SOA Security, Best Practices and Tools - overview
Overview
Service Oriented Architectures involve the deployment of systems distributed across multiple heterogeneous platforms. Each SOAP component must be configured securely, and each composed application must also be secured as a whole. The SOA Security, Best Practices and Tools Project has been actively involved in the definition of Web Services Security through participation in the OASIS Web Services Security Technical Committee, the OASIS Web Services Secure Exchange Technical Committee and the WS-I Basic Security Profile Working Group. The project is now starting development of security analysis tools to help practitioners deploy applications securely, based on best practices for SOA security.
The complexity involved in deploying secure SOA systems is difficult to manage. Application- and platform-specific security analysis must be performed with great attention to detail. Aspects of the overall security configuration are buried in many corners of each platform and component. Examining every configuration option to ensure the security of the overall system is a time-consuming and error-prone process, and it requires expertise in each deployment platform and application domain.
Currently the SOA Security, Best Practices and Tools Project is building tools that check the security configuration of each system component and platform against a set of best practices that we are developing concurrently with the tools. The tools enable security analysts to concentrate on application-specific security concerns. Eventually we hope to provide tests for many commonly used execution platforms and component solution patterns. We are working with IBM Global Services and customers to determine priorities for implementation of the tools. We intend to place useful tools into the hands of practitioners as soon as possible and to enhance them over time to cover a broader array of potential security configurations. We expect that these tools will improve the quality of SOA security analysis and enhance the productivity of SOA security practitioners.
Some publications
Michael McIntosh, Paula Austel. Web services: XML signature element wrapping attacks and countermeasures. Proceedings of the 2005 Workshop on Secure Web Services, pp. 20-27. ACM Workshop on Secure Web Services, co-located with the ACM Conference on Computer and Communications Security 2005. (pdf)

Hyen V. Chung, Michael McIntosh, Paula K. Austel, Masayoshi Teraguchi. Web services security: Sign and encrypt any element in a SOAP message. IBM developerWorks. (html)