Web Service Security Cheat Sheet by Husell

This is for data at rest. Integrity of data in transit can easily be provided by TLS.
When using public key crypto­graphy, encryption does guarantee confid­ent­iality but it does not guarantee integrity since the receiver’s public key is public. For the same reason, encryption does not ensure the identity of the sender.
Rule: For XML data, use XML digital signatures to provide message integrity using the sender’s private key. This signature can be validated by the recipient using the sender’s digital certif­icate (public key).

Rule: TLS must be used to authen­ticate the service provider to the service consumer. The service consumer should verify the server certif­icate is issued by a trusted provider, is not expired, is not revoked, matches the domain name of the service, and that the server has proven that it has the private key associated with the public key certif­icate (by properly signing something or succes­sfully decrypting something encrypted with the associated public key).

Transport confid­ent­iality protects against eavesd­ropping and man-in­-th­e-m­iddle attacks against web service commun­ica­tions to/from the server.
Rule: All commun­ication with and between web services containing sensitive features, an authen­ticated session, or transfer of sensitive data must be encrypted using well configured TLS. This is recomm­ended even if the messages themselves are encrypted because TLS provides numerous benefits beyond traffic confid­ent­iality including integrity protec­tion, replay defenses, and server authen­tic­ation. For more inform­ation on how to do this properly see the Transport Layer Protection Cheat Sheet.

This is for data at rest. Integrity of data in transit can easily be provided by TLS.
When using public key crypto­graphy, encryption does guarantee confid­ent­iality but it does not guarantee integrity since the receiver’s public key is public. For the same reason, encryption does not ensure the identity of the sender.
Rule: For XML data, use XML digital signatures to provide message integrity using the sender’s private key. This signature can be validated by the recipient using the sender’s digital certif­icate (public key).

User authen­tic­ation verifies the identity of the user or the system trying to connect to the service. Such authen­tic­ation is usually a function of the container of the web service.
Rule: If used, Basic Authen­tic­ation must be conducted over TLS, but Basic Authen­tic­ation is not recomm­ended.
Rule: Client Certif­icate Authen­tic­ation using TLS is a strong form of authen­tic­ation that is recomm­ended.

SOAP encoding styles are meant to move data between software objects into XML format and back again.
Rule: Enforce the same encoding style between the client and the server.