Samoa: Formal Tools for Securing Web Services

FS2PV (opens in new tab): A Cryptographic-Protocol Verifier for F#

FS2PV is a verification tool that compiles cryptographic-protocol implementations in a first-order subset of F# to a formal pi-calculus model. This pi-calculus model then can be analyzed using ProVerif to prove the desired security properties or to find security flaws. A blog entry (opens in new tab) explains the results of running FS2PV on a sample protocol.

Policy Advisor for WSE 3.0 (opens in new tab)

Policy Advisor is a security tool shipped in November 2005 as part of Web Services Enhancements 3.0 for Microsoft .NET (opens in new tab) (WSE 3.0). See the WSE 3.0 readme (opens in new tab), the Policy Advisor documentation (opens in new tab), and the Microsoft patterns and practices guide Web Service Security: Scenarios, Patterns, and Implementation Patterns for Web Services Enhancements 3.0 (opens in new tab). Policy Advisor examines the configuration and policy files for one or more WSE endpoints, highlights typical security risks, and provides some remedial advice. Moreover, it summarizes the associated trace files (when present), showing message flows between endpoints. This version is implemented as an XSL transform. Jason Hogg discusses and demonstrates the WSE 3.0 and the Policy Advisor in his MSDN Architecture Webcast on Web Services Security Patterns (opens in new tab), (March 16, 2006).

WSE Policy Advisor (opens in new tab) (for WSE 2.0)

WSE Policy Advisor is a security plug-in for Web Services Enhancements 2.0 for Microsoft .NET (opens in new tab)(WSE). It can be invoked either from the WSE Configuration Editor or as a stand-alone tool. It examines the policy files that configure WSE, summarizes their security properties, highlights typical security risks, and provides some remedial advice. Ensure you have installed SP2 or SP3 of WSE 2.0 before attempting to install WSE Policy Advisor. A paper listed in the next section describes the advisor in detail.

• Aaron Skonnard, PluralSight (opens in new tab): “Very nice. We need more tools like this that facilitate authoring and analyzing service contracts, especially during design and development.”
• Benjamin Mitchell, WSE expert (opens in new tab): “In combination with the WSE Settings add-in the Policy Advisor provides a great service for anyone wanting to understand and apply policy files, without having to get too focused on the XML angle brackets.”
• Savas Parastatidis, University of Newcastle (opens in new tab) “I too wanted to say how cool this tool is. I run it against a very old policy file I had written by hand for the secure version of the WS-GAF Registry service and it told me things that I had never imagined could have caused problems.”

TulaFale: A Security Tool for Web Services (opens in new tab)

TulaFale is a new specification language for writing machine-checkable descriptions of SOAP-based security protocols and their properties. TulaFale is based on the pi calculus (for writing collections of SOAP processors running in parallel), plus XML syntax (to express SOAP messaging), logical predicates (to construct and filter SOAP messages), and correspondence assertions (to specify authentication goals of protocols). Our implementation compiles TulaFale into the applied pi calculus, and then runs Blanchet’s resolution-based protocol verifier. Hence, we can automatically verify authentication and secrecy properties of SOAP protocols.

