A solution implemented at Simon Fraser University to use CAS proxy tickets to provide authorization to web services from thick client web applications.

1. Securing Web Services
Solving the Web Services Security Problem with an XML Gateway
June 2010

2. About Us
IT Services - Jeremy Rosenberg / Steve Hillman

3. • Jeremy Rosenberg
Developer in IT services since 2004
Identity management strategy
Java Developer
About Us
IT Services - Jeremy Rosenberg / Steve Hillman

4. • Jeremy Rosenberg
Developer in IT services since 2004
Identity management strategy
Java Developer
• Steve Hillman
IT Architect
With IT Services since 1987
Unix infrastructure
About Us
IT Services - Jeremy Rosenberg / Steve Hillman

5. About SFU
IT Services - Jeremy Rosenberg / Steve Hillman

6. • Named after famous explorer
Simon Fraser
1776 -1862
About SFU
IT Services - Jeremy Rosenberg / Steve Hillman

7. • Named after famous explorer
• Opened on September 9, 1965
Simon Fraser
1776 -1862
About SFU
IT Services - Jeremy Rosenberg / Steve Hillman

8. • Named after famous explorer
• Opened on September 9, 1965
• One University - Three campuses
• Burnaby
• Surrey
• Vancouver
Simon Fraser
1776 -1862
About SFU
IT Services - Jeremy Rosenberg / Steve Hillman

9. • Named after famous explorer
• Opened on September 9, 1965
• One University - Three campuses
• Burnaby
• Surrey
• Vancouver
• 32,000 students
• 900 faculty
• 1600 staff
• 100,000 alumni
Simon Fraser
1776 -1862
About SFU
IT Services - Jeremy Rosenberg / Steve Hillman

10. About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

11. • Definitions
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

12. • Definitions
• XML Security Challenges
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

13. • Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML
Gateway
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

14. • Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML
Gateway
• Why we chose SecureSpan
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

15. • Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML
Gateway
• Why we chose SecureSpan
• A little about Public Keys
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

16. • Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML
Gateway
• Why we chose SecureSpan
• A little about Public Keys
• Walkthroughs
• SOAP
• REST
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

17. • Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML
Gateway
• Why we chose SecureSpan
• A little about Public Keys
• Walkthroughs
• SOAP
• REST
• Questions
About This Presentation
IT Services - Jeremy Rosenberg / Steve Hillman

18. •First, A Few
Definitions
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

19. Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

20. Web Service:
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

21. Web Service:
• An API to a remote procedure
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

22. Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

23. Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
• Machine-to-machine communications
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

24. Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
• Machine-to-machine communications
• Allows data source to be loosely coupled to
applications
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

25. Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
• Machine-to-machine communications
• Allows data source to be loosely coupled to
applications
• Makes systems reusable
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

26. Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
• Machine-to-machine communications
• Allows data source to be loosely coupled to
applications
• Makes systems reusable
• Very popular with Twitter, Facebook, Amazon, etc
Definitions
IT Services - Jeremy Rosenberg / Steve Hillman

27. Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

28. •SOAP:
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

29. •SOAP:
• XML Message passing protocol
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

30. •SOAP:
• XML Message passing protocol
• Numerous ‘WS-’ standards
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

31. •SOAP:
• XML Message passing protocol
• Numerous ‘WS-’ standards
• Associated with “Big” Web Services
• Most vendor SOA solutions use
SOAP
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

32. Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

33. •REST:
• URL-addressable objects
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

34. •REST:
• URL-addressable objects
• “http://maps.google.com/maps/api/geocode/xml?
address=Memorial+University,+NL,+CA”
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

35. •REST:
• URL-addressable objects
• “http://maps.google.com/maps/api/geocode/xml?
address=Memorial+University,+NL,+CA”
• Accessed and manipulated with standard HTTP
GET/POST/PUT/DELETE
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

36. •REST:
• URL-addressable objects
• “http://maps.google.com/maps/api/geocode/xml?
address=Memorial+University,+NL,+CA”
• Accessed and manipulated with standard HTTP
GET/POST/PUT/DELETE
• Lightweight client requirements
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

