Seven Key Components of Effective Security for Web Services

By: Brian J. Stewart

Introduction

Web services are increasingly prevalent in modern computing, whether the services are part of a commercial SaaS solution, integration endpoints for internal enterprise applications, or exposing data or services for a commercial website. The focus of this article is on ensuring data and web service security. There are seven key components of effective web service security including:

1. Use industry standard authentication protocols
2. Leverage security frameworks
3. Implement adequate error handling
4. Ensure data parameter checking
5. Leverage IP restrictions
6. Ensure adequate logging
7. Follow best practices for any internet accessible server

These seven components help prevent security breaches, ensure an organization's web services and data are protected, and facilitate the identification and resolution of security issues.

Component #1 – Use Industry Standard Authentication Protocols

Web service endpoints and data should be protected by authentication and authorization mechanisms. Unprotected or inadequately protected web services are susceptible to hacking or unauthorized access. This could expose data, compromise data integrity, and result in unplanned expenditure or lost revenue by allowing non-paying consumers to use the web services.

OAuth 2.0 is the leading industry standard for web service authorization. A client is first registered, by an administrator or through an automated portal, and receives Client Credentials. The client presents these credentials (or a user's delegated approval) to the authorization server, which issues an Access Token. The Access Token must then be included in the Authorization header of every subsequent web service invocation, and the web service must validate it on every call: check its signature or look it up, check that it has not expired, and check that its scope permits the requested operation. OAuth itself is an authorization framework; authenticating the end user is the job of the authorization server (OpenID Connect layers user authentication on top of OAuth 2.0).

In addition, public facing web services can leverage the identity services of leading technology companies such as Facebook, Google, Microsoft, Twitter and Yahoo, typically through OpenID or OpenID Connect. This approach benefits consumers in that they do not need to remember another set of login credentials. It benefits the website in that it can defer the authentication mechanism to a trusted provider. The website must still verify the token or assertion it receives from the provider; it should never trust an identity that the client simply claims.

Lastly, it is advisable to track all authentication attempts or, at a minimum, failed authentication attempts. Tracking every attempt may not be feasible at high web service invocation volumes, but failures (with timestamp, client identifier and source IP address) should always be captured so that hacking attempts can be identified.
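As an added illustration, not part of the original article, the following Python example shows the token validation and failure tracking described in this component for a service that accepts Bearer tokens. The signing key, the registered client, the token format (an HMAC-signed JSON payload) and the in-memory failure list are all assumptions made for the example; a production service would use a library-backed JWT or an opaque token checked against the authorization server.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed signing key of a hypothetical authorization server. In a real
# deployment it is generated once and kept in a secret store, never in code.
SERVER_KEY = b"hypothetical-authorization-server-key"

# Constructed registry of client credentials: client_id -> SHA-256 of secret.
REGISTERED_CLIENTS = {
    "reporting-app": hashlib.sha256(b"reporting-app-secret").hexdigest(),
}

# Stand-in for the authentication log; every failure is recorded here.
AUTH_FAILURES = []


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, client_secret: str, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> Optional[str]:
    """Client-credentials style grant: verify the registered client secret, then
    mint an HMAC-signed access token carrying subject, scope and expiry."""
    now = time.time() if now is None else now
    expected = REGISTERED_CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # compare_digest prevents a timing side channel on the comparison
    if expected is None or not hmac.compare_digest(expected, presented):
        AUTH_FAILURES.append({"ts": now, "client_id": client_id,
                              "reason": "bad_client_credentials"})
        return None
    claims = {"sub": client_id, "scope": "read", "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def validate_bearer(authorization_header: Optional[str],
                    now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Check the Authorization header of an incoming web service call.
    Returns (client_id, "ok") or (None, reason); each failure is logged so
    that hacking attempts can be identified later."""
    now = time.time() if now is None else now

    def fail(reason: str) -> Tuple[None, str]:
        AUTH_FAILURES.append({"ts": now, "client_id": None, "reason": reason})
        return None, reason

    if not authorization_header or not authorization_header.startswith("Bearer "):
        return fail("missing_bearer_token")
    token = authorization_header[len("Bearer "):].strip()
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error)
        return fail("malformed_token")
    expected_sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return fail("bad_signature")  # token was forged or altered
    claims = json.loads(payload)
    if claims["exp"] < now:
        return fail("expired_token")
    return claims["sub"], "ok"
```

The validation order matters: the signature is checked before the payload is parsed or trusted, the expiry is checked against the server's clock rather than anything the client sends, and a scope check against the requested operation would follow the same pattern.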

Component #2 – Leverage Security Frameworks

There are several comprehensive security frameworks, such as Spring Security for Java or the authentication and authorization facilities built into ASP.NET Web API for .NET. These frameworks provide robust security, undergo significant peer security and code review, and are 'battle tested'. They generally result in greater security and protection than homegrown or custom security solutions, which tend to repeat well-known mistakes in credential handling, session management and input validation.

In addition, these frameworks save significant development effort by leveraging the work of security experts, industry leaders and the worldwide open-source development community. They are not a substitute for diligence, however: a framework must be kept patched and configured correctly, since a misconfigured framework protects no better than custom code.

Component #3 – Implement adequate error handling

Error handling is crucial to preventing and detecting security breaches. It must be designed carefully, and it is important that error handling is consistent throughout all web services.

First and foremost, a stack trace should never be returned by a web service. Although useful for troubleshooting and debugging, a stack trace may reveal implementation details (framework versions, file paths, SQL statements) or other information that is valuable to hackers.

Second, an error code and a simple error message should be returned when an error occurs. Common error codes should be published in the web service API documentation. The error description should be short and concise, but still descriptive. In addition to the error code and description, it is advisable to return a unique error identifier. The identifier should be written to the log files along with the stack trace, so that a caller's report can be matched to the server-side record without exposing the trace itself.

Third, HTTP status codes should be set correctly by the web service. For example, never return a status code of 200 if a failure occurred. It is not sufficient to just set an error flag on the return object. This pattern, although common, does not indicate to a web service caller (or to proxies, load balancers and monitoring tools that only see the status line) that a problem occurred, and it puts the burden of checking the return object on the caller.
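The following Python example is added here to show all three points working together; it is not code from the original article. A hypothetical error class hierarchy defines the published error codes, every exception is converted into a correct HTTP status plus a small JSON body with a unique error identifier, and the stack trace is written only to the server log under that identifier. The account data and handlers are constructed sample input.

```python
import logging
import traceback
import uuid
from typing import Any, Dict, Tuple

log = logging.getLogger("webservice")


# Published error codes (constructed for this example). The API documentation
# would list these so callers can handle them programmatically.
class ServiceError(Exception):
    status = 500
    code = "INTERNAL_ERROR"
    message = "An internal error occurred."


class NotFound(ServiceError):
    status = 404
    code = "RESOURCE_NOT_FOUND"
    message = "The requested resource does not exist."


class InvalidParameter(ServiceError):
    status = 400
    code = "INVALID_PARAMETER"
    message = "A request parameter is missing or invalid."


def handle_request(handler, *args) -> Tuple[int, Dict[str, Any]]:
    """Run a handler and convert any exception into (HTTP status, JSON body).
    The body carries an error code, a short message and a unique error id;
    the stack trace goes only to the server log, keyed by that id."""
    try:
        return 200, handler(*args)
    except ServiceError as exc:
        error_id = uuid.uuid4().hex
        log.warning("error_id=%s code=%s\n%s", error_id, exc.code, traceback.format_exc())
        return exc.status, {"error_code": exc.code, "message": exc.message, "error_id": error_id}
    except Exception:
        # Unexpected failure: never leak the exception text or trace to the caller.
        error_id = uuid.uuid4().hex
        log.error("error_id=%s unexpected\n%s", error_id, traceback.format_exc())
        return 500, {"error_code": ServiceError.code, "message": ServiceError.message,
                     "error_id": error_id}


# Constructed sample data and handlers standing in for real web service methods.
ACCOUNTS = {"42": {"owner": "alice", "balance": 100}}


def get_account(account_id):
    if not account_id:
        raise InvalidParameter()
    if account_id not in ACCOUNTS:
        raise NotFound()
    return ACCOUNTS[account_id]


def broken_handler(_):
    return 1 / 0  # simulates an unexpected bug in a handler
```

Note that the catch-all branch returns the generic INTERNAL_ERROR code rather than the exception's own message, which for a database or framework exception often contains exactly the implementation detail a stack trace would.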

Component #4 – Ensure data parameter checking

Robust data value and parameter checking should be employed to protect the web services and data integrity. This includes type checking, checking for null values, range and length checking, and byte-level (encoding) checking when applicable.

It is important to make no assumptions about the validity or trustworthiness of parameters, regardless of the origin of the web service request. Even an innocent mistake by an internal consumer or trusted partner can wreak havoc. For example, a web service consumer who specifies an incorrect parameter value may compromise data integrity or even web service availability: it could result in data being modified or deleted that shouldn't be, or, if the value reaches a query or resource allocation unchecked, in a SQL injection or Denial-of-Service (DoS) attack. Parameter checking reduces the attack surface but does not replace parameterized queries, which must be used whenever a value is passed to a database.
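To make the parameter checks and the SQL injection risk concrete, the following Python example is added here (it is not code from the original article). It uses an in-memory SQLite table with constructed rows, a deliberately vulnerable query that concatenates a parameter into SQL, and a hardened version that applies null, type, range, length and byte-level checks and then binds the value with a placeholder. The table, column names and limits are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the service's data store.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total INTEGER);
    INSERT INTO orders VALUES (1, 'acme', 250), (2, 'acme', 75), (3, 'globex', 900);
""")


def check_page_size(value) -> int:
    """Null, type and range checks for a paging parameter."""
    if value is None:
        raise ValueError("page_size is required")
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError("page_size must be an integer")
    if not 1 <= value <= 100:  # cap stops one caller from dumping the table (DoS)
        raise ValueError("page_size must be between 1 and 100")
    return value


def check_customer(value) -> str:
    """Null, length and byte-level checks for a customer identifier."""
    if value is None or value == "":
        raise ValueError("customer is required")
    if not isinstance(value, str) or len(value) > 32:
        raise ValueError("customer must be a string of at most 32 characters")
    # ASCII letters, digits, '-' and '_' only: no quotes, spaces or non-ASCII bytes
    if not value.isascii() or not all(c.isalnum() or c in "-_" for c in value):
        raise ValueError("customer contains disallowed characters")
    return value


def orders_vulnerable(customer: str):
    """Builds SQL by string concatenation: the parameter value controls the query."""
    sql = "SELECT id, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_hardened(customer, page_size):
    """Validates both parameters, then binds the value with a placeholder so the
    database never interprets it as SQL."""
    customer = check_customer(customer)
    page_size = check_page_size(page_size)
    sql = "SELECT id, total FROM orders WHERE customer = ? ORDER BY id LIMIT ?"
    return conn.execute(sql, (customer, page_size)).fetchall()
```

With the value x' OR '1'='1 the vulnerable function returns every customer's orders; the hardened function rejects the value outright, and even if the character check were removed, the placeholder would make the database search for a customer literally named x' OR '1'='1 and return nothing.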

Component #5 – Leverage IP restrictions

The web services should be secured by an IP whitelist policy where possible. A whitelist policy restricts access to the web services to specific, pre-authorized IP addresses or address ranges, which significantly limits security risk by controlling who can reach the service at all. The whitelist should be reviewed regularly to remove IP addresses that should no longer be permitted to access the web services. If the service sits behind a load balancer or reverse proxy, the check must use the client address that the proxy forwards, and trust that header only when it comes from the proxy itself; otherwise every request appears to originate from the proxy.

IP whitelist policies are not always feasible. For example, web services may need to be accessible from unknown IP addresses or to a large number of clients. In this scenario, organizations should implement a manual blacklist policy where administrators can block the IP addresses of hackers or of consumers who misuse the web services. In addition, automatically blacklisting an IP address after repeated failed authentication attempts greatly reduces the likelihood of a complete security breach. Thresholds should allow for addresses shared behind NAT or proxies so that one misbehaving client does not lock out legitimate ones, and IP restrictions complement, rather than replace, authentication.
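The following Python example is added here to show both policies from this component in working form; it is not code from the original article. The whitelist check uses CIDR ranges from the standard ipaddress module, and a small blocklist class implements manual blocking by an administrator plus automatic blocking after a threshold of failed authentications within a time window. The network ranges, the threshold, the window, and the authentication log lines fed to it are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed whitelist: partner and office ranges that may call the service.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]


def ip_allowed(client_ip: str, allowed=ALLOWED_NETWORKS) -> bool:
    """Whitelist check; an unparseable address is rejected, never let through."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


class AutoBlocklist:
    """Blocks an address after `threshold` failed authentications within `window`
    seconds (automated blacklisting). Manual blocks added by an administrator
    live in the same set, so a single check serves both policies."""

    def __init__(self, threshold: int = 5, window: float = 300.0):
        self.threshold = threshold
        self.window = window
        self.blocked: set = set()
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def block(self, client_ip: str) -> None:
        """Manual blacklisting by an administrator."""
        self.blocked.add(client_ip)

    def is_blocked(self, client_ip: str) -> bool:
        return client_ip in self.blocked

    def record_failure(self, client_ip: str, now: float) -> bool:
        """Record a failed authentication; returns True if this one tripped the block."""
        q = self._failures[client_ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold and client_ip not in self.blocked:
            self.blocked.add(client_ip)
            return True
        return False


def replay_auth_log(lines: List[str], bl: AutoBlocklist) -> List[Tuple[str, float]]:
    """Feed constructed authentication log lines of the form "<ts> <ip> <OK|FAIL>"
    to the blocklist and return (ip, ts) for each automatic block decision."""
    decisions = []
    for line in lines:
        ts, ip, result = line.split()
        if result == "FAIL" and bl.record_failure(ip, float(ts)):
            decisions.append((ip, float(ts)))
    return decisions
```

The sliding window is what keeps a shared NAT address from being blocked by a handful of honest mistakes spread over a day, while a burst of failures from one address still trips the block quickly.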

Component #6 – Ensure adequate logging

One of the most important aspects of security is logging all activity. It is equally important that the log files are monitored regularly to identify hacking attempts or security breaches. Too often logging is used only as a mechanism to understand the nature of a successful security breach, rather than as a tool that allows system administrators and developers to close security holes proactively.

Performance metrics, such as transaction processing time, size of requests, or number of requests should also be captured in log files or a tracking database to support future performance optimization and feature evolution.

The log files or tracking database should be regularly pulled from the server and archived to a device that is not reachable from the internet (ideally one the web server itself cannot write to), to ensure log entries are not purged or altered by hackers in the event of a security breach. Hackers often try to conceal a breach. Erasing evidence of the breach allows the security hole to remain open and the hacker to access data and systems at will.
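As an added example, not part of the original article, the following Python code shows one way to make archived log records tamper-evident: each record carries a hash over its own content and the hash of the record before it, and the archive side keeps the hash of the most recent record out of band. Altering an entry, deleting one from the middle, or dropping the newest entries then fails verification. The log entries, including the request-time metric from the previous paragraph, are constructed sample data, and the record format is an assumption of the example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first record of a chain


def chain_entries(entries: List[dict], previous_hash: str = GENESIS) -> List[dict]:
    """Wrap each log entry in a record carrying the hash of the previous record
    and the hash of (previous hash + this entry). These records are what gets
    archived off the server."""
    chained = []
    prev = previous_hash
    for entry in entries:
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chained.append({"entry": entry, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(records: List[dict], previous_hash: str = GENESIS,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (True, None) when intact; otherwise
    (False, index) of the first record that was altered or whose predecessor was
    removed, or (False, len(records)) when the newest records are missing
    relative to the head hash kept out of band."""
    prev = previous_hash
    for i, rec in enumerate(records):
        body = json.dumps(rec["entry"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


# Constructed sample log entries as the web service would emit them.
SAMPLE_LOG = [
    {"ts": "2014-03-01T10:00:00Z", "ip": "203.0.113.7", "path": "/orders", "status": 200, "ms": 12},
    {"ts": "2014-03-01T10:00:05Z", "ip": "192.0.2.5", "path": "/orders", "status": 401, "ms": 3},
    {"ts": "2014-03-01T10:00:06Z", "ip": "192.0.2.5", "path": "/orders", "status": 401, "ms": 3},
    {"ts": "2014-03-01T10:00:09Z", "ip": "192.0.2.5", "path": "/admin", "status": 403, "ms": 2},
]
```

The chain only proves tampering after the fact; it does not stop it. That is why the records, and the head hash, must leave the web server promptly and land somewhere the server's own credentials cannot modify.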

Component #7 – Follow best practices for any internet accessible server

Industry best practices for internet accessible servers should be followed when implementing web services. These include:

1. Securing web services using HTTPS
2. Ensuring the operating system contains latest service packs or patches
3. Ensuring the application server contains the latest software patches
4. Isolating web services that are accessible on the internet
5. Performing regular security audits and reviews
6. Logging and monitoring all activity
7. Backing up all servers and databases if applicable
8. Ensuring routers and firewalls contain latest software releases and patches
9. Having an independent third-party perform an annual review and penetration testing of the systems and network
10. Restricting access through effective firewall policies

Hosting the web services with a third-party hosting provider or cloud provider doesn't eliminate the need for the above best practices. Companies need to thoroughly review hosting and cloud providers, monitor for security breaches, and, most importantly, not choose a provider solely on cost. Low-cost providers may not prioritize security or operating system and application server patch maintenance. Companies also shouldn't assume the hosting or cloud provider adheres to best practices; responsibility for the operating system, application server and application layers is typically shared between provider and customer, and it is up to the organization to ensure customer data and web services are secure and protected.

Conclusion

Web service security is crucial to protecting data, as well as preventing unauthorized usage and denial of service (DoS) attacks. The seven key components of effective web service security are:

1. Ensure services are protected by authorization and authentication
2. Leverage proven security framework and platforms rather than build custom security solutions
3. Implement adequate error handling to prevent and detect a security breach
4. Ensure data parameter checking to protect the web services and data integrity
5. Leverage IP restrictions including IP whitelists and blacklists to greatly reduce the likelihood of a security breach
6. Ensure adequate logging as a tool to proactively close security holes
7. Follow industry best practices for any internet accessible server

Additional Sources

1. OAuth Standard. http://oauth.net/

2. Spring Security Framework. http://projects.spring.io/spring-security/

3. Security, Authentication, and Authorization in ASP.NET Web API. http://www.asp.net/web-api/overview/security
