OWASP - User contributions [en]

User:Subu Ramanathan

2010-04-12T22:07:45Z

Subu Ramanathan:

Subu Ramanathan is a security consultant with Security Compass. With his wide array of experience in application vulnerability assessments, penetration testing and source code review, Subu plays a valuable part in Security Compass’s Software and Enterprise Assessment Service practice. With reinforced fundamentals in software development, Subu brings to the table a sound understanding of the Software Development Life Cycles (SDLC). Subu is also involved in developing content for various JAVA and .NET based, developer focused security training courses including one offered by SANS institute.

Subu holds a Bachelors in Applied Science and Engineering (Computer Engineering) from the University of Toronto.

* To see my wiki contributions, [[:Special:Contributions/Subu Ramanathan|click here]].
* [mailto:subu(at)securitycompass.com Email address].

Category:OWASP Web Services Security Project

2009-09-01T15:50:36Z

Subu Ramanathan: /* Project Contributors */

==== Main ====

== Introduction ==
Welcome to OWASP Web Services Security Project. This project is designed to serve as a starting point for any web services related inquiries on OWASP. Please note that this is NOT a standalone project and will draw upon relevant resources from other OWASP and external pages.

== Goals ==
The OWASP Web Services Security Project aims to include and maintain a comprehensive list of links to OWASP and external resources.

== Web Services Security ==
OWASP related Web Services links:

[1] [http://www.owasp.org/index.php/Web_Services OWASP Web Services] - A comprehensive introduction to Web Services.

[2] [http://www.owasp.org/index.php/Theres_More_to_Securing_Web_Services_Systems_Than_WS-Security There is More to Securing Web Services Systems Than WS Security] - Insightful page on Web Services Security.

[3] [http://www.owasp.org/index.php/.NET_Web_Service_Validation .NET Web Service Validation] - .NET approach to validating Web Services.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:Subu Ramanathan| Subu Ramanathan]]
* [[User:skazerooni| Sahba Kazerooni]]

==== Web Services Standards ====

== OWASP Web Services Standards Links ==

[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Guide Project] - A comprehensive development guide on building secure Web Service Applications.

== External Web Services Standards Links ==

''This section of the page needs to be updated''

==== Web Services Tools ====

== OWASP Web Services Tools ==
[http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project WSFuzzer]

[http://www.owasp.org/index.php/Category:OWASP_Interceptor_Project Interceptor]

== External Web Services Tools ==

''This section of the page needs to be updated''

==== Testing Web Services ====

== OWASP Links ==

[http://www.owasp.org/index.php/Testing_for_Web_Services Testing Web Services] - Comprehensive OWASP Guide on Testing Web Services.

== External Links ==

''This section of the page needs to be updated''

==== Documents & Presentations ====

== OWASP Documents and Presentations ==

'''Documents Related to Web Services'''

[http://www.owasp.org/index.php/Image:Web_services_security.doc Web Services Security]

'''Presentations Related to Web Services'''

[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt InfoSec World 2007] - Web Services Gateways presentation from InfoSec World 2007.

[http://www.owasp.org/index.php/Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services] - OWASP AppSec 2005 DC presentation on Attacking Web Services by Alex Stamos.

[http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt WS Security] - OWASP AppSec 2006 Seattle presentation on Web Services Security.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Secure SOAP Requests] - OWASP AppSec 2006 EU presentation on Inline Approach for Secure SOAP Requests.

[http://www.owasp.org/index.php/image:Don’t_drop_the_SOAP_OWASP.ppt Don't Drop the SOAP]

[http://www.owasp.org/index.php/image:AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt OWASP Web Services Project] - OWASP AppSec 2005 DC presentation on the OWASP Web Services Project by Alex Smolen.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt Protecting Web Services] - OWASP AppSec 2006 EU presentation on Protesting Web Services and Applications.

== External Documents & Presentations ==

''This section of the page needs to be updated''

==== OLD_PAGE ====
== Welcome to the OWASP Web Services Security Project==

[a brief about web services security in general and the current state of OWASP in web services security]

The following document outlines a proposed layout for a new Web Services Security Project for the Open Web Application Security Project (OWASP).

== Current State ==

'''Current Relevant OWASP Pages'''

1. Web Services
a. Securing web services
b. Communication security
c. Passing credentials
d. Ensuring message freshness
e. Protecting message integrity
f. Protecting message confidentiality
g. Access control
h. Audit
i. Web services security hierarchy
i. standard committees
j. SOAP
i. XML signatures and encryption
ii. Security specifications
k. WS-Security standard
i. Organization of the standard
ii. Purpose
l. WS-Security Building blocks
i. How data is passed
ii. Security header’s structure
iii. Types of tokens
iv. Referencing message parts
m. Communication protection mechanisms
i. Integrity
ii. Confidentiality
iii. Freshness
n. Access control mechanisms
i. Identification
ii. Authentication
iii. Authorization
iv. Policy agreement
o. Forming web services chains
i. Incompatible user access control models
ii. Service trust
iii. Secure connections
iv. Synchronization of user directories
v. Domain federation
p. Available implementations
i. .NET – Web services extensions
ii. Java toolkits
iii. Hardware software systems
q. Problems
i. Immaturity of the standards
ii. Performance
iii. Complexity and interoperability
iv. Key management
r. Further reading

2. A Tale of Two Systems
- case studies of two hypothetical systems, one of which involves openning a mainframe app to the web using a web service, and the risks that are posed.

