Web Services Vulnerability Assessment

Enterprises are aggressively deploying Service Oriented Architecture (SOA) to save costs and generate revenues by integrating with internal systems and with business partners. Web Services are the corner stone of building SOAs. To enable system-to-system communication, ERP, CRM, SCM and Database systems expose their internal business operations via Web Services. 

System-to-System communication within an enterprise is made possible through SOAP-based messaging. An Enterprise provider application advertises its interfaces through WSDLs that are consumed by the consumer applications to understand API calls accepted by the producer application. Once the interface is understood, the consumer application can send SOAP requests to the provider application.

Web Services can be best described through the use of an example.

A shop sells some products which automatically generates a request to a vendors distribution centre for a replenishment. The distribution centre confirms availability of the products and agrees to fulfil the order.

The web services aspect of this is the actual transfer of information between the two applications.

The shop and the distribution centre do not need to be in the same company or even the same country for information to be shared.

Exposing System internals via Web Services is essential for integrating disparate systems. However, a loosely defined WSDL interface can expose critical systems to a variety of vulnerabilities. Such vulnerabilities should be actively identified and remediated to mitigate risk without losing the benefits of integration. System-level interoperability compliance is essential to ensure that system-to-system communication is successful both within the enterprise and with business partners.

With this in mind it becomes clear as to why it is critical to ensure that these communication portals are secured. Particularly when considering that confidential company and account details may be accessible.