
SOA, Web Services, and XML Security

Course Objectives: Understand the real risks in SOA, Web Services, and XML, not just the hype:

  • What standards there are to help and how to use them
  • Where standards don't help

After completing this class, you should be able to:

  • Architect security services in Web Services and SOA
  • Understand how an attacker looks at Web Services
  • Use best practices

Training is available as private (on or off site) and public sessions. New: Public training sessions starting March 2007 in Chicago, Boston, NYC, LA, San Jose, and DC in conjunction with Aspect Security. Dates, details, and registration information for public training is here.

SOA, Web Services, and XML Security - One Day

The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application code, web servers, databases, application servers, identity servers, and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!


Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

  • Web Services attack patterns
  • Common XML attack patterns
  • Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
  • Identity services and federation with SAML and Liberty
  • Hardening Web Services servers
  • Input validation for Web Services
  • Integrating Web Services securely with backend resources and applications using WS-Trust
  • Secure Exception handling in Web Services
  • The impact of Web 2.0 technologies like Ajax and REST on distributed systems security

Requesting Training

Training is either full or half day. Training may include up to 30 participants. Courses may be held at client site, or off site. To discuss pricing, availability, and other training questions, mail

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchange, healthcare, manufacturing, and insurance systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences.


"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas.  This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Good comprehensive overview of subject, standards, and threats"
- Sr. Security Consultant, Ubizen

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant, Contextis

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

Workshop 2 - Collaboration in a Secure Development Process (Full and 1/2 day sessions)
Target Audience: security personnel, developers, architects, business analysts, and managers
Building more secure software means proactive collaboration in the development lifecycle through leveraging existing artifacts and creating security-centric artifacts. This session focuses on pragmatic techniques to articulate security goals in commonly used artifacts such as Use Cases, Unit Tests, Test Cases, and Software Architecture documents. The session further examines secure coding principles and security-centric artifacts and activities in a series of hands-on exercises dealing with Threat Models and Abuse Cases. Workshop participants learn techniques and abilities that allow them to improve their enterprise's software security.

Workshop 3 - Know Your Threats: Threat Modeling (Full and 1/2 day sessions)
Target Audience: security personnel, developers, and architects
This session focuses on the specific discipline of Threat Modeling. The chief value of threat models is to identify and prioritize threats to the systems and assets so that countermeasures and security mechanisms can be architected that make the system resilient. This session includes hands-on examples of using threat modeling for distributed systems to build a secure architecture. Workshop participants learn how to identify and model threats using a variety of industry standard models, and how to deploy threat models in the software development process to drive architecture, testing, and coding.

Copyright © 2005-7 Arctec Group, LLC All Rights Reserved