Web Services Security Frame
J.D. Meier, Prashant Bansode, Paul Enfield
Frames are a lens for looking at Cloud Security. A frame is simply a collection of Hot Spots, and each Hot Spot represents an actionable category for information. Using Hot Spots, you can quickly find pain points, opportunities, and key decision points. A frame helps organize principles, patterns, and practices by relevancy. In this case, we use the Web Services Security Frame to organize threats, attacks, vulnerabilities and countermeasures.
| Category | Description |
|---|---|
| Auditing and Logging | Auditing and logging refers to how security-related events are recorded, monitored, and audited. |
| Authentication | Authentication is the process where an entity proves its identity to another entity, typically through credentials such as a user name and password. |
| Authorization | Authorization is how your service provides access controls for resources and operations. |
| Configuration Management | Configuration management refers to how your service handles database connections, administration and other configuration settings, including what information is configurable and how that configuration information is protected. |
| Exception Management | Exception management refers to how you handle exceptions within your application, including fault contracts. |
| Impersonation and Delegation | Impersonation and delegation refers to how your service impersonates users and passes identity information downstream for authorization purposes. |
| Message Encryption | Message encryption refers to protecting a message by converting its contents to ciphertext using cryptographic methods. |
| Message Replay Detection | Message replay detection refers to identifying and rejecting messages that are re-submitted. |
| Message Signing | Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect whether its contents have been tampered with (i.e., authentication and integrity of the message). |
| Sensitive Data | Sensitive data refers to the integrity and confidentiality of the user and application data you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files, or while it is transmitted over the network. |
| Session Management | A session refers to a series of related interactions between a client and your service. |
| Message Validation | Message validation refers to how you verify the message payload against a schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input includes input from clients consuming the service, file-system input, and input from network resources such as databases. Output typically includes the return values from your service and disk or database writes, among others. |
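The Message Signing and Message Replay Detection Hot Spots above describe what to check but not how the checks fit together. The following Python example, added here and not part of the original frame, shows one way a receiver can verify an HMAC-SHA256 signature over a message envelope, enforce a freshness window on its timestamp, and reject a nonce it has already seen; the shared key, window size and envelope layout are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret for the example only; a real service provisions keys securely.
SHARED_KEY = b"example-shared-key-not-for-production"
REPLAY_WINDOW_SECONDS = 300  # accept timestamps within +/- 5 minutes of the receiver's clock


def _canonical(envelope: Dict) -> bytes:
    # Canonical JSON so sender and receiver sign exactly the same bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: Dict, key: bytes = SHARED_KEY, now: Optional[float] = None) -> Dict:
    """Attach a timestamp, a random nonce and an HMAC-SHA256 signature to a payload."""
    envelope = {
        "payload": payload,
        "timestamp": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    envelope["signature"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class ReplayDetector:
    """Verifies the signature, enforces a freshness window and rejects re-used nonces."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = REPLAY_WINDOW_SECONDS):
        self.key, self.window = key, window
        self.seen: Dict[str, int] = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, envelope: Dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        unsigned = {k: v for k, v in envelope.items() if k != "signature"}
        expected = hmac.new(self.key, _canonical(unsigned), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(expected, envelope.get("signature", "")):
            return False, "bad signature"
        ts = envelope["timestamp"]
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # Forget nonces that can no longer be replayed inside the window.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if envelope["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[envelope["nonce"]] = ts
        return True, "ok"
```

The signature check runs first so that tampered or forged messages never reach the nonce cache, and the cache is bounded by the same window that makes the timestamp check meaningful.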