• Bhargavan, C. Fournet, A. Gordon, and N. Swamy, Verified implementations of the Information Card federated identity-management protocol. In ACM Symposium on Information, Computer and Communication Security (opens in new tab) (ASIACCS’08), Tokyo, March 18-20, 2008.
• Bhargavan, C. Fournet, and A. Gordon, Verified Reference Implementations of WS-Security Protocols. In 3rd International Workshop on Web Services and Formal Methods (opens in new tab) (WS-FM 2006), pp88-106, Vienna, September 8-9, 2006. Volume 4184 of Springer LNCS, 2006.
• Bhargavan, C. Fournet, A. Gordon, and S. Tse, Verified Interoperable Implementations of Security Protocols. In 19th IEEE Computer Security Foundations Workshop (opens in new tab) (CSFW 2006), pp139-152, Venice, July 5-7, 2006. An extended version is available as Technical Report MSR-TR-2006-46, Microsoft Research, September 2007.
• Bhargavan, C. Fournet, A. Gordon, and G. O’Shea, An Advisor for Web Services Security Policies. In 2005 ACM Workshop on Secure Web Services (opens in new tab) (SWS 2005), November 11, 2005.
• Fournet, A. Gordon, and S. Maffeis, A Type Discipline for Authorization Policies. In 2005 European Symposium on Programming (opens in new tab) (ESOP 2005), pp141-156, April 6-8, 2005. An extended version is available as Technical Report MSR-TR-2005-01, Microsoft Research, September 2005.
• Bhargavan, R. Corin, C. Fournet, and A. Gordon, Secure Sessions for Web Services. In 2004 ACM Workshop on Secure Web Services (opens in new tab) (SWS 2004), Washington DC, October 29, 2004.
• Bhargavan, C. Fournet, and A. Gordon, Verifying Policy-Based Security for Web Services. In 2004 ACM Conference on Computer and Communications Security (opens in new tab) (CCS 2004), pp268-277, Washington DC, October 25-29, 2004. An extended version is available as Technical Report MSR-TR-2004-84, Microsoft Research, November 2005.
• Bhargavan, C. Fournet, A. Gordon, and R. Pucella, TulaFale: A Security Tool for Web Services. In International Symposium on Formal Methods for Components and Objects (opens in new tab) (FMCO 2003), pp197-222, Leiden. Volume 3188 of Springer LNCS, Revised Lectures, 2004.
• Bhargavan, C. Fournet, and A. Gordon, A Semantics for Web Services Authentication. In 2004 ACM Symposium on Principles of Programming Languages, pp198-209, Venice, January 14-16, 2004. An extended version is available as Technical Report MSR-TR-2003-83, Microsoft Research, February 2004. A journal version (opens in new tab) appears in Theoretical Computer Science 340(1):102-153 (June 2005).
• Gordon and R. Pucella, Validating a web service security abstraction by typing. In 2002 ACM Workshop on XML Security, pp18-29, Fairfax VA, November 22, 2002. An extended version is available as Technical Report MSR-TR-2002-108, Microsoft Research, December 2002. A journal version appears in Formal Aspects of Computing 17:277-318, 2005.

• Slides (opens in new tab) from the session on web services at CASSIS’05 (opens in new tab), Nice, March 8, 2005. The speakers were C. Fournet (Microsoft), P. Kearney (BT), M. O’Neill (Vordel), B. Pfitzmann (IBM), and A. Cremonini (University of Milan), and the session chair was A. Gordon (Microsoft).
• Channel9 interview of Samoa team members (opens in new tab), Lake Bill, Redmond, March 3, 2005.
• A. Gordon, Web Services and Security . Lecture course at FOSAD 2004 (opens in new tab), Bertinoro, September 6-11, 2004. (Revision of the 2003 course in Edinburgh.)
• J. Shewchuk Moving Forward: Web Services and Indigo (opens in new tab). Presentation, including TulaFale demo, at 2004 Microsoft Research Faculty Summit (opens in new tab), Redmond, August 2, 2004.
• A. Gordon, Secure Global Computing with XML Web Services: Theory and Practice . Lecture course at the EEF Global Computing Summer School (opens in new tab), Edinburgh, July 7-11, 2003.

Researchers

• Karthik Bhargavan, Microsoft Research
• Cédric Fournet, Microsoft Research

Interns

• Jesper Bengtson (opens in new tab), Uppsala (intern 2007)
• Ricardo Corin (opens in new tab), Twente (intern 2004)
• Sergio Maffeis (opens in new tab), Imperial (intern 2004)
• Riccardo Pucella (opens in new tab), Cornell (intern 2002 and 2003)
• Nikhil Swamy (opens in new tab), University of Maryland (intern 2006 and 2007)
• Stephen Tse (opens in new tab), U Penn (intern 2005)

