Engineering Secure Web Services

Douglas Rodrigues (Universidade de São Paulo, Brazil), Julio Cezar Estrella (Universidade de São Paulo, Brazil), Francisco José Monaco (Universidade de São Paulo, Brazil), Kalinka Regina Lucas Jaquie Castelo Branco (Universidade de São Paulo, Brazil), Nuno Antunes (Universidade de Coimbra, Portugal) and Marco Vieira (Universidade de Coimbra, Portugal)
DOI: 10.4018/978-1-60960-794-4.ch016


Web services are key components in the implementation of Service Oriented Architectures (SOA), which must satisfy proper security requirements in order to be able to support critical business processes. Research works show that a large number of web services are deployed with significant security flaws, ranging from code vulnerabilities to the incorrect use of security standards and protocols. This chapter discusses state of the art techniques and tools for the deployment of secure web services, including standards and protocols for the deployment of secure services, and security assessment approaches. The chapter also discusses how relevant security aspects can be correlated into practical engineering approaches.
Chapter Preview

Security Standards And Protocols For Web Services

Enabling information security on the Internet is a mandatory step for fostering business on the Web, especially if we consider systems based on Web services and SOA architectures. In their native form, Web services do not take security requirements into account; in most cases these requirements are only superficially met by security standards developed in the context of XML-based SOAP messages.

Multi-hop message routing between multiple Web services is commonly used to achieve scalability and also to bridge different protocols. Some technologies, such as TLS/SSL (Transport Layer Security/Secure Sockets Layer), were initially developed to guarantee confidentiality between two parties (Dierks and Allen, 1999; Freier et al., 1996), but they do not provide end-to-end security. To address this challenge, diverse security principles must be applied to different contexts, taking into account both point-to-point and end-to-end settings, as well as the associated considerations concerning the privacy of user information shared in this process. To enable security in this new environment, novel mechanisms have to be put on top of the ones already available at the transport and network layers of the TCP/IP stack. Standards such as XML, SOAP, UDDI and WSDL address the basics of interoperable services, but for secure Web services and SOA other rules must be added and approved (currently no de facto security standard for SOA architectures is available).
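As an added example (not code from the chapter), the following Python model illustrates the multi-hop case just described: a SOAP envelope crosses an intermediary hop where the sender's transport session ends, and a receiver that relies on transport security alone cannot tell that the body was altered there, whereas a receiver that checks a message-level integrity value over the body can. The SOAP 1.1 envelope namespace is standard; the shared key, the payload, and the use of an HMAC as a stand-in for a WS-Security XML Signature are constructed simplifications for the demonstration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed demo key shared by the original sender and the final receiver only;
# the intermediary hop never holds it (assumption of this example).
END_TO_END_KEY = b"constructed-demo-key-not-for-production"


def build_envelope(body_xml: str, signature: str = "") -> str:
    """Wrap a payload in a SOAP 1.1 envelope; the header optionally carries a message-level MAC."""
    header = f"<Signature>{signature}</Signature>" if signature else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>{header}</soap:Header>'
            f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>")


def split_envelope(envelope: str) -> Tuple[str, str]:
    """Return (body_xml, signature); signature is '' when the header carries none."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    sig = root.find(f"{{{SOAP_NS}}}Header/Signature")
    body_xml = "".join(ET.tostring(child, encoding="unicode") for child in body)
    return body_xml, ((sig.text or "") if sig is not None else "")


def sign_body(body_xml: str) -> str:
    """HMAC-SHA256 over the serialised body, standing in for an XML Signature (simplification)."""
    return hmac.new(END_TO_END_KEY, body_xml.encode(), hashlib.sha256).hexdigest()


def intermediary_hop(envelope: str, new_body_xml: str = "") -> str:
    """Model a routing hop: the sender's TLS session terminates here, so the hop sees the
    whole envelope in clear and re-serialises it, optionally with a changed body."""
    body_xml, signature = split_envelope(envelope)
    return build_envelope(new_body_xml or body_xml, signature)


def receiver_transport_only(envelope: str) -> str:
    """With TLS alone, the receiver's assurance covers only the last hop, so it has to
    take the body at face value: a change made at the intermediary is invisible to it."""
    return split_envelope(envelope)[0]


def receiver_message_level(envelope: str) -> Tuple[bool, str]:
    """Verify the end-to-end MAC over the body; returns (accepted, body_xml)."""
    body_xml, signature = split_envelope(envelope)
    accepted = bool(signature) and hmac.compare_digest(signature, sign_body(body_xml))
    return accepted, body_xml
```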