3. Theres More to Securing Web Services Systems Than WS-Security
a. What is a web service
b. Web services from the information security perspective
c. Some security implications of this perspective
i. Emergent risks
ii. End-to-end controls
d. Interconnection of systems from different trust domains
i. Some implications of the organization’s risk management process and system development life cycle
ii. Emerging standards for securing web services
iii. WS-Security specifications in process
iv. Trust management revisited
e. References

4. Web Services Architecture and Security
a. The web services architecture
b. Service oriented architectures and distributed systems
c. Complexity is the enemy of security…
d. The architectural models
e. The policy model
f. The service oriented model
g. The resource oriented model
h. The message oriented model
i. The management model
j. The rest
k. References

5. Testing for Web Services (from OWASP Testing Guide)
a. XML Structural Testing
b. XML Content-level Testing
c. HTTP GET parameters/REST Testing
d. Naughty SOAP attachments
e. Replay Testing

6. Image:Web services security.doc

7. Image:InfoSec_World_2007_-_Web_services_gateways.ppt

8. Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt

9. Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt

10. .NET Web Service Validation
a. Perfomance penalties
b. Downloading
c. Installation
d. Reporting Bugs
e. Use
i. Methods of use
ii. Attributes
iii. Web.config changes
iv. Using validation
v. Using assertions

11. OWASP WSFuzzer Project

12. OWASP interceptor Project

13. OWASP Guide

14. OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt

15. Category_talk:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project

16. Don’t drop the SOAP OWASP.ppt

17. AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt

18. AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt

19. OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Desired State ==

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Proposed Layout ==

The proposed OWASP Web Services Security Project will serve as a starting point for any web services-related inquiries on OWASP. It will consist of a launchpad or home page with an introduction to the project, regular updates to pages in the project, and links to project pages and external resources.

[[Image:WS_Launchpad.jpg|thumb|600px|LEFT|Launchpad Layout (click to see a bigger image)]]

Introduction

[brief description here]

Updates

[brief description here]

External Links

[brief description here]

OWASP Pages

[brief description here]

WS Security Docs/Presentations

[brief description here]

WS Standards

[brief description here]

WS Communications

[brief description here]

XML Security

[brief description here]

Testing Web Services

[brief description here]

WS Tools

[brief description here]

WS Gateways

[brief description here]

SOA Architecture and Design

[brief description here]

WS Implementation Platforms

[brief description here]

OWASP Top 10 Web Services Chapter

[brief description here]

== Goals & Roadmap ==

Currently the project goals are to:

* Creation of launch pad layout

* Create template start page for each subtopic

* Find solid external resources

* Recruit volunteer team (2-4 person)

* For each topic:

- Create start page for the subtopic topic

- Gather all existing relevant articles within OWASP

- Create plan of consolidating all the relevant information

- Contact authors of relevant articles if change is required

- Consolidate all information on the topic

- Find solid external resources

- Create link back to the main Web Services Security Project launchpad

* Research way of communicating any updates to web services pages on launchpad

* Search optimization (both OWASP and Google)

A detailed project plan and schedule will be developed shortly and posted here.

== Project Guiding Principles ==

tbd

== Resources and links ==

This project is not standalone. This project will draw pieces of information from:
* OWASP Guide
* Other OWASP pages
* OWASP documents
* Relevant external links
...

== Feedback and Participation: ==

We hope you find the OWASP Web Services Security Project to be useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to sahba@securitycompass.com.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:nbhalla| Nish Bhalla]]
* [[User:skazerooni| Sahba Kazerooni]]
* [[User:Subu Ramanathan| Subu Ramanathan]]

Contributors:
* you? ...

==== Project Identification ====

[[Category:OWASP Project|Web Services Security Project]]
[[Category:OWASP Project]]
[[Category:OWASP Document]]
[[Category:OWASP Alpha Quality Document]]

{{Template:OWASP Project Identification Tab
| project_name = OWASP Web Services Security Project
| project_description = This project is designed to serve as a comprehensive starting point for any web services related inquiries on the web
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html '''GPL''']
| leader_name = Subu Ramanathan
| leader_email =
| leader_username = Subu Ramanathan
| maintainer_name = Subu Ramanathan
| maintainer_email =
| maintainer_username = Subu Ramanathan
| contributor_name1 = Sahba Kazerooni
| contributor_email1 =
| contributor_username1 = Skazerooni
| contributor_name2 = Subu Ramanathan
| contributor_email2 =
| contributor_username2 = Subu Ramanathan
| contributor_name3 =
| contributor_email3 =
| contributor_username3 =
| contributor_name4 =
| contributor_email4 =
| contributor_username4 =
| contributor_name5 =
| contributor_email5 =
| contributor_username5 =
| contributor_name6 =
| contributor_email6 =
| contributor_username6 =
| contributor_name7 =
| contributor_email7 =
| contributor_username7 =
| contributor_name8 =
| contributor_email8 =
| contributor_username8 =
| contributor_name9 =
| contributor_email9 =
| contributor_username9 =
| contributor_name10 =
| contributor_email10 =
| contributor_username10 =
| pamphlet_link = http://www.owasp.org/images/a/a9/Project_flyer.pdf
| presentation_link = http://www.owasp.org/index.php/File:Owasp_education_-_WS_Security_Project.pptx
| mailing_list_name = owasp-web-services
| links_url1 =
| links_name1 =
| links_url2 =
| links_name2 =
| links_url3 =
| links_name3 =
| links_url4 =
| links_name4 =
| links_url5 =
| links_name5 =
| links_url6 =
| links_name6 =
| links_url7 =
| links_name7 =
| links_url8 =
| links_name8 =
| links_url9 =
| links_name9 =
| links_url10 =
| links_name10 =
| project_road_map =
| project_health_status =
| current_release_name = First Release
| current_release_date =
| current_release_download_link =
| current_release_rating =
| current_release_leader_name = Subu Ramanathan
| current_release_leader_email =
| current_release_leader_username = Subu Ramanathan
| last_reviewed_release_name =
| last_reviewed_release_date =
| last_reviewed_release_download_link =
| last_reviewed_release_rating =
| last_reviewed_release_leader_name =
| last_reviewed_release_leader_email =
| last_reviewed_release_leader_username =
| current_release_details = :Category:OWASP Web Services Security Project - First Release
| old_release_name1 =
| old_release_date1 =
| old_release_download_link1 =
| old_release_name2 =
| old_release_date2 =
| old_release_download_link2 =
| old_release_name3 =
| old_release_date3 =
| old_release_download_link3 =
| old_release_name4 =
| old_release_date4 =
| old_release_download_link4 =
| old_release_name5 =
| old_release_date5 =
| old_release_download_link5 =
}}

__NOTOC__
<headertabs/>

User:Subu Ramanathan

2009-09-01T15:45:26Z

Subu Ramanathan: Added bio for Subu Ramanathan

Subu Ramanathan is a security consultant with Security Compass. With his wide array of experience in application vulnerability assessments, penetration testing and source code review, Subu plays a valuable part in Security Compass’s Software Assessment Service practice. With reinforced fundamentals in software development, Subu brings to the table inept understanding of the Software Development Life Cycles (SDLC). Subu is also involved in developing content for various JAVA based, developer focused security training courses including one offered by SANS institute.

Subu holds a Bachelors in Applied Science and Engineering (Computer Engineering) from the University of Toronto.

* To see my wiki contributions, [[:Special:Contributions/Subu Ramanathan|click here]].
* [mailto:subu(at)securitycompass.com Email address].

Category:OWASP Web Services Security Project

2009-07-27T17:22:50Z

Subu Ramanathan:

{{:Template:Orphaned Projects}}

==== Main ====

== Introduction ==
Welcome to OWASP Web Services Security Project. This project is designed to serve as a starting point for any web services related inquiries on OWASP. Please note that this is NOT a standalone project and will draw upon relevant resources from other OWASP and external pages.

== Goals ==
The OWASP Web Services Security Project aims to include and maintain a comprehensive list of links to OWASP and external resources.

== Web Services Security ==
OWASP related Web Services links:

[1] [http://www.owasp.org/index.php/Web_Services OWASP Web Services] - A comprehensive introduction to Web Services.

[2] [http://www.owasp.org/index.php/Theres_More_to_Securing_Web_Services_Systems_Than_WS-Security There is More to Securing Web Services Systems Than WS Security] - Insightful page on Web Services Security.

[3] [http://www.owasp.org/index.php/.NET_Web_Service_Validation .NET Web Service Validation] - .NET approach to validating Web Services.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:Subu Ramanathan| Subu Ramanathan]]
* [[User:nbhalla| Nish Bhalla]]
* [[User:skazerooni| Sahba Kazerooni]]

==== Web Services Standards ====

== OWASP Web Services Standards Links ==

[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Guide Project] - A comprehensive development guide on building secure Web Service Applications.

== External Web Services Standards Links ==

''This section of the page needs to be updated''

==== Web Services Tools ====

== OWASP Web Services Tools ==
[http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project WSFuzzer]

[http://www.owasp.org/index.php/Category:OWASP_Interceptor_Project Interceptor]

== External Web Services Tools ==

''This section of the page needs to be updated''

==== Testing Web Services ====

== OWASP Links ==

[http://www.owasp.org/index.php/Testing_for_Web_Services Testing Web Services] - Comprehensive OWASP Guide on Testing Web Services.

== External Links ==

''This section of the page needs to be updated''

==== Documents & Presentations ====

== OWASP Documents and Presentations ==

'''Documents Related to Web Services'''

[http://www.owasp.org/index.php/Image:Web_services_security.doc Web Services Security]

'''Presentations Related to Web Services'''

[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt InfoSec World 2007] - Web Services Gateways presentation from InfoSec World 2007.

[http://www.owasp.org/index.php/Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services] - OWASP AppSec 2005 DC presentation on Attacking Web Services by Alex Stamos.

[http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt WS Security] - OWASP AppSec 2006 Seattle presentation on Web Services Security.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Secure SOAP Requests] - OWASP AppSec 2006 EU presentation on Inline Approach for Secure SOAP Requests.

[http://www.owasp.org/index.php/image:Don’t_drop_the_SOAP_OWASP.ppt Don't Drop the SOAP]

[http://www.owasp.org/index.php/image:AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt OWASP Web Services Project] - OWASP AppSec 2005 DC presentation on the OWASP Web Services Project by Alex Smolen.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt Protecting Web Services] - OWASP AppSec 2006 EU presentation on Protesting Web Services and Applications.

== External Documents & Presentations ==

''This section of the page needs to be updated''

==== OLD_PAGE ====
== Welcome to the OWASP Web Services Security Project==

[a brief about web services security in general and the current state of OWASP in web services security]

The following document outlines a proposed layout for a new Web Services Security Project for the Open Web Application Security Project (OWASP).