Web Services and SOAP

[2006-12-26 (opens in new tab)] JSON vs XML as a data interchange format [2006-12-05 (opens in new tab)] Lucovsky announces deprecation of Google’s SOAP Search API [2006-11-16 (opens in new tab)] Amazon: utility computing power broker [2006-11-08 (opens in new tab)] WS-Policy working draft [2006-05-04 (opens in new tab)] Web Services for Management [2006-05-01 (opens in new tab)] WS-I starts on Basic Profile 1.2, Basic Profile 2.0, and Reliable Secure Profile 1.0 [2006-03-15 (opens in new tab)] Toward Converging Web Service Standards for Resources, Events, and Management [2006-02-16 (opens in new tab)] Global Grid Forum and Enterprise Grid Alliance to merge [2005-12-31 (opens in new tab)] Dilbert on Web services standards [2005-11-28 (opens in new tab)] Paul Graham on Web 2.0 [2005-10-01 (opens in new tab)] Slides from PDC 2005 [2005-09-26 (opens in new tab)] Cool poster [2005-09-12 (opens in new tab)] The LINQ Project [2005-08-22 (opens in new tab)] Sabre replacing EDI with Web Services [2005-07-29 (opens in new tab)] Garden Point Service Language GPSL [2005-07-28 (opens in new tab)] UK ETF Report on GT4 [2005-07-26 (opens in new tab)] Some EJB history from Ted Neward [2005-07-14 (opens in new tab)] IDC: Web Services Consumption to Hit Stride [2005-06-23 (opens in new tab)] Calling SOAP Servers from JS in Mozilla [2005-06-13 (opens in new tab)] OC-SOAP – SOAP client for OCaml, using CDuce [2005-06-02 (opens in new tab)] IBM, HP, CA: Management Using Web Services: A Proposed Architecture and Roadmap [2005-05-25 (opens in new tab)] ICWS 2005 advance programme [2005-05-25 (opens in new tab)] Web Services Competency Workshop in a Box [2005-04-27 (opens in new tab)] Alternative software stacks for OGSA-based grids [2005-04-16 (opens in new tab)] AJAX with J2EE [2005-02-10 (opens in new tab)] Introducing Indigo: An Early Look [2005-02-04 (opens in new tab)] Amazon Web Services in Scheme [2005-01-14 (opens in new tab)] Real World Web Services [2004-12-08 (opens in new tab)] W3C published WS-Addressing working draft [2004-12-07 (opens in new tab)] Bosworth: Web services in the 21st century [2004-12-07 (opens in new tab)] CNET: Web services patents fetch $15.5 million [2004-12-03 (opens in new tab)] Don Box: a Universal Web Service [2004-12-03 (opens in new tab)] The BPEL Book [2004-12-02 (opens in new tab)] IBM CICS to support web services [2004-11-29 (opens in new tab)] Sapir on the Personal Service Builder concept [2004-11-25 (opens in new tab)] Web services patents for sale [2004-11-20 (opens in new tab)] Bosworth talk on Collaboration, Customization, and Communication [2004-11-18 (opens in new tab)] SoapMail refreshed for WSE2 [2004-11-16 (opens in new tab)] Five New Financial Web Services [2004-11-11 (opens in new tab)] Amazon offers WS-based message queues [2004-11-08 (opens in new tab)] WS-Coordination, WS-AtomicTransaction, and WS-BusinessActivity specs refreshed [2004-11-04 (opens in new tab)] NOAA’s National Weather Service [2004-11-01 (opens in new tab)] Interview: Keith Ballinger on WSE [2004-10-13 (opens in new tab)] LaMonica: EPL to complete with BPEL [2004-10-08 (opens in new tab)] WS-Management [2004-09-18 (opens in new tab)] Cabrera, Kurt, Box: “An Introduction to the Web Services Architecture and Its Specifications” [2004-09-15 (opens in new tab)] WS-MetadataExchange [2004-09-08 (opens in new tab)] SOAP-over-UDP [2004-09-03 (opens in new tab)] WS-Policy refreshed [2004-08-31 (opens in new tab)] WS-Eventing refreshed [2004-08-26 (opens in new tab)] W3C CR Message Transmission Optimization Mechanism (MTOM) [2004-08-24 (opens in new tab)] Amazon Web Services 4.0 [2004-08-24 (opens in new tab)] WS-I Basic Profile 1.1 [2004-08-20 (opens in new tab)] Devices Profile for Web Services refreshed [2004-08-10 (opens in new tab)] WS-Addressing submitted to W3C [2004-07-26 (opens in new tab)] Amazon: “We’ve just scratched the surface” [2004-07-06 (opens in new tab)] WSJ: “SOA and Web Services Go Mobile, Nokia-Style” [2004-06-23 (opens in new tab)] CNET: “eBay