Web Service Security (often abbreviated as WS-Security) refers to a suite of protocols and standards that ensure the protection and security of web services.
The cheat sheet below condenses insights extracted from the OWASP article about web service security. This table aims to offer a concise and user-friendly overview that can be swiftly referenced for a quick grasp of key points. For further information, please visit OWASP – Web Service Security
| Topic | Key Security Points |
| Transport Confidentiality |
• Protects against eavesdropping and man-in-the-middle attacks. • All communications must be encrypted using well-configured TLS. |
| Server Authentication |
• Use TLS for authenticating the service provider to the service consumer. • Verify server certificate details. |
| Client Authentication |
• Verifies user/system identity. • Basic Authentication should be over TLS. • Client Certificate Authentication using Mutual-TLS is recommended. |
| Transport Encoding | • Enforce the same encoding style between client and server. |
| Message Integrity |
• Integrity of data in transit is provided by TLS. • Use XML digital signatures for XML data. |
| Message Confidentiality |
• Encrypt sensitive data using a strong cipher. • Use strong data encryption, not just transport encryption for data at rest. |
| Authorization |
• Authorize web service clients. • Challenge-response Authorization mechanism for sensitive resources. • Limit access to administration functions. |
| Schema Validation |
• Validate SOAP payloads against their associated XML schema definition (XSD). • Define XSD constraints. |
| Content Validation | • Validate input content, including against malformed XML entities and XML Bomb attacks. |
| Output Encoding | • Ensure output to clients is properly encoded. |
| Virus Protection |
• Use Virus Scanning technology. • Regularly update virus definitions/rules. |
| Message Size | • Limit SOAP Messages to an appropriate size to prevent DoS attacks. |
| Availability | • Address resource limitations for CPU cycles, memory, open files, and processes. |
| Message Throughput | • Optimize for maximum throughput to prevent DoS-like situations. |
| XML DoS Protection |
• Protect against recursive and oversized payloads. • Implement protection against XML entity expansion. • Validate against overlong element names. |
| Endpoint Security Profile | • Ensure compliance with Web Services-Interoperability (WS-I) Basic Profile. |