== Current State ==

'''Current Relevant OWASP Pages'''

1. Web Services
a. Securing web services
b. Communication security
c. Passing credentials
d. Ensuring message freshness
e. Protecting message integrity
f. Protecting message confidentiality
g. Access control
h. Audit
i. Web services security hierarchy
i. standard committees
j. SOAP
i. XML signatures and encryption
ii. Security specifications
k. WS-Security standard
i. Organization of the standard
ii. Purpose
l. WS-Security Building blocks
i. How data is passed
ii. Security header’s structure
iii. Types of tokens
iv. Referencing message parts
m. Communication protection mechanisms
i. Integrity
ii. Confidentiality
iii. Freshness
n. Access control mechanisms
i. Identification
ii. Authentication
iii. Authorization
iv. Policy agreement
o. Forming web services chains
i. Incompatible user access control models
ii. Service trust
iii. Secure connections
iv. Synchronization of user directories
v. Domain federation
p. Available implementations
i. .NET – Web services extensions
ii. Java toolkits
iii. Hardware software systems
q. Problems
i. Immaturity of the standards
ii. Performance
iii. Complexity and interoperability
iv. Key management
r. Further reading

2. A Tale of Two Systems
- case studies of two hypothetical systems, one of which involves openning a mainframe app to the web using a web service, and the risks that are posed.

3. Theres More to Securing Web Services Systems Than WS-Security
a. What is a web service
b. Web services from the information security perspective
c. Some security implications of this perspective
i. Emergent risks
ii. End-to-end controls
d. Interconnection of systems from different trust domains
i. Some implications of the organization’s risk management process and system development life cycle
ii. Emerging standards for securing web services
iii. WS-Security specifications in process
iv. Trust management revisited
e. References

4. Web Services Architecture and Security
a. The web services architecture
b. Service oriented architectures and distributed systems
c. Complexity is the enemy of security…
d. The architectural models
e. The policy model
f. The service oriented model
g. The resource oriented model
h. The message oriented model
i. The management model
j. The rest
k. References

5. Testing for Web Services (from OWASP Testing Guide)
a. XML Structural Testing
b. XML Content-level Testing
c. HTTP GET parameters/REST Testing
d. Naughty SOAP attachments
e. Replay Testing

6. Image:Web services security.doc

7. Image:InfoSec_World_2007_-_Web_services_gateways.ppt

8. Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt

9. Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt

10. .NET Web Service Validation
a. Perfomance penalties
b. Downloading
c. Installation
d. Reporting Bugs
e. Use
i. Methods of use
ii. Attributes
iii. Web.config changes
iv. Using validation
v. Using assertions

11. OWASP WSFuzzer Project

12. OWASP interceptor Project

13. OWASP Guide

14. OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt

15. Category_talk:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project

16. Don’t drop the SOAP OWASP.ppt

17. AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt

18. AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt

19. OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Desired State ==

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Proposed Layout ==

The proposed OWASP Web Services Security Project will serve as a starting point for any web services-related inquiries on OWASP. It will consist of a launchpad or home page with an introduction to the project, regular updates to pages in the project, and links to project pages and external resources.

[[Image:WS_Launchpad.jpg|thumb|600px|LEFT|Launchpad Layout (click to see a bigger image)]]

Introduction

[brief description here]

Updates

[brief description here]

External Links

[brief description here]

OWASP Pages

[brief description here]

WS Security Docs/Presentations

[brief description here]

WS Standards

[brief description here]

WS Communications

[brief description here]

XML Security

[brief description here]

Testing Web Services

[brief description here]

WS Tools

[brief description here]

WS Gateways

[brief description here]

SOA Architecture and Design

[brief description here]

WS Implementation Platforms

[brief description here]

OWASP Top 10 Web Services Chapter

[brief description here]

== Goals & Roadmap ==

Currently the project goals are to:

* Creation of launch pad layout

* Create template start page for each subtopic

* Find solid external resources

* Recruit volunteer team (2-4 person)

* For each topic:

- Create start page for the subtopic topic

- Gather all existing relevant articles within OWASP

- Create plan of consolidating all the relevant information

- Contact authors of relevant articles if change is required

- Consolidate all information on the topic

- Find solid external resources

- Create link back to the main Web Services Security Project launchpad

* Research way of communicating any updates to web services pages on launchpad

* Search optimization (both OWASP and Google)

A detailed project plan and schedule will be developed shortly and posted here.

== Project Guiding Principles ==

tbd

== Resources and links ==

This project is not standalone. This project will draw pieces of information from:
* OWASP Guide
* Other OWASP pages
* OWASP documents
* Relevant external links
...

== Feedback and Participation: ==

We hope you find the OWASP Web Services Security Project to be useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to sahba@securitycompass.com.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:nbhalla| Nish Bhalla]]
* [[User:skazerooni| Sahba Kazerooni]]
* [[User:Subu Ramanathan| Subu Ramanathan]]

Contributors:
* you? ...

[[Category:OWASP Project|Web Services Security Project]]

__NOTOC__
<headertabs/>

Category:OWASP Web Services Security Project

2009-07-27T17:12:34Z

Subu Ramanathan: Added more tabs pertaining to aspects of web services

{{:Template:Orphaned Projects}}

==== Main ====

== Introduction ==
Welcome to OWASP Web Services Security Project. This project is designed to serve as a starting point for any web services related inquiries on OWASP. Please note that this is NOT a standalone project and will draw upon relevant resources from other OWASP and external pages.

