Service Security Revisited

Developing contemporary software architectures requires the consideration and adoption of the Service-oriented Architecture (SOA) principles. Distributed applications are a very common domain in which SOA guides design decisions in particular. For a long time, SOAP and its related stack of standards have been the only technological choice for implementing SOA-based systems. With the increased adoption of the REST concept, an alternative to SOAP is gaining traction. Security considerations have been part of the SOAP-based standardization work since the very beginning. As a result, a mature and comprehensive set of security-related standards is available for building SOAP-based service systems. REST-ful service systems, however, cannot take advantage of such a fully developed security framework yet. This paper therefore revisits the SOAP-based web services security stack in order to identify commonalities, differences and gaps in the security available for REST-ful services. From these findings a desired REST-ful web services security stack is proposed together with related research, development and standardization challenges.