37. •REST:
• URL-addressable objects
• “http://maps.google.com/maps/api/geocode/xml?
address=Memorial+University,+NL,+CA”
• Accessed and manipulated with standard HTTP
GET/POST/PUT/DELETE
• Lightweight client requirements
• Stateless (every request is self-contained)
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

38. •REST:
• URL-addressable objects
• “http://maps.google.com/maps/api/geocode/xml?
address=Memorial+University,+NL,+CA”
• Accessed and manipulated with standard HTTP
GET/POST/PUT/DELETE
• Lightweight client requirements
• Stateless (every request is self-contained)
• WS- standards are less mature
Definitions - SOAP vs REST
IT Services - Jeremy Rosenberg / Steve Hillman

39. !
•Web Services Security Challenges
“Put out an A.P.B. on a donut, believed sprinkled.”
IT Services - Jeremy Rosenberg / Steve Hillman

40. Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

41. • Web Services can communicate over many transport protocols
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

42. • Web Services can communicate over many transport protocols
• Commonly accessed over web protocols like HTTP
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

43. • Web Services can communicate over many transport protocols
• Commonly accessed over web protocols like HTTP
• Easy for Web services to bypass traditional firewalls
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

44. • Web Services can communicate over many transport protocols
• Commonly accessed over web protocols like HTTP
• Easy for Web services to bypass traditional firewalls
XML
HTTP
XML
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

45. Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

46. •
XML-based messages can be deliberately
or inadvertently malformed
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

47. •
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

48. •
•
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Creates new XML threats and
vulnerabilities. E.g:
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

49. •
•
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Creates new XML threats and
vulnerabilities. E.g:
• XML parameter tampering
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

50. •
•
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Creates new XML threats and
vulnerabilities. E.g:
• XML parameter tampering
• XDoS Attacks
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

51. •
•
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Creates new XML threats and
vulnerabilities. E.g:
• XML parameter tampering
• XDoS Attacks
• Message Replay
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

52. •
•
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Creates new XML threats and
vulnerabilities. E.g:
• XML parameter tampering
• XDoS Attacks
• Message Replay
• Oversized/overdeep XML nodes
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

53. •
•
•
XML-based messages can be deliberately
or inadvertently malformed
Causes parser or applications to break
Creates new XML threats and
vulnerabilities. E.g:
• XML parameter tampering
• XDoS Attacks
• Message Replay
• Oversized/overdeep XML nodes
• Code injection
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

54. Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

55. •
Transactions are principally machine-to-machine
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

56. •
•
Transactions are principally machine-to-machine
New thinking around machine-to-machine credentialing
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

57. •
•
•
Transactions are principally machine-to-machine
New thinking around machine-to-machine credentialing
Login pages won’t work
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

58. Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

59. • Services and clients must agree on security parameters
• crypto preferences
• standards support
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

60. • Services and clients must agree on security parameters
• crypto preferences
• standards support
• Need for new kinds of policy coordination
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

61. • Services and clients must agree on security parameters
• crypto preferences
• standards support
• Need for new kinds of policy coordination
• Incompatibilities have unforeseen consequences
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

62. Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

63. • Web services enable multi-hop composite applications
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

64. • Web services enable multi-hop composite applications
• Example: Student on boarding process
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

65. • Web services enable multi-hop composite applications
• Example: Student on boarding process
• Message level security and audit that can span multihop SOA transactions end-to-end
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

66. Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

67. Web services expose business functionality through open
APIs, requiring new application-aware security measures.
Web Services Security Challenges
IT Services - Jeremy Rosenberg / Steve Hillman

68. SecureSpan XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

69. •
Enter the XML Gateway
SecureSpan XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

70. SecureSpan XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

71. XML Gateway - What it does
IT Services - Jeremy Rosenberg / Steve Hillman

72. • Parses all Inbound and outbound XML messages
XML Gateway - What it does
IT Services - Jeremy Rosenberg / Steve Hillman

