[Owasp-kansascity] Web Service

Fondekar, Kedar Kedar.Fondekar at fishnetsecurity.com
Mon Jan 31 12:32:19 EST 2005


Mike,

When people discuss Web services security, most of the discussion quickly turns to encryption and
authentication. I will make sure my Web service does not expose APIs of any legacy application
designed to run just on a trusted network.

I guess what you are looking for is WS-Security, a widely supported proposal for securing Web
services. It has been accepted by the Organization for the Advancement of Structured Information
Standards (OASIS) as an official standard.

WS-Security describes enhancements to SOAP messaging to provide quality of protection through message
integrity and message confidentiality. As well, this specification defines how to attach and include
security tokens within SOAP messages. It provides a mechanism for specifying binary encoded security
tokens (e.g. X.509 certificates). These mechanisms can be used independently or in combination to
accommodate a wide variety of security models and encryption technologies.

The advantage of creating a new signature standard for Web services is that SSL protects only the
transmission; it doesn't actually protect the data. With XML signatures or SOAP Message Security, the
digital signature remains part of the SOAP message and can be verified again.

As far as support in .Net is concerned:

WSE 2.0 simplifies the development and deployment of secure Web services by enabling developers using
Visual Studio .NET and the .NET Framework to more easily apply security policy, establish long-running
secure conversations, retrieve and validate security tokens and more.

Also, RSA BSAFE(r) Secure-WS is a small, high-performance, commercial, platform-independent
implementation of the WS-Security protocol.
The RSA BSAFE(r) SDKs include interoperable and high-performance implementations of Web services
security standards, including WS-Security and XML DigitalSigning, to enable the creation of secure Web
services and XML messages.

I will also follow the following links...

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

http://msdn.microsoft.com/webservices/building/wse/default.aspx

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp


Hope that helps...


Kedar Fondekar, MS, CCSA
Security Consultant
FishNet Security

Office: 816.421.6611
Direct: 816.701.2068
Cell: 913.980.6028
Toll Free: 888.732.9406
Fax: 816-474-0394

http://www.fishnetsecurity.com

 
 
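The point above that the signature travels inside the SOAP message and can be re-verified after transport, as an added example that is not from this thread or from any of the products named: a simplified Python stand-in that puts a token and an HMAC over the Body into a wsse:Security header in place of a real XML-DSig ds:Signature, with a constructed shared key and token value and no particular SOAP stack assumed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed demo key shared by the two applications; a real deployment
# would use an X.509 certificate and XML-DSig rather than a shared secret.
DEMO_KEY = b"constructed-demo-shared-secret"


def body_digest(body: ET.Element) -> bytes:
    # Simplified canonicalization: serialize the Body subtree byte-for-byte.
    # (WS-Security proper uses Exclusive XML Canonicalization; not done here.)
    return hashlib.sha256(ET.tostring(body, encoding="utf-8")).digest()


def build_signed_envelope(payload_xml: str, key: bytes) -> str:
    """Wrap payload_xml in a SOAP envelope whose wsse:Security header carries
    a token and a signature over the Body, so integrity travels with the message."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(payload_xml))
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = "orderService"  # constructed
    # Stand-in for a ds:Signature element: HMAC over the Body digest.
    sig = ET.SubElement(security, "Signature")
    sig.text = hmac.new(key, body_digest(body), hashlib.sha256).hexdigest()
    return ET.tostring(env, encoding="unicode")


def verify_envelope(envelope_xml: str, key: bytes) -> bool:
    """Re-check the in-message signature; this works at any hop or after the
    message has been stored, which transport-only protection (SSL) cannot give."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{SOAP}}}Body")
    sig = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/Signature")
    if body is None or sig is None or not sig.text:
        return False
    expected = hmac.new(key, body_digest(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text)
```

Any change to the Body after signing, or a verifier holding a different key, makes verify_envelope return False.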

-----Original Message-----
From: Mike.McNeive at bcbsks.com [mailto:Mike.McNeive at bcbsks.com] 
Sent: Friday, January 28, 2005 2:20 PM
To: owasp-kansascity at lists.sourceforge.net
Subject: [Owasp-kansascity] Web Service


I am trying to determine how the security should be set up for a web
service.  A project has been initiated for the creation of a web service
that will be using .NET.  This service will be (for lack of a better word)
anonymous, open for a number of applications to access.  The web service
at first will be the communication between two different applications; one
will be sending an MQ Series message to a database.  What I need guidance with is
how to secure the web service, or whether the applications that use the web
service should be secured.  I would like to have some instruction on how this is
being done at different sites or be guided to some documentation that might
explain this concept.  I am not up-to-date with .NET.  Can this be handled
totally within the .NET framework?


Thanks


