Friday 1 November 2013

Introduction

Web Services are becoming more and more popular nowadays. Just think about all the internet services you personally use in your day-to-day life. Social networks like Facebook allow you to log into thousands of web sites using the credentials you already have. This is all possible thanks to the fact that many companies are exposing their services to the public. Not to mention all the other companies that need to exchange information fast, without interacting directly with the companies they need the information from. That is really beneficial, but don’t you think it’s also a little bit risky? Of course it’s risky! You are sharing your personal details with companies like Facebook and LinkedIn which, despite the fact that they make your life easier (or at least you think they do), also have to protect your personal information.

Now think about it … you browse to a website which you come to like and you want to register there, but you notice the button which says “Log in with Facebook”. What do you do? Do you actually waste a couple of minutes of your time creating a new account, going to your email to verify it and then start browsing, or do you just use the functionality Facebook is offering? Most of you will actually use that functionality (even I do it from time to time), and when you think about it, why not, right? Enough with the boring stuff … Facebook is Facebook and you choose what to post there, so it might not even be crucial for you if something were to happen with your credentials. Let’s think about something more “spicy”. What about when you want to buy something from eBay and you have to use your PayPal account to pay for it? Guess how PayPal receives your transaction request from eBay to process your payment, and also how PayPal contacts your bank if you do not have any money in your PayPal account at that point in time? That’s right: by exposing web services and by using them as well. The question now is: “Why is it important to properly secure Web Services?” I think the answer to that question applies to anything that holds, transfers or handles any non-public information.

How would you feel if your bank account were charged 10 times more than the price of the item you just bought from eBay, just because someone was able to exploit the way PayPal handles requests via its web services? I am not saying it can happen (or at least I hope not) … I am just making a point here. All these valid points are someone’s everyday job: to think about how to protect all these beautiful technologies, which compose every bit of our daily lives, from people trying to misuse them or even destroy them. This is not a blog about psychology, so I will just leave you with something I learned from one of my mentors. He once told me that if you are clever enough to be able to exploit it, you should be clever enough to understand that you should not do it!