This publication of the NIST seeks to assist organizations in understanding the challenges in integrating information security practices into SOA design and development based on Web services. This publication also provides practical, real-world guidance on current and emerging standards applicable to Web services, as well as background information on the most common security threats to SOAs based on Web services. This document presents information that is largely independent of particular hardware platforms, operating systems, and applications. Supplementary security mechanisms (i.e., perimeter security appliances) are considered outside the scope of this publication. Interfaces between Web services components and supplementary controls are noted as such throughout this document on a case-by-case basis. The document, while technical in nature, provides the background information to help readers understand the topics that are discussed. The intended audience for this document includes the following: System and software architects and engineers trained in designing, implementing, testing, or evaluating Web services; Software developers experienced in XML, C#, Visual Basic for .NET (VB.NET), C, or Java for Web services; Security architects, engineers, analysts, and secure software developers/integrators; Researchers who are furthering and extending service interfaces and conceptual designs. This document assumes that readers have some minimal Web services expertise. Because of the constantly changing nature of Web services threats and vulnerabilities, readers are expected to take advantage of other resources (including those listed in this document) for more current and detailed information. The practices recommended in this document are designed to help mitigate the risks associated with Web services. They build on and assume the implementation of practices described in other NIST guidelines listed in Appendix F. The remainder of this document is organized into five major sections. Section 2 provides background to Web services and portals and their relationship to security. Section 3 discusses the many relevant Web service security functions and related technology. Section 4 discusses Web portals, the human user's entry point into the SOA based on Web services. Section 5 discusses the challenges associated with secure Web service-enabling of legacy applications. Finally, Section 6 discusses secure implementation tools and technologies. The document also contains several appendices. Appendix A offers discussion of several attacks commonly leveraged against Web services and SOAs. Appendix B provides an overview of Electronic Business eXtensible Markup Language (ebXML), a Web services protocol suite developed by the United Nations Centre for Trade Facilitation and Electronic Business (UN/CEFACT). Appendices C and D contain a glossary and acronym list, respectively. Appendices E and F list print resources and online tools and resources that may be useful references for gaining a better understanding of Web services and SOAs, security concepts and methodologies, and the general relationship between them. Security Division, Information Technology Laboratory, National Institute of Standards and Technology.