It's been a busy week, but I had a chance to attend a talk. By chance, I happened to catch the local OWASP (Open Web Application Security Project) Boston chapter meeting on Wednesday. The topic was "REST and Web Services Security," presented by Mark O'Neill. Mark is the author of Web Services Security and the CTO of Vordel, which puts out some nice web services security tools (some of them free!). Catch Mark's blog here (RSS).
What I enjoyed most about Mark's talk, and found most refreshing, was his focus on the "real" web services security that I don't hear about at conferences and other places. Everyone focuses on WS-Security and friends, but not many talk about how to build the infrastructure of your code to be secure against the real security threats common to web servers and other web-based applications. For example, SQL Injection can be accomplished through a web service just as easily as through a web site. Also, for some reason, many companies aren't patching the servers that web services rely on the way they would for other applications.
Mark also talked about the concepts of REST, as well as the security implications if you use this method. Though it is simple in structure (send a GET/POST to a URL, retrieve XML), because you aren't bogged down by SOAP message/header constructs you are open to the same attacks as normal web applications. Some examples of attacks are replay attacks, SQL Injection, ping of death, etc.
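To make the point in the two paragraphs above concrete, here is an added example (my own code, not from the talk, the slides, or Vordel's tools): a hypothetical REST-style lookup that takes a GET query string, runs a SQL query, and returns XML. The vulnerable version builds the query by string concatenation; the hardened version uses a parameterized query. The table contents and the request strings are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory users table standing in for the service's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def _name_from_query(query_string):
    # The REST request is just GET /users?name=<value>; parse_qs percent-decodes it.
    return parse_qs(query_string).get("name", [""])[0]


def lookup_user_vulnerable(conn, query_string):
    """Hypothetical handler that concatenates the GET parameter into SQL.

    This is the same mistake as in a classic web form: the transport is a
    web service, but the injection surface is identical.
    """
    name = _name_from_query(query_string)
    sql = "SELECT username, email FROM users WHERE username = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_hardened(conn, query_string):
    """Same handler with a parameterized query; the input is bound as data."""
    name = _name_from_query(query_string)
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


def to_xml(rows):
    """Serialize result rows as the XML a REST client would retrieve."""
    root = ET.Element("users")
    for username, email in rows:
        user = ET.SubElement(root, "user")
        ET.SubElement(user, "username").text = username
        ET.SubElement(user, "email").text = email
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    conn = make_db()
    # Constructed requests: a normal lookup and a tautology-style injection,
    # percent-encoded the way a client would send it on the wire.
    normal = "name=alice"
    tainted = "name=alice%27%20OR%20%271%27%3D%271"
    print("vulnerable, normal :", to_xml(lookup_user_vulnerable(conn, normal)))
    print("vulnerable, tainted:", to_xml(lookup_user_vulnerable(conn, tainted)))
    print("hardened,   tainted:", to_xml(lookup_user_hardened(conn, tainted)))
```

Run with the tainted request, the vulnerable handler leaks every row in the table while the hardened one returns nothing, because the bound parameter is compared as a literal username rather than interpreted as SQL. The same parameterization is the fix whether the request arrives from a browser form or from a REST client.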
Look for his slides on the OWASP site and if you have a chance, attend one of Mark's interesting talks.