[WEB SECURITY] Web Service Security

Brett Knuth brett.knuth at healthdirect.org.au
Wed Nov 20 16:56:52 EST 2013


For what it's worth ...

We always take a risk-based approach and map the possible threats to the web app depending on its specific components.
Build an attack tree or a threat table XLS; an example below:

Injection | SQL Injection | Web logs/application logs | HTTP request (GET/POST request, source IP, UserAgent, referrer, date/time)
Once documented and risk-assessed, we then vulnerability and pen test, remediating the most critical risks as assessed.

Brett Knuth
Security Manager

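As an added illustration of the threat-table row above (example code written for this page, not from the original post or from Health Direct), a small Python script that parses constructed combined-format web log lines, extracts the HTTP request fields the row names, and emits a row in the same columns for each request that matches simple SQL injection indicators. The log lines, the indicator patterns and the field names are constructed assumptions to be tuned for a real application.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2013:16:10:01 +1100] "GET /api/users?id=42 HTTP/1.1" 200 512 "https://example.test/app" "Mozilla/5.0"
203.0.113.9 - - [20/Nov/2013:16:10:05 +1100] "GET /api/users?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87 "-" "curl/7.30.0"
198.51.100.4 - - [20/Nov/2013:16:11:30 +1100] "POST /api/login HTTP/1.1" 200 120 "https://example.test/login" "Mozilla/5.0"
"""

# One regex for the combined format; the named groups are the fields the threat-table row lists.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed starting indicators for SQL-injection-looking input (quote/tautology, UNION SELECT,
# comment and statement terminators), matched against the URL-decoded request path.
SQLI_RE = re.compile(r"""('|")\s*(or|and)\s*('|")?\d|union\s+select|--\s|;\s*drop\s""", re.IGNORECASE)


def parse_line(line):
    """Return the HTTP request fields from one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_sqli(log_text):
    """Return threat-table rows for every request whose decoded path matches the SQLi indicators."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        decoded = unquote_plus(rec["path"])  # decode so %27 and + do not hide the payload
        if SQLI_RE.search(decoded):
            rows.append({
                "threat": "Injection",
                "sub_threat": "SQL Injection",
                "source": "Web logs/application logs",
                "evidence": {k: rec[k] for k in ("method", "path", "ip", "ua", "referrer", "time")},
            })
    return rows


if __name__ == "__main__":
    for row in flag_sqli(SAMPLE_LOG):
        print(row)
```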



From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Seth Art
Sent: Thursday, 21 November 2013 6:44 AM
To: Info Sec
Cc: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] Web Service Security

Info Sec,

That is a hard question to answer.  There are different types of web services, each type has multiple implementations, and each implementation allows for different configuration options.

The security testing is different depending on the type, the implementation, and the configuration of each web service.

For a high level overview of Web Service Security, I have found the following document helpful:  http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Some tools that you can use to test web services are:

Any web proxy (Burp Suite, Fiddler, ZAP, etc) - For all web services
SoapUI - for SOAP based web services where you have access to the WSDL
Oyedata - For RESTful web services that use OData

Good luck.  Hopefully someone else on the list can provide more information.

-Seth


On Tue, Nov 19, 2013 at 6:51 AM, Info Sec <infosecm at gmail.com<mailto:infosecm at gmail.com>> wrote:
Hi!

I'm looking for resources to help me identify web service security issues, and how to fix them.

I just found the OWASP Web Service Security Cheat Sheet talking about this matter.
I know that web service security issues are very similar to those of web applications, but there is always something you are unaware of.


OWASP Web Service Security Cheat Sheet:
https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet


Regards,




______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________