WS-I: Best Security Practices for Web Services

SAN FRANCISCO — The Web Services Interoperability Organization (WS-I) released its first Security Scenarios Working Group Draft for public review today.

The draft document identifies security challenges and threats to security with Web services and outlines best practices for dealing with them.

Enterprises building Web services must ensure data integrity, data confidentiality and message uniqueness (so that a captured message cannot simply be replayed) while dealing with threats like falsified messages and denial of service attacks, according to the draft.

The paper recommends ways technologies such as HTTPS and SOAP Message Security 1.0 can be used to counter the threats. The document includes scenarios describing how such technologies can be used with Web services Message Exchange Patterns.
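The draft only names the goals and the technologies; as an added illustration (not code from the WS-I draft, the article, or any vendor quoted here), the following Python sender/receiver pair shows what integrity, authenticity and message uniqueness look like on the wire for a SOAP message, and how a receiver rejects falsified, stale and replayed messages. It follows the WS-Security header layout (wsse:Security, wsu:Timestamp, a Nonce) but, as an assumption made to keep it self-contained, uses a shared-key HMAC over a canonical string in a made-up MessageAuthCode element where SOAP Message Security 1.0 would carry an XML Signature; it is not interoperable with real WS-Security stacks. Confidentiality is left to HTTPS and is not shown. The sample request body, keys and clock values are constructed for the example.

```python
"""Added example: protecting a SOAP message for integrity, authenticity and
uniqueness, and rejecting falsified, stale and replayed messages.
ASSUMPTIONS: HMAC-SHA256 over a newline-joined canonical string stands in for
XML Signature/c14n; <MessageAuthCode> is a made-up element standing in for
ds:Signature. Not interoperable with real WS-Security implementations."""
import base64, binascii, calendar, hashlib, hmac, os, time
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

MAX_SKEW = 300          # seconds a Created timestamp may differ from the receiver clock
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _mac(key: bytes, body_elem: ET.Element, created_s: str, nonce_b64: str) -> bytes:
    # Assumed canonical form: re-serialised Body child + Created + Nonce, newline-joined.
    canon_body = ET.tostring(body_elem, encoding="unicode").strip()
    data = "\n".join([canon_body, created_s, nonce_b64]).encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def build_envelope(body_xml: str, key: bytes, created: Optional[float] = None) -> str:
    """Sender side: wrap body_xml in a SOAP Envelope with a protected Security header."""
    body_elem = ET.fromstring(body_xml)
    created_s = time.strftime(TS_FMT, time.gmtime(time.time() if created is None else created))
    nonce_b64 = base64.b64encode(os.urandom(16)).decode()   # fresh per message
    mac_b64 = base64.b64encode(_mac(key, body_elem, created_s, nonce_b64)).decode()

    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created_s
    ET.SubElement(sec, f"{{{WSSE}}}Nonce").text = nonce_b64
    ET.SubElement(sec, "MessageAuthCode").text = mac_b64     # stand-in for ds:Signature
    ET.SubElement(env, f"{{{SOAP}}}Body").append(body_elem)
    return ET.tostring(env, encoding="unicode")


class Receiver:
    """Receiver side: verify MAC first, then freshness, then nonce uniqueness."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now              # injectable clock so tests are deterministic
        self.seen = {}              # nonce -> created epoch seconds

    def verify(self, envelope_xml: str) -> Tuple[bool, str]:
        try:
            env = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return False, "malformed XML"
        sec = env.find("soap:Header/wsse:Security", NS)
        body_elem = env.find("soap:Body/*", NS)
        if sec is None or body_elem is None:
            return False, "missing Security header or Body"
        created_s = sec.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
        nonce_b64 = sec.findtext("wsse:Nonce", namespaces=NS)
        mac_b64 = sec.findtext("MessageAuthCode")
        if not (created_s and nonce_b64 and mac_b64):
            return False, "incomplete Security header"
        # 1. Integrity/authenticity: check the MAC before trusting any header field,
        #    so a forger cannot poison the nonce cache or exploit the time checks.
        try:
            given = base64.b64decode(mac_b64, validate=True)
        except binascii.Error:
            return False, "bad signature"
        if not hmac.compare_digest(given, _mac(self.key, body_elem, created_s, nonce_b64)):
            return False, "bad signature"
        # 2. Freshness: bound how long a captured message stays valid.
        try:
            created = calendar.timegm(time.strptime(created_s, TS_FMT))
        except ValueError:
            return False, "bad timestamp"
        now = self.now()
        if abs(now - created) > MAX_SKEW:
            return False, "stale timestamp"
        # 3. Uniqueness: a nonce may be accepted once within the freshness window;
        #    entries are kept for twice the window so the cache stays bounded.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= 2 * MAX_SKEW}
        if nonce_b64 in self.seen:
            return False, "replay"
        self.seen[nonce_b64] = created
        return True, "ok"


if __name__ == "__main__":
    key = b"shared-secret-for-demo"                       # constructed
    rx = Receiver(key, now=lambda: 1700000000.0)
    msg = build_envelope("<GetBalance><Account>1234</Account></GetBalance>", key, created=1699999990.0)
    print(rx.verify(msg))                                  # accepted
    print(rx.verify(msg))                                  # same nonce again: replay
    print(rx.verify(msg.replace("<Account>1234</Account>", "<Account>9999</Account>")))
```

The order of the three checks is the point of the example: verifying the MAC first means an attacker who cannot forge messages also cannot fill the nonce cache or probe the clock checks, the timestamp bounds how long a stolen message is worth anything, and the nonce cache only has to remember messages inside that window.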

The WS-I, formed two years ago, is sort of a clean-up batter for other standards organizations. Its charter includes a mandate to take Web standards defined by other organizations and narrow them down to a set of choices that will provide the least likelihood of interoperability problems, said Rich Salz, chief security architect for DataPower and a member of the Basic Security Profile Working Group. “We cherry-pick the best parts of other technologies,” he said.

Hal Lockhart, senior engineering technologist principal for BEA Systems, called the WS-I approach a pragmatic one. “The idea is to profile how to properly use those standards to achieve what people want to do,” he added.

“We’re trying to take basic profiles like SOAP (simple object access protocol) and make sure you can at least protect the messages,” said committee member Eve Maler, standards architect for Sun Microsystems.

She said the working group is focused tightly on signing and encrypting messages, on making sure the channels through which they flow are also protected, and on tasks that can be accomplished in a reasonable timeframe.

While the Organization for the Advancement of Structured Information Standards (OASIS) defines standards for a broad range of situations, said BEA’s Lockhart, the WS-I tries to respond to immediate needs of its members.

Today’s draft release is an important step, he added. “The WS-I has taken the time to identify the major categories of threats, challenges and mechanisms. This activity will form the basis for the problems that the security profile will solve.” The idea is to determine which are the sensible combinations of technology and mechanisms and how they can best be combined.

While the working group takes feedback on the document, which is posted on the WS-I Web site, the committee will work on developing the Basic Security Profile, which governs interoperability for Web services using a variety of security methods, including SOAP messaging security and the OASIS Web Services Security 1.0 spec.

Ray Wagner, research director for information security strategies for tech research company Gartner, said his firm’s advice to clients is to understand all the standards.

“But the best way to do that is to at least start with the WS-I basic security profile. They give you something to actually measure against.”
