NIST: Special Publication 800-95 - Guide to Secure Web Services

On 29 August 2007 the Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology (NIST) announced the availability on its website of "Special Publication (SP) 800-95, Guide to Secure Web Services" (pdf, 785 K, 128 pp; pdf zip, 548 K, 128 pp). The document describes how to secure the design and development of Service Oriented Architectures (SOA) built on web services. It contains both guidelines and practical examples.

Table of contents of the document

Executive Summary
1. Introduction
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Document Structure
2. Background to Web Services and Their Relationship to Security
2.1 Introducing Web Services
2.1.1 Web Service Discovery
2.1.2 Web Service Messaging
2.1.3 Web Portals
2.1.4 Web Service Roles, Modes, and Properties
2.1.5 Coordination: Orchestration and Choreography
2.2 Elements of Security
2.3 Web Services Security Dimensions
2.3.1 Secure Messaging
2.3.2 Protecting Resources
2.3.3 Negotiation of Contracts
2.3.4 Trust Relationships
2.3.5 Requirements for Secure Software
2.4 Meeting the Requirements for Securing Web Services
2.4.1 Secure Web Service Standards Stack
2.4.2 Relationship of Web Service Security Requirements to Standards
2.5 Core Services
2.6 Threats Facing Web Services
2.7 Common Risks Facing Web Services
2.8 Web Services’ Interfaces with Network/Infrastructure Security Architectures
2.9 Summary
3. Web Service Security Functions and Related Technologies
3.1 Service-to-Service Authentication
3.1.1 Service Chaining
3.1.2 WS-Security for Authentication
3.1.3 Security Concerns of WS-Security
3.2 Identity Management
3.2.1 Identity Management Architectures
3.2.2 Laws of Identity
3.2.3 Identity Management and Web Services
3.3 Establishing Trust between Services
3.3.1 Federation of Trust
3.3.2 Trust Federation Frameworks
3.4 Describing Web Services Policies (WS-Policy)
3.5 Distributed Authorization and Access Management
3.5.1 Authorization Models
3.5.2 Enforcing Least Privilege for Services
3.5.3 SAML
3.5.4 XACML
3.5.5 Role of XML Schema in Implementing Access Control
3.5.6 Use of Specialized Security Metadata for Access Control
3.6 Confidentiality and Integrity of Service to Service Interchanges
3.6.1 Transport Layer Confidentiality and Integrity: HTTPS
3.6.2 XML Confidentiality and Integrity
3.6.3 WS-Security for SOAP Confidentiality and Integrity
3.6.4 Role of XML Gateways in Integrity Protection
3.7 Accountability End-to-End throughout a Service Chain
3.7.1 Audit in the SOA Environment
3.7.2 Non-Repudiation of Web Service Transactions
3.8 Availability of Web Services
3.8.1 Failover
3.8.2 Quality of Service
3.8.3 Reliable Messaging
3.8.4 Handling Service Deadlock
3.8.5 Service Recursion
3.9 Securing the Discovery Service: Secure Interfaces to UDDI and WSDL
3.9.1 UDDI Structure
3.9.2 UDDI Operations
3.9.3 Secure Access to the Registry
3.9.4 Service Inquiry API
3.9.5 Service Publishing API
3.9.6 UDDI and WSDL
3.10 Summary
4. Human User’s Entry Point into the SOA: Web Portals
4.1 Proxy Agents
4.2 Using the Portal to Control User Authorization and Access to Web Services
4.3 Portal Interaction with the SOA’s Discovery Service
4.4 Summary
5. Secure Web Service-Enabling of Legacy Applications
5.1 Legacy Authentication to Web Services
5.2 Authorization and Access Control in Legacy Applications
5.3 Extending Non-Web Applications to Be Able to Participate in SOAs
5.4 Public Key Enabling Concerns Specific to Web Services and SOAs
5.5 Accountability for Legacy Application Transactions
5.6 Database Security Challenges in SOA Environments
5.7 Maintaining Security of Legacy Systems Exposed via Web Services
5.8 Summary
6. Secure Implementation Tools and Technologies
6.1 Web Services Developer Toolkits
6.2 XML Parsers
6.3 Languages for Secure Web Service Development
6.3.1 Procedural Languages
6.3.2 XML
6.4 Security Testing: Tools and Techniques
6.5 Summary
List of Appendices
Appendix A— Common Attacks Against Web Services
Appendix B— ebXML
Appendix C— Glossary
Appendix D— Acronyms and Abbreviations
Appendix E— Print Resources
Appendix F— Online Resources

Related articles

  • Computer Security Resource Center (CSRC)
  • National Institute of Standards and Technology (NIST)
  • Special Publication (SP) 800-95, "Guide to Secure Web Services", pdf, 785 K, 128 pp, pdf zip, 548 K, 128 pp