Give your web service’s security your full attention:

Web services allow applications to expose programmatic interfaces that can be called by other applications (their "consumers"). They allow applications built on a wide variety of technologies to interface with each other easily.

Web services are often hosted on an internal network, but with the increasing popularity of mobile applications, many web services are being exposed to the Internet. Either way, securing these services is essential.

However, the security of web services is an often-ignored aspect of application security. Since they aren't exposed in an application's normal user interface, developers tend to pay less attention to their security. But they frequently expose sensitive information and functionality, giving attackers a secondary vector into the application, and they therefore deserve the same level of security attention as user-facing applications.

Thoroughly testing the security of web services requires a substantial amount of skill combined with a rigorous methodology.

Why you should trust us with the security of your web services:

  • We receive quality training and have significant application development experience, which is important because web services are essentially programmatic interfaces that are best understood by people with a strong software development background.
  • We have experience testing every major type of web service, including SOAP, REST and custom protocols, and can work with any form of authentication, from OAuth tokens to client certificates and custom digital signatures.
  • Our rigorous web service testing methodology and tool-set allows us to efficiently gather the required testing information, learn about your services and perform a thorough security assessment.

Our methodology

Preparation

We make sure we have the following information from you before proceeding:

  • Web service name
  • Brief description of the web service and its purpose
  • Documentation for how to use the web service API
  • Endpoint URL(s) for testing the web service
  • Description of each web method available, with valid sample input data for each web method
  • WSDL or WADL if available
  • Credentials for each level of access to the web service, including client TLS (SSL) certificates if required
  • Server-side source code for the web service (optionally)
  • Time windows for when the automated scanning portion of the penetration test can be run without risk of disrupting other users of the web service

Exploration

We manually explore the web service to verify that every method can be called successfully and to gain an understanding of the functionality and sensitivity of the web service. A known-good baseline request and response is recorded for each transaction, so that later test results can be compared against it.

Automated Vulnerability Scanning

We use high-quality commercial vulnerability scanning tools to thoroughly scan the web service. This scanning process includes an authenticated application-level scan as well as an infrastructure-level (host and network) scan. Custom scripts are written if needed to supplement the scan (e.g. to dynamically add a digital signature to each request, so that scanner-generated requests are not rejected before they reach the application logic).
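As an added illustration of the kind of supplementary script described above (this is example code, not the assessment team's actual tooling or any client's real scheme), the following Python hook signs each outgoing request with an assumed HMAC-SHA256 scheme: the canonical string is the method, the URL path, a timestamp and the SHA-256 of the body, and the result travels in the hypothetical X-Timestamp and X-Signature headers. A matching server-side verify() is included only so the hook's output can be checked offline; the key and request are constructed sample data.

```python
import hashlib
import hmac
import time
import urllib.parse
import urllib.request

# Assumed (hypothetical) signature scheme for this example:
#   canonical = METHOD "\n" PATH "\n" TIMESTAMP "\n" hex(sha256(body))
#   signature = hex(HMAC-SHA256(shared_key, canonical))
# carried in the headers X-Timestamp and X-Signature.
KEY = b"constructed-shared-secret"  # constructed sample key, not a real credential


def canonical_string(method, path, timestamp, body):
    """Build the string that both sides sign; binding the body hash stops
    the scanner's payloads (or an attacker's) from being swapped in unsigned."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign(key, method, path, body, timestamp=None):
    """Return the two signature headers for one request."""
    if timestamp is None:
        timestamp = int(time.time())
    mac = hmac.new(key, canonical_string(method, path, timestamp, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": mac}


def attach_signature(req, key):
    """The per-request hook: sign a urllib Request in place and return the
    headers that were added. A scanner plug-in would call this for every
    mutated request it generates, so each payload gets a fresh, valid signature."""
    body = req.data or b""
    if isinstance(body, str):
        body = body.encode()
    path = urllib.parse.urlsplit(req.full_url).path or "/"
    headers = sign(key, req.get_method(), path, body)
    for name, value in headers.items():
        req.add_header(name, value)
    return headers


def verify(key, method, path, body, timestamp, signature, now=None, max_skew=300):
    """Server-side check (included for offline testing of the hook): reject
    stale timestamps to limit replay, and compare digests in constant time."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = hmac.new(key, canonical_string(method, path, ts, body).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample request; the host does not exist and nothing is sent.
    req = urllib.request.Request("https://api.example.test/v1/orders",
                                 data=b'{"id": 42}', method="POST")
    print(attach_signature(req, KEY))
```

Note that the hook reads the request's final method, path and body at the moment it is called, so it must run after the scanner has finished mutating the request and before it is sent; signing earlier would produce a signature over the unmutated request.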

Manual Penetration Testing

Experienced web application security professionals manually test the web service using our systematic testing process. This manual testing covers every major aspect of web application security that applies to a web service, including:

  • Authentication
  • Authorisation
  • Session Management (if applicable)
  • Input Validation / Output Encoding
  • Configuration
  • Sensitive Data Handling
  • Logical Vulnerability Checks

Report Preparation

We take the results of all the scanning, manual testing and (optionally) code review processes and compile a consolidated report detailing every vulnerability uncovered during testing, along with a severity level and remediation recommendations for each one.

Debriefing

We present all findings to you and your key stakeholders, answer all questions and provide remediation advice.

What You Get

  1. An actionable, custom-written Web Service Security Assessment Report, which describes the web service’s security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.
  2. Expert consultation throughout the remediation phase.