AJ's blog

February 23, 2007

Security analysis on WCF for the German Gouvernment

Filed under: .NET, .NET Framework, SOA, Software Architecture, Software Development — ajdotnet @ 10:54 pm

Something I was waiting for but nearly missed: Michael Willers has announced the security analysis on Windows Communication Foundation he and his collegues did for the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).

I had the luck to hear Michael talk about this stuff last october. There where two interesting points in his talk:

  1. He took us through some threat modelling. That may be intersting from a security point of view but what impressed me more was that this was the most sound and structured architecture review I ever saw.
  2. Michael emphasised the fact that developing a secure application was only the first part of the deal. Deploying it — or more to the point secure deployment — turned out to be a challenge of its own. Consequently the statement on his blog:

“The results of this study demonstrates how to implement and securely deploy service oriented distributed systems on the Microsoft .NET Platform. “

Documentation and code (under GPL) can be obtained at the BSI site:

“Beside the complete source code of the WCF reference application the BSI distributes manuals covering WCF specific architecture aspects, authentication, data access, development autonomy, distributed error handling, the hosting environment, transport security, securing resources, and secure service set-up and installation.”

It’s definitely worth a closer look.

UPDATE: Microsoft has provided some of the results as templates and libaries for download. See here (Michael’s announcement) and on the MSDN CAS Tools & Best Practices site (both in German, sorry, but the downloadable content should be in english).

PS: The BSI is “the central IT security service provider for the German Government.” (http://www.bsi.bund.de/english/index.htm)

PPS: The usage of voting machines for elections in Germany does not seem to require IT security 👿 , therefore they are checked and certified by the “Physikalisch-Technische Bundesanstalt, PTB“.

“The Physikalisch-Technische Bundesanstalt (PTB) is the national metrology institute providing scientific and technical services. PTB measures with the highest accuracy and reliability – metrology as the core competence.” (http://www.ptb.de/en/zieleaufgaben/dieptb.html).

PPPS: And by the way: Germany uses Nedap machines, the ones you can play chess with…  😈

That’s all for now folks,

kick it on DotNetKicks.com


1 Comment »

  1. We didn’t want the Machines 😦
    BTW: I have never seen a single one of them. Don’t know how many of them are used…

    Comment by h32 — February 27, 2007 @ 9:47 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: