

EDS' Next Big Thing Blog: Read and Respond to What the EDS Fellows Say About Technology


Securing Web Services – NIST’s Perspective

by Charlie Bess

Two areas related to web services and service oriented architecture come up as concerns again and again: governance and security. I've written about the governance issue before; on the security side, I recently came across the NIST Guide to Secure Web Services (SP 800-95).

In the introduction it states:

"The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention) are at odds with traditional security models and controls."

If you're architecting solutions around web services, it is worth a review. It assumes a basic understanding of web services, and if nothing else its appendices provide a long list of references, risks and definitions to further your understanding.

Published Thursday, August 30, 2007 3:16 PM


Comments

# Posted by John Fowler Friday, August 31, 2007 8:54 PM

Thanks for the link. That document provides a pretty good overview of the current kinds of attacks web services face (and what developers and administrators need to think about).

I noticed a couple of problems with it, though. (I guess being interested in security makes you notice stuff like this.) One is just a typo: in section A.2.2, they use printf where they should be using sprintf. For the other, they seem a little over-confident in section A.2.5 about symbolic link issues not affecting Windows systems. Sure, Windows doesn't have symbolic links in the same way UNIX/Linux does, but it does have "shortcuts," which can work almost the same way. I just checked, and Windows has no problem with me creating shortcuts to files and directories I don't otherwise have access to. If the underlying file access routines of your web service are "smart" enough to follow shortcuts, they can be exploited exactly the same way they describe using symbolic links.

(Granted, that won't be a problem for most systems offering web services anyway.  I just didn't like the "Hey, you're safe if you run Windows!" assertion.)
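A worked illustration of the link-following problem raised in the comment above, added here as an example; it is not code from the original post, from the commenter, or from the NIST guide. It models the UNIX/Linux symbolic link case on a POSIX system (Windows shortcuts are not modelled). A naive file-serving routine that follows whatever link an attacker plants inside the document root is shown beside a hardened version that canonicalises the path, refuses anything that resolves outside the root, and opens the leaf with O_NOFOLLOW. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Symlink-safe file access for a web service document root (added example).

Layout constructed by demo():
    base/secret.txt          file outside the document root
    base/root/public.txt     legitimate file inside the root
    base/root/evil.txt       symlink -> ../secret.txt, planted by the attacker
"""
import os
import tempfile


def unsafe_read(root: str, requested: str) -> bytes:
    """Naive routine: joins the path and opens whatever is there.

    open() follows symbolic links, so a link planted inside `root` can
    point anywhere the service process may read.
    """
    with open(os.path.join(root, requested), "rb") as fh:
        return fh.read()


def safe_read(root: str, requested: str) -> bytes:
    """Hardened routine.

    1. Canonicalise the root and the requested path with realpath(), which
       resolves every symlink (and any '..' components) along the way.
    2. Require the canonical target to lie inside the canonical root.
    3. Open the canonical target with O_NOFOLLOW so that a link swapped in
       between the check and the open (a TOCTOU race on the final
       component) is refused with ELOOP instead of being followed.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError(f"{requested!r} resolves outside the document root")
    fd = os.open(candidate, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build the constructed layout in a temp dir and exercise both readers."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "root")
        os.mkdir(root)
        with open(os.path.join(root, "public.txt"), "wb") as fh:
            fh.write(b"hello")
        secret = os.path.join(base, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"TOP SECRET")
        # Attacker-controlled link inside the root pointing outside it.
        os.symlink(secret, os.path.join(root, "evil.txt"))

        results = {
            "unsafe_public": unsafe_read(root, "public.txt"),
            "unsafe_evil": unsafe_read(root, "evil.txt"),  # leaks the secret
            "safe_public": safe_read(root, "public.txt"),
        }
        for label, path in (("safe_evil", "evil.txt"),
                            ("safe_traversal", "../secret.txt")):
            try:
                safe_read(root, path)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The realpath check alone is not sufficient: between computing `candidate` and opening it, the attacker can replace the target with a new link, which is why the final `os.open` uses `O_NOFOLLOW`. Deeper directory components are still resolved by the kernel, so on systems that offer it (for example `openat2` with `RESOLVE_BENEATH` on recent Linux), a kernel-enforced containment is the stronger option.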

