What are the risks to Web Services?
There are many methods for calculating security risk. Calculating risk around Web Services is difficult because Web Services can be used for many different types of applications, from simple enterprise application integration to complex B2B communication with partners and other third parties. We will look at one method for assessing the security risk of Web Services.
Web Services Background
The goal of Web Services is to expose standardized interfaces to new and existing applications. No technology in the past has created such potential exposures to critical business applications. Web Services are standardized interfaces and therefore can be attacked in consistent ways. Hackers can more easily gain access to a standardized interface than a proprietary interface because more is known about the interface.
In addition, the adoption of Web Services has been increasing rapidly. While it has not hit the mainstream yet, all analyst predictions point to massive adoption in the coming years. Support in the vendor community has been growing faster, providing further impetus for rapid growth.
In assessing the basic security risk of using Web Services, one must examine a couple of key areas. There are many ways to analyze security risk. One simple way is to look at the following formula:
Annualized Loss Expectancy = Annualized Rate of Occurrence x Single Loss Exposure
Each organization has different ways of calculating these variables. To illustrate, we’ll discuss each of these variables.