WEB SERVICES SECURITY

What is Web Services Security?

Web services are XML-centred data exchange systems that use the internet for A2A (application-to-application) communication and interfacing. The processes involve programs, messages, documents, and/or objects.

An application programming interface (API) is a computing interface which defines interactions between multiple software intermediaries. It defines the kinds of calls or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc. There are two types of API – REST and SOAP.

Why is Web Services Security Required?

A web service/API penetration test is an authorised hacking attempt aimed at identifying and exploiting vulnerabilities in its architecture and configuration. The purpose of this test is to demonstrate the ways attackers can compromise a web service and gain access to an organisation's virtual assets.

Almost all major web applications use these technologies to communicate, which is why it is important to undergo a security assessment.

Methodology

  • Pre-Engagement

    In this section we discuss timelines, scoping, location, the time of day to test and other such requirements needed to start the assessment.

  • Intelligence Gathering

    In this section we perform active and passive information gathering. The approach depends on the type of engagement, i.e. whether it is external or internal.

  • Vulnerability Analysis

    Vulnerability testing is the process of discovering flaws in systems and applications that can be leveraged by an attacker. Proper checks are carried out to identify any potential risk.

  • Exploitation

    The exploitation phase will involve taking all potential vulnerabilities identified in the previous phases of the assessment and attempting to exploit them as an attacker would.

  • Report

    Provide recommendations and conduct a debrief of the identified vulnerabilities.

  • Revalidation

    Once the reported vulnerabilities are addressed, we conduct another round of testing to confirm that the identified issues have been fixed.

Frameworks


OWASP

Open Web Application Security Project

PTF

Penetration Testing Framework

PCI DSS

Payment Card Industry Data Security Standard

Benefits For Your Organization

  • Gain insight into API-related vulnerabilities.
  • Help your company develop secure authentication and authorisation controls.
  • Ensure compliance with PCI DSS and other security standards.
  • Protect data transmitted between users and web services from being intercepted by a malicious attacker.
  • Get actionable recommendations that developers can follow during development or when implementing upgrades.