Web service security is the set of protocols, standards and engineering practices that protect web services (SOAP and REST endpoints) and the messages they exchange. WS-Security is a narrower term: the OASIS standard that adds signatures, encryption and security tokens to SOAP message headers. It is one building block for the message-level rows below, not a synonym for the whole discipline.

The cheat sheet below condenses the key points of the OWASP Web Service Security cheat sheet into a single table that can be scanned quickly when designing or reviewing a service. For the full guidance behind each row, see OWASP – Web Service Security.

| Topic | Key Points |
| --- | --- |
| Transport Confidentiality | Protects against eavesdropping and man-in-the-middle attacks. All communication with the web service must be encrypted using well-configured TLS. |
| Server Authentication | Use TLS to authenticate the service provider to the service consumer. Verify the server certificate details: issued by a trusted CA, not expired, not revoked, and matching the domain name of the service. |
| User Authentication | Verifies the identity of the user or calling system. Basic Authentication must only be used over TLS. Client certificate authentication using mutual TLS is recommended. |
| Transport Encoding | Enforce the same character encoding style between client and server. |
| Message Integrity | TLS provides integrity of data in transit. Use XML digital signatures where integrity must be verifiable end to end or after the message has been stored or relayed. |
| Message Confidentiality | Encrypt sensitive data with a strong cipher. Use strong encryption, not just transport encryption, for sensitive data at rest. |
| Authorization | Authorize web service clients. Consider a challenge-response authorization mechanism for sensitive resources. Limit access to administration functions. |
| Schema Validation | Validate SOAP payloads against their associated XML Schema Definition (XSD). Define XSD constraints (types, lengths, enumerations) rather than accepting arbitrary strings. |
| Content Validation | Validate input content, including defences against malformed XML, malicious XML entities and XML Bomb attacks. |
| Output Encoding | Ensure output sent to clients is properly encoded for its context. |
| Virus Protection | Scan SOAP attachments and embedded binary content with virus scanning technology. Keep virus definitions/rules up to date. |
| Message Size | Limit SOAP messages to an appropriate size to prevent denial of service. |
| Availability | Address resource limitations for CPU cycles, memory, open files and processes so that a single client cannot exhaust them. |
| Message Throughput | Configure for maximum throughput so that the service does not degrade into a denial-of-service condition under load. |
| XML Denial of Service Protection | Protect against recursive and oversized payloads. Implement protection against XML entity expansion. Validate against overlong element names. |
| Endpoint Security Profile | Ensure compliance with the Web Services-Interoperability (WS-I) Basic Profile at minimum. |
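The Transport Confidentiality, Server Authentication and User Authentication rows all come down to how the TLS client is configured. The following is an added example, not code from the OWASP cheat sheet: a Python `ssl` context that enforces TLS 1.2 or later, verifies the server certificate and hostname and optionally presents a client certificate for mutual TLS, placed beside the common anti-pattern of encrypting without authenticating, with an audit helper that tells the two apart. It also checks the certificate details a consumer should inspect after the handshake (validity window and a subjectAltName match, including a single-label wildcard). The file paths are hypothetical and the certificate dictionaries are constructed samples shaped like `getpeercert()` output.

```python
# Added example (not OWASP code): well-configured TLS for a web service consumer,
# an insecure counterpart, an audit of both, and post-handshake certificate checks.
# File paths are hypothetical; SAMPLE_CERT / EXPIRED_CERT are constructed samples.
import ssl
import time
from typing import List, Optional


def build_client_context(ca_bundle: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """ca_bundle restricts trust to the CA(s) issuing the service's certificate
    (None = system trust store); client_cert/client_key enable mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True                       # name in the cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED             # unauthenticated servers are refused
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # mutual TLS
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """Anti-pattern: encryption without server authentication (MITM-able)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an attacker's, is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return configuration weaknesses of a context; an empty list is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def hostname_matches(san_name: str, hostname: str) -> bool:
    """Match one dNSName SAN entry; a wildcard covers exactly one leftmost label."""
    san_name, hostname = san_name.lower(), hostname.lower()
    if san_name.startswith("*."):
        return (hostname.endswith(san_name[1:])
                and hostname.count(".") == san_name.count("."))
    return san_name == hostname


def verify_peer_details(cert: dict, hostname: str,
                        now: Optional[float] = None) -> List[str]:
    """Check a getpeercert()-style dict: validity window and that the host we
    dialled appears in subjectAltName (the CN is deliberately not consulted)."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity period")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(n, hostname) for n in dns_names):
        problems.append("%s is not in subjectAltName %s" % (hostname, dns_names))
    return problems


# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.svc.example.com")),
    "notBefore": "Jan  5 09:34:43 2020 GMT",
    "notAfter": "Jan  5 09:34:43 2099 GMT",
}
EXPIRED_CERT = dict(SAMPLE_CERT, notAfter="Jan  5 09:34:43 2021 GMT")

if __name__ == "__main__":
    print("secure context:", audit_context(build_client_context()))
    print("insecure context:", audit_context(insecure_client_context()))
    print(verify_peer_details(SAMPLE_CERT, "api.example.com"))
    print(verify_peer_details(EXPIRED_CERT, "evil.example.net"))
```

`create_default_context` already enables hostname checking and certificate verification; the explicit assignments make the intent reviewable and stop a later "quick fix" from silently relaxing them. Revocation checking (CRL/OCSP) is not enabled by this context and has to be added separately where the deployment requires it.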
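The Message Size, Content Validation and XML Denial of Service Protection rows describe checks that belong in front of the SOAP stack, before any schema validation or business logic runs. The following is an added example, not code from the OWASP cheat sheet: a pre-parse gate built on Python's standard-library expat binding that rejects oversized messages, any DOCTYPE (which blocks both XXE and entity expansion such as the billion-laughs payload), external entity references, excessive nesting, excessive element counts and overlong element or attribute names. The sample messages are constructed for the demonstration and the limit values are hypothetical defaults to be tuned per service.

```python
# Added example (not OWASP code): structural limits enforced on an inbound SOAP
# message with a non-expanding expat parser. Sample messages are constructed;
# the limit defaults are hypothetical and should be tuned per service.
import xml.parsers.expat as expat
from typing import Dict


class RejectedMessage(ValueError):
    """Raised when a message violates a limit before it reaches the application."""


def check_soap_message(raw: bytes, max_bytes: int = 1_000_000, max_depth: int = 32,
                       max_name_len: int = 128, max_elements: int = 10_000) -> Dict[str, int]:
    """Parse once, expanding nothing, and enforce size/structure limits.
    Returns element count and maximum nesting depth for an acceptable message."""
    if len(raw) > max_bytes:
        raise RejectedMessage("message size %d exceeds limit %d" % (len(raw), max_bytes))

    state = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations: defeats XXE and entity expansion.
        raise RejectedMessage("DOCTYPE is not allowed (XXE / entity expansion)")

    def on_entity_decl(*args):
        raise RejectedMessage("entity declarations are not allowed")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # refuse to resolve; expat turns this into a parse error

    def on_start(name, attrs):
        for n in [name] + list(attrs):            # element name plus attribute names
            if len(n) > max_name_len:
                raise RejectedMessage("name of length %d exceeds limit %d" % (len(n), max_name_len))
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:            # recursive / deeply nested payload
            raise RejectedMessage("nesting depth %d exceeds limit %d" % (state["depth"], max_depth))
        if state["elements"] > max_elements:      # oversized payload
            raise RejectedMessage("element count exceeds limit %d" % max_elements)
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as err:               # malformed XML is rejected outright
        raise RejectedMessage("malformed XML: %s" % err) from err
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def rejection_reason(raw: bytes, **limits) -> str:
    """Empty string if the message is accepted, otherwise the reason it was rejected."""
    try:
        check_soap_message(raw, **limits)
        return ""
    except RejectedMessage as err:
        return str(err)


# Constructed sample messages (not captured traffic).
GOOD_SOAP = (b'<?xml version="1.0"?>'
             b'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
             b'<soap:Body><GetBalance><AccountId>42</AccountId></GetBalance></soap:Body>'
             b'</soap:Envelope>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
                  b'<soap:Envelope><soap:Body>&lol3;</soap:Body></soap:Envelope>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<r>&xxe;</r>')
DEEPLY_NESTED = b"<a>" * 40 + b"</a>" * 40   # recursive payload, 40 levels
OVERLONG_NAME = b"<" + b"x" * 300 + b"/>"     # overlong element name

if __name__ == "__main__":
    print("good:", check_soap_message(GOOD_SOAP))
    for label, msg in [("billion laughs", BILLION_LAUGHS), ("xxe", XXE),
                       ("nested", DEEPLY_NESTED), ("long name", OVERLONG_NAME)]:
        print("%s: %s" % (label, rejection_reason(msg)))
```

Recent libexpat builds bundled with Python also apply their own entity amplification limits, but refusing the DOCTYPE up front does not depend on the library version and is the conservative choice for a service interface that never legitimately carries a DTD. Only after a message passes this gate should it be handed to the schema validator (for instance lxml's `etree.XMLSchema`, with entity resolution disabled in the parser) and then to the application.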