Improving Web Services Security (Beta)

The patterns and practices team at Microsoft has been releasing beta’s of their new guide, ‘Improving Web Services Security.’

If you are a lead developer, or architect, and are working with web services (of any platform, but especially WCF) this should be required reading.

The guide does a great job first covering what you should care about, and look for with regards to security when designing web services.

The first section covers the fundamentals really well. What the threats are, and the related countermeasures. Don’t think that because your service in ‘internal’, and only called by consumers you provision that security isn’t important.

As each section delves into it’s topic, it relates back to a ‘Web Services Security Frame.’ This frame lists the different aspects you need to take into account as an architect for each component of what you are building.

I will list them here, so you get a sense for what they are covering:

Category
Description

Auditing and Logging
Auditing and logging refers to how security-related events are recorded, monitored, and audited.

Authentication
Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.

Authorization
Authorization is how your service provides access controls for resources and operations.

Configuration Management
Configuration management refers to how your service handles database connections, administration and other configuration settings.

Exception Management
Exception management refers to how you handle exceptions within your application, including fault contracts.

Impersonation/Delegation
Impersonation and delegation refers to how your service impersonates users and passes identity information downstream for authorization purposes.

Message Encryption
Message encryption refers to protecting a message by converting the contents to cipher-text using cryptographic methods.

Message Replay Detection
Message replay detection refers to identifying and rejecting messages that are re-submitted.

Message Signing
Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect if the contents have been tampered with (i.e. authentication and integrity of the message.)

Message Validation
Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input and output includes input from clients consuming the service as well as file-system input, as well as input from network resources, such as databases. Output typically includes the return values from your service or disk / database writes among others.

Sensitive Data
Sensitive data includes data integrity and confidentiality of your user and application data that you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files or when transmitted over the network.

Session Management
A session refers to a series of related interactions between a client and your service.

 

A guide on web service security can scare people away. Your first thought is that it is a boring topic, with lots of details to slog through. Many security books I read just cover principles, and never give actual guidance. The guide finally comes through.

It’s also nice to see that some of the architecture I have used in the past fits some of the patterns included.

One section I will call out as an example, is in Chapter 07, Message and Transport Security.

It explains the differences (and pros/cons) of transport versus message security. What I like is that they provide some concrete guidance. For example,

Use transport security in the following scenarios:
• You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems.
• Both the service and the client are located in an intranet.
Using transport security offers the following advantages:
• It provides interoperability, meaning that communicating parties do not need to understand WS-Security specifications.
• It may result in better performance.
• Hardware accelerators can be used to further improve the performance.
Using transport security has the following disadvantages:
• Security is applied on a point-to-point basis, with no provision for multiple hops or routing through intermediate application nodes.
• It supports a limited set of credentials and claims compared to message security.
• It is transport-dependent upon the underlying platform, transport mechanism, and security service provider, such as NTLM or Kerberos.

Chapter 05, Client Authentication and Service Authentication, covers a topic that I often get questions on. Namely, what pattern should an architect use regarding authentication and identity across the service boundaries. This guide covers the options, explains them well (with pictures!), and gives you the information you need to make the decision that is right for your project.

Many guides merely do an MSDN style breakdown of the options. An explanation without providing value. For example, sample code that breaks all best practices. In this guide, it explains an option, then tells you not to use it. I love it! Example:

Authentication Options with Message Security
The following authentication options are available when using message security:
None. When using this option, the WCF service does not authenticate the callers. This is not the recommended option from a security perspective – avoid using this option wherever possible.

Anyway, if you have ANYTHING to do with web services or WCF, this is a must read. I find the web version easier to navigate and read than the PDF version.

Comments

Post a Comment

Popular posts from this blog

Farewell

I don't often explicitly state that I work for Quick Solutions when I post to my blog. Others that work with me talk about QSI all the time. I do this because I want the articles to be what 'I' have to say about technology, not what QSI has to say. I started working for QSI in June of 2003. I was about to start my own consulting company, and they asked me to come in to help them start their solutions business (having built a high quality technical staffing business). I thought, why not? Getting to build what I want to build on someone else's dime definitely reduces my personal risk, and if it didn't work out, I could just pick back up the 'start my own company' thing. Nearly five years have passed, and we have built a great team. A team that is considered one of the leading development shops in our region. Each, and EVERY person on this team would be considered a rock star at any company. We have a great culture for the team, and a deep seated ownership
Read more

How does an Architect pack?

Today we are packing for the big move. Quick Solutions is moving to some new swanky office space, with an awesome new delivery center. The new center has wall to wall whiteboards, network projectors for group programming (pair programming is so 20th century), a game room, new open seating (shared workspace is the key to productivity), and lots of other new goodies. It is an amazing investment by the company, and shows their commitment to building the best team on the block. As we are packing, we started joking around (not that joking around is rare, and would have occurred regardless of the packing state). How does and architect pack? An architect doesn't pack anymore. He did that ten years ago. He goes to plenty of packing conferences, and has read a lot of books on packing. An architect will map out how the whole enterprise should pack, and even dictate what (clearly out of date) packing supplies and processes should be used. These processes will be the perfect match for some
Read more

Job security is a myth, and how IT Pros are Thriving

No matter how you slice it, the economy is definitely in a state of concern. Some call it a recession, some a depression, others it is a crash. Since all of those words are overloaded, I will choose to use the word Grapefruit to represent the current situation. How concerned you are with grapefruit depends on who you are, and your personal situation. It is these times of grapefruit when there is the most opportunity. Crazy, I know. But now is the time to start that crazy idea, to outmaneuver an opponent, or get desperate enough to take risks you normally wouldn’t take (personally, or as a company) during up times. All boats float in the high tide. Only great captains can navigate the low tide. There is no such thing as job security. Surprise. There just isn’t, it is a complete myth. ‘Job Security’ might have made sense two generations ago, but it just doesn’t work now. You make your own security, during good times, and during grapefruits. Through keeping your skills sharp, thro
Read more