Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Web Services Security talk

Friday, July 8, 2005

 .NET  Personal  Security  Service Orientation (SO)  Web Services 

It's been a busy week, but I had a chance to attend a talk this week. By chance, I happened to catch the local OWASP (Open Web Application Security Project) Boston chapter meeting on Wednesday. The topic was "REST and Web Services Security" presented by Mark O'Neil. Mark is the author of Web Services Security. Mark is the CTO of Vordel, which puts out some nice web services security tools (some of them free!). Catch Mark's blog here (RSS).

What I enjoyed most about Mark's talk, and found most refreshing, was his focus on the "real" web services security that I don't hear at conferences and other places. Everyone focuses on WS-Security and friends, but not many talk about how to build the infrastructure of your code to be secure against real security threats common to web servers and other web-based applications. For example, SQL Injection can also be accomplished using web services just as much as it can with a web site. Also, for some reason, many companies aren't patching the servers that web services rely on as you would for other applications.

Mark also talked about the concepts of REST as well as the security implications if you use this method. Though REST is simple in structure (use a GET/POST to a URL, retrieve XML), since you aren't bogged down by SOAP message/header constructs, you are open to attacks similar to those on normal web applications. Some examples of attacks are replay attacks, SQL Injection, ping of death, etc.
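To make the two points above concrete (SQL injection reaches the database through a web service parameter exactly as it does through a web form, and a request without a freshness check can be replayed), here is an added example that is not from the post or from Mark's talk. It builds a constructed in-memory "accounts" table, handles a constructed SOAP-style GetBalance request two ways (string-concatenated SQL beside a parameterized query), and adds a small replay guard keyed on a message ID and timestamp. The table, the element names, and the request bodies are all assumptions made for this example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample backend: a tiny accounts table standing in for whatever
# database sits behind a balance-lookup web service. Rows are invented.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn

# Constructed SOAP-style requests. The envelope is real SOAP 1.1 syntax; the
# GetBalance/owner elements are an assumed service contract for this example.
SAFE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><owner>alice</owner></GetBalance></soap:Body>
</soap:Envelope>"""

# Same request with a classic tautology injected into the owner parameter.
INJECTED_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><owner>x' OR '1'='1</owner></GetBalance></soap:Body>
</soap:Envelope>"""

def owner_from_request(request_xml):
    """Extract the <owner> parameter from the request body; the XML layer
    neither validates nor sanitizes it, it just hands the string through."""
    node = ET.fromstring(request_xml).find(".//owner")
    if node is None or node.text is None:
        raise ValueError("request is missing <owner>")
    return node.text

def lookup_balance_vulnerable(conn, request_xml):
    """Builds the query by string concatenation: the injected quote closes
    the literal and the OR clause turns the lookup into a full table dump."""
    owner = owner_from_request(request_xml)
    sql = ("SELECT id, owner, balance FROM accounts WHERE owner = '"
           + owner + "' ORDER BY id")
    return conn.execute(sql).fetchall()

def lookup_balance_safe(conn, request_xml):
    """Same lookup with a bound parameter: the whole string, quotes and all,
    is compared as data, so the injected value simply matches nothing."""
    owner = owner_from_request(request_xml)
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ? ORDER BY id"
    return conn.execute(sql, (owner,)).fetchall()

class ReplayGuard:
    """Rejects a message whose ID was already accepted inside the freshness
    window, or whose timestamp falls outside it. Assumption: the ID and
    timestamp are covered by the request's signature or MAC; without that,
    an attacker just rewrites them and this check buys nothing."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = {}  # message id -> timestamp at which it was accepted

    def accept(self, msg_id, sent_at, now):
        # Forget IDs older than the window; a replay of those is caught by
        # the timestamp check instead, so the table stays bounded.
        for mid, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[mid]
        if abs(now - sent_at) > self.window:
            return False          # stale (or clock-skewed) message
        if msg_id in self.seen:
            return False          # exact replay inside the window
        self.seen[msg_id] = sent_at
        return True

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, injected:", lookup_balance_vulnerable(conn, INJECTED_REQUEST))
    print("safe, injected:      ", lookup_balance_safe(conn, INJECTED_REQUEST))
    guard = ReplayGuard()
    print("first delivery:", guard.accept("msg-1", 1000, 1001))
    print("replayed:      ", guard.accept("msg-1", 1000, 1002))
```

The same two functions would behave identically if `owner` came from a REST query string instead of a SOAP body; the transport is irrelevant to the database, which is the point of the talk. Note that the replay guard is only as good as the integrity protection around the ID and timestamp, and that it does not address the third item in the list, ping of death, which is a network-layer problem handled by patching the host rather than by application code.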

Look for his slides on the OWASP site and if you have a chance, attend one of Mark's interesting talks.
