Developing a Web Service Security Framework

Developing a Web Service Security Framework

Yangil Park (University of Wisconsin, USA) and Jeng-Chung Chen (National Cheng-Kung University, Taiwan)
DOI: 10.4018/978-1-60566-026-4.ch170
OnDemand PDF Download:
$37.50

Abstract

Web Service (WS) is an open standard software component that uses Extensible Markup Language (XML) functions to access and exchange data via networks in communicating with other WSs. In business transactions, Web Service Description Language (WSDL) is used to describe data and deliver all parameters, return values, and types. However, the convenience of using WSDL in business transactions also lets hackers snoop and analyze data easily. In addition, the lack of Web Service standards at present makes the security issue even more serious in business transactions using WS. This article proposes a high-level security model for the security problems of the applications. Unlike other studies in the field, this study is dedicated to provide a total solution consisting of technological, organizational, and managerial aspects when using WS. Therefore, the understanding and development of business behaviors is essential in this study. It first introduces current uses of WS. Then definitions of WS, WS security, and WS policy are reviewed. Finally, a WS security model is proposed and explained in the following examples.
Chapter Preview
Top

Background

The Internet is becoming a global common platform where organizations and individuals communicate with each other to carry out various commercial activities and to provide value-added services (Wang, Huang, Qu, & Xie,, 2004). According to the World Wide Web Consortium (W3C, 2004), Web service means that an application program can be described and invoked, and made use of Uniform Resource Identifier (URI) to distinguish via XML. The application program interfaces define ways of contacting and supporting other application programs in order to urge directly through the protocol conforming to the Internet with the information of XML form. Web service technology allows users to customize services according to their own needs. This allows businesses to interact more accurately and efficiently with customers, cooperative enterprises, and suppliers.

According to a recent Gartner survey, 10 percent of midsize businesses cited using Web services for some production applications, while 47 percent of midsize stated that they plan to deploy Web services (Browning & Anderson, 2004). Also, Gartner Dataquest predicted that Web services will grow from $56 billion worldwide in 2003 to $283 billion worldwide in 2007 (Varbusiness, 2005). By then, Web services will take hold as a competitive differentiator in business relationships and product innovation (Andrews, 2003; Fensel and Bussler, 2002). Enterprises that want to remain competitive will need to use Web services to provide commonly requested data to their partners (Andrews, 2003) and, therefore, Web service technology will no longer offer a competitive advantage to enterprises. It is necessary for them to become competitive (Wiseth, 2004).

When an enterprise has some basic Web services, the high-level functional demands such as the service security, the service composition, and the service semantics will increase, and they are critical to the success of deploying Web services (Wang, et al., 2004). Presently, service-oriented architectures use the Web services to work on the business transaction based on the Web Service Description Language (WSDL). During the process of digital data delivery hackers are capable of obtaining the parameters. This data can be decoded and analyzed, which could cause a threat to a business. Communication over Web services is done by using a Simple Object Access Protocol (SOAP) that is associated with other programs that are built on XML. SOAP transfers everything over the HTTP, allowing data to pass through firewalls via a TCP port. This enables information to travel through firewalled ports, but this kind of firewall penetration also adds another security concern.

Key Terms in this Chapter

Port: A number from 0 through 1023 used to identify a network service on an IP network.

B2B (Business-to-Business): Refers to one business communicating with or selling to another.

Security Policy: A security policy is a generic document that outlines rules for computer network access. It determines how policies are laid out and some of the basic architecture of the company security environment.

HTTP (HyperText Transfer Protocol): Protocol used to transfer hypertext requests and information between servers and browsers.

Web Service Description Language (WSDL): Used to describe data and deliver all parameters, return values, and types.

Security: Freedom from risk or danger; safety.

TCP (Transmission Control Protocol): TCP ensures that all data arrive accurately and 100% intact at the other end. Web AU13: Reference appears to be out of alphabetical order. Please check Service: An open standard software component that uses XML functions to access and exchange data via networks to communicate with other Web Services.

Complete Chapter List

Search this Book:
Reset