2

Windows Communication Foundation (WCF) is a set of technologies that expose server-side executable code and data over the Internet.

Given the port sharing abilities of IIS, or even that a web developer can host a WCF application unbeknownst to the IT security team, I think that the IT security team should have some control over what is exposed and its configuration.

Examples of WCF configuration include: Protocol choice, encryption method, and which executable methods are exposed.

  1. Do you agree that this technology should be considered in-scope for the IT Security Team?
  2. How would you sell this to management for inclusion (given that you're not a manager)?
  3. What processes would you put in place for auditing and deploying this technology?
  4. How would you define support boundaries with the application team?
  5. ... other items

Part of the reason I ask this question is that at the large companies I worked for, SOAP security was out-of-bounds for the same group that handled perimeter security (often the same group who handled the firewalls and routers).

Perhaps the size of the organisation should be taken into account when asking this question. Is it unreasonable to expect a Firewall administrator to also understand WCF/Metro?

makerofthings7

2 Answers

2

Yes, of course.
It's the same as a code review, or a deployment inspection.
During CR, I would expect configuration files to be part of the code base that is examined; and during a deployment inspection, all configurations you can get your hands on should be opened up and examined.

That also answers no. 2 - explain to the manager that it's part of the previous reviews.
3. Again, same as above - if you have a process around CR or DI, those should be part of that.
4. Boundaries: and here is a needed clarification - the dev team is responsible for performing the configuration, SecTeam has oversight, verification, and of course is additionally in an advisory/educational status.


Wrt the addition of your edit, network/OS security guys really can't do anything with WCF, and shouldn't be expected to. I was referring to the AppSec team, or security architecture, or whatever you want to call them.
Same goes for (most aspects of) SOAP, it's an application protocol, network guys just won't know what to do with it.

AviD
1
  1. Yes -- sort of. (IMO) It should be up to that team to define minimum requirements; e.g. which encryption methods to use, but they shouldn't lock down the likes of exposed methods. That should belong to developer security architects. Unless of course the IT Security Team has developers on it.

EDIT: It is a little much to expect a firewall administrator (or similar role) to understand WCF/metro. They should understand that it works over HTTP/S/TCP and the basic data structure of a SOAP message, but not too much beyond that. It's too domain specific.

Steve
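
As an added illustration (not part of the question or of either answer), this Python example shows the kind of check a code review or deployment inspection could run over a WCF configuration file: it inventories each endpoint's contract, binding and security mode, then flags unsecured bindings, published metadata endpoints and fault detail returned to callers. The sample config and every name in it are constructed; endpoints without a `bindingConfiguration` are assumed to use the binding type's default mode.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; service, contract and binding names are hypothetical.
SAMPLE = """<configuration><system.serviceModel>
  <services>
    <service name="Shop.OrderService" behaviorConfiguration="dbg">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="plain" contract="Shop.IOrderService"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
    <service name="Shop.ReportService">
      <endpoint address="" binding="netTcpBinding" bindingConfiguration="tcpSecure" contract="Shop.IReportService"/>
    </service>
  </services>
  <bindings>
    <basicHttpBinding><binding name="plain"><security mode="None"/></binding></basicHttpBinding>
    <netTcpBinding><binding name="tcpSecure"><security mode="Transport"/></binding></netTcpBinding>
  </bindings>
  <behaviors><serviceBehaviors><behavior name="dbg">
    <serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

# WCF's default security mode when a binding does not set one explicitly.
DEFAULT_MODE = {"basicHttpBinding": "None", "wsHttpBinding": "Message", "netTcpBinding": "Transport"}

def audit(config_xml):
    """Return (inventory, findings) for the <system.serviceModel> section."""
    sm = ET.fromstring(config_xml).find("system.serviceModel")
    inventory, findings = [], []
    if sm is None:  # no WCF configuration in this file
        return inventory, findings
    for svc in sm.iterfind("services/service"):
        for ep in svc.iterfind("endpoint"):
            name, contract = svc.get("name"), ep.get("contract")
            binding, cfg = ep.get("binding"), ep.get("bindingConfiguration")
            # Resolve the named binding; without one, fall back to the type's default.
            sec = sm.find(f"bindings/{binding}/binding[@name='{cfg}']/security") if cfg else None
            mode = (sec.get("mode") if sec is not None else None) or DEFAULT_MODE.get(binding, "unknown")
            inventory.append((name, contract, binding, mode))
            if contract == "IMetadataExchange":
                findings.append(f"{name}: metadata exchange (MEX) endpoint is published")
            elif mode == "None":
                findings.append(f"{name}: {contract} over {binding} has security mode None")
    for beh in sm.iterfind("behaviors/serviceBehaviors/behavior"):
        dbg = beh.find("serviceDebug")
        if dbg is not None and dbg.get("includeExceptionDetailInFaults", "").lower() == "true":
            findings.append(f"behavior {beh.get('name')}: exception details returned to callers")
    return inventory, findings
```

The inventory gives the security reviewers the list of exposed contracts and protocols, while the findings cover the minimum requirements; which methods a contract exposes still has to be read from the service code.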