73. • Parses all Inbound and outbound XML messages
• Inspection and modification of XML messages
XML Gateway - What it does
IT Services - Jeremy Rosenberg / Steve Hillman

74. • Parses all Inbound and outbound XML messages
• Inspection and modification of XML messages
• Replace “Username” value in inbound XML message
with value extracted from client certificate
• Prevent spoofing
XML Gateway - What it does
IT Services - Jeremy Rosenberg / Steve Hillman

75. • Parses all Inbound and outbound XML messages
• Inspection and modification of XML messages
• Replace “Username” value in inbound XML message
with value extracted from client certificate
• Prevent spoofing
• Blank-out Student Number value in outbound XML
messages
• Prevent accidental leakage of confidential info
XML Gateway - What it does
IT Services - Jeremy Rosenberg / Steve Hillman

76. XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

77. • Thwart attacks
XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

78. • Thwart attacks
• Prevent malicious and inadvertent XML attacks
XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

79. • Thwart attacks
• Prevent malicious and inadvertent XML attacks
• Prevent other not-so-obvious application-level
attacks - e.g. SQL injection.
• Are you sure every one of your developers
sanitizes their inputs?
XML Gateway
IT Services - Jeremy Rosenberg / Steve Hillman

80. Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

81. • Single point-of-entry for Web Services means:
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

82. • Single point-of-entry for Web Services means:
• Do rate-control/throttling/queueing to enforce SLAs
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

83. • Single point-of-entry for Web Services means:
• Do rate-control/throttling/queueing to enforce SLAs
• Standardized logging of all access
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

84. • Single point-of-entry for Web Services means:
• Do rate-control/throttling/queueing to enforce SLAs
• Standardized logging of all access
• Auditing
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

85. • Single point-of-entry for Web Services means:
• Do rate-control/throttling/queueing to enforce SLAs
• Standardized logging of all access
• Auditing
• Centrally enforced policies
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

86. • Single point-of-entry for Web Services means:
• Do rate-control/throttling/queueing to enforce SLAs
• Standardized logging of all access
• Auditing
• Centrally enforced policies
• Reusable rich set of authentication mechanisms
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

87. • Single point-of-entry for Web Services means:
• Do rate-control/throttling/queueing to enforce SLAs
• Standardized logging of all access
• Auditing
• Centrally enforced policies
• Reusable rich set of authentication mechanisms
• Managed by the Infrastructure team on behalf of all
Web Services development groups
Benefits
IT Services - Jeremy Rosenberg / Steve Hillman

88. Why We Chose Layer7
IT Services - Jeremy Rosenberg / Steve Hillman

89. • Industry leader in this space
Why We Chose Layer7
IT Services - Jeremy Rosenberg / Steve Hillman

90. • Industry leader in this space
• Very responsive
Why We Chose Layer7
IT Services - Jeremy Rosenberg / Steve Hillman

91. • Industry leader in this space
• Very responsive
• Available as either hard or soft appliance
Why We Chose Layer7
IT Services - Jeremy Rosenberg / Steve Hillman

92. •
•
•
•
Industry leader in this space
Very responsive
Available as either hard or soft appliance
Extensible using Java. We have Java experts.
Why We Chose Layer7
IT Services - Jeremy Rosenberg / Steve Hillman

93. •
•
•
•
•
Industry leader in this space
Very responsive
Available as either hard or soft appliance
Extensible using Java. We have Java experts.
Supports every standard known to Man
Why We Chose Layer7
IT Services - Jeremy Rosenberg / Steve Hillman

