Sunday, October 21, 2007

SOA Security

The National Institute of Standards and Technology has released a 128-page guide to help organizations understand the security challenges of Web services in service-oriented architecture. Download link: http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Issues addressed in the publication include:

  • Confidentiality and integrity of data transmitted via Web services protocols.
  • Functional integrity of the Web services requiring the establishment of trust between services.
  • Availability in the face of denial-of-service attacks that exploit vulnerabilities unique to Web service technologies.

Web site dedicated to Service Oriented Security http://www.service-orientedsecurity.com/

California Enterprise Architecture Program issues SOA Security White Paper http://www.cio.ca.gov/caIT/pdf/SOA_Security_White_Paper.pdf

Free SOA Security E-Book http://www.team509.com/download/docs/security/hacking/McGraw.Hill.Osborne.Media.XML.Security.eBook-TLFeBOOK.pdf

BPM and Security from James McGovern http://duckdown.blogspot.com/2006/12/thoughts-on-bpm-and-security.html

Colin White on SOA Security and reuse http://colin.trematon.com/enterprise-business/soa-security-and-enterprise-reuse/

Most of these are courtesy of Garry E. Smith.

2 comments:

  1. If you are searching for architectural security patterns that make use of the baseline provided by NIST, please also check out:

    www.opensecurityarchitecture.com

    OSA distills the know-how of the security architecture community and provides readily usable patterns for your application. This is a free framework, developed and owned by the community, and licensed in accordance with Creative Commons Share-alike.

  2. Hey, thanks a lot for sharing such a nice and informative article. Really a very good resource and helpful.
    Service-oriented architecture (SOA) allows different ways to develop applications by combining services. The main premise of SOA is to erase application boundaries and technology differences. As applications are opened up, how we can combine these services securely becomes an issue. Traditionally, security models have been hardcoded into applications and when capabilities of an application are opened up for use by other applications, the security models built into each application may not be good enough.

    By the way for more information on Security courses check this link: http://www.eccouncil.org/certification.aspx
