Security Controls Applied to Web Service Architectures

Security certification assesses the security posture of a software system to verify its compliance with diverse, pre-specified security controls identified by guidelines from NIST and the US Department of Defense. Service-oriented architectures (SOA) are difficult to certify because they require compliance verification over a mix of local, global, and interaction criteria dictated by the policies of the participating services and SOA governance. Web services further contribute to this difficulty because they lack direct methods to express security controls. Besides being understandable, the method of expression should indicate potential problems complying with chosen services. This paper presents a method for configuring of web service standards to enforce security requirements on service interaction specification documents within a SOA. The outcome serves as a mechanism to direct the population of constraints derived from security controls within standards specification documents, such as WSPolicy. We focus on security controls for auditing and how these can be enforced in an SOA. We introduce a reusable architecture to notate the comparison of security controls across services.