Q

Assessing security of Web services, part one

What would you recommend as a way for a company to assess whether or not its Web services were secure?
The answer to this question will be a set of general guidelines for assessing the security of your Web services, because the details of securing a site are highly dependent on the individual business, e.g. the size of the business, the value of the resources to be protected, the type of access to be allowed to potential partners, suppliers and customers, etc.

I recommend a three-step approach to examining the security of your Web services:
  1. Perform a risk analysis of your company's assets.
  2. Match the security that you are using for each class of assets against the value of the asset.
  3. Assess the security architecture of your site.
These steps will require a non-trivial amount of work by you and your associates owing to the specific risk tolerance and asset valuation of your particular company. You will have to adapt the general security principles that I will lay out to the way your company uses and values the importance of its assets.

Turning to step #1, I would recommend starting out with three categories of risk: High, Medium and Low. You will probably expand these categories as you delve into the assessment, but it is best to start out simply. High-risk assets are those that would cause very serious damage to your company if they were compromised. This might be the result of a bogus, large purchase order, i.e. financial risk, or disclosure of sensitive customer data, i.e. reputation risk. Medium-risk assets are those whose compromise would hurt the bottom line or result in a temporary black eye but not be threatening to the survival of your company. Low-risk assets are those whose compromise would have a negligible effect on your business. Some companies may have no high-risk assets, e.g. no individual transaction would have a devastating effect on the business, but this condition is rare. There are usually some critical assets to be protected. However, in general, most businesses have a small number of assets in the high-risk category.

I recommend starting your evaluation by concentrating on protecting your high-risk assets, then looking at the security of the medium-risk assets, putting aside work on the low-risk assets until after you have examined and made any corrections to the first two categories.

Click to view part two of this answer.
This was first published in June 2003
