Web application threats abound. If you use Web services with those applications, then there are other security issues you need to be aware of. In fact, some say Web services, if not secured properly, can pose security threats that extend beyond those of traditional Web applications.
What are those weaknesses and how should you handle them? These articles, tips, books and other resources answer those questions and help you get a grip on how to protect and deploy secure Web services.
If you know of an article, tip, tool or code sample that should be included, send me an e-mail with the information and I'll add it. -- Michelle Davidson, Site Editor.
| Web Services Security Basics |
- Definition: Web services
- Definition: Web Services Security (WS-S)
- Definition: Web Services Interoperability (WS-I)
- Definition: Security Assertion Markup Language (SAML)
- Definition: Extensible Markup Language (XML)
- Guide: OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services
- Article: Put Web services security on front burner
- Featured Topic: Keeping Web services secure
- Article: Secure Web services a sound business practice
- Expert advice: Why do Web services impact security?
- Expert advice: Why are Web services more vulnerable than Web apps?
- Expert advice: Ajax's effect on Web services security
- Tip: How to overcome Web services security obstacles
- Tip: Securing Web services -- More than just Web application security
- Q&A: The pros and cons of securing Web services with SSL
| Web Services Threats and Vulnerabilities |
- White Paper: Protecting Against Web Services Threats (PDF)
- White Paper: Anatomy of a Web Services Attack: A Guide to Threats and Preventative Countermeasures
- White Paper: XML Threats and Web Services Vulnerabilities: Understanding Risk and Protection
- Article: Web services pitfalls
- Article: WS-I Security Document Identifies Web Services Threats
- Article: Five things you need to know about Web services threats
- Weblog: Web services threat detection
- Blog: Web service security -- Threats and countermeasures: Part 1
- Blog: Web service security -- Threats and countermeasures: Part 2, Message replay protection
- Blog: Web service security -- Threats and countermeasures: Part 3, Message validation
- Blog: Web service security -- Threats and countermeasures: Part 4, Message protection -- sign and encrypt and encrypt signature
- Article: The Web services threat model
- Tip: Securing services: Locking down your SOA
- Expert advice: What is XPath Injection?
- Article: XML and Web services: Message processing vulnerabilities
| Web Services Security Standards |
- Standards Organization: OASIS.org
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards.
- Article: Standards, tools vital to Web services security
- Library: Web Services Security Specifications Index Page
- Tip: Sorting out the Web services standards bodies
- Article: WS-Security 1.1 approved
- Featured Topic: Fast facts: WS-Security
- Article: A developer's roadmap to using WS-Security
- Expert Advice: What security concerns does WS-Security address?
- Expert advice: When to use WS-Security and SSL
- Expert Advice: Are SAML and WS-Security competitive specifications for Web services security?
- Tip: An inside look at federated identity, part one
- Tip: An inside look at federated identity, part two
- Article: Microsoft opts for WS-Federation over SAML
| SAML |
- Article: SAML declares victory, closes in on a billion IDs
- Article: SAML demystified
- Tip: What's new with SAML?
- Tip: SAML 2.0 means business benefits
- Tip: SAML 2.0: The Holy Grail of identity management, part 1
- Expert Advice: Are SAML and WS-Security competitive specifications for Web services security?
| Java and Web Services |
- Web Site: Java Technology and Web Services
- Article: Web services security for Java
- Article: Web services security, Part 1
- Article: Web services security, Part 2
- Article: Web services security, Part 3
- Article: Web services security, Part 4
- Ask the Expert: Secure Web services in J2EE
- Book: Java Web Services
- Article: Secure Web services
- Presentation: Securing your enterprise: Web application and Web services security (PDF)
- Article: Yes, you can secure your Web services documents, Part 1
- Article: Yes, you can secure your Web services documents, Part 2
- Tech Talk: Ted Neward on Web services and security
| .NET and Web Services |
- Article: Building a universal Web services ID
- News: WS-Security Interop using WSE 2.0 and Sun JWSDP 1.5
- News: Role-based security with WSE 2.0
- News: Why WSE?
- News: MSDN TV: Indigo security in a nutshell (Interview)
- Article: A developer's roadmap to using WS-Security
- Blog: Certificate validation callbacks in Indigo
- Presentation: Attacking Web services: The next generation of vulnerable enterprise apps (PDF)
| Securing XML |
- Learning guide: XML Security Learning Guide
- Expert advice: Distinguishing a faked XMLHTTP request from a real one
- Expert advice: How to protect against an XML bomb
- Tip: An emerging XML Web services security infrastructure
- Webcast: What's next for XML Web services security
| Web Services Security Tools |
- Article: Standards, tools vital to Web services security
- Tip: Securing Web services: A job for the XML firewall
- Product reviews: XML Gateways
- Blog: TrustedWebServices.org -- A collection of services and source code based on Safelayer's TrustedX WS technology
Tool Web sites
- From BEA Systems
- From DataPower
- From Forum Systems
- XWall Web Services Firewall
- Forum XRay Web Services Diagnostics
- Forum Sentry
- Forum Vulcon Web Service Vulnerability Containment
- Forum Presidio
- From NetBeans
- From Parasoft
- From Ping Identity Corp.
- From Reactivity
- From Sarvega
- From SOA Software
| Other Useful Resources |
Expert advice on Web services security
Do you have a question about Web services security that you're having trouble getting answered? Web services security expert Rami Jaamour can help. Read advice he has given or submit your own questions.
- Workshop: Developing Secure Java Web Services
- Web Site: SearchWebServices.com
- Web Site: SOA Pipeline
- Web Site: Developer.com Web services articles
- Book: Web Services Security
- Magazine: SOA Web Services Journal
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.
This was first published in May 2006
