Although many teams leave security as an afterthought, it's very important to ensure your Web
apps are secure and your end users (and their data) are safe. Building safe Web applications means
using secure Web services. Development teams should be aware of the work of groups responsible for
Web services security standards, as such formats help ensure compatibility when working with
diverse organizations across different corporate firewalls.
OASIS and W3C are the two major organizations most active in Web services and SOA security standards and protocols. These two organizations have a similar approach to Web services security, but there are some differences in the way the concepts are expressed. When we look at the
This tip focuses on the W3C approach, and a future piece will round out the lesson by providing more information on the OASIS side of things.
The W3C Security Activity is broken into two branches – the Web Security Context Working Group and the XML Security Working Group. The XML and Web security groups have relatively long established guidelines for representing the signature of Web resources, digital content encryption, and key management.
The W3C's Web Security Context Working Group focused on user experience and on end user trust decisions. They wrapped up work on their user interface guidelines this August. These guidelines present rules and best practices aimed at ensuring that end-users make their online trust decisions under the safest and best informed conditions possible.
The user interface guidelines describe both acceptable and best-case procedures for handling Web security with a focus on Web user agents. The guidelines define a "Web user agent" as "any software that retrieves and presents Web content for users." Web user agents can be said to conform at a basic level (meaning they do everything the guidelines state must be done) or Web services can be said to conform at an advanced level (meaning they also do the things the guidelines state should be done).
The XML Security Working Group grew out of two distinct but similar groups that had been working on XML security for some time. They continue the W3C's work on signatures and encryption for XML. As of September the group has just recently published five drafts including XML Signature 2.0, Canonical XML 2.0, and XML Signature Best Practices.
XML Signature 2.0 specifies processing rules and syntax for XML digital signatures. The specification is intended to improve integrity services as well as authentication services. Canonical XML 2.0 is a major reworking of the previous version and is aimed at performance, hardware implementation and other issues. XML Signature Best Practices provides best practices around using XML signature. Specifically, the document relates to generally improving security and mitigating attacks as well as the use of XML signature in practice.
This was first published in November 2010