sold on web services” [2004-05-04 (opens in new tab)] Jeff Schlimmer “A Technical Introduction to the Devices Profile for Web Services” [2004-04-05 (opens in new tab)] Webber Parastatidis “Why WSDL Is Not Yet Another Object IDL” [2004-04-01 (opens in new tab)] CNET: “Services-oriented architecture gains support” [2004-04-01 (opens in new tab)] Pat Helland “Metropolis” [2004-03-30 (opens in new tab)] WS-Addressing refreshed [2004-03-09 (opens in new tab)] Reliable Messaging in a Service Oriented Architecture [2004-02-25 (opens in new tab)] CNET: “Microsoft places bet on Whitehorse” [2004-02-17 (opens in new tab)] Web Services Dynamic Discovery (WS-Discovery) Specification Released [2004-01-28 (opens in new tab)] Coordinating Web Services Activities with WS-Coordination, WS-AtomicTransaction, and WS-BusinessActivity [2004-01-20 (opens in new tab)] CNET: “Web services shakeout looming” [2004-01-20 (opens in new tab)] Globus: “The WS-Resource Framework” [2004-01-14 (opens in new tab)] Bob Sutor: “A Web services wish list” [2004-01-07 (opens in new tab)] Forrester: “Ten tips for killer Web services” [2004-01-06 (opens in new tab)] WS-Eventing: allows services to subscribe to or accept subscriptions for event notification messages [2003-12-31 (opens in new tab)] CNET: “Web Services: 2003 in Review” [2003-12-22 (opens in new tab)] BusinessWeek: “Reprogramming Amazon” [2003-12-19 (opens in new tab)] CNET: “Amazon–the Web Services bellwether” [2003-12-08 (opens in new tab)] CNET: “CA enters Web services management” [2003-11-20 (opens in new tab)] MS & HP: slides for Gartner Application and Integration Conference [2003-11-18 (opens in new tab)] OGSI.NET 2.0 announced [2003-11-07 (opens in new tab)] MS & Vodafone: “Mobile Web Services Technical Roadmap” [2003-10-28 (opens in new tab)] MIT ShuttleTrack web service [2003-10-27 (opens in new tab)] Don Box: “A Guide to Developing and Running Connected Systems with Indigo” [2003-10-01 (opens in new tab)] CACM 46(10) “Service Oriented Computing” [2003-09-30 (opens in new tab)] Hao He: “What is Service-Oriented Architecture?” [2003-09-24 (opens in new tab)] SOAP interface to microsoft.com [2003-08-26 (opens in new tab)] Werner Vogels “Web Services are not Distributed Objects: Common Misconceptions about Service Oriented Architectures” [2003-08-12 (opens in new tab)] Savas Parastatidis et al: “A Grid Application Framework based on Web Services Specifications and Practices (v1.0)” [2003-07-10 (opens in new tab)] Applied XML Developers Conference 2003 West [2003-07-10 (opens in new tab)] Panel: “Bill of Rights for Web Services” [2003-06-24 (opens in new tab)] W3C: SOAP Version 1.2 [2003-06-17 (opens in new tab)] WS-I testing tools for conformance to BP 1.0 [2003-06-09 (opens in new tab)] Hull Benedikt Christophides Su “E-Services: A Look Behind the Curtain” [2003-05-22 (opens in new tab)] CNET: Amazon updates Web services tool [2003-05-08 (opens in new tab)] CNET: W3C brushes up SOAP standard [2003-04-01 (opens in new tab)] Yasser Shohoud: “RPC/Literal and Freedom of Choice” [2003-03-01 (opens in new tab)] ACM Queue: “A Conversation with Adam Bosworth” [2003-02-26 (opens in new tab)] Frank Leymann: BTW2003 keynote [2003-02-05 (opens in new tab)] Fifth Birthday of XML [2002-08-26 (opens in new tab)] Serge Abiteboul: EDBT lectures [2002-07-15 (opens in new tab)] W3C: WSDL Version 1.2 [2002-06-06 (opens in new tab)] W3C: Web Service Description Usage Scenarios [2002-05-20 (opens in new tab)] Sahai Graupner Kim “The Unfolding of the Web Services Paradigm ” [2002-04-30 (opens in new tab)] Sam Ruby: “Google’s Genius” (on using SOAP) [2002-04-18 (opens in new tab)] xmlhack: “Amazon goes REST, Google goes SOAP” [2001-04-04 (opens in new tab)] Don Box: “A Brief History of SOAP” [2000-10-01 (opens in new tab)] Steve Burbeck: “The Tao of e-business services” [2000-03-01 (opens in new tab)] Don Box: “A Young Person’s Guide to SOAP” [1999-09-25 (opens in new tab)] Dave Winer: “Dave’s History of SOAP” [1998-02-27 (opens in new tab)] Dave Winer: “RPC over HTTP via XML”

