WS-I Security Scenarios Public Draft
WS-I Publishes Web Services Security Interoperability Guidelines
Security Scenarios Outline Challenges, Threats and Countermeasures
San Francisco, CA, USA. February 25, 2004.
Today, at the thirteenth annual RSA Conference, the world's leading e-security event, the Web Services Interoperability Organization (WS-I) announced the availability of the first Security Scenarios Working Group Draft for public review. Developed by the WS-I Basic Security Profile Working Group, the Security Scenarios document identifies security challenges and threats in building interoperable Web services and countermeasures for these risks. The news was announced today during a media event at RSA featuring Web services security experts from the WS-I Basic Security Profile Working Group.
"The development of the Security Scenarios Working Group Draft is an important step in furthering the progress of Web services and driving customer adoption," said Paul Cotton, Chair of the WS-I Basic Security Profile Working Group. "By enabling Web services architects and developers to identify potential security challenges and threats, they can more easily ensure the successful deployment of their Web services projects and achieve greater levels of interoperability."
"Enterprises that deploy Web services without mature strategies for security will be vulnerable to cyberattacks," said Ray Wagner, Research Director, Information Security Strategies at Gartner. "Web services security decisions are complex, and interoperability is a key challenge. WS-I's guidance, including the Security Scenarios and the forthcoming Basic Security Profile, could be an important factor in the success of enterprises' Web services security initiatives. WS-I can provide much-needed clarity for the practical and pragmatic use of Web services security standards."
Security Challenges, Threats and Countermeasures
The Security Scenarios document describes several security challenges, threats and countermeasures in building interoperable Web services, as well as usage scenarios and solutions, including:
Challenges: describes several security challenges, including ensuring data integrity, data confidentiality and message uniqueness
Threats: outlines 10 threats on these challenges, such as message alteration, falsified messages, message replay and denial of service attacks
Countermeasures: recommends how technologies like HTTPS and OASIS Web Services Security: SOAP Message Security 1.0 can be used to counter some of these threats
Usage Scenarios and Solutions: describes how these technologies can be used with the Message Exchange Patterns (MEPs) that have been used in WS-I deliverables such as the Basic Profile 1.0 Sample Applications
The Security Scenarios Working Group Draft is now available on the WS-I website at www.ws-i.org. WS-I is requesting public comment from all interested parties to ensure quality and broad applicability. Feedback should be sent to email@example.com.
Work Continues on Basic Security Profile
WS-I is also currently working on the Basic Security Profile, an interoperability profile involving transport security, SOAP messaging security and other security considerations implicated by the Basic Profile 1.0. The Basic Security Profile is intended to compose with other WS-I profiles and will reference existing specifications used to provide security, including the OASIS Web Services Security 1.0 specification, and provide clarifications and guidance designed to promote interoperability of those specifications. A Working Group Draft of the Basic Security Profile is expected to be delivered next quarter.
WS-I is an open industry organization committed to promoting consistent and reliable interoperability among Web services across platforms, applications and programming languages. The organization unites a diverse community of Web services companies by providing guidance, recommended practices and supporting resources for developing interoperable Web services. Since its formation in February 2002, more than 170 companies have joined WS-I. For more information, please visit http://www.ws-i.org, or e-mail firstname.lastname@example.org.
Public Relations Contact
Tel: +1 (408) 307-1236
Meet WS-I at RSA Conference
February 23-27, 2004
Moscone Convention Center, San Francisco
Prepared by Robin Cover for The XML Cover Pages archive. See other details in "WS-I Releases Public Working Draft Document on Security Scenarios." General references in "Web Services Interoperability Organization (WS-I)."