NIST releases recommendations for securing Web services

The National Institute of Standards and Technology has released for comment a draft of Guide to Secure Web Services.

Special Publication 800-95 addresses security needs for networks in which automated Web services are being deployed in service-oriented architectures. Service-oriented computing uses protocols such as Extensible Markup Language and Simple Object Access Protocol to automatically access collections of software services.

As the publication points out, 'many features that make Web services attractive . . . are at odds with traditional security models and controls.'

These features, including automatic access, dynamic application-to-application connections and the use of HTTP, mean that traffic passes through traditional perimeter defenses such as firewalls and intrusion detection systems without controls. Ensuring confidentiality, integrity and availability of Web services is a work in progress, with several standards organizations developing standards and practices.

NIST recommends a number of security measures for protecting Web services and the infrastructure they reside on, including:

  • Using XML encryption to ensure confidentiality.

  • Using XML signatures to ensure integrity.

  • Using Security Assertion Markup Language and Extensible Access Control Markup Language for authentication and authorization.

  • Using XML Key Management Services for public-key infrastructure.

  • Using Web Services Security for end-to-end SOAP messaging security.

  • Securing Universal Description, Discovery and Integration protocol entries by requiring authentication access.

A number of unmet security needs remain, including nonrepudiation for transactions, securing credentials, use of covert channels to access services, use of SOAP to distribute malicious code, denial-of-service attacks and poor design.

'To adequately support the needs of the Web Services based applications, effective risk management and appropriate deployment of alternate countermeasures are essential,' the guide concludes. 'Defense in depth through security engineering, secure software development and risk management can provide much of the robustness and reliability required by these applications.'

Comments should be submitted by Oct. 30 to [email protected] Include 'comments SP800-95' in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.