'''This is a dual purpose page, covering the standard by the name of WS-Security, as well as security concerns for WebServices.''' ---- WebServicesSecurity (WS-Security) has been evolving for a few years and was adopted in Apr2004. See http://www.thestandard.com/article.php?story=20040409040946753 * in an interview elsewhere, it was acknowledge that the WS-Security standard has been taken on board by most vendors and hardware manufacturers. With this broad based support, there is now an end-to-end programming method. ''But it is still a building block for things to come. (meaning "unfinished")'' * original roadmap for WSS see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp An unsettling remark heard from http://www.computerworld.com/printthis/2004/0,4814,95197,00.html (ref A) * "XML standards are being constructed in bits and pieces, and that's the kind of event that leads to holes that someone didn't think about," See a 4 part article at OReilly site starting with http://webservices.xml.com/lpt/a/ws/2003/03/04/security.html WebServicesSecurity (WS-Security) is a higher level ExtensibleMarkupLanguage stack, and it will break if lower level protocols such as SimpleObjectAccessProtocol uses extensions that do not conform to requirements of ExtensibleMarkupLanguage (e.g. when DirectInternetMessageEncapulation is used for opaque data transmission). See a Apr03 writeup of a 2002 consultancy performed by IBM at http://www-128.ibm.com/developerworks/webservices/library/ws-security.html * in 2002 the WS-Security standard has yet to be ratified, but the example showed how other security technologies could be deployed in conjunction with the evolving WS-Security standard. ---- '''Security concerns for WebServices''' For SoapToolkit v2, Microsoft has an article on security at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsoap/html/soapsecurity.asp Another MS article on SOAP security at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service11212001.asp '''Standardization efforts''' ''Big guns back web services standards '' In Jul05 Oracle joined MS and IBM to back the WS-Trust, WS-SecureConversation, and WS-SecurityPolicy trough the OasisOrganization. However WebServicesFederation is not included in this arrangement. See http://www.vnunet.com/articles/print/2140082 "This is too bad. See below" * After WebServicesSecurity, MS and IBM had planned for two more set of higher level XmlSecurity stacks, the first set being WS-Policy, WS-Trust and WS-Privacy * The first set deal with "(ensuring) information has been certified or that it is understood how the information can be shared with others." * The second group includes WS-SecureConversation, see more at that page. ''Sorting out WebServicesSecurity standards'' Feb05 survey at http://www.computerworld.com/securitytopics/security/story/0,10801,99432,00.html OASIS, in Aug04, approved draft for review of SecurityAssertionMarkupLanguage (SAML), which is a protocol to be used by another OASIS offering, WebServicesSecurity. See http://www.xmlmania.com/news_article_1451-OASIS-Security-Services-TC-Releases-Approved-SAML-2.0-Committee-Drafts-for-Review.php '''Implementation aspects''' In Ref A above, one company uses two-way SecureSocketsLayer connections, and another uses XML security gateways for multiple partners ---- '''Advice from ''Experts'' ''' Develop safeguards against three common attack paths * SQL (SqlStringsAndSecurity) * Directory traversal * URL strings See ref at http://www.idevnews.com/TipsTricks.asp?ID=124 ---- '''Microsoft related material''' MicrosoftChannelNine has a security checklist at http://channel9.msdn.com/wiki/default.aspx/Channel9.WebServicesSecurityChecklist. * It appear to be word for word from a MS web page listed there ---- '''Resources''' ''No clear winner in .NET/J2EE security race'' * (2003 article) As far as InformationSecurity is concerned, DotNet and JavaTwoEnterpriseEdition platforms both "improving". See http://searchwebservices.techtarget.com/tip/1,289483,sid26_gci875342,00.html ''In a Lather About Security '' at http://www.xml.com/pub/a/2002/02/27/security-lather.html * (2002 article) discusses security for WebServices using major alternatives such as Soap, XmpRPC, etc. Mid 2005 search did not come up with a better alternative that is not tied to a single implemenation scheme. Anyone got better link? -- dl ''Webcast by BEA's Hal Lockhart on WebServicesInteroperabilityOrganization contribution to WebServicesSecurityProfile'' at http://education.sys-con.com/read/80876.htm * no slides from presentation available :( ---- Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police. -- Eugene Spafford ''That's great stuff. Looking for you to further enhance your analogy later. More seriously, can you create a HomePage here so I can beg and nag you for comments on SecurityForTheInsecureAndUnsure My Yahoomail account is dl UNDERSCORE australia and I hope to hear from you. Cheers from David '' -- dl DeleteWhenRead ---- '''Related pages''' XmlKeyManagementSpecification ---- CategoryWebServices CategorySecurity CategorySoa