NIST SP 800-95, Guide to Secure Web Services
Page Count: 128
- Executive Summary
- 1. Introduction
- 2. Background to Web Services and Their Relationship to Security
- 2.1 Introducing Web Services
- 2.2 Elements of Security
- 2.3 Web Services Security Dimensions
- 2.4 Meeting the Requirements for Securing Web Services
- 2.5 Core Services
- 2.6 Threats Facing Web Services
- 2.7 Common Risks Facing Web Services
- 2.8 Web Services’ Interfaces with Network/Infrastructure Security Architectures
- 2.9 Summary
- 3. Web Service Security Functions and Related Technologies
- 3.1 Service-to-Service Authentication
- 3.2 Identity Management
- 3.3 Establishing Trust between Services
- 3.4 Describing Web Services Policies (WS-Policy)
- 3.5 Distributed Authorization and Access Management
- 3.6 Confidentiality and Integrity of Service to Service Interchanges
- 3.7 Accountability End-to-End throughout a Service Chain
- 3.8 Availability of Web Services
- 3.9 Securing the Discovery Service: Secure Interfaces to UDDI and WSDL
- 3.10 Summary
- 4. Human User’s Entry Point into the SOA: Web Portals
- 5. Secure Web Service-Enabling of Legacy Applications
- 5.1 Legacy Authentication to Web Services
- 5.2 Authorization and Access Control in Legacy Applications
- 5.3 Extending Non-Web Applications to Be Able to Participate in SOAs
- 5.4 Public Key Enabling Concerns Specific to Web Services and SOAs
- 5.5 Accountability for Legacy Application Transactions
- 5.6 Database Security Challenges in SOA Environments
- 5.7 Maintaining Security of Legacy Systems Exposed via Web Services
- 5.8 Summary
- 6. Secure Implementation Tools and Technologies
- 6.1 Web Services Developer Toolkits
- 6.2 XML Parsers
- 6.3 Languages for Secure Web Service Development
- 6.4 Security Testing: Tools and Techniques
- 6.5 Summary
- Appendix A— Common Attacks Against Web Services
- A.1 Reconnaissance Attacks
- A.1.1 Code Templates
- A.1.2 Forceful Browsing Attack
- A.1.3 Directory Traversal Attack
- A.1.4 WSDL Scanning
- A.1.5 Registry Disclosure Attacks
- A.2 Privilege Escalation Attacks
- Appendix B— ebXML
- Appendix C— Glossary
- Appendix D— Acronyms and Abbreviations
- Appendix E— Print Resources
- Appendix F— Online Resources