NIST is pleased to announce the public comment release of draft Special Publication (SP) 800-95, Guide to Secure Web Services. SP 800-95 provides detailed information on standards for Web services security. This document explains the security features of Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), the Universal Description, Discovery and Integration (UDDI) protocol, and related open standards in the area of Web services. It also provides specific recommendations to ensure the security of Web services-based applications.
Writing in Network World, M. E. Kabay extracts from the NIST report:
Perimeter-based network security technologies (e.g., firewalls, intrusion detection) are inadequate to protect SOAs [Service Oriented Architectures] … SOAs are dynamic, and can seldom be fully constrained to the physical boundaries of a single network. SOAP … is transmitted over HTTP, which is allowed to flow without restriction through most firewalls. Moreover, TLS [Transport Layer Security], which is used to authenticate and encrypt Web-based messages, is unsuitable for protecting SOAP messages because it is designed to operate between two endpoints. TLS cannot accommodate Web services’ inherent ability to forward messages to multiple other Web services simultaneously.
The NIST document includes a number of recommendations, the five of which Kabay highlights:
- Replicate data and services to improve availability.
- Use logging of transactions to improve accountability.
- Use secure software design and development techniques to prevent vulnerabilities.
- Use performance analysis and simulation techniques for end-to-end quality of service and quality of protection.
- Digitally sign UDDI entries to verify the author of registered entries.
The NIST document definitely warrants consideration for anyone developing Web services.