OASIS eXtensible Access Control Markup Language (XACML) TC

NIST: Guide to Secure Web Services

    Posted 09-18-2007 19:03
    This August the National Institute for Standards and Technology of the
    US Federal Government (NIST) published a document entitled: Guide to
    Secure Web Services available here:
    http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf.
    
    Its purpose and scope are stated in the introduction.
    
    "This publication seeks to assist organizations in understanding the
    challenges in integrating information security practices into SOA design
    and development based on Web services. This publication also provides
    practical, real-world guidance on current and emerging standards
    applicable to Web services, as well as background information on the
    most common security threats to SOAs based on Web services."
    
    Although NIST is a US Federal Agency, the document says:
    
    "This guideline has been prepared for use by Federal agencies. It may be
    used by nongovernmental organizations on a voluntary basis and is not
    subject to copyright. Attribution is desired and requested."
    
    Historically, NIST publications have had an impact which is much wider
    than the US Government, so I believe this document is of interest to
    everyone.
    
    My reaction to this document is mixed. On one hand, it provides an
    excellent overview of the Requirements, Standards and implementation
    issues relating to securing web services. On the other hand, reading
    quickly through the document I noticed numerous factual errors. There
    are also statements in the document which appear to have been written
    six months to a year ago.
    
    I am not talking about points of interpretation or emphasis upon which
    reasonable people might differ. I am talking about out-and-out factual
    errors such as: XML Signature requires the use of PKI, or SAML does not
    permit encryption of assertions.
    
    Now I am well aware of the fact that I am rather poor at proofreading. I
    know from experience that if I can see a dozen errors in a document
    there are likely to be hundreds. Therefore I am urging everyone to read
    this document and comment on it to NIST. I am posting it to these lists
    as the document discusses standards developed by these TCs as well as
    the WSS TC, of which many of you were members.
    
    Hal