94. Standards
IT Services - Jeremy Rosenberg / Steve Hillman

95. XML 1.0
SOAP 1.2
REST
AJAX
XPath 1.0
XSLT 1.0
WSDL 1.1
XML Schema
LDAP 3.0
SAML 1.1/2.0
PKCS #10
X.509 v3 Certificates
FIPS 140-2
Kerberos
W3C XML Signature 1.0
W3C XML Encryption 1.0
SSL/TLS 3.0/1.1
SNMP
SMTP
POP3
IMAP4
HTTP/HTTPS
JMS 1.0
MQ Series
Tibco EMS
FTP
WS-Security 1.1
WS-Trust 1.0
Standards
IT Services - Jeremy Rosenberg / Steve Hillman
WS-Federation
WS-Addressing
WSSecureConversation
WS-MetadataExchange
WS-Policy
WS-SecurityPolicy
WS-PolicyAttachment
WS-SecureExchange
WSIL
WS-I
WS-I BSP
UDDI 3.0
XACML 2.0
MTOM

96. The Gateway Changes Everything
IT Services - Jeremy Rosenberg / Steve Hillman

97. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

98. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

99. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

100. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

101. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

102. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

103. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

104. SOAP Security - Cowboy Style
IT Services - Jeremy Rosenberg / Steve Hillman

105. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

106. Definitely Not a Public Key Infrastructure (DNPKI)
About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

107. Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
• “Cool we have PKI now”
About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

108. Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
• “Cool we have PKI now”
• Needed a way to manage X.509 certificates for:
• https client certificate authentication
• WS-Security Signature Authentication
About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

109. Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
• “Cool we have PKI now”
• Needed a way to manage X.509 certificates for:
• https client certificate authentication
• WS-Security Signature Authentication
• Store and push RSA public keys into LDAP
About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

110. Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
• “Cool we have PKI now”
• Needed a way to manage X.509 certificates for:
• https client certificate authentication
• WS-Security Signature Authentication
• Store and push RSA public keys into LDAP
• Ability to de-provision certificate access
About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

111. Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
• “Cool we have PKI now”
• Needed a way to manage X.509 certificates for:
• https client certificate authentication
• WS-Security Signature Authentication
• Store and push RSA public keys into LDAP
• Ability to de-provision certificate access
• Leveraged existing IdM architecture
About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

112. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

113. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

114. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

115. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

116. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

117. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

118. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

119. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

120. About DNPKI
IT Services - Jeremy Rosenberg / Steve Hillman

121. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

122. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

123. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

124. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

125. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

126. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

127. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

128. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

129. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

130. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

131. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

132. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

133. SOAP Security - Best Practices
IT Services - Jeremy Rosenberg / Steve Hillman

134. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

135. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

136. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

137. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

138. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

139. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

140. Gateway SOAP Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

141. The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

142. The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

143. The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

144. .../courses?user=me
The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

145. .../courses?user=me
The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

146. .../courses?user=notme
The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

147. .../courses?user=notme
The Zimbra Conundrum
IT Services - Jeremy Rosenberg / Steve Hillman

148. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

149. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

150. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

151. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

152. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

153. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

154. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

155. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

156. REST Security that Never Rests
IT Services - Jeremy Rosenberg / Steve Hillman

157. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

158. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

159. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

160. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

161. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

162. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

163. Gateway REST Assertions
IT Services - Jeremy Rosenberg / Steve Hillman

164. Lessons Learned
IT Services - Jeremy Rosenberg / Steve Hillman

165. • Security is an enabler
Lessons Learned
IT Services - Jeremy Rosenberg / Steve Hillman

166. • Security is an enabler
• Stick to standards where possible
Lessons Learned
IT Services - Jeremy Rosenberg / Steve Hillman

167. • Security is an enabler
• Stick to standards where possible
• A good vendor is huge
Lessons Learned
IT Services - Jeremy Rosenberg / Steve Hillman

168. • Security is an enabler
• Stick to standards where possible
• A good vendor is huge
• Start small
• Control the service and consumer
Lessons Learned
IT Services - Jeremy Rosenberg / Steve Hillman

169. • Security is an enabler
• Stick to standards where possible
• A good vendor is huge
• Start small
• Control the service and consumer
• Security can be fun!
Lessons Learned
IT Services - Jeremy Rosenberg / Steve Hillman

170. Thank You
!
rosenberg@sfu.ca!
hillman@sfu.ca
!
THANK YOU
IT Services - Jeremy Rosenberg / Steve Hillman