NIST offers secure Web services tips
- By William Jackson
- Sep 06, 2006
The National Institute of Standards and Technology has released for comment a draft of Guide to Secure Web Services.
NIST Special Publication 800-95
addresses security needs for networks in which automated Web services are being deployed in service-oriented architectures. Service-oriented computing uses protocols such as Extensible Markup Language and Simple Object Access Protocol to automatically access collections of software services.
As the publication points out, "many features that make Web services attractive ? are at odds with traditional security models and controls."
These features, including automatic access, dynamic application-to-application connections and the use of HTTP, mean that traffic passes through traditional perimeter defenses such as firewalls and intrusion detection systems without controls. Ensuring confidentiality, integrity and availability of Web services is a work in progress, with several standards organizations developing standards and practices.
NIST recommends a number of security measures for protecting Web services and the infrastructure they reside on, including:
- Using XML encryption to ensure confidentiality.
- Using XML signatures to ensure integrity.
- Using Security Assertion Markup Language and Extensible Access Control Markup Language for authentication and authorization.
- Using XML Key Management Services for public-key infrastructure.
- Using Web Services Security for end-to-end SOAP messaging security.
- Securing Universal Description, Discovery and Integration protocol entries by requiring authentication access.
A number of unmet security needs remain, including nonrepudiation for transactions, securing credentials, use of covert channels to access services, use of SOAP to distribute malicious code, denial-of-service attacks and poor design.
"To adequately support the needs of the Web Services based applications, effective risk management and appropriate deployment of alternate countermeasures are essential," the guide concludes. "Defense in depth through security engineering, secure software development and risk management can provide much of the robustness and reliability required by these applications."
Comments should be submitted by Oct. 30 to firstname.lastname@example.org
. Include "comments SP800-95" in the subject line.William Jackson is a staff writer for
Washington Technology's sister publication, Government Computer News
William Jackson is a Maryland-based freelance writer.