I am doing a public training class on Web Services security in NYC, March 10-11. All the details are here. There are still some slots available. Several people wrote to ask about what tools we use. This is a quick list of some of the technologies I have used in past classes; we may have some additional demos and tools by March, but this list is a pretty good start ;-P
Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and REST
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF
Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a Security Token Service (STS) for Web services
Bandit - CardSpace, authorization, and auditing
Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Rampart
ModSecurity
Testing
Soapbox - web services security testing
WebScarab - web services fuzzing
Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy
This is just a quick list; I may add some new tools before March. If you are using tools of these types in your company, you may find it interesting to attend.
Hi Gunnar
Unfortunately, WebScarab is not really suited for fuzzing Web Services stuff at the moment. It assumes that anything that has a body is formatted using form-urlencoding.
You could possibly script it, but that would be a huge amount of work (basically duplicating the Fuzzer), and is probably not recommended.
Posted by: Rogan Dawes | February 01, 2008 at 01:56 AM
Hi Rogan,
We don't use it for SOAP web services; we use it for REST-style web services which rely on HTTP GET.
Posted by: Gunnar | February 01, 2008 at 07:46 AM
Hi Gunnar:
Great job in putting this training together - it's imperative for SOA professionals to get serious about security early within the development lifecycle.
I would recommend that you look at SOAPSonar from Crosscheck Networks (http://www.crosschecknet.com). SOAPSonar covers comprehensive security testing with standards support such as WS-Trust, SAML, WS-Security, WS-Addressing, etc. It has comprehensive Functional, Performance, Interop and Vulnerability Testing through what they call "XSD Mutation."
You can use a 15-day trial version for free.
Good luck with this class - I will recommend it to my customers/prospects and post it on my blog http://soa-testing.blogspot.com.
Regards,
Mamoon
Posted by: Mamoon Yunus | February 01, 2008 at 08:00 AM
How about talking about use of SAML/XACML as built into BEA container? What about some mention of why WS-Federation is better than SAML?
Posted by: James | February 02, 2008 at 10:27 PM
Hi James,
We look at SAML/XACML in Bandit. I would like to add WS-Federation soon as well...
Posted by: Gunnar | February 02, 2008 at 10:56 PM