Ask the Expert

Assessing security of Web services, part one

What would you recommend as a way for a company to assess whether or not its Web services were secure?


The answer to this question will be a set of general guidelines for assessing the security of your Web services, because the details of securing a site are highly dependent on the individual business, e.g. the size of the business, the value of the resources to be protected, the type of access to be allowed to potential partners, suppliers and customers, etc.

I recommend a three-step approach to examining the security of your Web services:
  1. Perform a risk analysis of your company's assets.
  2. Match the security that you are using for each class of assets against the value of the asset.
  3. Assess the security architecture of your site.
These steps will require a non-trivial amount of work by you and your associates, owing to the specific risk tolerance and asset valuation of your particular company. You will have to adapt the general security principles that I will lay out to the way your company uses and values its assets.

Turning to step #1, I would recommend starting out with three categories of risk: High, Medium and Low. You will probably expand these categories as you delve into the assessment, but it is best to start out simply. High-risk assets are those that would cause very serious damage to your company if they were compromised. This might be the result of a bogus, large purchase order, i.e. financial risk, or disclosure of sensitive customer data, i.e. reputation risk. Medium-risk assets are those whose compromise would hurt the bottom line or result in a temporary black eye, but would not threaten the survival of your company. Low-risk assets are those whose compromise would have a negligible effect on your business. Some companies may have no high-risk assets, e.g. no individual transaction would have a devastating effect on the business, but this condition is rare. There are usually some critical assets to be protected. However, in general, most businesses have a small number of assets in the high-risk category.

I recommend starting your evaluation by concentrating on protecting your high-risk assets, then looking at the security of the medium-risk assets, and putting aside work on the low-risk assets until after you have examined and made any corrections to the first two categories.

Click to view part two of this answer.

This was first published in June 2003
