• Solutions
  • Overview
  • SOA Governance
  • Root Cause Analysis
  • SOA Performance Monitoring & Alerting
  • Aligning SOA with Business Goals
  • SOA Security & Compliance
  • All Progress Solutions
• Products
  • Overview
  • Actional for SOA Operations
  • Actional for Continuous Service Optimization
  • Actional for Active Policy Enforcement
  • Actional for Sonic ESB Managment
  • Product Literature
  • All Progress Products
• Services
• Customers
• Partners
  • Overview
  • Partner List
  • Become a Partner
• Resources
  • Overview
  • White Papers
  • Webinars
  • Podcasts
  • SOA Blog
  • News Feeds
• Support
• News & Events
  • Overview
  • Press Releases
  • Media Coverage
  • Newsroom
  • Events
  • Workshops
  • Webinars
  • Awards
  • Quotes
  • Standards Leadership
• About Us
  • Overview
  • Leadership Team
  • Investor Relations
  • Careers
    • Overview
    • Search Jobs
  • Contact Us

Progress / Actional/Resources/White Papers

Web Services Risks — Understanding The Web Services Security Threat

With the increasing popularity of Web services, there is a crucial need to understand Web services risks, and the most prevalent Web services threats and best practices to mitigate these risks.

Register to download this white paper for free today.

Note: The items in BOLD are required fields. You must supply a valid email address to complete the registration.

First Name
Last Name
Company
Title
Job Category	[options] Architect Business Executive Business Manager Other Technical Executive Technical Manager Technical Staff
Industry	[options] Computer Software Consulting Distribution Education Financial Services Government Healthcare Insurance Manufacturing Other Retail Telecommunications Transportation Utilities
Email
Telephone
Address 1
Address 2
City
Country	-- United States Afghanistan Albania Algeria Andorra Angola Anguilla Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Brazil Virgin Islands, British Brunei Darussalam Bulgaria Burkina Faso Burma Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Colombia Costa Rica Croatia Cuba Cyprus Czech Republic Congo, The Democratic Republic of the Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Eritrea Estonia Ethiopia Fiji Finland France Gabon Georgia Germany Ghana Greece Greenland Grenada Guadeloupe Guam Guatemala Guinea Guyana Haiti Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Ivory Coast Jamaica Japan Jordan Kazakhstan Kenya Kuwait Kyrgyzstan Lao People's Democratic Republic Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Mauritania Mauritius Mexico Micronesia, Federated States of Moldova Monaco Mongolia Montserrat Morocco Mozambique Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Korea, Democratic People's Republic of Norway Oman Pakistan Panama Papua New Guinea Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Congo, The Democratic Republic of the Romania Russia Rwanda Saint Lucia Saudi Arabia Senegal Serbia and Montenegro Sierra Leone Singapore Slovakia Slovenia Somalia South Africa Korea, Republic of Spain Sri Lanka Sudan Suriname Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania, United Republic of Thailand Togo Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Uganda Ukraine United Arab Emirates United Kingdom Uruguay Uzbekistan Vanuatu Venezuela Vietnam Western Sahara Western Samoa Yemen Yugoslavia Zambia Zimbabwe
State/Prov	-- - - -Argentina - - - Buenos Aires Capital Federal Catamarca Chaco Chubut Cordoba Corrientes Entre Rios Formosa Jujuy La Pampa La Rioja Mendoza Misiones Neuquen Rio Negro Salta San Juan San Luis Santa Cruz Santa Fe Santiago del Estero Tierra del Fuego Tucuman - - -Australia - - - Australian Capital Territory New South Wales Northern Territory Queensland South Australia Tasmania Victoria Western Australia - - -Brazil - - - Acre Alagoas Amapá Amazonas Bahia Ceará Distrito Federal Espirito Santo Goiás Maranhão Mato Grosso Mato Grosso do Sul Minas Gerais Pará Paraíba Pernambuco Piauí Paraná Rio de Janeiro Rio Grande do Norte Rôndonia Roraima Rio Grande do Sul Santa Catarina São Paulo Sergipe Tocantins - - -Canada - - - Alberta British Columbia Manitoba New Brunswick Newfoundland and Labrador Northwest Territories Nova Scotia Nunavut Ontario Prince Edward Island Quebec Saskatchewan Yukon - - -Ecuador - - - Azuay Bolivar Canar Carchi Chimborazo Cotopaxi El Oro Esmeraldas Guayas Imbabura Loja Los Rios Manabi Morona-Santiago Napo Orellana Pastaza Pichincha Sucumbios Tungurahua Zamora-Chinchipe - - -Japan - - - Aichi Akita Aomori Chiba Ehime Fukui Fukuoka Fukushima Gifu Gumma Hiroshima Hokkaido Hyogo Ibaraki Ishikawa Iwate Kagawa Kagoshima Kanagawa Kochi Kumamoto Kyoto Mie Miyagi Miyazaki Nagano Nagasaki Nara Niigata Oita Okayama Okinawa Osaka Saga Saitama Shiga Shimane Shizuoka Tochigi Tokushima Tokyo Tottori Toyama Wakayama Yamagata Yamaguchi Yamanashi - - -Mexico - - - AGS BC BCS CAMPEC CHIH CHIS COAH COL DF DGO GRO GTO HGO JAL MEX MICH MOR NAY NL OAX PUE QRO QUINTA SIN SLP SON TAB TAM TLAX VER YUC ZAC - - - Peru - - - Amazonas Ancash Apurimac Arequipa Ayacucho Cajamarca Callao Cusco Huancavelica Huanuco Ica Junin La Libertad Lambayeque LIMA Loreto Madre de Dios Moquegua Pasco Piura Puno San Martin Tacna Tumbes Ucayali - - - UK - - - Aberdeenshire Avon Ayrshire Bedfordshire Berkshire Buckinghamshire Cambridgeshire Carmarthenshire ChannelIslands Cheshire Cleveland Clwyd Cornwall CountyDurham Cumbria Denbighshire Derbyshire Devon Dorset Dyfed EastLothian EastSussex Essex Fife Gloucestershire Grampian GreaterLondon GreaterManchester Guernsey Gwent Gwynedd Hampshire Herefordshire Hertfordshire Humberside Invernesshire IsleofMan IsleofWight Jersey Kent Lanarkshire Lancashire Leicestershire Lincolnshire Merseyside Mid-Glamorgan Middlesex Monmouthshire Norfolk NorthEastSomerset NorthYorkshire Northamptonshire NorthernIreland Northumberland Nottinghamshire Oxfordshire Powys Renfrewshire Rosshire Scotland Shropshire Somerset SouthGlamorgan SouthGloucestershire SouthYorkshire Staffordshire Stirlingshire Suffolk Surrey Tyne&Wear Wales Warwickshire WestGlamorgan WestLothian WestMidlands WestSussex WestYorkshire Wiltshire Worcester ---USA--- AK AL AR AZ CA CO CT DC DE FL GA HI IA ID IL IN KS KY LA MA MD ME MI MN MO MS MT NC ND NE NH NJ NM NV NY OH OK OR PA RI SC SD TN TX UT VA VT WA WI WV WY
Postal Code

