• Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Book Review - Web Services Security

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> News // Columns // Articles

View previous topic :: View next topic  
Author Message
Just Arrived
Just Arrived

Joined: 30 Apr 2002
Posts: 1
Location: Somewhere between 0-160mph


PostPosted: Wed Sep 17, 2003 8:43 pm    Post subject: Book Review - Web Services Security Reply with quote

Web Services Security

Author: Mark O’Neill with Phillip Hallam Baker, Sean Mac Cann, Mike Shema, Ed Simon, Paul A. Watters and Andrew White
Publisher: Osborne McGraw-Hill
Book Specifications: Soft-cover, 312 pages, no CD-ROM
Category: Web Security
Audience Level: Primarily for software developers and architects deploying XML web services.
Suggested Publisher Price: $49.99USA/$74.95CAN/£31.29 UK
ISBN: 0-07-222471-1
Amazon UK: Web Services Security
Amazon.com: Web Services Security
Special Discounted Security Forums Price : £27.74 UK GBP - http://www.mcgraw-hill.co.uk/securityforums

Synopsis from back cover

Minimize security risks in your system by successfully rolling out secure Web Services with help from this exceptional guide. Web Services Security covers everything network professionals need to know, including details on Web Services architecture, SOAP, UDDI, WSDL, XML Signature, XML Encryption, SAML, XACML, XKMS, and more.

You’ll also get implementation techniques as well as case studies featuring global services provision initiatives such as Alliance project. Practical, comprehensive, and up-to-date, this is a must-have reference for every administrator interested in conquering real-life security challenges through the effective use of Web Services


Working within the Web Services/Web Development field, I was given a copy of the book to review. Prior to receiving this book, my initial thoughts based on the title was that the book would be more geared towards security for web sites and servers including what attacks are used and how to defend against them.

Intended Audience For This Book

This book is intended for software developers, architects, security professionals and network administrators who are responsible for deploying Web Services, who would require more information and knowledge on the security implications


The book starts with a biography of the authors and contributors followed by the content listing. A foreword discussing Web Services by Patrick J. Gannon President & CEO of OASIS Open is next followed by acknowledgements and a brief introduction.

Part 1 – Introduction
    Chapter 1 -
  • Presenting Web Services
  • Defining Web Services
  • Introducing the XML Family
  • XML for Communication
  • An Example Web Services Scenario
  • Practical Tools
    Chapter 2 -
  • Presenting Security
  • The Building Blocks of Security
  • Peeling back the Layers of Security
    Chapter 3 -
  • New Challenges and New Threats
  • Web Services Security Challenges
  • Meeting the Challenges: New Technology For the Web
  • Web Services Security Threats

Part 2 – XML Security
    Chapter 4 -
  • XML Signature
  • Making Sense of XML Signature
  • Uses of XML Signature for Web Services Security
  • Creating and Validating an XML Signature
  • Checklist
    Chapter 5 -
  • XML Encryption
  • Introduction to XML Encryption
  • Encryption Scenarios
  • Encryption Steps
  • Decryption Steps
  • Code Examples
  • The Overlap with XML Signature
  • Checklist
    Chapter 6 -
  • SAML
  • How SAML Enables “Portable trust”
  • Deploying SAML
  • Checklist
    Chapter 7 -
  • Introduction to XACML
  • Rules in XACML
  • Checklist
    Chapter 8 -
  • XML Key Management Specification (XKMS)
  • Public Key Infrastructure
  • XKMS and PKI
  • The XKMS Protocol
  • XML Key Information Service Specification
  • Advanced Protocol Features of XKMS 2.0

Part 3 – Security in SOAP: Presenting WS-Security
    Chapter 9 -
  • WS-Security
  • Introduction to WS-Security
  • SAML and WS-Security
  • Checklist

Part 4 – Security in Web Services Framework
    Chapter 10 -
  • .NET and passport
  • Ticket, Please: A Kerberos Overview
  • Passport
  • Web Services and .NET
  • Checklist
    Chapter 11 -
  • The Liberty Alliance Project
  • What Does the Liberty Alliance Project Have To Do with Web Services?
    Chapter 12 -
  • UDDI and Security
  • UDDI Overview
  • Securing Transaction with the UDDI Services
  • Checklist

Part 5 – Conclusion
    Chapter 13 -
  • ebXML
  • ebXML
  • ebXML Security Overview
  • ebXML Registry Security
  • ebXML Message Security
  • Standards Overview
  • EbXML Standards Overview
  • Message Security Conclusions
    Chapter 14 -
  • Legal Considerations
  • The Role of Contract Law and Evidence in Online Security
  • Applying the Law to Particular Technologies
  • Conclusions
  • Checklist
    Appendix A -
  • Case Studies
  • Local Government Service Portal
  • Foreign Exchange Transactions
  • XML Gateway Rollout

Content Summary

    Part 1: The first chapter is a great introductory for the book. It introduces and explains Web Services then it defines the XML family, not just as eXtensible Markup Language, but also the family of related technologies.

    Second chapter introduces encryption, various types of encryption and types of uses from digital certificates to smartcards. The second part of this chapter briefly discusses the vulnerabilities of network, session, transport and application layers of the OSI model.

    The third chapter solely focuses on the Web Services security on the application layer using HTTP and SOAP as the underlining technologies.

    Part 2: This whole section covers technologies for XML security, which I’ve not actually had any experience on. There are informative chapters on the explanation of XML Signature and XML Encryption stating what it is and what it isn’t, description and deployment of SAML (Secure Assertion Markup Language), XACML, PKI and XKMS.

    Part 3: WS-Security, what is it? What does it comprise of and when it was introduced? These questions are introduced in this section. Basic code examples in how it is used with SOAP, XML encryption and SAML.

    Part 4: The first section of this part introduces Kerberos, the MS passport, briefly looks into .NET services, the threats against them and against .NET servers. This part is the most interesting for me, purely due to the fact that in my work we develop and deploy web services using asp and .NET technologies. A basic list of ways to protect your servers is given in this section, ranging from removing unused ISAPI filters in IIS to the MSSQL sa account password not being blank.

    The sections following .NET introduces and describes the Liberty Alliance Project and finally UDDI, both of which I’ve not even heard of.

    Part 5: This final section is a concluding part for the whole book, giving an overview into EBXML (electronic business XML), insight into the legal implications of online security and case studies.


Although most of the book doesn’t apply to what I do in my work, it is nevertheless a very informative and interesting read. The team at McGraw Hill has really put together an overall look on the security of web services, rather than a specific technology and touching on more services that I would ever need to use.

Very well written and in plain English. The book does have technical references that beginners might need further reading to understand. With examples and useful end of chapter checklists the book covers basic security technologies to securing Web Services.

Things I would put against this book is that it lacks practical techniques that could be implemented in a production environment and I found that the case studies were very brief and don’t go into great detail.

I would give Web Services Security 7/10.

Security Forums Discount

The publishers Mcgraw Hill have kindly setup a discount section for Security Forums' users. Discounts can be up to 30% off the RRP and postage is free on all orders over £20 in the UK & Central Europe.


This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> News // Columns // Articles All times are GMT + 2 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register