Web Services Security

[2006-09-06 (opens in new tab)] Invoking WSE 3.0 Secure Web Services from Windows Workflow Foundation [2006-06-19 (opens in new tab)] Windows Live ID [2006-02-26 (opens in new tab)] IBM/Novell pursuing Higgins Project as response to InfoCard [2006-02-20 (opens in new tab)] OASIS members approve WS-Security 1.1 [2006-02-20 (opens in new tab)] Security for REST Web Services [2006-02-16 (opens in new tab)] CA address web services security [2006-01-23 (opens in new tab)] WS authorization [2006-01-17 (opens in new tab)] Policies in WSE3 [2006-01-09 (opens in new tab)] Burton: Put Web services security on front burner [2005-12-22 (opens in new tab)] PingSTS – An Early Preview [2005-12-20 (opens in new tab)] Ping Identity has WS-Federation toolkit for Apache [2005-12-14 (opens in new tab)] Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0 [2005-11-03 (opens in new tab)] Sessions: Objects, Components, Web Services [2005-10-26 (opens in new tab)] OASIS WS Secure Exchange TC formed [2005-10-05 (opens in new tab)] WSE 3.0 October CTP released [2005-09-22 (opens in new tab)] Kenai announce eXamineXT test tool for web services security [2005-09-09 (opens in new tab)] MSN search APIs: can MS out-Google Google? [2005-09-06 (opens in new tab)] IBM: securing SO apps [2005-08-01 (opens in new tab)] Stamos/Stender: Attacking Web Services, Blackhat 2005 [2005-07-26 (opens in new tab)] Black Hat edition of OWASP Guide [2005-07-26 (opens in new tab)] Enterprise Grid Alliance identifies grid security risks [2005-07-14 (opens in new tab)] Trust, SecureConversation, SecurityPolicy submitted to OASIS [2005-07-13 (opens in new tab)] WS-SecurityPolicy (July 2005, version 1.1) [2005-07-11 (opens in new tab)] DOS attack on web service [2005-07-11 (opens in new tab)] Pen Test Tool – WSDigger [2005-06-27 (opens in new tab)] RSS security? [2005-06-16 (opens in new tab)] Securing Web Services with mod_security [2005-06-10 (opens in new tab)] Vulnerability assessment tool for web services [2005-06-03 (opens in new tab)] Microsoft WS-I Basic Security Profile 1.0 Sample Application [2005-06-03 (opens in new tab)] WSE 3.0 June CTP [2005-06-01 (opens in new tab)] UIUC AMPol project for web services security [2005-05-13 (opens in new tab)] Web Single Sign-On Interoperability Profile [2005-05-12 (opens in new tab)] Kim Cameron “Laws of Identity” [2005-05-12 (opens in new tab)] Microsoft Identity Metasystem [2005-05-05 (opens in new tab)] DIMACS Workshop on Security of Web Services and E-Commerce [2005-04-30 (opens in new tab)] Vittorio Bertocci’s visual notation for WS-Security [2005-04-12 (opens in new tab)] Liberty releases interfaces for ID-based web services [2005-03-28 (opens in new tab)] Cisco planning XML device [2005-03-18 (opens in new tab)] Routing Secured SOAP Messages Through Multiple SOAP Intermediaries Using WSE 2.0 [2005-03-15 (opens in new tab)] OASIS ratifies long-awaited SAML 2.0 [2005-02-28 (opens in new tab)] WS-SecureConversation refreshed [2005-02-28 (opens in new tab)] WS-Trust refreshed [2005-02-26 (opens in new tab)] SOAP is dead? [2005-02-17 (opens in