Web Services

What Is It?

A web service, commonly referred to as an Application Programming Interface (API), is a resource that is data or action focused. It is a service which generally is not used by conventional end users but instead powers other services, be they compiled applications, web applications or third-party services for developers to utilise. Web services generally do not have a frontend view but instead focus on exposing calls and functions that return data in responses or conduct actions, such as updating data in your organisation.

Why Assess It?

There are many reasons to conduct a web services / API security assessment, five of which are below.

Data Exfiltration

Web services deal primarily with data. This means that when a mechanism to exfiltrate data is discovered it can be executed very quickly, leaving your organisation with a serious impact in a short space of time. As an example, a web application may return the results of a database search to the user in sections, whereas with a web service it is common for all results to be returned in their entirety, as the consuming application typically handles the presentation.

Exposure

The risk level of exposed resources such as web services is high because their details are often shared with developers or freely published on organisations' websites for partner developers to utilise. This means that any threat actor should be assumed to have a full working knowledge of what the web service can do and how to interact with it, making it a point of focus for them in obtaining their objectives.

Security Reliance

Web services are consumed by other resources which then present the functionality to a user. This means that security provisions in the web service itself are often overlooked because the security-enforcing controls are deployed in the web application. This can leave your web service open to vulnerabilities, because a threat actor will communicate with it directly rather than going through the web application to achieve their objectives.

Differing Authentication

Authentication into web services differs from that of web applications. Typically tokens are used, and these can have extended lifetimes, meaning you are at greater risk of attack if a token is compromised. When this is paired with the fact that the tokens are typically used by third parties who are not part of your organisation, the risk increases. For usage internal to your organisation, the web service often relies on another authentication provider to generate a token following a successful authentication, and these tokens need to be generated and handled securely.

Avoid Penalties and Fines

Given the exposure of web services to threat actors and the likelihood of vulnerabilities being discovered, the impact of a breach could be severe. This impact would not be solely operational and reputational, as various bodies can issue fines. The UK’s Information Commissioner’s Office (ICO) can issue fines of up to £17.5m or 4% of global annual turnover, whichever is higher.

The Agility Cyber Approach

Like all our engagements, we want you to get the most out of your web services / API security assessment and we do this by:

Business Logic Flaws

Not all vulnerabilities are technical in nature. We strive to find the edge cases that a threat actor mindset can discover that have an impact on the web service, your organisation or a related system.

Multi-Faceted Assessment

We do not just look at the web service itself, as it resides on infrastructure linked to your organisation and the risks need to be viewed in combination rather than in isolation. We check what the infrastructure is exposing, how it has been secured and the underlying components of the web service, such as whether a service descriptor technology is in use, as well as the server technology stack.

Threat Actor Simulation

We do not just run an application vulnerability scanner and report the output. We use prior knowledge and a deep understanding of security concepts to creatively find ways of subverting the security controls in your web service against the objectives that a real-world threat actor would have.

Prioritised and Pragmatic Advice

We report what we find but we do not add issues to make the numbers up. We believe in identifying the patterns that affect your web service and helping you to fix their root cause, ensuring you get a higher return on investment from the assessment and in any remediation effort deployed by your teams.

Empathy with Developers

We know that having something you have put effort into undergo a security review is challenging and we go to great lengths to work alongside your developers and project managers to provide the best help possible, such as providing code snippets that can be used instead of just high level advice.

Benefits of Partnering with Agility Cyber

Mutually Invested

Our experts work with you, not against you. There are no egotistical celebrations when a serious issue is discovered, just rapid full disclosure with pragmatic suggestions for effective remediation followed by ongoing support.

Clarity and Simplicity

We always provide clarity, believe in simplicity and value your time. For example, rather than waiting until the engagement starts, we conduct open source intelligence gathering before the scoping meeting to help us understand your organisation’s position and risk posture, enabling us to ask better questions, securing you higher value and saving you time.

Full Consultancy

Our team, based in the UK, is technically exceptional but we pair that with business sense to discover, triage and help you remediate the full range of security issues.

Impartiality

We are impartial: we do not sell you products or the latest buzzword-laden trending solution.

Outstanding Service

We have an industry leading turnaround, agility is in our name after all. Proposals are shared with you within 24 hours of the scoping meeting. Accurate and complete daily debriefs are given during every engagement. The report is shared within 5 working days at the latest.
