NIST issues guide to securing Web services
The National Institute of Standards and Technology has released a 128-page guide to help organizations understand the security challenges of Web services in
NIST Special Publication 800-95, "Guide to Secure Web Services," provides practical guidance on current and emerging standards applicable to Web services in addition to background information on the most common security threats to SOAs based on Web services.
The guidelines are hardware and software independent and do not address perimeter security devices, such as firewalls or access control tools.
Web services based on Extensible Markup Language, Simple Object Access Protocol and related open standards that are deployed in SOAs allow data and applications to interact through dynamic and ad hoc connections without human intervention.
Unfortunately, "the security challenges presented by the Web services approach are formidable and unavoidable," the publication states.
"Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections and relative autonomy, or lack of human intervention, are at odds with traditional security models and controls."
The Web service processing model requires the ability to secure SOAP messages and XML documents as they are forwarded on long and complex chains of consumer, provider and intermediary services.
These problems make the services subject to unique attacks in addition to variations on familiar attacks targeting Web servers.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.