by Luke Marshall
• July 8, 2020
SOAP security is one of the top concerns for businesses today as they face a growing number of expensive breaches and serious vulnerabilities. Near the top of the list of those vulnerabilities are the ones found in APIs. The share of reported vulnerabilities that involve APIs went up by about 20% from 2018 to 2019. The growth is at least slowing, since in the two years before that the number had increased by 80%. Around 15% of these APIs use SOAP (Simple Object Access Protocol), which makes SOAP security extremely important.
SOAP APIs have security concerns of their own compared to REST, because every request and response is an XML document with a standardized envelope, and the security mechanisms live inside that document rather than only in HTTP headers. How are businesses closing the gap and improving API security for SOAP? How can you protect your business and your clients and secure your APIs from threats?
Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Sign up for our free 14-day hosted trial to learn how! Our guided tour will show you how to create an API using an example MySQL database provided to you as part of the trial.
This article will explain SOAP security, examine common risks and help you follow the best practices that can protect you from data breaches and security problems.
SOAP is a messaging protocol, so SOAP security is primarily concerned with preventing unauthorized access to, and tampering with, these messages and the user data they carry. The main standard used to accomplish this is WS-Security (Web Services Security), an OASIS specification that defines how security information is attached to the SOAP header.
WS-Security defines the header elements and token formats that handle authentication, integrity and confidentiality for SOAP messaging. WS-Security-compliant measures include username and password tokens, X.509 certificates, digital signatures (XML Signature) and XML (Extensible Markup Language) Encryption, among other things. XML Encryption makes the message body, or selected elements within it, unreadable to anyone without the corresponding key, and XML Signature lets the recipient detect a message that was altered in transit. None of this replaces transport security: WS-Security is applied on top of TLS, not instead of it, and a password token sent over plain HTTP is exposed to anyone on the path.
Cyber security is on the list of top concerns of modern businesses. According to one source, the average monetary loss due to malware attacks on companies is $2.4 million. Up to 21% of files have no security measures or protections in place at all.
SOAP security protects data that is often sensitive and that may otherwise fall into the wrong hands. It is a means of building security into the API infrastructure and protecting the interests of your clients.
DreamFactory brings additional safety to your data by building and monitoring APIs for you. We offer an API-as-a-service platform with rock-solid security measures.
There are many different kinds of cyber security vulnerabilities and attacks, and some are aimed specifically at APIs. A few of these are code injection, DoS (Denial of Service), breached or leaked credentials, XSS (Cross-site Scripting) and session hijacking.
Code injection, using SQL or, in the case of SOAP, XML, introduces attacker-controlled content into the database or the application itself. Typical forms are SQL injection through a SOAP parameter that is concatenated into a query, XPath injection against code that queries the message with attacker-supplied strings, and XML External Entity (XXE) injection, where a DOCTYPE in the envelope makes the parser read local files or contact internal hosts. Access control does not stop these, because a legitimately authenticated user can send the same payload. They are prevented by validating every parameter against the schema and an allow-list of acceptable values, by using parameterized queries, and by disabling DTD and external entity processing in the XML parser.
Many attacks, including some injections, still start with breached or leaked credentials. Making sure SOAP messages can be read only by their intended recipient, and that the credentials inside them cannot be harvested from the wire or from logs, is one important part of SOAP security.
A Denial of Service, or Distributed Denial of Service (DDoS), attack overwhelms a web service with messages that are too many, too large or too deeply nested. XML gives attackers cheap amplification: an "XML bomb" such as the billion laughs entity expansion turns a few kilobytes of envelope into gigabytes of parsed content. SOAP security cannot make DoS attacks impossible, but rejecting DTDs, capping message size, nesting depth and element count before the full parse, and rate-limiting callers removes the amplification and lets the service fail fast instead of falling over.
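The injection and DoS paragraphs above both come down to what the service lets the XML parser do before application code sees the message. The following is an added example, not code from the original article or from DreamFactory, of a pre-parse screen written against the Python standard library: it caps the size, refuses any DOCTYPE (which blocks XXE and entity expansion at once), counts nesting depth and element total with a lightweight expat pass, and only then hands the document to ElementTree and checks that it is a SOAP envelope with a Body. The sample envelopes, the `urn:example:bank` namespace and the limits are constructed for the demonstration.

```python
"""Screen a SOAP envelope for size, DTD, depth and element-count abuse before the real parse."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"


class UnsafeMessage(ValueError):
    """Raised when a message is rejected before the application sees it."""


def screen_envelope(data: bytes, max_bytes: int = 64 * 1024,
                    max_depth: int = 32, max_elements: int = 5000) -> ET.Element:
    """Return the parsed Envelope element, or raise UnsafeMessage with a short reason."""
    if len(data) > max_bytes:
        raise UnsafeMessage(f"too large: {len(data)} bytes > {max_bytes}")

    depth = elements = 0
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations: this blocks XXE and billion-laughs in one check.
        raise UnsafeMessage("doctype: DTDs are rejected (blocks XXE and entity expansion)")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > max_depth:
            raise UnsafeMessage(f"too deep: nesting exceeds {max_depth}")
        if elements > max_elements:
            raise UnsafeMessage(f"too many elements: more than {max_elements}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)          # a handler exception propagates out of Parse()
    except expat.ExpatError as exc:
        raise UnsafeMessage(f"malformed: {exc}") from exc

    root = ET.fromstring(data)            # safe now: no DTD, bounded depth and size
    if root.tag not in (f"{{{SOAP11_NS}}}Envelope", f"{{{SOAP12_NS}}}Envelope"):
        raise UnsafeMessage("not a SOAP envelope")
    ns = root.tag[1:].split("}")[0]
    if root.find(f"{{{ns}}}Body") is None:
        raise UnsafeMessage("missing Body")
    return root


def screen(data: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        screen_envelope(data)
        return "ok"
    except UnsafeMessage as exc:
        return str(exc)


# Constructed sample messages (hypothetical urn:example:bank service).
def wrap(body: bytes) -> bytes:
    return (b'<soapenv:Envelope xmlns:soapenv="' + SOAP11_NS.encode() + b'"><soapenv:Body>'
            + body + b'</soapenv:Body></soapenv:Envelope>')

GET_BALANCE = b'<GetBalance xmlns="urn:example:bank"><Account>%s</Account></GetBalance>'
BENIGN = wrap(GET_BALANCE % b"42")
# Two levels of entity expansion shown; the real attack nests nine or more.
BILLION_LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;'
                  b'&lol;&lol;&lol;&lol;&lol;">]>' + wrap(GET_BALANCE % b"&lol2;"))
XXE = (b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       + wrap(GET_BALANCE % b"&xxe;"))
DEEP = wrap(b"<a>" * 40 + b"</a>" * 40)
OVERSIZED = wrap(GET_BALANCE % (b"9" * 70000))

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("billion laughs", BILLION_LAUGHS),
                       ("xxe", XXE), ("deep", DEEP), ("oversized", OVERSIZED)]:
        print(f"{label:15} -> {screen(msg)}")
```

The DOCTYPE rejection is the important line: it runs before any entity is declared, so the parser never expands anything, and it costs nothing for legitimate SOAP traffic, which never carries a DTD. The limits are deliberately tight defaults for a small request/response service; a file-transfer operation would raise `max_bytes` but should keep the depth and DTD rules.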
Cross-site scripting is another form of injection. A SOAP API does not render HTML itself, but it becomes the carrier: an attacker stores browser-side script in a field through one SOAP call, and a web application later puts the contents of a SOAP response into a page without encoding it, where the script runs in another user's browser. The fix is output encoding on the consuming side, backed by input validation at the API.
Session hijacking is another failure of access control. It occurs when an unauthorized party obtains a valid session ID or security token, for example by sniffing an unencrypted connection or reading it from a log file, and then replays it. The attacker then has the full access of the application and/or of the user whose session was taken.
There are some basic things that you can add to SOAP to help prevent unauthorized access. In order to create a secure SOAP web service, you need to add a security layer through the SOAP header. You can find the steps to do this here.
What this does is add a security credential to the SOAP header, in WS-Security terms a UsernameToken. You add the username and password as variables so that each time you generate a SOAP message, you generate them as part of the header. This way, whenever the user calls the web service, the call carries the username and password and the service can reject calls without valid credentials. Two caveats apply. A UsernameToken is only as safe as the channel it travels over, so the service must be reachable over TLS only. And the PasswordText form sends the password in the clear inside the envelope, so prefer the PasswordDigest form, which sends Base64(SHA-1(nonce + Created + password)) together with the nonce and the Created timestamp, and have the server reject stale timestamps and reused nonces so that a captured header cannot be replayed. The digest form has a cost of its own: the server must hold the password in a form from which it can recompute the digest, so the password store needs protecting accordingly; where that is unacceptable, use X.509 certificate tokens with XML Signature instead.
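The header described above, built and checked end to end, as an added example that is not part of the original article and is not DreamFactory's code: the client side constructs a SOAP 1.1 envelope carrying a WS-Security UsernameToken in PasswordDigest form, and the server side parses it back, insists on the digest form, checks the Created timestamp against a clock-skew window, rejects a reused nonce, and compares the digest in constant time. Only the Python standard library is used. The `alice` account, the password, the `urn:example:bank` body and the fixed clock in `demo()` are constructed for the demonstration; the namespace URIs and the digest formula are the ones from the WS-Security UsernameToken Profile 1.0.

```python
"""WS-Security UsernameToken (PasswordDigest): client builder and server verifier."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST_TYPE = PROFILE + "#PasswordDigest"
TEXT_TYPE = PROFILE + "#PasswordText"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, body_xml: str,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> bytes:
    """Client side: wrap body_xml in a SOAP 1.1 envelope with a PasswordDigest UsernameToken."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security", {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce", {"EncodingType": B64_TYPE})
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


class UsernameTokenVerifier:
    """Server side. `passwords` stands in for a protected credential store (hypothetical)."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5), now=None):
        self.passwords = passwords
        self.max_skew = max_skew
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.seen = {}  # (username, nonce) -> Created; replay cache bounded by max_skew

    def verify(self, envelope: bytes) -> str:
        """Return 'ok' or a short rejection reason; never raises on hostile input."""
        try:
            root = ET.fromstring(envelope)
        except ET.ParseError:
            return "malformed envelope"
        tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            return "missing UsernameToken"
        username = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
        pw = tok.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return "only PasswordDigest accepted"
        if not nonce_b64 or not created:
            return "nonce and Created are required"
        try:
            created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return "bad nonce or timestamp encoding"
        now = self.now()
        if abs(now - created_dt) > self.max_skew:
            return "stale or future timestamp"
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.max_skew}
        if (username, nonce) in self.seen:
            return "replayed nonce"
        # Compute a digest even for unknown users so response time does not reveal valid names.
        expected = password_digest(nonce, created, self.passwords.get(username, "\0"))
        if username not in self.passwords or not hmac.compare_digest(expected, pw.text or ""):
            return "bad credentials"
        self.seen[(username, nonce)] = created_dt
        return "ok"


SAMPLE_BODY = '<GetBalance xmlns="urn:example:bank"><Account>42</Account></GetBalance>'  # constructed


def demo() -> list:
    """Accept, replay, wrong password, stale timestamp and plaintext password, with a fixed clock."""
    now = datetime(2020, 7, 8, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "correct horse battery"}, now=lambda: now)
    created = "2020-07-08T11:59:30Z"
    good = build_envelope("alice", "correct horse battery", SAMPLE_BODY, b"nonce-0001", created)
    bad_pw = build_envelope("alice", "wrong", SAMPLE_BODY, b"nonce-0002", created)
    stale = build_envelope("alice", "correct horse battery", SAMPLE_BODY, b"nonce-0003",
                           "2020-07-08T11:00:00Z")
    plaintext = good.replace(DIGEST_TYPE.encode(), TEXT_TYPE.encode())
    return [verifier.verify(m) for m in (good, good, bad_pw, stale, plaintext)]


if __name__ == "__main__":
    print(demo())
```

The replay cache is keyed on username and nonce and pruned to the skew window, which is enough because any message with an older Created value is already rejected as stale before the cache is consulted. In a clustered deployment that cache has to be shared (or the nonce check replaced by signed, single-use tokens), otherwise a replayed header will be accepted by whichever node has not seen it.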
DreamFactory can do more than these basic security measures. Our SOAP services provide clients with REST-based access to their SOAP remote services. We generate secure and reusable APIs with no code, saving you time and worry.
What are some of the top SOAP security best practices that you should implement to ensure that your API is secure and your clients’ information is safe?
The main practices are regular testing, IAM (Identity and Access Management), request monitoring, input validation and redundant (layered) security standards.
You can perform various types of tests to check that your API stands up to realistic threats and to find the vulnerabilities that attackers would otherwise exploit. Two of the most useful are fuzz testing and injection testing.
In fuzz testing, the tester sends unexpected, malformed or randomly mutated input to the API to see if and when it breaks: an unhandled exception, a stack trace in a SOAP Fault, a timeout or a crash is a finding, because each is a place where attacker-controlled input reaches code that was not written to receive it.
In injection testing, the tester submits deliberately 'malicious' payloads (SQL fragments, XPath expressions, XML entities, script tags) in each parameter and checks whether the service treats them as data or interprets them. Both kinds of test belong in the build pipeline, run against the WSDL-generated operations rather than hand-picked ones, so that a newly added operation is covered automatically.
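A small in-process version of the fuzz and injection testing just described, as an added example that is not from the original article or from DreamFactory. It runs a fixed set of named mutations (empty, non-numeric and SQL-like values, a removed and a duplicated element, truncation, seeded bit flips) against two constructed handlers for a hypothetical `urn:example:bank` GetBalance operation: a naive one that trusts the envelope, and a hardened one that validates structure and value before use and reports problems as a client fault. The harness classifies every outcome so the results read as a bug list.

```python
"""Mutation fuzzer for a SOAP operation handler, with a naive and a hardened target."""
import random
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BANK_NS = "urn:example:bank"                      # hypothetical service namespace
ACCOUNT_PATH = f"{{{SOAP_NS}}}Body/{{{BANK_NS}}}GetBalance/{{{BANK_NS}}}Account"
ACCOUNTS = {42: 100, 7: 250}                      # constructed backing data

SEED_ENVELOPE = (                                  # constructed valid request
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><GetBalance xmlns="urn:example:bank"><Account>42</Account></GetBalance>'
    b'</soapenv:Body></soapenv:Envelope>'
)


class ClientFault(Exception):
    """Stands in for a SOAP Fault with faultcode Client: an expected, handled rejection."""


def naive_get_balance(envelope: bytes) -> dict:
    """Target 1: trusts the message. Every assumption here is a fuzzing finding waiting to happen."""
    root = ET.fromstring(envelope)
    node = root.find(ACCOUNT_PATH)
    account = int(node.text)
    return {"account": account, "balance": ACCOUNTS[account]}


def robust_get_balance(envelope: bytes) -> dict:
    """Target 2: validates structure and value, and turns every bad input into a ClientFault."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        raise ClientFault(f"malformed XML: {exc}")
    nodes = root.findall(ACCOUNT_PATH)
    if len(nodes) != 1:
        raise ClientFault("exactly one Account element is required")
    text = (nodes[0].text or "").strip()
    if not re.fullmatch(r"[0-9]{1,12}", text):
        raise ClientFault("Account must be a decimal number of at most 12 digits")
    account = int(text)
    if account not in ACCOUNTS:
        raise ClientFault("unknown account")
    return {"account": account, "balance": ACCOUNTS[account]}


def mutations(seed: bytes):
    """Named mutations of one valid request; deterministic so runs are reproducible."""
    yield "baseline", seed
    yield "empty-account", seed.replace(b"<Account>42</Account>", b"<Account></Account>")
    yield "non-numeric", seed.replace(b"42", b"forty-two")
    yield "sql-ish", seed.replace(b"42", b"42 OR 1=1")
    yield "unknown-account", seed.replace(b"42", b"999")
    yield "drop-account", seed.replace(b"<Account>42</Account>", b"")
    yield "duplicate-account", seed.replace(b"<Account>42</Account>",
                                            b"<Account>42</Account><Account>7</Account>")
    yield "truncated", seed[: len(seed) // 2]
    rng = random.Random(2020)
    buf = bytearray(seed)
    for _ in range(3):
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    yield "bit-flips", bytes(buf)


def fuzz(handler, seed: bytes = SEED_ENVELOPE) -> dict:
    """Run every mutation; 'ok', 'fault', or the name of the unhandled exception type."""
    results = {}
    for name, case in mutations(seed):
        try:
            handler(case)
            results[name] = "ok"
        except ClientFault:
            results[name] = "fault"
        except Exception as exc:   # anything else escaped the handler: a finding
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for target in (naive_get_balance, robust_get_balance):
        print(target.__name__)
        for name, outcome in fuzz(target).items():
            print(f"  {name:18} {outcome}")
```

Against a real service the same loop would post each mutated envelope over HTTP and classify the response (a SOAP Fault with a stack trace, an HTTP 500, or a timeout play the role of the escaped exception). Note that `duplicate-account` passes silently through the naive handler because `find` returns the first match; which of two elements a service honours is exactly the kind of ambiguity injection tests are meant to surface.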
One example of this in action comes from PeachTech. The Peach Fuzzer tool helps companies and government agencies find crashes and input-handling bugs through fuzz testing before attackers find them.
Identity and Access Management is one of the most basic and essential aspects of cyber security. It involves everything from passwords and usernames to advanced authentication techniques.
Well-implemented IAM keeps unauthenticated users out of the application and limits the damage when a session token is stolen, for example by expiring tokens quickly, binding them to the client that obtained them and revoking them on logout, so that a hijacked session is worth little.
Role-Based Access Control (RBAC) assigns permissions to roles rather than to individual users, so that each member of your organization can call only the SOAP operations, and see only the data, that their role requires. Another part of IAM is single sign-on (SSO), which is fairly easy to add to a web service through standards such as SAML; WS-Security defines a SAML token profile for carrying such assertions in the SOAP header.
One example of this in action is AWS (Amazon Web Services). Amazon S3 applies IAM policies to its SOAP interface as well as its REST interface, although Amazon has since deprecated the S3 SOAP API, keeps it available over HTTPS only, and adds new features only to the REST API.
Monitoring requests and SOAP messaging for any abnormalities is another important part of security.
Request monitoring makes it much more likely that you will notice an attack in progress, a vulnerability being probed or a data leak, and be able to respond quickly.
In order to monitor requests, you need a logging system that records each SOAP request and response (at least the operation, the calling identity, the message size and the outcome or fault code) and that you check regularly for irregularities such as bursts of faults, unusually large messages or calls from unexpected identities. Log message bodies only with sensitive fields redacted; a UsernameToken or session token copied into a log is the kind of leaked credential discussed above.
One example of this in action is the Apache Software Foundation's Axis project, which ships a SOAP Monitor utility that lets you inspect the requests and responses passing through a service.
There are two aspects of input validation for SOAP: schema compliance validation and SOAP response validation.
Schema compliance validation ensures that an incoming message conforms to the XML schema and the WSDL (Web Service Description Language): the right operation, the right elements in the right order, no unexpected elements, and values of the declared types and lengths.
SOAP response validation ensures that the response to your message is in the correct format, so that a client does not act on a malformed or tampered reply.
You can use both of these to discover irregularities in the messaging or simply to avoid errors. The WSDL and its schemas define the contract, and most SOAP frameworks can enforce it, but schema validation is frequently switched off by default for performance and must be enabled explicitly; until it is, the service accepts any well-formed XML that happens to parse.
One example of this in action is SoapUI, which validates requests and responses against the WSDL and the XML schemas it references.
WSDL, XML Schema, the SOAP standards and WS-Security overlap in many places: the parser checks well-formedness, the schema checks structure and types, the WSDL checks that the message matches the published contract, and the security header checks who sent it and whether it was altered. Few other API styles come with this much layered, independently specified checking.
Redundant security standards mean that a hostile or malformed message that slips past one check is likely to be caught by the next, so you have less chance of exposing data and more chance of discovering vulnerabilities before attackers exploit them. The layering only helps if each layer is actually turned on; a service that skips schema validation and ignores mustUnderstand on the Security header has thrown away two of the four.
Explore options for API management that implement multiple security standards and apply all of the best practices mentioned above.
One example of this in action is DreamFactory API management services, which can implement various security measures and standards for your SOAP security.
Ideal SOAP security requires professional help and monitoring on a regular basis. That is why companies have turned to DreamFactory.
We provide extensive SOAP services to help you secure and manage your APIs and SOAP messaging. For more information on how you can improve your SOAP security with DreamFactory, contact us today.