== Goals ==
The OWASP Web Services Security Project aims to include and maintain a comprehensive list of links to OWASP and external resources.

== Web Services Security ==
OWASP related Web Services links:

[1] [http://www.owasp.org/index.php/Web_Services OWASP Web Services] - A comprehensive introduction to Web Services.

[2] [http://www.owasp.org/index.php/Theres_More_to_Securing_Web_Services_Systems_Than_WS-Security There is More to Securing Web Services Systems Than WS Security] - Insightful page on Web Services Security.

[3] [http://www.owasp.org/index.php/.NET_Web_Service_Validation .NET Web Service Validation] - .NET approach to validating Web Services.

==== Web Services Standards ====

== OWASP Web Services Standards Links ==

[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Guide Project] - A comprehensive development guide on building secure Web Service Applications.

== External Web Services Standards Links ==

''This section of the page needs to be updated''

==== Web Services Tools ====

== OWASP Web Services Tools ==
[http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project WSFuzzer]

[http://www.owasp.org/index.php/Category:OWASP_Interceptor_Project Interceptor]

== External Web Services Tools ==

''This section of the page needs to be updated''

==== Testing Web Services ====

== OWASP Links ==

[http://www.owasp.org/index.php/Testing_for_Web_Services Testing Web Services] - Comprehensive OWASP Guide on Testing Web Services.

== External Links ==

''This section of the page needs to be updated''

==== Documents & Presentations ====

== OWASP Documents and Presentations ==

'''Documents Related to Web Services'''

[http://www.owasp.org/index.php/Image:Web_services_security.doc Web Services Security]

'''Presentations Related to Web Services'''

[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt InfoSec World 2007] - Web Services Gateways presentation from InfoSec World 2007.

[http://www.owasp.org/index.php/Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services] - OWASP AppSec 2005 DC presentation on Attacking Web Services by Alex Stamos.

[http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt WS Security] - OWASP AppSec 2006 Seattle presentation on Web Services Security.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Secure SOAP Requests] - OWASP AppSec 2006 EU presentation on Inline Approach for Secure SOAP Requests.

[http://www.owasp.org/index.php/image:Don’t_drop_the_SOAP_OWASP.ppt Don't Drop the SOAP]

[http://www.owasp.org/index.php/image:AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt OWASP Web Services Project] - OWASP AppSec 2005 DC presentation on the OWASP Web Services Project by Alex Smolen.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt Protecting Web Services] - OWASP AppSec 2006 EU presentation on Protesting Web Services and Applications.

== External Documents & Presentations ==

''This section of the page needs to be updated''

==== OLD_PAGE ====
== Welcome to the OWASP Web Services Security Project==

[a brief about web services security in general and the current state of OWASP in web services security]

The following document outlines a proposed layout for a new Web Services Security Project for the Open Web Application Security Project (OWASP).

== Current State ==

'''Current Relevant OWASP Pages'''

1. Web Services
a. Securing web services
b. Communication security
c. Passing credentials
d. Ensuring message freshness
e. Protecting message integrity
f. Protecting message confidentiality
g. Access control
h. Audit
i. Web services security hierarchy
i. standard committees
j. SOAP
i. XML signatures and encryption
ii. Security specifications
k. WS-Security standard
i. Organization of the standard
ii. Purpose
l. WS-Security Building blocks
i. How data is passed
ii. Security header’s structure
iii. Types of tokens
iv. Referencing message parts
m. Communication protection mechanisms
i. Integrity
ii. Confidentiality
iii. Freshness
n. Access control mechanisms
i. Identification
ii. Authentication
iii. Authorization
iv. Policy agreement
o. Forming web services chains
i. Incompatible user access control models
ii. Service trust
iii. Secure connections
iv. Synchronization of user directories
v. Domain federation
p. Available implementations
i. .NET – Web services extensions
ii. Java toolkits
iii. Hardware software systems
q. Problems
i. Immaturity of the standards
ii. Performance
iii. Complexity and interoperability
iv. Key management
r. Further reading

2. A Tale of Two Systems
- case studies of two hypothetical systems, one of which involves openning a mainframe app to the web using a web service, and the risks that are posed.

3. Theres More to Securing Web Services Systems Than WS-Security
a. What is a web service
b. Web services from the information security perspective
c. Some security implications of this perspective
i. Emergent risks
ii. End-to-end controls
d. Interconnection of systems from different trust domains
i. Some implications of the organization’s risk management process and system development life cycle
ii. Emerging standards for securing web services
iii. WS-Security specifications in process
iv. Trust management revisited
e. References

4. Web Services Architecture and Security
a. The web services architecture
b. Service oriented architectures and distributed systems
c. Complexity is the enemy of security…
d. The architectural models
e. The policy model
f. The service oriented model
g. The resource oriented model
h. The message oriented model
i. The management model
j. The rest
k. References

5. Testing for Web Services (from OWASP Testing Guide)
a. XML Structural Testing
b. XML Content-level Testing
c. HTTP GET parameters/REST Testing
d. Naughty SOAP attachments
e. Replay Testing

6. Image:Web services security.doc

7. Image:InfoSec_World_2007_-_Web_services_gateways.ppt

8. Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt

9. Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt

10. .NET Web Service Validation
a. Perfomance penalties
b. Downloading
c. Installation
d. Reporting Bugs
e. Use
i. Methods of use
ii. Attributes
iii. Web.config changes
iv. Using validation
v. Using assertions

11. OWASP WSFuzzer Project

12. OWASP interceptor Project

13. OWASP Guide

14. OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt

15. Category_talk:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project

16. Don’t drop the SOAP OWASP.ppt

17. AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt

18. AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt

19. OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Desired State ==

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Proposed Layout ==

The proposed OWASP Web Services Security Project will serve as a starting point for any web services-related inquiries on OWASP. It will consist of a launchpad or home page with an introduction to the project, regular updates to pages in the project, and links to project pages and external resources.

