Web application threats abound. If you use Web services with those applications, then there are other security issues you need
What are those weaknesses and how should you handle them? These articles, tips, books and other resources answer those questions and help you get a grip on how to protect and deploy secure Web services.
If you know of an article, tip, tool or code sample that should be included, send me an email with the information and I'll add it. -- Michelle Davidson, Site Editor.
| Web Services Security Basics | Table of Contents |
- Definition: Web services
- Definition: Web Services Security (WS-S)
- Definition: Web Services Interoperability (WS-I)
- Definition: Security Assertion Markup Language (SAML)
- Definition: Extensible Markup Language (XML)
- Guide: OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services
- Article: Put Web services security on front burner
- Featured Topic: Keeping Web services secure
- Article: Secure Web services a sound business practice
- Expert advice: Why do Web services impact security?
- Expert advice: Why are Web services more vulnerable than Web apps?
- Expert advice: Ajax's effect on Web services security
- Tip: How to overcome Web services security obstacles
- Tip: Securing Web services -- More than just Web application security
- Q&A: The pros and cons of securing Web services with SSL
| Web Services Threats and Vulnerabilities | Table of Contents |
- White Paper: Protecting Against Web Services Threats (PDF)
- White Paper: Anatomy of a Web Services Attack: A Guide to Threats and Preventative Countermeasures
- White Paper: XML Threats and Web Services Vulnerabilities: Understanding Risk and Protection
- Article: Web services pitfalls
- Article: WS-I Security Document Identifies Web Services Threats
- Article: Five things you need to know about Web services threats
- Weblog: Web services threat detection
- Blog: Web service security -- Threats and countermeasures: Part 1
- Blog: Web service security -- Threats and countermeasures: Part 2, Message replay protection
- Blog: Web service security -- Threats and countermeasures: Part 3, Message validation
- Blog: Web service security -- Threats and countermeasures: Part 4, Message protection -- sign and encrypt and encrypt signature
- Article: The Web services threat model
- Tip: Securing services: Locking down your SOA
- Expert advice: What is XPath Injection?
- Article: XML and Web services: Message processing vulnerabilities
| Web Services Security Standards | Table of Contents |
- Standards Organization: OASIS.org
  OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards.
- Article: Standards, tools vital to Web services security
- Library: Web Services Security Specifications Index Page
- Tip: Sorting out the Web services standards bodies
- Article: WS-Security 1.1 approved
- Featured Topic: Fast facts: WS-Security
- Article: A developer's roadmap to using WS-Security
- Expert Advice: What security concerns does WS-Security address?
- Expert advice: When to use WS-Security and SSL
- Expert Advice: Are SAML and WS-Security competitive specifications for Web services security?
- Tip: An inside look at federated identity, part one
- Tip: An inside look at federated identity, part two
- Article: Microsoft opts for WS-Federation over SAML
| SAML | Table of Contents |
- Article: SAML declares victory, closes in on a billion IDs
- Article: SAML demystified
- Tip: What's new with SAML?
- Tip: SAML 2.0 means business benefits
- Tip: SAML 2.0: The Holy Grail of identity management, part 1
- Expert Advice: Are SAML and WS-Security competitive specifications for Web services security?
- Webcast: Leveraging the Power of SAML
| Java and Web Services | Table of Contents |
- Web Site: Java Technology and Web Services
- Article: Web services security for Java
- Article: Web services security, Part 1
- Article: Web services security, Part 2
- Article: Web services security, Part 3
- Article: Web services security, Part 4
- Book: Java Web Services
- Article: Secure Web services
- Presentation: Securing your enterprise: Web application and Web services security (PDF)
- Article: Yes, you can secure your Web services documents, Part 1
- Article: Yes, you can secure your Web services documents, Part 2
- Tech Talk: Ted Neward on Web services and security
| .NET and Web Services | Table of Contents |
- Tip: ASP.NET authentication: Three new options for Web services
- Article: Building a universal Web services ID
- News: WS-Security Interop using WSE 2.0 and Sun JWSDP 1.5
- News: Role-based security with WSE 2.0
- News: Why WSE?
- News: MSDN TV: Indigo security in a nutshell (Interview)
- Article: A developer's roadmap to using WS-Security
- Blog: Certificate validation callbacks in Indigo
- Presentation: Attacking Web services: The next generation of vulnerable enterprise apps (PDF)
| Securing XML | Table of Contents |
- Learning guide: XML Security Learning Guide
- Expert advice: Distinguishing a faked XMLHTTP request from a real one
- Expert advice: How to protect against an XML bomb
- Tip: An emerging XML Web services security infrastructure
- Tip: XML-based attacks and how to guard against them
- Tip: An inside look at XML encryption
- Webcast: What's next for XML Web services security
| Web Services Security Tools | Table of Contents |
- Article: Standards, tools vital to Web services security
- Tip: Web services security vendors focus on access control, XML firewalls
- Tip: Securing Web services: A job for the XML firewall
- Product reviews: XML Gateways
- Blog: TrustedWebServices.org -- A collection of services and source code based on Safelayer's TrustedX WS technology
Tool Web sites
- From BEA Systems
- From DataPower
- From Forum Systems
- XWall Web Services Firewall
- Forum XRay Web Services Diagnostics
- Forum Sentry
- Forum Vulcon Web Service Vulnerability Containment
- Forum Presidio
- From Layer 7 Technologies
- From Parasoft
- From Ping Identity Corp.
- From Reactivity
- From RSA Security
- From Sarvega
- From SOA Software
- From Teros
- From Vordel
| Other Useful Resources | Table of Contents |
| Expert advice on Web services security: Do you have a question about Web services security that you're having trouble getting answered? Web services security expert Rami Jaamour can help. Read advice he has given or submit your own questions. |
- Workshop: Developing Secure Java Web Services
- Web site: Web services security articles, advice, tips and Web links from SearchAppSecurity.com
- Web Site: SearchWebServices.com
- Web Site: SOA Pipeline
- Web Site: Developer.com Web services articles
- Book: Web Services Security
- Magazine: XML & Web Services Magazine
- Magazine: SOA Web Services Journal
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send SearchAppSecurity.com site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.
This was first published in May 2006
