News

WS-I issues new security guidelines

• By John K. Waters
• March 10, 2004

The Web Services Interoperability (WS-I) Organization has lent a hand to Web services architects and developers looking for security solutions with the release of a new report that identifies potential threats and outlines countermeasures based on common scenarios. The WS-I's Security Scenarios Working Group Draft is now available for public review on the WS-I Web site at http://www.ws-i.org.

The 48-page draft report describes challenges to ensuring data integrity, data confidentiality and message uniqueness; lists specific threats, such as message alteration, falsified messages, message replay and denial of service attacks; outlines countermeasures that utilize HTTPS and SOAP Message Security 1.0; and includes a number of usage scenarios and solutions that combine these technologies with the Message Exchange Patterns (MEPs) that have been used in WS-I deliverables such as the Basic Profile 1.0 Sample Applications.

"We're trying to take basic profiles like SOAP and make sure you can at least protect the messages," said committee member Eve Maler, standards architect at Sun Microsystems during a press conference at the recent RSA security conference in San Francisco.

The WS-I is an industry group organized to promote the interoperability of Web services across platforms, applications and programming languages. The group looks at proposed Web services specifications issued by industry standards bodies (OASIS, W3C, etc.) and defines how they can be used in real-world deployments. More than 170 companies have joined the WS-I since it was founded in 2002. IBM and Microsoft were among the founding members.

The WS-I's Basic Security Profile Working Group developed the security scenarios in the report from security specs issued by OASIS, according to Hal Lockhart, senior engineering technologist at BEA Systems and a member of the working group. Lockhart called the report "a very important step" in helping developers to implement security around Web services.

OASIS defines standards for a range of situations, Lockhart said. The purpose of the WS-I draft report, he noted, was to narrow the broad set of OASIS recommendations to better fit the needs of WS-I members. "The WS-I has taken the time to identify the major categories of threats, challenges and mechanisms, he said. "This activity will form the basis for the problems that the security profile will solve."

The two-year-old organization is also working on the Basic Security Profile, an interoperability profile involving transport security, SOAP messaging security and other security considerations implicated by the Basic Profile 1.0. That profile will reference existing specifications used to provide security, including the OASIS Web Services Security 1.0 spec, and provide clarifications and guidance designed to promote interoperability of those specifications, according to the WS-I. A Working Group Draft of the Basic Security Profile is expected to be delivered next quarter.

WS-I is requesting public comment from all interested parties. Feedback can be sent to [email protected]. "We want feedback," Lockhart said. "We want to know [whether developers] think this is the right set of scenarios, the right set of choices to make. We hope people will look at this document and feed back to us their reactions so that we'll know we are working on the right problems."