new tab)] XML Security Comes to the Fore at RSA [2005-02-11 (opens in new tab)] Liberty Alliance Releases Second Version of Web Services Framework Specifications [2005-01-31 (opens in new tab)] Securing the Username Token with WSE 2.0 [2004-12-24 (opens in new tab)] Putting Policy in Charge [2004-12-06 (opens in new tab)] OMII releases a web service infrastructure for building grid applications [2004-12-05 (opens in new tab)] Sxip Networks: Reinventing Digital Identity [2004-12-03 (opens in new tab)] WSE 2.0 SP2 Golden [2004-10-05 (opens in new tab)] WS-SecureConversation/WS-Trust Interop Workshop [2004-09-17 (opens in new tab)] SOAP inspection / tampering tools [2004-09-15 (opens in new tab)] Nadalin: “WS-Security changing Web services landscape” ” [2004-09-02 (opens in new tab)] ZDNet: “XML Web services security best practices” [2004-08-23 (opens in new tab)] DDJ: “Web Services Ad Hoc Firewalls” [2004-08-18 (opens in new tab)] Demchenko: “White collar” Attacks on Web Services and Grids [2004-08-13 (opens in new tab)] New OASIS WSS TC draft profiles (SAML, REL, SwA, Kerberos, Minimalist) [2004-08-01 (opens in new tab)] Don Smith: “WS-Security Drilldown in Web Services Enhancements 2.0” [2004-07-21 (opens in new tab)] Kirk Allen Evans: “Using WSE 2.0 to Enable Interoperable Kerberos Authentication” [2004-07-20 (opens in new tab)] O’Neill: “XML and Web Services: Are We Secure Yet?” [2004-07-19 (opens in new tab)] eWeek: XML firewalls [2004-07-15 (opens in new tab)] Web Services Firewall Forum XWall Released [2004-07-14 (opens in new tab)] InternetNews: “Prevent a Web Services Insecurity Complex” [2004-07-02 (opens in new tab)] ZapThink: “Implementing Secure Web Services in B2B Environments” [2004-06-24 (opens in new tab)] Simon Johnston on model-driven security for SOA [2004-06-19 (opens in new tab)] OWASP AppSec 2004 [2004-05-25 (opens in new tab)] Bustamante: “Behold WSE 2.0: Removing Another Layer of WS-Pain” [2004-05-24 (opens in new tab)] SOAP features added to MS ISA firewall [2004-05-03 (opens in new tab)] PayPal releases Web Services APIs [2004-05-01 (opens in new tab)] Forum XWALL for MS ISA Server datasheet [2004-04-07 (opens in new tab)] OASIS Standardizes WS-Security [2004-03-29 (opens in new tab)] CNET: “Extra headaches of securing XML” [2004-03-11 (opens in new tab)] Teros: hardware support for WS-Security [2004-02-25 (opens in new tab)] WS-I Publishes Web Services Security Interoperability Guidelines [2004-02-17 (opens in new tab)] Line56: “Web Services Vulnerabilities” [2004-01-29 (opens in new tab)] Panel at CMU West: “Web Services Security” [2004-01-27 (opens in new tab)] OWASP Top Ten Vulnerabilities for 2004 [2004-01-19 (opens in new tab)] Draft: Web Services Security: SOAP Message Security 1.0 [2004-01-04 (opens in new tab)] ZapThink: “A Guide to Securing XML and Web Services” [2003-12-19 (opens in new tab)] Web Services Security Kerberos Binding published [2003-11-26 (opens in new tab)] eWeek: “Free Tools Speed Web-Services Security” [2003-11-24 (opens in new tab)] NeSC: “Practical security for e-Science projects” [2003-11-20 (opens in new