A new paper I co-authored with Howard Lipson at CERT is online: "Security Concepts, Challenges, and Design Considerations for Web Services Integration". It is part of the DHS Build Security In site, which describes best practices for development staff who want to actually build security services into the software they are developing. The paper is really two papers in one: the first part covers web services and their impact on security concepts, the second part deals with message-level security (WS-Security, WS-Trust, WS-SecureConversation) to enable an end-to-end security model for an integrated system, and the last part covers design considerations for security in Web Services.
For sure the most fun was collaborating with Howard Lipson, Patrick Harding, Tony Nadalin, Gary McGraw, Eric Newcomer, Brian Roddy, Andy Gordon, Pat Christiansen, Mark O'Neill, Pamela Curtis, Nancy Mead, Bob Ellison, and others. We got really helpful feedback and worked hard to incorporate it all into the paper.
Good work, dude. Keep it up - the sooner we have some good guidance on how to use WS-* properly, the better.
thanks,
Andrew
Posted by: Andrew van der Stock | December 21, 2006 at 10:31 AM
Hi there,
good article.
Is there a PDF version available? I would like to have a hardcopy.
Thank you.
BR,
~A
Posted by: anjan bacchu | December 21, 2006 at 12:12 PM
I think your concept of firewalls needs some updating. There are firewall products that are application aware and deal with the OWASP top 10, specifically input validation, where the vast majority of attacks occur. Usurpation such as cross-site scripting, injection attacks, and even buffer overflows can be dealt with by certain firewall vendors. This notion of firewalls performing simply at layer three and four is outdated. A combination of secure coding practices and using application aware firewalls would be the best approach.
Posted by: Someguy | January 03, 2007 at 03:29 PM
Someguy: the paper is on Web services, not web apps per se, so while OWASP top ten-style attacks have some relevancy, what we are really looking at is XML. The vast majority of network firewalls have little to no ability to deal with XML in the request body.
More to the point, Web services need an end-to-end security model, which network firewalls are unable to provide.
This is not to say that network firewalls don't have a role, or that Web App Firewalls and other technologies are not an important part of the security architecture. Firewalls of all sorts continue to evolve, and some even get more effective. It remains a confusing marketplace. The Web App Firewall Evaluation Criteria is a very helpful tool to help sort out some of the main issues:
http://www.webappsec.org/projects/wafec/
Unfortunately, many organizations try to use the firewall for things it was never designed for.
Posted by: Gunnar | January 03, 2007 at 03:52 PM