Declarative Security Framework

WCF security is truly a vast topic. There is a daunting number of details to master, and intricate relationships exist between the various parts. The programming model is very complex, and at first there is an inescapable feeling of navigating a maze. To make things even worse, there are severe implications both at the application and at the business level for getting it wrong.

The solution I came up with is a declarative security framework for WCF. For the service, I provided a security attribute (as well as matching support for the host); and for the client, I provided a few helper classes and secure proxy classes. My declarative framework grossly simplifies applying WCF security, and makes security configuration on par with the other aspects of WCF configuration, such as transactions or synchronization.

I wanted a declarative model that would be simple to use and would minimize the need to understand the many details of security. As a developer, all you need to do is select the correct scenario (out of the five common scenarios discussed in this chapter) and my framework will automate the configuration. Not only that, my framework mandates the correct options and enforces my recommendations. At the same time, I wanted a model that maintains granularity and control of the underlying configuration if the need for that ever arises.

The SecurityBehaviorAttribute

Example 10-19 lists the definition of the SecurityBehaviorAttribute and the ...
