Scott Densmore leaves patterns & practices

I just noticed that Scott has posted his obituary on his blog. He leaves PAG and joins another team within Microsoft… Take a look at for more information… The good news is that over the last couple of years p&p has built an awesome dev team with the likes of Pete Provost and Brad Wilson…


Web service security – Threats and Countermeasures – Part 2 : Message Replay Protection

Threats: Messages may traverse untrusted intermediaries on an insecure network – any of whom could capture the message and resend the message to the service. A replayed message will often cause data inconsistencies (especially true of update operations). Vulnerabilities: Limited support for preventing replayed messages. Many replay caches do not support web farms – meaning that…


Web service security – Threats and Countermeasures – Introduction

I am starting a series of entries that aim to provide an overview of major threats related to web service security. My goal is to not only inform people of what some major threats are but also stimulate some discussion and pointers to other threats that people consider interesting. Before I start I have created…


Web service security – Threats and Countermeasures – Part 1 : Message Protection – Integrity and Confidentiality

Threats: Network eavesdropping leads to disclosure of confidential information. An attacker manipulates a message in transit, influencing the service’s behavior. Vulnerabilities: Lack of end to end encryption when sending SOAP messages. Lack of a digital signature to verify authenticity of a SOAP message. Countermeasures: Message Protection Design Patterns: Data Origin Authentication – See Data…


Everything you ever wanted to know about the Web service security UsernameToken

I am still getting used to the blogging tool – so figured I would try out creating an article. Knocked this little beauty up on UsernameTokens as I know that is something that has caused a lot of confusion in the past.


Web Service Security UsernameToken Primer

Challenge: A subject that I still see a lot of misunderstanding around is how best to use the UsernameToken when using a user id and password as the basis of authentication for a Web service. Recommendations: First and foremost, ensure you are protecting password information in the database – preferably by hashing and salting the…


Web service security: Scenarios, Patterns and Implementations is live

The timing couldn’t have worked out any better if we had tried. We presented our Web Service Security : Scenarios, Patterns and Implementations guide for the first time ever at the patterns & practices summit today – and I just received word that the content has just gone live on MSDN. So, if you…


Introduction, Integration and Securing Web Services Part 3

Alright, as I promised this is the third part of the summary describing what we are currently working on to help people developing distributed applications using Web services using WSE 3.0. This time we are going to drill down into the Security Token Service quickstart that I mentioned before. Web Service Security: Scenarios, Patterns and Implementations…


Help us to help you build mission-critical connected systems

Not sure if you have read Don’s blog yet ( but just in case you haven’t this is your opportunity to influence what guidance our team focuses on for the next 6 – 9 months. We have put together a comprehensive survey to better understand the technical challenges that you and your organization would like…


Introduction, Integration and Securing Web Services Part 2

It is Tuesday morning just one day before Thanksgiving. Lent my friend my car as his was in an accident and just realized the keys to my office were on the key ring. So I am now sitting in a corridor waiting for MS security to let me in. So figured it was a perfect…