Research paper on WSE Policy Advisor

["Andy Gordon" <adg () microsoft com>]

Hi, readers of this list may be interested in a new paper we've written
describing the architecture of a tool for checking WSE 2 security
policies.  These are XML config files that determine the security
processing of SOAP messages.  Title and abstract below; paper and tool
available from our project page http://securing.ws 

Since XML config files are widely used, the idea of a tool to check them
as part of security reviews is very natural.  Jon Udell has a nice
article about this on his blog from last year, where he advocates
partially populating a threat model from config files.

http://weblog.infoworld.com/udell/2004/05/25.html 

Can anyone point me to other tools for analyzing config files for
security issues?

Thanks,

Andy

An advisor for web services security policies. With K. Bhargavan, C.
Fournet, and G. O'Shea. In 2005 ACM Workshop on Secure Web Services (SWS
2005), Washington DC. ACM Press, 2005. 

We identify common security vulnerabilities found during security
reviews of web services with policy-driven security. We describe the
design of an advisor for web services security configurations, the first
tool both to identify such vulnerabilities automatically and to offer
remedial advice. We report on its implementation as a plugin for
Microsoft Web Services Enhancements (WSE).