Improving Web Service Security: Guidance for WCF
Microsoft patterns and practices group has released a WCF Security Guide. The 689 pages compendium offers a general introduction to Web Service security fundamentals as well as in-depth knowledge about several security threads and appropriate counter-measures.
“Improving Web Service Security: Scenarios and Implementation Guidance for WCF” offers security guidance in many ways. It is available in HTML and as a downloadable PDF.
The guide is divided into four parts accompanied by a set of references sections:
- Part I – Security Fundamentals for Web Services
The first chapter gives a good overview of the main aspects of service-oriented architectures (SOA). Security threats, vulnerabilities, and attacks are explained in the context of an SOA and Web Service Security standards, principles, patterns, and necessary development activities are introduced.
Chapters two and three cover Web Service Security threats and countermeasures and design guidelines for Web services.
- Part II – WCF Security Fundamentals
This part introduces all features and options concerning WCF service security. Instead of merely presenting all options and providing sample code, this guide evaluates all options with respect to security issues and also tells you what options not to use or even to avoid completely.
- Part III – Intranet Application Scenarios
The next two parts cover best practices for designing services and configuring web server, application server, and database server in a scenario-based fashion. Part III presents scenarios in the intranet scope.
- Part IV – Internet Application Scenarios
Part IV presents scenarios in the internet scope.
All topics covered individually in part one to four relate to a single organizing frame. J.D. Meier, Principal Program Manager on the patterns & practices group, introduced the Web Service Security Frame on his blog:
The key to making principles, patterns, and practices more effective is to have an organizing frame. […] the power of the frame is that it's a durable, evolvable backdrop -- in other words, you can shape it to your own purposes.
The references sections consists of checklists, guidelines, best practices, Q&A, and step-by-step howtos.
The mix of thorough coverage of fundamental (web) service security aspects and reference sections, all in a scenario-based fashion is very appealing and simplifies understanding. The guide addresses the full range of developers and architects, from beginner to pro. Especially the Q&A and the howto sections are ideal for beginners who do not know their way around service security. The checklists, guidelines and best practices as well as part III and IV provide valuable information and reference for everyone.