HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
If the history of interapplication communication repeats itself, the ease with which web services architectures publish information about applications across the network is only going to result in more application hacking. We've provided some concrete examples of such attacks in this chapter. At the very least, it's going to put an even greater burden on web architects and developers to design and write secure code. With web services, you can run but you can't hide, especially with technologies like SOAP, WSDL, and UDDI opening doors across the landscape. Remember the basics of web security: firewalls are generally a poor defense against application-level attacks; servers (especially HTTP servers) should be conservatively configured and fully patched; solid authentication and authorization should be used wherever possible; and proper input validation should be done at all times. Specifications still under development, like WS-Security, should also be leveraged as they mature. Onward into the brave new world of web services!