Abstract: Web Services Risks — The Risk, The Threats and What You Can Do About It

Even though Web Services standards are only a few years old, the rapid ratification by standards bodies and the committed support by major vendors are unprecedented. Companies and government agencies have been rushing in, with many projects already in production. The question of Web services security, however, continues to be the leading issue and the top investment area for companies enabling Web Services. Is there a reason for this? Can existing technologies plug these security holes created by Web Services? Are the risks the same for all services – across the user base: internal employees vs. external users? Are the Web services dangers and risks more or less than with existing technologies? The benefits and ease of use make the adoption of Web Services a foregone conclusion. The real question that enterprises must ask themselves when adopting Web Services is: what are the reasonable and cost effective steps to mitigate Web services risks to an acceptable level for our organization?

There are many methods for calculating Web services risks. Calculating risk around Web Services is difficult given that Web Services can be used for many different types of applications. Web Services can be used for simple enterprise application integration to complex B2B communication with partners and other third parties. We will examine one method by which to examine the security risk of Web Services.

The goal of Web Services is to expose standardized interfaces to new and existing applications. No technology in the past has created such potential exposures to critical business applications. Web Services are standardized interfaces and therefore can be attacked in consistent ways. Hackers can more easily gain access to a standardized interface than a proprietary interface because more is known about the interface.

In addition, the adoption of Web Services has been increasing rapidly. While it has not hit the mainstream yet, all analyst predictions point to massive adoption in the coming years. Support in the vendor community has been growing faster providing further impetus for rapid growth.

In assessing the basic security risk of using Web Services, one must examine a couple of key areas. There are many ways to analyze security risk. One simple way is to look at the following formula:

Annualized Loss Expectancy = Annualized Rate of Occurrence x Single Loss Exposure

Each organization has different ways of calculating these variables. To illustrate, we'll discuss each of these variables.

Annualized Rate of Occurrence (ARO)

One constant in the security realm is that companies and government agencies must expect to Web services attacks. Large organizations are attacked on a regular basis through ever new and creative means. In the recent 2004 Computer Security Institute and FBI survey, 100% of companies experienced attacks.

For externally facing Web Services, access to interfaces is simple. Because Web Services are designed to tunnel through existing network firewalls, hackers can quite easily get direct access to applications. In addition, because Web Services are self-describing, with WSDLs that describe how to interact with Web Services, hackers have more information than ever on how to interact with specific application interfaces.

Many Web Services projects are internally focused which might provide a false level of comfort to security professionals. In the CSI/FBI study, almost 50% of security breaches were from internal sources. Whether it's a recently fired employee or an unscrupulous trader or a compromised partner, there is significant risk from the inside. While there are varying statistics, internal attacks may be considered more harmful because the attacker typically has much more inside knowledge of the systems to cause the most damage while greatly reducing the chance of being detected.

Issues and Answers

This white paper covers a great deal of territory with respect to Web services security issues and answers. The contents include the following sections:

• What are Web Services?
• The Web Services Network: Not Secured by Traditional Means
• Web Services Interface: Safety Issues
• Using Web Services and SSL
• Web Services Dangers
• Web Services Hacking: Examples
• Web Services Protection: What Can Be Done

"Under the Radar"

Web Services are in the early stages now but in some surveys, over 60% of companies have Web Services already in production. Many of these implementations are grassroots efforts that escape the radar screens of the network operations and security staff – and therefore their policies: just one more source of Web services risk.

For More Information

Learn how to protect your network against Web services risks: read the free white paper, XML Web Services Security: Going Production