Improving Web Services Security (Beta)
The patterns and practices team at Microsoft has been releasing beta’s of their new guide, ‘Improving Web Services Security.’
If you are a lead developer, or architect, and are working with web services (of any platform, but especially WCF) this should be required reading.
The guide does a great job first covering what you should care about, and look for with regards to security when designing web services.
The first section covers the fundamentals really well. What the threats are, and the related countermeasures. Don’t think that because your service in ‘internal’, and only called by consumers you provision that security isn’t important.
As each section delves into it’s topic, it relates back to a ‘Web Services Security Frame.’ This frame lists the different aspects you need to take into account as an architect for each component of what you are building.
I will list them here, so you get a sense for what they are covering:
Category
Description
Auditing and Logging
Auditing and logging refers to how security-related events are recorded, monitored, and audited.
Authentication
Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization
Authorization is how your service provides access controls for resources and operations.
Configuration Management
Configuration management refers to how your service handles database connections, administration and other configuration settings.
Exception Management
Exception management refers to how you handle exceptions within your application, including fault contracts.
Impersonation/Delegation
Impersonation and delegation refers to how your service impersonates users and passes identity information downstream for authorization purposes.
Message Encryption
Message encryption refers to protecting a message by converting the contents to cipher-text using cryptographic methods.
Message Replay Detection
Message replay detection refers to identifying and rejecting messages that are re-submitted.
Message Signing
Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect if the contents have been tampered with (i.e. authentication and integrity of the message.)
Message Validation
Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input and output includes input from clients consuming the service as well as file-system input, as well as input from network resources, such as databases. Output typically includes the return values from your service or disk / database writes among others.
Sensitive Data
Sensitive data includes data integrity and confidentiality of your user and application data that you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files or when transmitted over the network.
Session Management
A session refers to a series of related interactions between a client and your service.
A guide on web service security can scare people away. Your first thought is that it is a boring topic, with lots of details to slog through. Many security books I read just cover principles, and never give actual guidance. The guide finally comes through.
It’s also nice to see that some of the architecture I have used in the past fits some of the patterns included.
One section I will call out as an example, is in Chapter 07, Message and Transport Security.
It explains the differences (and pros/cons) of transport versus message security. What I like is that they provide some concrete guidance. For example,
Use transport security in the following scenarios:
• You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems.
• Both the service and the client are located in an intranet.
Using transport security offers the following advantages:
• It provides interoperability, meaning that communicating parties do not need to understand WS-Security specifications.
• It may result in better performance.
• Hardware accelerators can be used to further improve the performance.
Using transport security has the following disadvantages:
• Security is applied on a point-to-point basis, with no provision for multiple hops or routing through intermediate application nodes.
• It supports a limited set of credentials and claims compared to message security.
• It is transport-dependent upon the underlying platform, transport mechanism, and security service provider, such as NTLM or Kerberos.
Chapter 05, Client Authentication and Service Authentication, covers a topic that I often get questions on. Namely, what pattern should an architect use regarding authentication and identity across the service boundaries. This guide covers the options, explains them well (with pictures!), and gives you the information you need to make the decision that is right for your project.
Many guides merely do an MSDN style breakdown of the options. An explanation without providing value. For example, sample code that breaks all best practices. In this guide, it explains an option, then tells you not to use it. I love it! Example:
Authentication Options with Message Security
The following authentication options are available when using message security:
• None. When using this option, the WCF service does not authenticate the callers. This is not the recommended option from a security perspective – avoid using this option wherever possible.
Anyway, if you have ANYTHING to do with web services or WCF, this is a must read. I find the web version easier to navigate and read than the PDF version.
Comments