How to make Web services secure

Web application threats abound. If you use Web services with those applications, then there are other security issues you need to be aware of. In fact, some say Web services, if not secured properly, can pose security threats that extend beyond those of traditional Web applications. Those weaknesses, they say, result from some Web services' greatest strengths.

What are those weaknesses and how should you handle them? These articles, tips, books and other resources answer those questions and help you get a grip on how to protect and deploy secure Web services.

If you know of an article, tip, tool or code sample that should be included, send me an email with the information and I'll add it. -- Michelle Davidson, Site Editor.

TABLE OF CONTENTS
  [IMAGE] Web Services Security Basics
  [IMAGE] Web Services Threats and Vulnerabilities
  [IMAGE] Web Services Security Standards
  [IMAGE] SAML
  [IMAGE] Java and Web Services
  [IMAGE] .NET and Web Services
  [IMAGE] Securing XML
  [IMAGE] Web Services Security Tools
  [IMAGE] Other Useful Resources

• Definition: Web services
• Definition: Web Services Security (WS-S)
• Definition: Web Services Interoperability (WS-I)
• Definition: Security Assertion Markup Language (SAML)
• Definition: Extensible Markup Language (XML)
• Guide: OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services
• Article: Put Web services security on front burner
• Featured ...
  
  To continue reading for free, register below or login

  Requires Membership to View

  To gain access to this and all member only content, please provide the following information:

  Email Address:
  
  
  

  By joining SearchCIO-Midmarket.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  To read more you must become a member of SearchCIO-Midmarket.com

  As an existing member of the TechTarget network please activate your SearchCIO-Midmarket.com account 

  By joining SearchCIO-Midmarket.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  
  
  

  Digg This!     StumbleUpon     Del.icio.us

  
  
  
  

  RELATED CONTENT Data centers and infrastructure for the midmarket 10 tips for renegotiating your virtualization licensing contracts Management tools for virtualized servers: A look at the options Virtual server management vs. physical servers: What's the difference? Virtualization technology use spreading into desktops and storage Laying the groundwork for cloud computing services adoption in 6 steps Cloud computing tips for getting started with next-gen IT capabilities What do you know about data center outsourcing? Pricing out Windows Server 2008 for virtualization cost efficiency Data center strategy starts with the business Desktop and application virtualization: Lessons learned SOA and Web services for the midmarket Guide to building and managing a business process management strategy Virtualization management strategies ezine for CIOs FAQ: Business process management defined Evaluating a business process management solutions vendor: What to ask Cloud computing tips for getting started with next-gen IT capabilities SOA and Web services: What you need to know Enterprise application integration: Beyond SOA and into the cloud First SOA implementations should focus on business value Use cloud computing to drive IT innovation Google Apps highlights midmarket business benefits Information security management for the midmarket Mobile device management: From business apps to device security Test your knowledge: IT quizzes for midmarket CIOs Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck

  RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

  
  
  Topic: Keeping Web services secure

• Article: Secure Web services a sound business practice
• Expert advice: Why do Web services impact security?
• Expert advice: Why are Web services more vulnerable than Web apps?
• Expert advice: Ajax's effect on Web services security
• Tip: How to overcome Web services security obstacles
• Tip: Securing Web services -- More than just Web application security
• Q&A: The pros and cons of securing Web services with SSL

• White Paper: Protecting Against Web Services Threats (PDF)
• White Paper: Anatomy of a Web Services Attack: A Guide to Threats and Preventative Countermeasures
• White Paper: XML Threats and Web Services Vulnerabilities: Understanding Risk and Protection
• Article: Web services pitfalls
• Article: WS-I Security Document Identifies Web Services Threats
• Article: Five things you need to know about Web services threats
• Weblog: Web services threat detection
• Blog: Web service security -- Threats and countermeasures: Part 1
• Blog: Web service security -- Threats and countermeasures: Part 2, Message replay protection
• Blog: Web service security -- Threats and countermeasures: Part 3, Message validation
• Blog: Web service security -- Threats and countermeasures: Part 4, Message protection -- sign and encrypt and encrypt signature
• Article: The Web services threat model
• Tip: Securing services: Locking down your SOA
• Expert advice: What is XPath Injection?
• Article: XML and Web services: Message processing vulnerabilities

