I am a big fan of checklists in any relatively complex system that has to be delivered under a time crunch. In something like Web Services, the checklist can save your bacon. If you hired me to work on your project, I would use this Web Services Security Checklist to verify standards, mechanisms, and implementation throughout the SDL.
My partner Pat Christiansen likes to say that architecture artifacts are for communication as much as for engineering. A checklist is a simple artifact that helps ensure consistency throughout architecture, threat modeling, security design requirements, and building the security implementation. It is easily understood. The Web Services Security Checklist I use has a list of security architecture concerns, and those are then mapped across each interaction point so you can specify the Service Requester and Service Provider responsibilities at each point in the system. You can also trace the security mechanisms, standards, and implementation across multiple hops - so here is how we authN from browser to web server, here is how we authN from web server to app server, and so on. Hope this is useful on your SOA, REST, or just plain ol' Web Services security projects.
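To show what "concerns mapped across each interaction point, with requester and provider responsibilities at each hop" looks like when it is written down in a form you can actually check, here is an added example (not the author's own checklist, and not code from the original post). It models each hop as a record of per-concern mechanism and responsibilities, flags any concern that is not fully specified on a hop, and traces one concern end to end across hops. The hop names, concerns and mechanisms are constructed illustrations.

```python
"""Added example: a minimal machine-checkable form of a per-hop
web services security checklist. Hop names, concerns and mechanisms
below are constructed illustrations, not the author's checklist."""
from dataclasses import dataclass, field

# Security architecture concerns that must be answered at every interaction point.
CONCERNS = ("authentication", "authorization", "confidentiality", "integrity", "audit")

# Each concern entry on a hop needs all three of these filled in.
REQUIRED_KEYS = ("mechanism", "requester", "provider")


@dataclass
class Hop:
    """One interaction point: Service Requester -> Service Provider."""
    requester: str
    provider: str
    # concern -> {"mechanism": ..., "requester": ..., "provider": ...}
    controls: dict = field(default_factory=dict)

    def name(self) -> str:
        return f"{self.requester} -> {self.provider}"


def find_gaps(hops, concerns=CONCERNS):
    """Return (hop, concern, problem) for every concern that is not fully
    specified on a hop: absent entirely, or missing the mechanism or a
    responsibility on either side. An empty list means the checklist is complete."""
    gaps = []
    for hop in hops:
        for concern in concerns:
            entry = hop.controls.get(concern)
            if entry is None:
                gaps.append((hop.name(), concern, "not specified"))
                continue
            for key in REQUIRED_KEYS:
                if not entry.get(key):
                    gaps.append((hop.name(), concern, f"missing {key}"))
    return gaps


def trace(hops, concern):
    """Trace one concern across all hops: [(hop, mechanism), ...].
    This is the 'here is how we authN from browser to web server, then
    web server to app server' view of the checklist."""
    return [(h.name(), h.controls.get(concern, {}).get("mechanism", "?")) for h in hops]


def _ctl(mechanism, requester, provider):
    return {"mechanism": mechanism, "requester": requester, "provider": provider}


# Constructed sample: two hops. The second hop deliberately leaves
# authorization unspecified and omits the provider side of audit.
SAMPLE_HOPS = [
    Hop("browser", "web server", {
        "authentication": _ctl("forms login over TLS", "present credentials", "validate, issue session cookie"),
        "authorization": _ctl("role check per URL", "send session cookie", "map session to roles, enforce"),
        "confidentiality": _ctl("TLS", "verify server certificate", "serve only over TLS"),
        "integrity": _ctl("TLS", "n/a", "n/a"),
        "audit": _ctl("web server access log", "n/a", "log user id, URL, result"),
    }),
    Hop("web server", "app server", {
        "authentication": _ctl("mutual TLS", "present client certificate", "validate client certificate"),
        "confidentiality": _ctl("TLS", "verify server certificate", "serve only over TLS"),
        "integrity": _ctl("TLS", "n/a", "n/a"),
        "audit": _ctl("app server audit log", "forward caller identity", ""),
    }),
]

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_HOPS):
        print("GAP:", *gap)
    for hop, mech in trace(SAMPLE_HOPS, "authentication"):
        print("authN:", hop, "=>", mech)
```

Running it prints two gaps for the second hop, which is exactly the kind of miss the checklist is there to catch before it turns into an unauthenticated or unaudited back-end call: once every hop has an entry for every concern, `find_gaps` returns an empty list and the trace output is the multi-hop picture the post describes.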