Don Smith : Web Service Security

WCF Security Guidance

donsmith — Tue, 01 Apr 2008 00:39:00 GMT

If you're looking for pragmatic guidace for securing your WCF services, look no further. The WCF Security project has been posting how-to documents and videos on its community site.

Now is the perfect time to give the team feedback. They aren't done yet and are completely willing, able, and even looking forward to apply your feedback so this can be the best resource on the 'net for WCF security questions.

If you want more details about the project, check out J.D.'s post before you head over to get the goods.

The first of many ARCasts on Web Service Security

donsmith — Mon, 30 Jan 2006 08:38:00 GMT

Just got the email from Ron that he's just posted an ARCast on Web service security. I'm listening to the ARCast now ... this was created from a webcast Ron, Jason, and Fred did in September titled Web Services Security Patterns (Level 300). I was supposed to be on this one, but something came up at the last minute ... so they make fun of me of course.

About 3 weeks or so ago, I got doppler and Window Media Player set up with my iRiver H10 so now I'm automatically pulling down Ron's ARCast and DotNetRocks! so I can tune in on my way to work ... and when I'm on those cool Eliptical machines in the gym. Are there are cool podcasts that .NET developers are listening to ... what about Web service or distributed application podcasts. If they're out there, please let me know.

Message Protection

donsmith — Sat, 28 Jan 2006 03:13:40 GMT

I look in the window of his office and he's banging away on the keyboard. It doesn't look like he's on disney.com or IMing with his Aussie mates - it looks like real work. A few minutes later an IM window is telling me to link to a blog entry on message protection. Okay, so it's not typical work, but it's a good thing for all of us that Jason took the time to publish it.

In his most recent article, Web service security - Threats and Countermeasures - Part 4 : Message Protection – Sign and Encrypt and Encrypt Signature!, Jason covers the threats and countermeasures associated with eavesdropping confidential information. Heck, he even provides sample messages and links to valuable resources to get more information.

Very good Jason, now get back to work :)

Jason is blogging ... woohoo!

donsmith — Mon, 21 Nov 2005 01:31:34 GMT

It's about time! Jason is the program manager on the Integration & Web Service program on the patterns & practices team (the same program I'm the product manager of). Jason is a really sharp guy and he knows a lot about Web services. I think this is going to be a really great blog. Also, now you have two places to go to find out what p&p is doing in the Web services space. We can only hope Jason will write more entries than I do ... hey, I'm trying to get better. So go check out the Hogg Blog (what a name ... haha) and read about the 3 things Jason and I (and the rest of our great team) are working on.

Prizes for best bugs

donsmith — Fri, 21 Oct 2005 21:08:04 GMT

Jason is offering prizes for the best bugs found in our October CTP release of the Web Service Security Patterns. Here are the details.

Help us find bugs in our October CTP! Compare your security knowledge with the best in the world...

As WSE 3.0 gets closer to RTM we are finalizing the testing of our guidance, our quickstarts and wrapping up the security reviews that our external security reviewers (ISecPartners, Foundstone and Infosys) are performing.

For the best 3 bugs reported I will get you a free p&p book such as Integration patterns etc. If you find a security related bug that our security SME's don't find you can select two books!

Please post to our workspace... and don't be afraid to post something that might be wrong.

I'm sure we can throw in some other swag from patterns & practices too. Heck, maybe even a shirt ... I know you could use another one of those :)

Web Service Security Patterns: October CTP Released

donsmith — Fri, 21 Oct 2005 02:38:49 GMT

I'm a couple days late with this entry, but I'd be remiss for not mentioning it at all. This release is a substantial improvement over the past releases. We added even more patterns and updated the implementation patterns to take advantage of WSE 3.0. The WSE 2.0 implementation patterns have been removed from this release. If you want to review the WSE 2.0 implementation patterns in the meantime, check out the August CTP.

The following patterns have been added since the August CTP release. These patterns have all been through the workshop process, but haven't all been through an initial editorial pass ... that's why it's a CTP ;)

Security Token Service
Message Replay Detection
Perimeter Service Router
Message Validation
Exception Shielding
Trusted Subsystem
Protocol Adapter
Delegation

If you're building secure Web services with WSE, you can't afford not to check out this content. Let me know if you have any questions or comments about it.

Web Service Security Patterns: August CTP just dropped

donsmith — Thu, 18 Aug 2005 05:39:28 GMT

Just a quick note to let you know that we just posted the August CTP release of the security patterns content to the community at http://practices.gotdotnet.com/projects/sopatterns. The biggest change from the last release is the inclusion of the Kerberos implementation pattern (that's right, how to implement the KerberosToken in WSE 2.0) and the Kerberos primer in case you need to brush up on your Kerb knowledge. Available in CHM format for your single-file, navigation, hyperlinking pleasure ;-)