I am starting a series of entries that aim to provide an overview of the major threats related to web service security. My goal is not only to inform people of what some of the major threats are, but also to stimulate discussion and pointers to other threats that people consider interesting.

Before I start, I have created this introductory section to ensure there is a common understanding of terminology like threats and vulnerabilities. For a detailed description take a look at JD Meier's blog (http://blogs.msdn.com/jmeier/archive/2005/10/10/478999.aspx), but in short I will standardize on the following definitions:

  • Threat - An undesired event. E.g. data tampering
  • Vulnerability - A weakness that can allow a threat to be realized. E.g. unsigned messages on an insecure transport
  • Attack - The way the weakness is taken advantage of. E.g. compromising an intermediary or device over which the message flows
  • Countermeasure - The way the threat is protected against. E.g. XML signature

Over the next couple of weeks I will pull together the different threats and then roll them out onto the https://www.threatsandcountermeasures.com/ wiki, so please post comments on my entries and definitely point to additional threats that you think should be considered.