Web services are well-entrenched in the enterprise, but the new security risks they pose are only beginning to be understood

Web services are almost irresistible. Every popular IDE makes them easy to build — to unlock the data and business logic in legacy systems, to provision common functions that can be shared across multiple platforms, or to provide partner organizations direct access to information or applications. And by their nature, Web services helpfully describe themselves, allowing one system to find and interact with another with little or no human intervention.

Yet the very virtues that make Web services compelling — their use of trusted ports and protocols, their ease in exposing back-end systems, their eagerness to describe exactly what services are offered and how to get at them, and their use of multiple intermediaries — also make them a potential windfall for criminals crossing an enterprise’s perimeter (see also "Web services security standards aren't enough").

“You’re taking all of these systems that you would never put on the Internet — you would never hook your mainframe up to a DSL line — but now you’re exposing all their functionality through a Web service, and if you’re not thinking about security when you do that, you’re also exposing all those vulnerabilities,” says Alex Stamos, principal partner at iSec Partners, a security consulting company.

Few organizations have fully grasped the situation, in part because Web services technology is still relatively new. Even enterprises that are implementing an SOA (service-oriented architecture) — which provides a framework for building, running, and managing services — seldom recognize the new security risks. Ultimately, the recognition that we need to tackle Web services’ vulnerabilities is part of a growing awareness that security must be addressed in the code of applications, not just through firewalls and gateways.