In addition to validating the credentials of a consumer, producers must validate the document structure against the expected schema. Web services are as vulnerable to data-layer attacks, such as SQL injection, as were their form-based predecessors. Most well-designed XML schemas not only specify the format of the document, but detail the type of data expected. If the schema specifies an integer as the type for an element, for example, only numeric data should be allowed. If the length of string input is designated, documents with nonconforming elements should be rejected. Validation of user input should be a requirement for any application, and Web services are no exception.
If a document, or elements thereof, has been digitally signed, it is further expected that the certificate is validated and a CRL (certificate-revocation list) consulted. If the certificate is not found in a CRL, it is wise to verify the certificate through the chain of issuers, all the way to the CA (certificate authority). Encrypted elements must be decrypted and, again, validated. Once the request has been found to be acceptable, you should use the consumer's credentials to determine whether the client is authorized to access the service and operation being requested. Only then should the request be processed.
Note that validation of input and certificates should be integral steps in secure application development in any Web environment, not just Web services.
The Bodyguards
Securing Web services is a team effort--a dual-pronged attack is needed. A well-designed Web services architecture will include both a single point of entry at the network level and a fine-grained level of control at the service level.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