• Standards Organization: OASIS.org
  OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards.
• Article: Standards, tools vital to Web services security
• Library: Web Services Security Specifications Index Page
• Tip: Sorting out the Web services standards bodies
• Article: WS-Security 1.1 approved
• Featured Topic:Fast facts: WS-Security
• Article: A developer's roadmap to using WS-Security
• Expert Advice: What security concerns does WS-Security address?
• Expert advice: When to use WS-Security and SSL
• Expert Advice: Are SAML and WS-Security competitive specifications for Web services security?
• Tip: An inside look at federated identity, part one
• Tip: An inside look at federated identity, part two
• Article: Microsoft opts for WS-Federation over SAML

• Article: SAML declares victory, closes in on a billion IDs
• Article: SAML demystified
• Tip: What's new with SAML?
• Tip: SAML 2.0 means business benefits
• Tip: SAML 2.0: The Holy Grail of identity management, part 1
• Expert Advice: Are SAML and WS-Security competitive specifications for Web services security?
• Webcast: Leveraging the Power of SAML

• Web Site: Java Technology and Web Services
• Article: Web services security for Java
• Article: Web services security, Part 1
• Article: Web services security, Part 2
• Article: Web services security, Part 3
• Article: Web services security, Part 4
• Book: Java Web Services
• Article: Secure Web services
• Presentation: Securing your enterprise: Web application and Web services security (PDF)
• Article: Yes, you can secure your Web services documents, Part 1
• Article: Yes, you can secure your Web services documents, Part 2
• Tech Talk: Ted Neward on Web services and security

• Tip: ASP.NET authentication: Three new options for Web services
• Article: Building a universal Web services ID
• News: WS-Security Interop using WSE 2.0 and Sun JWSDP 1.5
• News: Role-based security with WSE 2.0
• News: Why WSE?
• News: MSDN TV: Indigo security in a nutshell (Interview)
• Article: A developer's roadmap to using WS-Security
• Blog: Certificate validation callbacks in Indigo
• Presentation: Attacking Web services: The next generation of vulnerable enterprise apps (PDF)

• Learning guide: XML Security Learning Guide
• Expert advice: Distinguishing a faked XMLHTTP request from a real one
• Expert advice: How to protect against an XML bomb
• Tip: An emerging XML Web services security infrastructure
• Tip: XML-based attacks and how to guard against them
• Tip: An inside look at XML encryption
• Webcast: What's next for XML Web services security

• Article: Standards, tools vital to Web services security
• Tip: Web services security vendors focus on access control, XML firewalls
• Tip: Securing Web services: A job for the XML firewall
• Product reviews: XML Gateways
• Blog: TrustedWebServices.org -- A collection of services and source code based on Safelayer's TrustedX WS technology

Tool Web sites

• From BEA Systems
  • BEA AquaLogic Enterprise Security
  
  
• From DataPower
  • XS40 XML Security Gateway
  
  
• From Forum Systems
  • XWall Web Services Firewall
  • Forum XRay Web Services Diagnostics
  • Forum Sentry
  • Forum Vulcon Web Service Vulnerability Containment
  • Forum Presidio
  
  
• From Layer 7 Technologies
  • SecureSpan Product Suite
  • SecureSpan Gateway
  • SecureSpan Bridge
  • SecureSpan Manager
  
  
• From Parasoft
  • SOAtest
  
  
• From Ping Identity Corp.
  • PingTrust
  
  
• From Reactivity
  • Reactivity Gateways
  • XML Security Gateways
  
  
• From RSA Security
  • RSA BSAFE Secure-WS
  
  
• From Sarvega
  • Sarvega XML Guardian Security Products
  
  
• From SOA Software
  • XML VPN
  
  
• From Teros
  • Web application firewalls
  
  
• From Vordel
  • VordelSecure XML gateway
  • VordelDirector

• Workshop: Developing Secure Java Web Services
• Web site: Web services security articles, advice, tips and Web links from SearchAppSecurity.com
• Web Site: SearchWebServices.com
• Web Site: SOA Pipeline
• Web Site: Developer.com Web services articles
• Book: Web Services Security
• Magazine: XML & Web Services Magazine
• Magazine: SOA Web Services Journal

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send SearchAppSecurity.com site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.