NIST offers secure Web services tips
The National Institute of Standards and Technology has released for comment a draft of Guide to Secure Web Services.
NIST Special Publication 800-95 addresses security needs for networks in which automated Web services are being deployed in service-oriented architectures. Service-oriented computing uses protocols such as Extensible Markup Language and Simple Object Access Protocol to automatically access collections of software services.
As the publication points out, "many features that make Web services attractive ... are at odds with traditional security models and controls."
These features, including automatic access, dynamic application-to-application connections and the use of HTTP, mean that traffic passes through traditional perimeter defenses such as firewalls and intrusion detection systems without controls. Ensuring confidentiality, integrity and availability of Web services is a work in progress, with several standards organizations developing standards and practices.
NIST recommends a number of security measures for protecting Web services and the infrastructure they reside on, including:
- Using XML encryption to ensure confidentiality.
- Using XML signatures to ensure integrity.
- Using Security Assertion Markup Language and Extensible Access Control Markup Language for authentication and authorization.
- Using XML Key Management Services for public-key infrastructure.
- Using Web Services Security for end-to-end SOAP messaging security.
- Securing Universal Description, Discovery and Integration protocol entries by requiring authenticated access.
800-95comments@nist.gov
William Jackson is a staff writer for sister publication, Government Computer News.