What would you recommend as a way for a company to assess whether or not its
Web services were secure?
Requires Free Membership to View
When you register, you'll begin receiving targeted emails from my team of award-winning writers. Our goal is to keep you informed on recent service-oriented architecture (SOA) and SOA-related topics such as integration, governance, Web services, Cloud and more.
Hannah Smalltree, Editorial Director
The answer to this question will be a set of general guidelines for assessing the security of
your Web services because the details of a securing a site is highly dependent on the individual
business, e.g. the size of the business, the value of the resources to be protected, the type of
access to be allowed to potential partners, suppliers and customers, etc.
I recommend a three-step approach to examining the security of your Web services:
Turning to step #1, I would recommend starting out with three categories of risk, High, Medium and Low. You will probably expand these categories as you delve into the assessment but it is best to start out simply. High-risk assets are those that would cause very serious damage to your company if they were compromised. This might be the result of a bogus, large purchase order, i.e. financial risk, or disclosure of sensitive customer data, i.e. reputation risk. Medium risk assets are those whose compromise would hurt the bottom line or result in a temporary black eye but not be threatening to the survival of your company. Low risk assets are those whose compromise would have a negligible effect on your business. Some companies may have no high-risk assets, e.g. no individual transaction would have a devastating effect on the business, but this condition is rare. There are usually some critical assets to be protected. However, in general, most businesses have a small number of assets in the high-risk category.
I recommend starting your evaluation by concentrating on protecting your high-risk assets, then look at the security of the medium risk assets, putting aside work on the low risk assets until after you have examined and made any corrections to the first two categories.
Click to view part two of this answer.
I recommend a three-step approach to examining the security of your Web services:
- Perform a risk analysis of your companies assets
- Match the security that you are using for each class of assets against the value of the asset.
- Assess the security architecture of your site
Turning to step #1, I would recommend starting out with three categories of risk, High, Medium and Low. You will probably expand these categories as you delve into the assessment but it is best to start out simply. High-risk assets are those that would cause very serious damage to your company if they were compromised. This might be the result of a bogus, large purchase order, i.e. financial risk, or disclosure of sensitive customer data, i.e. reputation risk. Medium risk assets are those whose compromise would hurt the bottom line or result in a temporary black eye but not be threatening to the survival of your company. Low risk assets are those whose compromise would have a negligible effect on your business. Some companies may have no high-risk assets, e.g. no individual transaction would have a devastating effect on the business, but this condition is rare. There are usually some critical assets to be protected. However, in general, most businesses have a small number of assets in the high-risk category.
I recommend starting your evaluation by concentrating on protecting your high-risk assets, then look at the security of the medium risk assets, putting aside work on the low risk assets until after you have examined and made any corrections to the first two categories.
Click to view part two of this answer.
This was first published in June 2003
