Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


patterns & practices Developer Center

Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0

Microsoft Corporation

December 2005


Foreword by Alex Stamos and Scott Stender

As consultants for iSEC Partners, we have helped our customers develop and deploy Web service-based systems in environments that range from financial services to health care, and have helped multiple industry-leading independent software vendors integrate Web services into their products. We have shared our experience of testing and deploying secure Web services in multiple speaking opportunities, including in academic settings, at OWASP chapter and national meetings, and at conferences including SyScan and BlackHat.

In almost every presentation we have given, we are asked how to protect against security risks in a Web services world, and where developers can look for advice on writing secure Web services. Unfortunately, quality content and guidance have been hard to find.

The content provided by Microsoft's patterns & practices team addresses this dire need. The design and implementation guidance will help developers identify application-level security risks in their Web service deployments and implement standard practices to mitigate those risks. We recommend that Web service developers, particularly those using the .NET Framework, review this content and implement its suggestions to help improve security in an increasingly interconnected world. The design and implementation guidance provided in this guide increases understanding of this complex space, and should prove of significant use in the Web service development lifecycle.

Alex Stamos and Scott Stender
Founding Partners
iSEC Partners
November 2005

Alex Stamos is a founding partner of iSEC Partners, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in enterprise application security and has taught multiple classes in network and application security. Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake, performing advanced application security research and consulting. Alex has also run security for a large managed services company and has worked at a DoE national laboratory. He holds a BSEE from the University of California, Berkeley. Alex can be reached at

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting. Prior to helping form iSEC Partners, Scott specialized in application security consulting with @stake. In his research, Scott focuses on secure software engineering methodology and security analysis of core technologies. Most recently, Scott was published in the January-February 2005 issue of IEEE Security & Privacy, where he co-authored a paper entitled Software Penetration Testing and presented on Attacking Web Services at BlackHat USA 2005. He holds a BS in Computer Engineering from the University of Notre Dame. Scott can be reached at

Foreword by Rudolph Araujo

Web services have, for a few years now, promised to be the future of the Internet and the World Wide Web. The ability to build rich federated environments that enable complex business-to-business scenarios and allow organizations to expose powerful line-of-business applications is tremendously exciting. All of this is possible using existing IT assets and investments and by adhering to universal standards that allow for interoperability between disparate technology solutions. With all that potential, the question often raised is why Web services have continued to remain on the "brink of deployment" in many organizations for so long.

In talking to many organizations, I have found that one of the biggest stumbling blocks tends to be the lack of a clear understanding of what it means to securely build and deploy a Web service, and create these truly federated scenarios. Customers complain about information overload with the host of three letter *ML acronyms and WS-* based standards. While a lot of these have been documented by various industry-wide bodies, little or no effort has been made in educating the practitioners in the thick of the battle – the architects, developers and testers building applications – about what they have to offer, how to use them and the tradeoffs and concerns to bear in mind while making design and implementation decisions.

Having been involved in this project right from the start as a technical reviewer, I believe that the Web Services Security guide from the patterns & practices group at Microsoft fills just this void. By providing accurate, timely, and relevant information, this guidance plays a crucial role in making some of the WS-Security standards easier to understand and thus allowing for an increase in the adoption and deployment of Web services. Further, by providing detailed but easy-to-comprehend explanations of the underlying protocols, such as Kerberos, the authors have ensured that even readers with a limited background in security will have adequate information and pointers, helping them gain valuable insights into this field.

Security personnel reading this guidance should focus on planning deployment scenarios based on the architectural and design patterns. The common scenario-driven approach can prove to be of special value and relevance for this use case. On the other hand, developers are well advised to focus on the implementation patterns and technical supplements, which will introduce them to the topics and help them obtain a clear idea of the correct choices to make when faced with similar decisions in their own environments.

Rudolph Araujo
Principal Software Security Consultant
Foundstone Professional Services
November 2005

Rudolph Araujo is a Principal Software Security Consultant and trainer at Foundstone where he is responsible for creating and delivering the threat modeling and security code review service lines. He is also responsible for content creation and training delivery for Foundstone's Building Secure Software and Writing Secure Code – ASP.NET class. Rudolph has many years of software development experience on both UNIX and Windows environments in C/C++ and C#. Prior to Foundstone, Rudolph led the checks development team for BindView bv-Control for Internet Security - a vulnerability assessment product and was a software developer at Morgan Stanley. Rudolph's research interests also span the domain of Web service security and reliability. Rudolph holds a Masters Degree from Carnegie Mellon University with a focus on computer security and is the developer of Foundstone's .NET Security Toolkit, SSLDigger and Hacme Bank tools. Rudolph is also a Microsoft Visual Developer–Security MVP and a contributor to multiple journals such as Software Magazine where he writes a column on software security.


Foundstone Professional Services, a division of McAfee, offers a unique combination of services and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone helps organizations design and engineer secure software. Foundstone's services include source code audits, software design and architecture reviews, threat modeling and Web application penetration testing. For more information about Foundstone S3i services and training, go to
