Keeping hackers out of your Web services
Published: 14 May 2002 13:09 BST

With this promise, however, come new threats from hackers and information thieves.
In this article, we will discuss the seedier side of Web service security: keeping hackers out of your Web services. Although most of the normal security techniques usually applied to Web sites work equally well with Web services, additional concerns are unique to Web services. This article discusses how to address these concerns to ensure maximum security for your Web services.
Web service hackers
Before we delve into the security concerns unique to Web services, it is important to understand what types of hackers you are trying to keep out. Although it is impossible to guess the motivations of every potential Web service hacker, we are concerned with three primary types: the disruptor, the information thief, and the functionality thief.
The disruptor
The goal for this type of hacker is simply chaos. Disruptors will try to shut down your Web service, alter data on the Web server, and perform other malicious deeds simply for the satisfaction of showing that it can be done. This type of hacking is annoying and can damage your business from a service availability standpoint, but its impact is usually minimised by diligent Web site monitoring and a good backup policy. The other types of potential Web service hackers can be much more damaging to your business and your company.
The information thief
The goal for an information thief is to gain unauthorised access to your company or customer information. This information can be used for many purposes ranging from credit card theft to corporate blackmail or espionage. Information thieves can be more dangerous to Web services than to standard Web sites, because many Web services are specifically designed to disseminate sensitive information. For example, if your company's Web service provides reports about your customers that include credit card information or addresses and phone numbers, a hacker can impersonate an authenticated user to steal this information and sell it to the highest bidder. Likewise, if your consulting firm provides reports about potential clients through a Web service, your competitors could hack the Web service to gain your list of leads for their own use. Although all Web sites are at risk for this type of hack, Web services are particularly vulnerable because you are publicly publishing a direct link to the information itself.












