Secure web services

Owasp.org has produced a document with guidelines for the development of secure web services.

“Web Services, like other distributed applications, require protection at multiple levels:
• SOAP messages that are sent on the wire should be delivered confidentially and without tampering
• The server needs to be confident who it is talking to and what the clients are entitled to
• The clients need to know that they are talking to the right server, and not a phishing site (see the Phishing chapter for more information)
• System message logs should contain sufficient information to reliably reconstruct the chain of events and track those back to the authenticated callers”
Source: OWASP Guide 2.0.1

Security must therefore be considered both from the web service's and from the host system's perspective. A web service should, for example, only act on calls that are within the rules, and receiving systems must be able to verify that a message is unchanged and comes from the right sender. To manage security, Barbir et al. (Test and Analysis of Web Services, p. 400) list the following requirements:
• End-to-end security requirements, e.g. mutual authentication, authorization to access resources, data integrity and confidentiality, end-to-end integrity and confidentiality of messages, logging and monitoring
• Encryption
• Transport layer security
• Message level security

The requirements above need to be considered by the system's architects and by those responsible for development while the system is being built. Read more at owasp.org.
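To make the requirements above concrete, here is an added example (not code from OWASP or from Barbir et al.) of a minimal message-level check on the receiving side of a SOAP-style service: the server authenticates the caller, verifies that the Body has not been tampered with, checks that the requested operation is within the rules for that caller, and writes every decision to a message log that can be traced back to the authenticated client. The client identifiers, the pre-shared key, the allow-list and the sample request are all constructed for the example; the HMAC over a re-serialised Body stands in for a proper WS-Security XML Signature with canonicalisation, which is what a production service would use.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed demo data (hypothetical): one pre-shared key and one
# operation allow-list per client. A real service keeps these in a key
# store and a policy store, not in source code.
CLIENT_KEYS = {"client-42": b"constructed-demo-key-not-for-production"}
ALLOWED_OPERATIONS = {"client-42": {"GetQuote"}}

AUDIT_LOG = []  # in-memory stand-in for the system message log


def _body(xml_text):
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body element")
    return body


def canonical_body(xml_text):
    """Stable byte serialisation of the Body; any change inside it changes
    the bytes (simplified stand-in for XML canonicalisation)."""
    return ET.tostring(_body(xml_text), encoding="utf-8")


def operation_name(xml_text):
    """The local name of the first child of Body is the requested operation."""
    body = _body(xml_text)
    if len(body) == 0:
        raise ValueError("empty SOAP Body")
    tag = body[0].tag
    return tag.split("}", 1)[1] if "}" in tag else tag


def sign_message(client_id, key, xml_text):
    """Client side: produce the authentication header for one message."""
    mac = hmac.new(key, canonical_body(xml_text), hashlib.sha256).hexdigest()
    return {"client_id": client_id, "hmac_sha256": mac}


def _audit(client_id, operation, outcome, xml_text):
    """Record who asked for what, what was decided, and a hash of the message."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "client_id": client_id,
        "operation": operation,
        "outcome": outcome,
        "message_sha256": hashlib.sha256(xml_text.encode("utf-8")).hexdigest(),
    }
    AUDIT_LOG.append(record)
    return record


def handle_request(header, xml_text):
    """Server side: authenticate, check integrity, authorise, then log.
    Returns (accepted, reason); rejections are logged as well."""
    client_id = header.get("client_id", "")
    try:
        operation = operation_name(xml_text)
    except (ET.ParseError, ValueError) as exc:
        _audit(client_id, None, f"rejected: malformed ({exc})", xml_text)
        return False, "malformed message"

    key = CLIENT_KEYS.get(client_id)
    if key is None:
        _audit(client_id, operation, "rejected: unknown client", xml_text)
        return False, "unknown client"

    expected = hmac.new(key, canonical_body(xml_text), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, header.get("hmac_sha256", "")):
        _audit(client_id, operation, "rejected: integrity check failed", xml_text)
        return False, "integrity check failed"

    if operation not in ALLOWED_OPERATIONS.get(client_id, set()):
        _audit(client_id, operation, "rejected: not authorised", xml_text)
        return False, "operation not authorised for this client"

    _audit(client_id, operation, "accepted", xml_text)
    return True, "ok"


# Constructed sample request
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <GetQuote xmlns="urn:example:quotes">
      <symbol>ACME</symbol>
    </GetQuote>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    hdr = sign_message("client-42", CLIENT_KEYS["client-42"], SAMPLE_REQUEST)
    print(handle_request(hdr, SAMPLE_REQUEST))                          # accepted
    print(handle_request(hdr, SAMPLE_REQUEST.replace("ACME", "EVIL")))  # integrity failure
    for rec in AUDIT_LOG:
        print(rec)
```

The order of the checks matters: authentication and integrity come before authorisation, so an attacker cannot learn which operations a client is permitted to call by replaying a modified message, and every branch writes a log record before returning, which is what makes the chain of events reconstructable later. Transport layer security (TLS) is assumed to sit underneath this and is not shown; message-level checks like these are what remain when a message passes through intermediaries that terminate the TLS connection.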