This project is read-only.

Web Services Security Tasks

- J.D. Meier, Prashant Bansode, Paul Enfield.

Task lists are a compilation of expected activities of customers with this technology. We attempt to determine the areas that will likely need the most guidance and prioritize them here.

Hot Spots

  • Auditing and logging
  • Authentication
  • Authorization
  • Communication
  • Message and Data Validation
  • Deployment Considerations
  • Exception Management
  • Message Protection
  • Message Replay Detection
  • Sensitive Data
  • Session Management

Auditing and logging

  • How to identify the sink for logging and auditing.
  • How to identify the operations and events to be logged.
  • How to log authentication and authorization events.
  • How to secure to log files / store.
  • How to archive log information.
  • How to handle log failures.
  • How to avoid storing sensitive information in log files.


  • How to use windows authentication in a web service.
  • How to use username password authentication in a web service.
  • How to use certificate authentication in a web service.
  • How to manage user accounts securely.
  • How to use WS security with SOAP messages.
  • How to use secure sessions.


  • How to identify trust boundaries within the web service layers for authorization.
  • How to decide granularity of authorization settings.
  • How to choose authorization strategy for your web service.
  • How to use resource authorization.
  • How to use roles authorization.


  • How to decide communication protocol for the web service.
  • How to reliably handle unreliable or intermittent communication.
  • How to use dynamic URL behavior with configured endpoints for maximum flexibility.
  • How to validate endpoint addresses in messages etc.
  • How to handle asynchronous calls etc.
  • How to decide message communication patterns like one-way or two-way etc.

Message and Data Validation

  • How to identify trust boundaries within Web service layers for message and data validation.
  • How to design your validation strategy to constrain, reject, and sanitize malicious input.
  • How to efficiently and securely validate input data.
  • How to validate all messages received by the service interface.
  • How to handle data and message validation failures

Deployment Considerations

  • How to use least privilege account for running the service.
  • How to use certificates to enable secure communication using SSL.
  • How to handle encryption keys securely in production.
  • How to secure configuration sections containing sensitive data

Exception Management

  • How to choose exception management strategy.
  • How to scrub exception message for secure exception handling.
  • How to deal with sensitive information when handling the exception.
  • How to deal with unhandled exceptions.
  • How to use SOAP Fault elements or custom extensions to return exception details to the caller.
  • How to design fault contracts to allow services to declare known faults for each operation

Message Protection

  • How to choose between message security and transport security.
  • How to use message security.
  • How to use message security.
  • How to sign and encrypt part of the message.
  • How to avoid tampering of messages and parameter

Message Replay Detection

  • How to detect message replay.
  • How to handle message replay.

Sensitive Data

  • How to protect message confidentiality and integrity.
  • How to design service to protect parts of the message with partial encryption.
  • How to secure metadata in an endpoint to be consumed by service clients.
  • How to use transport security

Session Management

  • How to configure message throttling to avoid denial of service attacks.
  • How to design services per session mode.
  • How to configure memory limits to avoid denial of service attacks.
  • How to configure service for reliable messaging with reliable session and ordering of messages.
  • How to implement structured exception handling and state management to avoid state corruption.

Last edited Aug 22, 2009 at 1:01 AM by paulenfield, version 2


No comments yet.