[[Image:WS_Launchpad.jpg|thumb|600px|LEFT|Launchpad Layout (click to see a bigger image)]]

Introduction

[brief description here]

Updates

[brief description here]

External Links

[brief description here]

OWASP Pages

[brief description here]

WS Security Docs/Presentations

[brief description here]

WS Standards

[brief description here]

WS Communications

[brief description here]

XML Security

[brief description here]

Testing Web Services

[brief description here]

WS Tools

[brief description here]

WS Gateways

[brief description here]

SOA Architecture and Design

[brief description here]

WS Implementation Platforms

[brief description here]

OWASP Top 10 Web Services Chapter

[brief description here]

== Goals & Roadmap ==

Currently the project goals are to:

* Creation of launch pad layout

* Create template start page for each subtopic

* Find solid external resources

* Recruit volunteer team (2-4 person)

* For each topic:

- Create start page for the subtopic topic

- Gather all existing relevant articles within OWASP

- Create plan of consolidating all the relevant information

- Contact authors of relevant articles if change is required

- Consolidate all information on the topic

- Find solid external resources

- Create link back to the main Web Services Security Project launchpad

* Research way of communicating any updates to web services pages on launchpad

* Search optimization (both OWASP and Google)

A detailed project plan and schedule will be developed shortly and posted here.

== Project Guiding Principles ==

tbd

== Resources and links ==

This project is not standalone. This project will draw pieces of information from:
* OWASP Guide
* Other OWASP pages
* OWASP documents
* Relevant external links
...

== Feedback and Participation: ==

We hope you find the OWASP Web Services Security Project to be useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to sahba@securitycompass.com.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:nbhalla| Nish Bhalla]]
* [[User:skazerooni| Sahba Kazerooni]]
* [[User:Subu Ramanathan| Subu Ramanathan]]

Contributors:
* you? ...

[[Category:OWASP Project|Web Services Security Project]]

__NOTOC__
<headertabs/>

Category:OWASP Web Services Security Project

2009-07-27T16:42:46Z

Subu Ramanathan: Initial update - Added tabs, new introduction, list of OWASP docs and presentations

{{:Template:Orphaned Projects}}

==== Main ====

== Introduction ==
Welcome to OWASP Web Services Security Project. This project is designed to serve as a starting point for any web services related inquiries on OWASP. Please note that this is NOT a standalone project and will draw upon relevant resources from other OWASP and external pages.

== Goals ==
The OWASP Web Services Security Project aims to include and maintain a comprehensive list of links to OWASP and external resources.

== Web Services Security ==
OWASP related Web Services links:

[1] [http://www.owasp.org/index.php/Web_Services OWASP Web Services] - A comprehensive introduction to Web Services.

[2] [http://www.owasp.org/index.php/Theres_More_to_Securing_Web_Services_Systems_Than_WS-Security There is More to Securing Web Services Systems Than WS Security] - Insightful page on Web Services Security.

[3] [http://www.owasp.org/index.php/.NET_Web_Service_Validation .NET Web Service Validation] - .NET approach to validating Web Services.

==== Documents & Presentations ====

== OWASP Documents and Presentations ==

'''Documents Related to Web Services'''

[http://www.owasp.org/index.php/Image:Web_services_security.doc Web Services Security]

'''Presentations Related to Web Services'''

[http://www.owasp.org/index.php/Image:InfoSec_World_2007_-_Web_services_gateways.ppt InfoSec World 2007] - Web Services Gateways presentation from InfoSec World 2007.

[http://www.owasp.org/index.php/Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt Attacking Web Services] - OWASP AppSec 2005 DC presentation on Attacking Web Services by Alex Stamos.

[http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt WS Security] - OWASP AppSec 2006 Seattle presentation on Web Services Security.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt Secure SOAP Requests] - OWASP AppSec 2006 EU presentation on Inline Approach for Secure SOAP Requests.

[http://www.owasp.org/index.php/image:Don’t_drop_the_SOAP_OWASP.ppt Don't Drop the SOAP]

[http://www.owasp.org/index.php/image:AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt OWASP Web Services Project] - OWASP AppSec 2005 DC presentation on the OWASP Web Services Project by Alex Smolen.

[http://www.owasp.org/index.php/image:OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt Protecting Web Services] - OWASP AppSec 2006 EU presentation on Protesting Web Services and Applications.

==== OLD_PAGE ====
== Welcome to the OWASP Web Services Security Project==

[a brief about web services security in general and the current state of OWASP in web services security]

The following document outlines a proposed layout for a new Web Services Security Project for the Open Web Application Security Project (OWASP).

