Web Services Security Assessment

Get a comprehensive web services infrastructure evaluation

Overview

Web services have revolutionized application development and how IT organizations operate, much the same way that client-server and web-based applications did in the past. They offer businesses a new, standardized way of integrating disparate applications and systems between suppliers, partners, and customers. With Web 2.0, web services have become commonplace as technologies such as AJAX and JSON gain traction.

Security is a major concern for web services, as it is for any other application type. Traditional network security infrastructure operates below the XML message layer and is inadequate for the security needs of XML and web services. Foundstone offers a comprehensive Web Services Security Assessment to identify the threats, vulnerabilities, and risks associated with your organization's web services infrastructure.

Every customer and web service has unique security requirements based on its business needs and operational environment. The process begins by systematically identifying and documenting those requirements. Next, threat modeling is performed to recognize and prioritize potential threats. We then assess the security aspects of the design and implementation, including confidentiality, integrity, trust relationships, and authentication, including the use of standards such as XML Signature, XML Encryption, SAML, and WS-Security.

Key Benefits

  • Find holes in production web services before attackers do
  • Perform security quality assurance as applications move into production
  • Understand risks and the potential impact on your business
  • Rely on a detailed and well-established manual testing methodology for accuracy and effectiveness
  • Secure knowledge transfer of testing techniques, issues found, and remediation
  • Understand why countermeasures designed for traditional web applications may not be effective against web services attacks

Methodology

The methodology looks for XML content-based attacks, attacks specific to the web services standards themselves (WSDL and XML Schema), and application infrastructure threats such as SQL injection and denial of service (DoS). Web services security offerings include:

  • Threat modeling
  • Black box assessments
  • White box assessments
  • Perimeter product reviews (XML firewalls)
  • Architecture reviews

Web Services Threats:

  • XML content attacks
    • Coercive parsing
    • External entity (XXE) injection
    • Parameter tampering
    • XPath and XQuery injection
    • Recursive payload
    • Oversized payload
  • Web services attacks
    • WSDL scanning
    • Schema poisoning
  • Infrastructure attacks
    • Information enumeration
    • Authentication and authorization
    • Input validation (SQL/XSS)
    • Error handling
    • Web server/network layer
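Several of the XML content attacks listed above (external entity, recursive payload, oversized payload, coercive parsing) are declared or shaped in the document before a parser ever builds a tree, so a service can refuse them at the front door. The following is an added example written for this page, not Foundstone's assessment tooling: a pre-parse gate that a web service would run on every inbound XML message. The size, depth and element-count limits are assumed values to be tuned per service, and the sample messages are constructed, not captured traffic.

```python
"""Pre-parse gate for untrusted XML arriving at a web service endpoint.

Rejects the XML content attacks named on this page before the message reaches
a full parser:
  - external entity (XXE) and entity-expansion ("billion laughs") payloads,
    both of which require a DOCTYPE/ENTITY declaration a client never needs;
  - oversized payloads (byte cap);
  - recursive / coercive-parsing payloads (nesting and element-count caps,
    enforced while streaming so the tree is never fully built).
Example code for this page; limits below are assumptions, not vendor defaults.
"""
import io
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024     # assumed per-message cap
MAX_DEPTH = 32            # assumed nesting cap
MAX_ELEMENTS = 10_000     # assumed element-count cap

# A DOCTYPE is the only place entities (internal or SYSTEM/PUBLIC) can be
# declared, so refusing it closes both XXE and entity-expansion bombs.
_DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised with a short reason when the gate refuses a message."""


def gate_xml(payload: bytes) -> ET.Element:
    """Return the parsed root element, or raise RejectedXML with the reason."""
    if len(payload) > MAX_BYTES:
        raise RejectedXML("oversized payload")
    if _DOCTYPE_RE.search(payload):
        raise RejectedXML("DOCTYPE/ENTITY declaration not allowed")

    depth = 0
    count = 0
    root = None
    try:
        # iterparse streams start/end events; we abort as soon as a limit is
        # crossed instead of materialising the attacker's whole tree first.
        for event, elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if root is None:
                    root = elem
                if depth > MAX_DEPTH:
                    raise RejectedXML("nesting deeper than %d" % MAX_DEPTH)
                if count > MAX_ELEMENTS:
                    raise RejectedXML("more than %d elements" % MAX_ELEMENTS)
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise RejectedXML("malformed XML: %s" % exc) from exc
    return root


def classify(payload: bytes) -> str:
    """Convenience wrapper: 'ok' when accepted, otherwise the rejection reason."""
    try:
        gate_xml(payload)
        return "ok"
    except RejectedXML as exc:
        return str(exc)


# Constructed sample messages (not captured traffic).
BENIGN = b'<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<order><id>&xxe;</id></order>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
                  b']><lolz>&lol3;</lolz>')
DEEP = b"<a>" * 100 + b"x" + b"</a>" * 100          # coercive nesting
OVERSIZED = b"<blob>" + b"A" * MAX_BYTES + b"</blob>"  # exceeds MAX_BYTES
WIDE = b"<r>" + b"<x/>" * MAX_ELEMENTS + b"</r>"      # exceeds MAX_ELEMENTS

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("xxe", XXE),
                      ("billion_laughs", BILLION_LAUGHS), ("deep", DEEP),
                      ("oversized", OVERSIZED), ("wide", WIDE)]:
        print("%-15s -> %s" % (name, classify(doc)))
```

Only messages that pass the gate are handed to schema validation and the application; this keeps the expensive, attacker-controlled work (entity expansion, deep tree construction) out of the parser entirely rather than relying on every parser build having amplification limits enabled.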