Tutorial T5 – Web Services Security, Techniques and Challenges

Dr. Anoop Singhal, NIST
Mr. Gunnar Peterson, Arctec Group

Tuesday, December 9th, Full Day

The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP), and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. Web services technology can be implemented in a wide variety of architectures, can co-exist with other technologies and software design approaches, and can be adopted in an evolutionary manner without requiring major transformations to legacy applications and databases.

The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy (lack of human intervention) are at odds with traditional security models and controls. Simply put – when you empower developers, you empower attackers. Difficult issues and unsolved problems exist, such as the following:

  1. Confidentiality and integrity of data transmitted via Web services protocols in service-to-service transactions, including data that transits intermediary (pass-through) services.
  2. Functional integrity of the Web services themselves, requiring both establishment in advance of the trustworthiness of services to be included in service orchestrations or choreographies, and the establishment of trust between services on a per transaction basis.
  3. Availability in the face of denial of service attacks that exploit vulnerabilities unique to Web service technologies, especially targeting core services, such as discovery service, on which other services rely.

Perimeter-based network security technologies (e.g., firewalls, intrusion detection) are inadequate to protect SOAs due to the following reasons:

  • SOAs are dynamic, and can seldom be fully constrained to the physical boundaries of a single network
  • SOAP protocol is transmitted over HTTP, which is allowed to flow without restriction through most firewalls. Moreover, TLS, which is used to authenticate and encrypt Web-based transactions, is not a silver bullet for protecting SOAP messages because it is designed to operate between two endpoints. TLS cannot accommodate Web services' inherent ability to forward messages to multiple other Web services simultaneously.

The SOA processing model requires the ability to secure SOAP messages and XML documents as they are forwarded along potentially long and complex chains of consumer, provider, and intermediary services. The nature of Web services processing makes those services subject to unique attacks, as well as variations on familiar attacks targeting Web servers.

Ensuring the security of Web services involves implementation of new security models based on use of authentication, authorization, confidentiality, and integrity mechanisms. This tutorial will discuss how to implement those security mechanisms in Web services. It also discusses how to make Web services and portal applications robust against the attacks to which they are subject. The following is a summary of some of the topics that will be discussed

  1. WS-Security
  2. XML Security using XML Encryption and XML Signatures
  3. Threats facing Web Services
  4. Policy and Access control using WS-Policy, XACML and SAML
  5. Security Management using WS-Trust
  6. PKI for Web Services using XKMS
  7. Secure Implementation Tools and Techniques
  8. Recommendations for Web Services Security


Participants should be familiar with concepts of network security and Web applications

About the Instructors

Dr. Anoop Singhal is currently a Computer Scientist in the Computer Security Division at NIST. He has several years of Research experience at George Mason University, AT&T Labs and Bell Labs. As a Distinguished Member of Technical Staff at Bell Labs he has led several software projects in the area of Databases, Web Services and Network Management. He is a senior member of IEEE and he has published more than 20 papers in leading conferences and journals. He received his Ph.D. in Computer Science from Ohio State University, Columbus Ohio in 1985. He has given talks on Web Services Security in conferences such as ACSAC 2006 and RSA 2007.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start ups Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He maintains the 1 Raindrop blog with loosely coupled thoughts on software, security and the systems that run on them at http://1raindrop.typepad.com