== Current State ==

'''Current Relevant OWASP Pages'''

1. Web Services
a. Securing web services
b. Communication security
c. Passing credentials
d. Ensuring message freshness
e. Protecting message integrity
f. Protecting message confidentiality
g. Access control
h. Audit
i. Web services security hierarchy
i. standard committees
j. SOAP
i. XML signatures and encryption
ii. Security specifications
k. WS-Security standard
i. Organization of the standard
ii. Purpose
l. WS-Security Building blocks
i. How data is passed
ii. Security header’s structure
iii. Types of tokens
iv. Referencing message parts
m. Communication protection mechanisms
i. Integrity
ii. Confidentiality
iii. Freshness
n. Access control mechanisms
i. Identification
ii. Authentication
iii. Authorization
iv. Policy agreement
o. Forming web services chains
i. Incompatible user access control models
ii. Service trust
iii. Secure connections
iv. Synchronization of user directories
v. Domain federation
p. Available implementations
i. .NET – Web services extensions
ii. Java toolkits
iii. Hardware software systems
q. Problems
i. Immaturity of the standards
ii. Performance
iii. Complexity and interoperability
iv. Key management
r. Further reading

2. A Tale of Two Systems
- case studies of two hypothetical systems, one of which involves openning a mainframe app to the web using a web service, and the risks that are posed.

3. Theres More to Securing Web Services Systems Than WS-Security
a. What is a web service
b. Web services from the information security perspective
c. Some security implications of this perspective
i. Emergent risks
ii. End-to-end controls
d. Interconnection of systems from different trust domains
i. Some implications of the organization’s risk management process and system development life cycle
ii. Emerging standards for securing web services
iii. WS-Security specifications in process
iv. Trust management revisited
e. References

4. Web Services Architecture and Security
a. The web services architecture
b. Service oriented architectures and distributed systems
c. Complexity is the enemy of security…
d. The architectural models
e. The policy model
f. The service oriented model
g. The resource oriented model
h. The message oriented model
i. The management model
j. The rest
k. References

5. Testing for Web Services (from OWASP Testing Guide)
a. XML Structural Testing
b. XML Content-level Testing
c. HTTP GET parameters/REST Testing
d. Naughty SOAP attachments
e. Replay Testing

6. Image:Web services security.doc

7. Image:InfoSec_World_2007_-_Web_services_gateways.ppt

8. Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt

9. Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt

10. .NET Web Service Validation
a. Perfomance penalties
b. Downloading
c. Installation
d. Reporting Bugs
e. Use
i. Methods of use
ii. Attributes
iii. Web.config changes
iv. Using validation
v. Using assertions

11. OWASP WSFuzzer Project

12. OWASP interceptor Project

13. OWASP Guide

14. OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt

15. Category_talk:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project

16. Don’t drop the SOAP OWASP.ppt

17. AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt

18. AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt

19. OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Desired State ==

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Proposed Layout ==

The proposed OWASP Web Services Security Project will serve as a starting point for any web services-related inquiries on OWASP. It will consist of a launchpad or home page with an introduction to the project, regular updates to pages in the project, and links to project pages and external resources.

[[Image:WS_Launchpad.jpg|thumb|600px|LEFT|Launchpad Layout (click to see a bigger image)]]

Introduction

[brief description here]

Updates

[brief description here]

External Links

[brief description here]

OWASP Pages

[brief description here]

WS Security Docs/Presentations

[brief description here]

WS Standards

[brief description here]

WS Communications

[brief description here]

XML Security

[brief description here]

Testing Web Services

[brief description here]

WS Tools

[brief description here]

WS Gateways

[brief description here]

SOA Architecture and Design

[brief description here]

WS Implementation Platforms

[brief description here]

OWASP Top 10 Web Services Chapter

[brief description here]

== Goals & Roadmap ==

Currently the project goals are to:

* Creation of launch pad layout

* Create template start page for each subtopic

* Find solid external resources

* Recruit volunteer team (2-4 person)

* For each topic:

- Create start page for the subtopic topic

- Gather all existing relevant articles within OWASP

- Create plan of consolidating all the relevant information

- Contact authors of relevant articles if change is required

- Consolidate all information on the topic

- Find solid external resources

- Create link back to the main Web Services Security Project launchpad

* Research way of communicating any updates to web services pages on launchpad

* Search optimization (both OWASP and Google)

A detailed project plan and schedule will be developed shortly and posted here.

== Project Guiding Principles ==

tbd

== Resources and links ==

This project is not standalone. This project will draw pieces of information from:
* OWASP Guide
* Other OWASP pages
* OWASP documents
* Relevant external links
...

== Feedback and Participation: ==

We hope you find the OWASP Web Services Security Project to be useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to sahba@securitycompass.com.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:nbhalla| Nish Bhalla]]
* [[User:skazerooni| Sahba Kazerooni]]
* [[User:Subu Ramanathan| Subu Ramanathan]]

Contributors:
* you? ...

[[Category:OWASP Project|Web Services Security Project]]

__NOTOC__
<headertabs/>

Category:OWASP Web Services Security Project

2009-07-27T15:50:21Z

Subu Ramanathan: Added Subu Ramanathan to the list of project leads

{{:Template:Orphaned Projects}}

== Welcome to the OWASP Web Services Security Project==

[a brief about web services security in general and the current state of OWASP in web services security]

The following document outlines a proposed layout for a new Web Services Security Project for the Open Web Application Security Project (OWASP).