tab)] WS-Trust/WS-SecureConversation Interop Workshop [2003-11-18 (opens in new tab)] Faust: “SOAP Web Services Attacks – Introduction and Simple Injection” [2003-11-13 (opens in new tab)] WS-Security from a SmartPhone [2003-11-12 (opens in new tab)] CNET: “Liberty Alliance debuts new standard” [2003-10-31 (opens in new tab)] 2003 ACM Workshop on XML Security [2003-10-01] Xiong, Helander, Forin, Yuval “Secure Invisible Computing” [2003-09-17 (opens in new tab)] CNET: “Microsoft, IBM push Web services advances” [2003-09-17 (opens in new tab)] IBM & MS: “Secure, Reliable, Transacted Web Services: Architecture and Composition” [2003-09-10 (opens in new tab)] Forrester: “Web services standards to converge” [2003-08-27 (opens in new tab)] OASIS: SOAP Message Security, Working Draft 17 [2003-07-16 (opens in new tab)] CNET: “Microsoft bolsters Web services security” [2003-07-10 (opens in new tab)] IBM & MS: “Federation of Identities in a Web Services World” [2003-05-03 (opens in new tab)] CNET: “Passport to get Web services stamp” [2003-02-05 (opens in new tab)] CNET: “Security key goal for Web services group” [2003-01-13 (opens in new tab)] MSDN: “Securing Web Services with ISA Server” [2003-01-13 (opens in new tab)] OWASP: “The Top Ten Web Application Security Vulnerabilities” [2003-01-01 (opens in new tab)] White, Chon: “Wide Open on Port 80” [2002-12-16 (opens in new tab)] InfoWorld: “Microsoft highlights security in Web services development pack” [2002-12-11 (opens in new tab)] CNET: “XML encryption specs approved” [2002-11-22 (opens in new tab)] 2002 ACM Workshop on XML Security [2002-10-15 (opens in new tab)] Netegrity minding the Web services security store [2002-05-16 (opens in new tab)] Slashdot: “XML Web Services & Security” [2002-04-07 (opens in new tab)] IBM & MS: “Security in a Web Services World” [2002-03-16 (opens in new tab)] Paul Prescod: “Some thoughts about SOAP versus REST on Security” [2001-12-28 (opens in new tab)] Phrack: “RPC without borders (surfing USA …)” [2000-06-29 (opens in new tab)] SOAP: “The future or a security nightmare” [2000-06-15 (opens in new tab)] Bruce Schneier: “SOAP”

• Andy’s Aggregate of WS Blogs (opens in new tab)
• securewebservices.org (opens in new tab)

• WSE Wiki (opens in new tab)
• CNET: “GetUpToSpeed – Web Services” (opens in new tab)
• Christian Geuer-Pollmann: Web Services Security Page (opens in new tab)
• Flash-DB Web Services Directory (opens in new tab)
• Google Directory: Web Services (opens in new tab)
• GotDotNet Web Services (opens in new tab)
• Listmania! Build Applications with Amazon.com Web Services (opens in new tab)
• MSDN Web Services Security Specifications Index Page (opens in new tab)
• MSDN: Web Services Developer Centre (opens in new tab)
• MSDN: Web Services Protocol Workshops (opens in new tab)
• OASIS Web Services Security TC (opens in new tab)
• O’Reilly Web Services (opens in new tab)
• Security Focus: Web Application Security (opens in new tab)
• Web Services Interoperability Organization (opens in new tab)
• Xmethods: Publicly available web services (opens in new tab)
• ZapThink (opens in new tab)