Web Services Security

This is a dual-purpose page, covering the standard named WS-Security as well as security concerns for WebServices in general.


WebServicesSecurity (WS-Security) had been evolving for a few years before OASIS ratified version 1.0 as a standard in Apr2004. See http://www.thestandard.com/article.php?story=20040409040946753

An unsettling remark is reported at http://www.computerworld.com/printthis/2004/0,4814,95197,00.html (ref A). See also a four-part article on the OReilly site, starting with http://webservices.xml.com/lpt/a/ws/2003/03/04/security.html

WebServicesSecurity (WS-Security) sits at a higher level of the ExtensibleMarkupLanguage stack, and it will break if lower-level protocols such as SimpleObjectAccessProtocol use extensions that do not conform to the requirements of ExtensibleMarkupLanguage (e.g. when DirectInternetMessageEncapsulation? is used to carry opaque data). The signatures and encryption WS-Security defines operate on XML elements of the SOAP message, so data carried outside the XML (a DIME attachment) is not covered by them unless a separate attachment profile is used.

See an Apr03 write-up of a 2002 consultancy performed by IBM at http://www-128.ibm.com/developerworks/webservices/library/ws-security.html
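As an added illustration of the message-level mechanism WS-Security defines (this is not code from any of the references or toolkits named on this page), the following Python builds a SOAP 1.1 envelope carrying a wsse:UsernameToken whose password is sent as a PasswordDigest, as specified in the OASIS WS-Security UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce + Created + password), and verifies it on the service side, including the clock-skew and nonce-replay checks the profile relies on. The username, password, credential store and body operation are constructed sample data; the namespace URIs and the digest formula are the ones from the OASIS specifications.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 schemas.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)).
    The nonce is the raw (Base64-decoded) bytes; created and password are the literal strings."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_envelope(username: str, password: str, body_xml: str,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Client side: wrap body_xml in a SOAP 1.1 envelope with a digest UsernameToken."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    created = datetime.now(timezone.utc).strftime(TIME_FMT) if created is None else created
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""


class UsernameTokenVerifier:
    """Service side: check the digest, the freshness of Created, and that the nonce is new."""

    def __init__(self, credentials: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.credentials = credentials      # username -> password (a constructed sample store)
        self.max_skew = max_skew
        self.seen = {}                      # (username, nonce) -> Created; the replay cache

    def verify(self, envelope_xml: str, now: Optional[datetime] = None):
        """Return (accepted, reason)."""
        now = datetime.now(timezone.utc) if now is None else now
        root = ET.fromstring(envelope_xml)
        tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext("wsse:Username", namespaces=NS) or ""
        pw = tok.find("wsse:Password", NS)
        if pw is None or pw.get("Type") != PASSWORD_DIGEST:
            return False, "password is not a PasswordDigest"   # never accept PasswordText here
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if not nonce_b64 or not created:
            return False, "nonce and Created are required for a digest"
        nonce = base64.b64decode(nonce_b64)
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            return False, "Created outside the accepted clock skew"
        self._expire(now)
        if (username, nonce) in self.seen:
            return False, "nonce already used (replay)"
        # Unknown users get a dummy password so the work done is the same either way.
        expected = password_digest(nonce, created, self.credentials.get(username, ""))
        if username not in self.credentials or not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self.seen[(username, nonce)] = created_dt
        return True, "ok"

    def _expire(self, now: datetime) -> None:
        """Drop cache entries older than the skew window; they can no longer pass the time check."""
        for key, created_dt in list(self.seen.items()):
            if now - created_dt > self.max_skew:
                del self.seen[key]


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "correct horse battery staple"})
    msg = build_envelope("alice", "correct horse battery staple",
                         '<GetBalance xmlns="urn:example:bank"><Account>42</Account></GetBalance>')
    print(verifier.verify(msg))   # accepted the first time
    print(verifier.verify(msg))   # rejected as a replay the second time
```

The replay cache only has to remember nonces for as long as the clock-skew window, because anything older is already rejected by the Created check; that is what keeps the cache bounded. A digest token by itself does not protect the body, so in practice it is paired with transport security or with an XML signature over the Body and the token.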


Security concerns for WebServices

For SoapToolkit v2, Microsoft has an article on security at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsoap/html/soapsecurity.asp

Another MS article on SOAP security at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service11212001.asp

Standardization efforts

Big guns back web services standards

In Jul05 Oracle joined MS and IBM in backing WS-Trust, WS-SecureConversation and WS-SecurityPolicy? through the OasisOrganization. However, WebServicesFederation? is not included in this arrangement. See http://www.vnunet.com/articles/print/2140082 "This is too bad. See below"

Sorting out WebServicesSecurity standards Feb05 survey at http://www.computerworld.com/securitytopics/security/story/0,10801,99432,00.html

OASIS, in Aug04, approved for public review the committee drafts of SecurityAssertionMarkupLanguage (SAML) 2.0. SAML defines assertions that another OASIS offering, WebServicesSecurity, can carry as security tokens (the WS-Security SAML Token Profile). See http://www.xmlmania.com/news_article_1451-OASIS-Security-Services-TC-Releases-Approved-SAML-2.0-Committee-Drafts-for-Review.php

Implementation aspects

In Ref A above, one company uses two-way (mutually authenticated) SecureSocketsLayer connections, and another places XML security gateways in front of its services to handle multiple partners.
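To make the gateway approach concrete, here is an added example (not from Ref A and not any product's code) of the kind of policy an XML security gateway enforces at the edge, before a message reaches a back-end service. The partner is identified by the subject of the client certificate it presented on the two-way SSL connection, which is how the two approaches in Ref A combine; the gateway then rejects oversize or DTD-bearing payloads, requires a mustUnderstand WS-Security header, and allows only the operations that partner is entitled to call. The partner DNs, operation names, size cap and sample request are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
MAX_BYTES = 64 * 1024   # assumption: a per-gateway message size cap

# Constructed partner policy. The key is the subject DN of the client certificate
# the partner presented on its two-way SSL connection; the value is the set of
# body operations (namespace-qualified) that partner is allowed to invoke.
PARTNER_POLICY = {
    "CN=partner-a.example": {"{urn:example:orders}SubmitOrder"},
    "CN=partner-b.example": {"{urn:example:orders}QueryOrder"},
}


def gateway_check(client_dn, raw):
    """Edge checks run before the message is handed to any back-end service.
    Returns (allowed, reason)."""
    policy = PARTNER_POLICY.get(client_dn)
    if policy is None:
        return False, "unknown partner certificate"
    if len(raw) > MAX_BYTES:
        return False, "message too large"
    # A SOAP message never needs a DTD. Refusing any DOCTYPE up front keeps
    # entity-expansion and external-entity tricks away from back-end parsers
    # whose configuration the gateway does not control. (A literal "<!DOCTYPE"
    # cannot occur in well-formed element text, only in a DTD or CDATA section.)
    if b"<!DOCTYPE" in raw:
        return False, "DOCTYPE not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SOAP}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None or sec.get(f"{{{SOAP}}}mustUnderstand") != "1":
        return False, "WS-Security header missing or not mustUnderstand"
    body = root.find(f"{{{SOAP}}}Body")
    ops = list(body) if body is not None else []
    if len(ops) != 1:
        return False, "body must carry exactly one operation element"
    if ops[0].tag not in policy:
        return False, f"operation {ops[0].tag} not permitted for {client_dn}"
    return True, "ok"


# Constructed sample request as partner A would send it.
SAMPLE_REQUEST = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soap:mustUnderstand="1"/>
  </soap:Header>
  <soap:Body><SubmitOrder xmlns="urn:example:orders"><Sku>1234</Sku></SubmitOrder></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(gateway_check("CN=partner-a.example", SAMPLE_REQUEST))   # allowed
    print(gateway_check("CN=partner-b.example", SAMPLE_REQUEST))   # partner B may not SubmitOrder
```

The gateway deliberately checks the cheap things (partner identity, size, DOCTYPE) before it parses anything, so a hostile payload is dropped before it can cost the parser any work; the token verification itself belongs to the next stage, after these checks pass.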


Advice from Experts

Develop safeguards against three common attack paths

See the reference at http://www.idevnews.com/TipsTricks.asp?ID=124


Microsoft related material

MicrosoftChannelNine has a security checklist at http://channel9.msdn.com/wiki/default.aspx/Channel9.WebServicesSecurityChecklist.


Resources

No clear winner in .NET/J2EE security race

In a Lather About Security at http://www.xml.com/pub/a/2002/02/27/security-lather.html

Webcast by BEA's Hal Lockhart on the WebServicesInteroperabilityOrganization contribution to WebServicesSecurityProfile at http://education.sys-con.com/read/80876.htm


 Secure web servers are the equivalent of heavy armored cars.
 The problem is, they are being used to transfer rolls of coins
 and checks written in crayon by people on park benches to merchants
 doing business in cardboard boxes from beneath highway bridges.
 Further, the roads are subject to random detours, anyone with a
 screwdriver can control the traffic lights, and there are no police.
                               -- Eugene Spafford

That's great stuff. Looking for you to further enhance your analogy later. More seriously, can you create a HomePage here so I can beg and nag you for comments on SecurityForTheInsecureAndUnsure? My Yahoomail account is dl UNDERSCORE australia and I hope to hear from you. Cheers from David -- dl DeleteWhenRead


Related pages

XmlKeyManagementSpecification


CategoryWebServices CategorySecurity CategorySoa


Last edited November 3, 2005