Web Services are becoming more and more popular nowadays.
Just think about all the internet services you are personally using in your
day-to-day life. Social networks like Facebook allow you to log into thousands of
web sites using the credentials you already have. This is all done thanks to
the fact that many companies are exposing their
services to the public. Not to mention all other companies that need to exchange
information fast, without interacting with the companies they need the
information from. That is really beneficial, but don’t you think it’s also a
little bit risky? But of course it’s risky! You are sharing your personal
details with companies like Facebook and LinkedIn which, despite the fact that they make
your life easier (or at least you think they do), also have to protect your
personal information.
Now think about it … you browse to a website which you come
to like and you want to register yourself there, but you notice the button
which says “log in with Facebook”. What do you do? Do you actually waste a couple
of minutes of your time to create a new account, go to your email to verify
it and then start browsing, or do you just use the functionality Facebook is
offering? Most of you will actually use that functionality (even I do it from
time to time) and when you think about it why not, right? Enough with the
boring stuff … Facebook is Facebook and you choose what to post there, so it
might not even be crucial for you if something were to happen to your
credentials. Let’s think about something more “spicy”. What about when you want
to buy something from eBay and you have to use your PayPal account to pay for
it? Guess how PayPal receives your transaction request from eBay to process
your payment, and also how PayPal contacts your bank if you do not have any
money in your PayPal account at that point in time? That’s right: by exposing web
services, and by using them as well. The question now is: “Why is it important to
properly secure Web Services?” I think the answer to that question applies to
anything that holds, transfers or handles any non-public information.
How would you feel if your bank account were charged 10 times
more than the price of the item you just bought from eBay, just because someone
was able to exploit the way PayPal handles requests via its web services? I am
not saying it can happen (or at least I hope so) … I am just making a point
here. All these valid points are someone’s everyday job: to think about how to
protect all these beautiful technologies, which compose every bit of our daily
lives, from people trying to misuse them or even destroy them. This is not a
blog about psychology so I will just leave you with something I learned from
one of my mentors. He once told me that “If you are clever enough to be able to
exploit it, you should be clever enough to understand that you should not do
it!”