Posted: Wed Sep 17, 2003 8:43 pm Post subject: Book Review - Web Services Security
Web Services Security
Author: Mark O’Neill with Phillip Hallam-Baker, Sean Mac Cann, Mike Shema, Ed Simon, Paul A. Watters and Andrew White
Publisher: Osborne McGraw-Hill
Book Specifications: Soft-cover, 312 pages, no CD-ROM
Category: Web Security
Audience Level: Primarily for software developers and architects deploying XML web services.
Suggested Publisher Price: $49.99 USA / $74.95 CAN / £31.29 UK
Amazon UK: Web Services Security
Amazon.com: Web Services Security
Special Discounted Security Forums Price: £27.74 UK GBP - http://www.mcgraw-hill.co.uk/securityforums
Synopsis from back cover
Minimize security risks in your system by successfully rolling out secure Web Services with help from this exceptional guide. Web Services Security covers everything network professionals need to know, including details on Web Services architecture, SOAP, UDDI, WSDL, XML Signature, XML Encryption, SAML, XACML, XKMS, and more.
You’ll also get implementation techniques as well as case studies featuring global services provision initiatives such as the Alliance project. Practical, comprehensive, and up-to-date, this is a must-have reference for every administrator interested in conquering real-life security challenges through the effective use of Web Services.
Working within the Web Services/Web Development field, I was given a copy of the book to review. Prior to receiving this book, my initial thought based on the title was that the book would be geared more towards security for web sites and servers, including what attacks are used and how to defend against them.
Intended Audience For This Book
This book is intended for software developers, architects, security professionals and network administrators who are responsible for deploying Web Services and who require more information and knowledge on the security implications.
The book starts with a biography of the authors and contributors, followed by the contents listing. A foreword discussing Web Services by Patrick J. Gannon, President & CEO of OASIS Open, is next, followed by acknowledgements and a brief introduction.
Part 1 – Introduction
Chapter 1
- Presenting Web Services
- Defining Web Services
- Introducing the XML Family
- XML for Communication
- An Example Web Services Scenario
- Practical Tools
Chapter 2
- Presenting Security
- The Building Blocks of Security
- Peeling Back the Layers of Security
Chapter 3
- New Challenges and New Threats
- Web Services Security Challenges
- Meeting the Challenges: New Technology for the Web
- Web Services Security Threats
Part 2 – XML Security
Chapter 4
- XML Signature
- Making Sense of XML Signature
- Uses of XML Signature for Web Services Security
- Creating and Validating an XML Signature
Chapter 5
- XML Encryption
- Introduction to XML Encryption
- Encryption Scenarios
- Encryption Steps
- Decryption Steps
- Code Examples
- The Overlap with XML Signature
Chapter 6
- How SAML Enables “Portable Trust”
- Deploying SAML
Chapter 7
- Introduction to XACML
- Rules in XACML
Chapter 8
- XML Key Management Specification (XKMS)
- Public Key Infrastructure
- XKMS and PKI
- The XKMS Protocol
- XML Key Information Service Specification
- Advanced Protocol Features of XKMS 2.0
Part 3 – Security in SOAP: Presenting WS-Security
Chapter 9
- Introduction to WS-Security
- SAML and WS-Security
Part 4 – Security in Web Services Frameworks
Chapter 10
- .NET and Passport
- Ticket, Please: A Kerberos Overview
- Web Services and .NET
Chapter 11
- The Liberty Alliance Project
- What Does the Liberty Alliance Project Have to Do with Web Services?
Chapter 12
- UDDI and Security
- UDDI Overview
- Securing Transactions with the UDDI Services
Part 5 – Conclusion
Chapter 13
- ebXML Security Overview
- ebXML Registry Security
- ebXML Message Security
- Standards Overview
- ebXML Standards Overview
- Message Security Conclusions
Chapter 14
- Legal Considerations
- The Role of Contract Law and Evidence in Online Security
- Applying the Law to Particular Technologies
Appendix A
- Case Studies
- Local Government Service Portal
- Foreign Exchange Transactions
- XML Gateway Rollout
Part 1: The first chapter is a great introduction to the book. It introduces and explains Web Services, then defines the XML family, not just as the eXtensible Markup Language itself but also the family of related technologies.
The second chapter introduces encryption, the various types of encryption and their uses, from digital certificates to smartcards. The second part of this chapter briefly discusses the vulnerabilities of the network, session, transport and application layers of the OSI model.
The third chapter focuses solely on Web Services security at the application layer, using HTTP and SOAP as the underlying technologies.
Part 2: This whole section covers technologies for XML security, which I’ve not actually had any experience with. There are informative chapters explaining XML Signature and XML Encryption, stating what each is and what it isn’t, and describing the deployment of SAML (Security Assertion Markup Language), XACML, PKI and XKMS.
Part 3: WS-Security: what is it? What does it comprise, and when was it introduced? These questions are addressed in this section, along with basic code examples of how it is used with SOAP, XML Encryption and SAML.
Part 4: The first section of this part introduces Kerberos and MS Passport, and briefly looks into .NET services, the threats against them and against .NET servers. This part is the most interesting for me, purely because in my work we develop and deploy web services using ASP and .NET technologies. A basic list of ways to protect your servers is given in this section, ranging from removing unused ISAPI filters in IIS to making sure the MSSQL sa account password is not blank.
The sections following .NET introduce and describe the Liberty Alliance Project and finally UDDI, neither of which I had even heard of.
Part 5: This final section concludes the whole book, giving an overview of ebXML (electronic business XML), insight into the legal implications of online security, and case studies.
Although most of the book doesn’t apply to what I do in my work, it is nevertheless a very informative and interesting read. The team at McGraw-Hill has really put together an overall look at the security of web services, rather than at a specific technology, touching on more services than I would ever need to use.
It is very well written and in plain English. The book does have technical references that beginners might need further reading to understand. With examples and useful end-of-chapter checklists, the book covers the basic security technologies for securing Web Services.
The things I would hold against this book are that it lacks practical techniques that could be implemented in a production environment, and that the case studies are very brief and don’t go into great detail.
I would give Web Services Security 7/10.
Security Forums Discount
The publishers McGraw-Hill have kindly set up a discount section for Security Forums' users. Discounts can be up to 30% off the RRP, and postage is free on all orders over £20 in the UK & Central Europe.
This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.