NIST Guide to Secure Web Services
The National Institute of Standards and Technology has released a 128-page guide to securing web services. It discusses trust relationships, secure service-to-service exchanges, and threats such as denial-of-service attacks. It also covers current and emerging standards, such as SAML, XACML and WS-Trust.
Trusted Identity for Web Services
Patrick Harding discusses user identity authentication using Security Assertions Markup Language (SAML), Web Services Security (WSS) and Web Services Trust (WS-Trust).
Mark Colan, Jeff Carmichael, Rajiv Gupta, Thor Larholm and Gene Thurston discuss web services security in video interviews and presentations at the SDSIC Web Services conference at the San Diego Supercomputer Center.
A Guide to Building Secure Web Applications
This is a guide developed by the Open Web Application Security Project.
An Overview of Security in the .NET Framework
Dr. Damien Watkins (Project 42), Sebastian Lange (Microsoft)
This white paper describes the .NET role-based security model and its primary abstractions (Principals and Identity). The .NET Framework also provides code access security (evidence-based security).
An Overview of Virus Activity in 2003
This is an informative summary by Kaspersky Labs of viruses, worms and security problems during 2003. It also discusses future concerns such as Trojan programs and retroviruses.
J2EE and Web Services Security
Pankaj Kumar
This is Chapter 11 of J2EE Security for Servlets, EJBs, and Web Services. It discusses security when developing Web services with Java, including servlet security, SSL, Axis, and WSSec-compliant messages.
.NET Security
"What about security?" seems to pop up in almost every conversation about Web services. This article discusses the security architecture of Microsoft's .NET framework.
Oracle SSL Update for CERT CA200326 and older SSL issues
This is an Oracle update about OpenSSL vulnerabilities.
OVAL XML Specification Released
The final draft of the OVAL XML Specification is now available. Mitre is promoting OVAL as a standard for characterizing system vulnerabilities.
Packet Sniffing
Steve Gibson explains network monitoring using a sniffer.
Securing Web Services - Concepts, Standards and Requirements
This Sun Microsystems white paper explains issues related to securing web services from internal and external threats.
Security in a Web Services World: A Proposed Architecture and Roadmap
This white paper presents a proposed web services security architecture from IBM and Microsoft. It layers web services security over SSL and IP security, and uses technologies such as XML encryption, X.509 certificates and Kerberos tickets.

Serious Flaw in Linux
This article describes a vulnerability that gives users unlimited access privileges to a computer running Linux.
SOAP Security Issues
Bruce Schneier discusses the risks of using SOAP, such as passing commands through firewalls.
Strong Names and Security in the .NET Framework
Keith Brown (DevelopMentor)
Strong names are a successor to Windows Globally Unique Identifiers (GUID). To generate unique assembly names, the .NET CLR multiplies two large random prime numbers to produce a 1024-bit RSA public key.
Web Services Security Kerberos Binding
This document describes how to use Kerberos security with web services security specifications. This is a draft document from IBM and Microsoft.
Web Services Policy Framework (WS-Policy)
WS-Policy provides a grammar for expressing properties of entities as policies. A policy is a collection of policy assertions. The WS-Policy specification defines XML-based structures called policy expressions and a core grammar for expressing how policy assertions apply.
Web Services Secure Conversation Language
This WS-SecureConversation specification defines mechanisms for establishing a security context, sharing contexts, and deriving session keys from contexts. The <SecurityContextToken> security token represents a security context and can be embedded in the <Security> header block of a SOAP message header.
Web Services Security (WS-Security)
This document explains key solutions for Web services security.
Web Services Security SOAP Message Security
This document describes SOAP enhancements that provide message integrity, message confidentiality, and single message authentication. WS-Security provides a solution for associating X.509 certificates, Kerberos tickets, and opaque encrypted keys with messages.
WebSphere and J2EE Security
This IBM Red Book is not specifically about Web services, but it discusses security with a leading platform for Web services (IBM WebSphere).
WS-I Security Profile
This is a draft of the Basic Security Profile Security Scenarios from the Web Services Interoperability Organization (WS-I). This document describes Web services security challenges, threats and countermeasures.
XACML 1.0
The OASIS eXtensible Access Control Markup Language (XACML) is an XML vocabulary for expressing authorization policies against objects that are themselves identified in XML.
Decryption Transform for XML Signature
This document by the XML Encryption Working Group suggests a method for verifying digital signatures in encrypted XML documents.
Digital Signatures
Ed Simon, Paul Madsen, Carlisle Adams
This article is an excellent starting point for developers whose applications require secure XML document processing.
Introduction to XML encryption and XML signature
Murdoch Mactaggart
A helpful overview of XML digital signatures, encryption and other XML-related security resources.
XML Key Management Specification (XKMS)
Exchanging human-readable documents presents security challenges. Solutions for secure XML processing include digital signatures and encryption. XKMS defines protocols for public key handling. X-KISS describes a protocol for a trust service. X-KRSS describes a web service protocol for registering public keys.
XML-Digital Signatures (DSIG)
This is an IETF/W3C specification for digitally signing XML documents.
XML Encryption Syntax and Processing
This W3C spec defines a process for encrypting data and producing a result in XML. The data may be an XML element, document or arbitrary data.
CERT
The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
Datapower XS40 XML Security Gateway
This gateway provides a hardware boost for XML and Web services security processing. It can parse, validate schemas, encrypt, decrypt, transform, verify signatures, control access, and sign XML message streams.
IBM XML Security Suite
This is a free IBM tool kit for Windows and Linux platforms. It provides an implementation of XML Encryption, W3C/IETF DSIG, and XML Access Control Language.
Internet Security Systems' Proventia
Intrusion detection appliances that provide unified protocol analysis for 95 different protocols and pattern-matching security algorithms, inspecting both headers and payloads.
Java Web Services Developer Pack
Version 1.3 includes XML and Web Services Security v1.0 EA2.
OASIS Web Services Security Technical Committee
This OASIS TC published several documents related to security: SOAP Message Security, Username Token Profile, X.509 Token Profile. It has also published schema files.
PacketStorm Security
PacketStorm is a web site dedicated to security. It hosts a variety of freely downloadable tools.
PredatorWatch Auditor™
This rack-mountable appliance performs over two thousand vulnerability tests on each IP address.

Security Assertion Markup Language
Download a ZIP archive containing the SAML 1.1 specification. The complete document set includes the assertion schema, protocol schema, bindings and profiles.
XMLSec Library
Version 1.2.2 of the XMLSec Library is available. It includes a fix for a bug related to certificate serial number processing. XMLSec is a C library that supports Canonical XML, XML Signature and XML Encryption.