deployed over HTTP, port 80. This allows the service provider and consumers to communicate across network boundaries without needing to poke special holes in corporate firewalls. Although that makes them easier to access, the same practice also removes Web service traffic (usually SOAP XML messages) from the scrutiny of firewalls and network appliances, most of which are not aware of the Web services traffic carried inside ordinary HTTP.
- Typically, a Web service that is useful and reusable exposes the internal workings of the application much more than a traditional Web site or a point-to-point integration mechanism such as CORBA or RMI would. Such internal API exposure opens more doors to denial of service, broken access control and other application-specific attacks. In a Web site, the business flow logic is usually constrained by the Web interface that exposes the functionality to the user, but in a Web service the sequence and content of message interactions are left to the consumers.
- Although core Web services technologies have reached a certain level of maturity, they are still relatively new. As with most new technologies, history shows that security issues are often overlooked early in the game. There are several Web services-specific vulnerabilities and concerns that need to be taken into consideration, such as XML bombs and XPath injection. Developers need to be aware of those threats in order to protect against them properly.
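The two threats named in the last item can both be blocked at the point where a SOAP request is received. The following Python example, added here and not part of the original article, shows a minimal request handler that (1) refuses any message carrying a DOCTYPE declaration, which both SOAP 1.1 and 1.2 forbid and which is the vehicle for entity-expansion bombs and external-entity tricks, stopping before any declared entity can be expanded, and (2) allowlist-validates a request field before it is embedded in an XPath predicate against a user store. The service namespace `urn:example:accounts`, the `GetRole`/`username` elements and the user store are constructed for the example; only the Python standard library is used.

```python
"""Defensive handling of an inbound SOAP request (added example, not the
article's code): refuse DTDs before parsing, then query a user store by
XPath without letting request data reach the expression unvalidated."""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:accounts"                          # assumed service namespace

# Constructed user store standing in for a backend XML document.
USER_STORE = ET.fromstring(
    "<users>"
    "<user name='alice' role='admin'/>"
    "<user name='bob' role='user'/>"
    "</users>"
)


class UnsafeSoapMessage(Exception):
    """Raised when a request violates the SOAP message rules enforced here."""


def reject_dtd(payload: bytes) -> None:
    """SOAP messages must not contain a Document Type Declaration. Abort the
    moment one starts, so nothing declared inside it is ever expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSoapMessage("DOCTYPE declaration not permitted in SOAP message")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(payload, True)  # an exception raised in a handler propagates out


# Allowlist for a username field: no quotes, brackets or XPath operators.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def lookup_role(username: str) -> Optional[str]:
    """Validate before the value is placed in an XPath predicate, so quotes
    and operators arriving in the request can never become XPath syntax."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters not allowed in this field")
    node = USER_STORE.find(f"./user[@name='{username}']")
    return None if node is None else node.get("role")


def handle_request(payload: bytes) -> Optional[str]:
    """Full path for one request: DTD check, envelope parsing, field extraction,
    validated lookup. Returns the role, or None if the user is unknown."""
    reject_dtd(payload)
    envelope = ET.fromstring(payload)
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise UnsafeSoapMessage("missing SOAP Body")
    name_el = body.find(f".//{{{SVC_NS}}}username")
    if name_el is None or not name_el.text:
        raise UnsafeSoapMessage("missing username element")
    return lookup_role(name_el.text.strip())


# Constructed sample requests used to exercise the handler.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <acc:GetRole xmlns:acc="urn:example:accounts">
      <acc:username>alice</acc:username>
    </acc:GetRole>
  </soap:Body>
</soap:Envelope>"""

UNKNOWN_USER_REQUEST = GOOD_REQUEST.replace(b"alice", b"carol")

# Same request, but the username carries an XPath tautology: rejected by the allowlist.
INJECTION_REQUEST = GOOD_REQUEST.replace(b"alice", b"alice' or '1'='1")

# A message with an internal DTD subset: rejected before any entity is expanded.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY greet "hello"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>&greet;</soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(handle_request(GOOD_REQUEST))  # admin
```

Where lxml is available, the cleaner fix for the XPath half is to bind request data as an XPath variable (`root.xpath("//user[@name=$name]", name=username)`) so that no string building happens at all; the allowlist above is the portable stand-in when only the standard library's limited XPath support is present. Note also that the DTD check parses the message once with expat and then again with ElementTree; in production the two passes would be merged, but keeping them separate makes the order of checks explicit.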
These factors do not mean that Web services are insecure or that you should not adopt them, but you should be aware of these issues so the risks can be mitigated. Web services security awareness, combined with proper design, development and testing practices, can certainly produce secure Web services.