== Current State ==

'''Current Relevant OWASP Pages'''

1. Web Services
a. Securing web services
b. Communication security
c. Passing credentials
d. Ensuring message freshness
e. Protecting message integrity
f. Protecting message confidentiality
g. Access control
h. Audit
i. Web services security hierarchy
i. standard committees
j. SOAP
i. XML signatures and encryption
ii. Security specifications
k. WS-Security standard
i. Organization of the standard
ii. Purpose
l. WS-Security Building blocks
i. How data is passed
ii. Security header’s structure
iii. Types of tokens
iv. Referencing message parts
m. Communication protection mechanisms
i. Integrity
ii. Confidentiality
iii. Freshness
n. Access control mechanisms
i. Identification
ii. Authentication
iii. Authorization
iv. Policy agreement
o. Forming web services chains
i. Incompatible user access control models
ii. Service trust
iii. Secure connections
iv. Synchronization of user directories
v. Domain federation
p. Available implementations
i. .NET – Web services extensions
ii. Java toolkits
iii. Hardware software systems
q. Problems
i. Immaturity of the standards
ii. Performance
iii. Complexity and interoperability
iv. Key management
r. Further reading

2. A Tale of Two Systems
- case studies of two hypothetical systems, one of which involves openning a mainframe app to the web using a web service, and the risks that are posed.

3. Theres More to Securing Web Services Systems Than WS-Security
a. What is a web service
b. Web services from the information security perspective
c. Some security implications of this perspective
i. Emergent risks
ii. End-to-end controls
d. Interconnection of systems from different trust domains
i. Some implications of the organization’s risk management process and system development life cycle
ii. Emerging standards for securing web services
iii. WS-Security specifications in process
iv. Trust management revisited
e. References

4. Web Services Architecture and Security
a. The web services architecture
b. Service oriented architectures and distributed systems
c. Complexity is the enemy of security…
d. The architectural models
e. The policy model
f. The service oriented model
g. The resource oriented model
h. The message oriented model
i. The management model
j. The rest
k. References

5. Testing for Web Services (from OWASP Testing Guide)
a. XML Structural Testing
b. XML Content-level Testing
c. HTTP GET parameters/REST Testing
d. Naughty SOAP attachments
e. Replay Testing

6. Image:Web services security.doc

7. Image:InfoSec_World_2007_-_Web_services_gateways.ppt

8. Image:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt

9. Image:OWASPAppSec2006Seattle_Web_Services_Security.ppt

10. .NET Web Service Validation
a. Perfomance penalties
b. Downloading
c. Installation
d. Reporting Bugs
e. Use
i. Methods of use
ii. Attributes
iii. Web.config changes
iv. Using validation
v. Using assertions

11. OWASP WSFuzzer Project

12. OWASP interceptor Project

13. OWASP Guide

14. OWASPAppSecEU2006_InlineApproachforSecureSOAPRequests.ppt

15. Category_talk:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project

16. Don’t drop the SOAP OWASP.ppt

17. AppSec2005DC-Alex_Smolen-OWASP_WebServices_Project.ppt

18. AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt

19. OWASPAppSecEU2006_ProtectingWebServicesAndAapplications.ppt

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Desired State ==

'''Content'''

- Completeness

- Relevance

- Target audience

'''Organization'''

- Ease of navigation

- Ease of locating a specific topic

- Communication of updates

'''Search'''

-

== Proposed Layout ==

The proposed OWASP Web Services Security Project will serve as a starting point for any web services-related inquiries on OWASP. It will consist of a launchpad or home page with an introduction to the project, regular updates to pages in the project, and links to project pages and external resources.

[[Image:WS_Launchpad.jpg|thumb|600px|LEFT|Launchpad Layout (click to see a bigger image)]]

Introduction

[brief description here]

Updates

[brief description here]

External Links

[brief description here]

OWASP Pages

[brief description here]

WS Security Docs/Presentations

[brief description here]

WS Standards

[brief description here]

WS Communications

[brief description here]

XML Security

[brief description here]

Testing Web Services

[brief description here]

WS Tools

[brief description here]

WS Gateways

[brief description here]

SOA Architecture and Design

[brief description here]

WS Implementation Platforms

[brief description here]

OWASP Top 10 Web Services Chapter

[brief description here]

== Goals & Roadmap ==

Currently the project goals are to:

* Creation of launch pad layout

* Create template start page for each subtopic

* Find solid external resources

* Recruit volunteer team (2-4 person)

* For each topic:

- Create start page for the subtopic topic

- Gather all existing relevant articles within OWASP

- Create plan of consolidating all the relevant information

- Contact authors of relevant articles if change is required

- Consolidate all information on the topic

- Find solid external resources

- Create link back to the main Web Services Security Project launchpad

* Research way of communicating any updates to web services pages on launchpad

* Search optimization (both OWASP and Google)

A detailed project plan and schedule will be developed shortly and posted here.

== Project Guiding Principles ==

tbd

== Resources and links ==

This project is not standalone. This project will draw pieces of information from:
* OWASP Guide
* Other OWASP pages
* OWASP documents
* Relevant external links
...

== Feedback and Participation: ==

We hope you find the OWASP Web Services Security Project to be useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to sahba@securitycompass.com.

== Project Contributors ==

If you contribute to this Project, please add your name here. 
Project Leads:
* [[User:nbhalla| Nish Bhalla]]
* [[User:skazerooni| Sahba Kazerooni]]
* [[User:Subu Ramanathan| Subu Ramanathan]]

Contributors:
* you? ...

[[Category:OWASP Project|Web Services Security Project]]