Customer Reviews

Expert Web Services Security in the .NET Platform

5 star:		(0)
4 star:		(3)
3 star:		(0)
2 star:		(1)
1 star:		(1)

 

 

The book offers a good general description of Web Services. And specifically on how to make a simple Web Service using the .NET platform. But the thrust of the book is in showing how to incorporate cryptographic methods into the WS communications. The authors claim that perhaps the most important reason that WS have not taken off is security. Without a secure authentication and authorisation of messages, companies are leery about exposing their data via WS.

So the book devotes most of its space to the various cryptographic issues involved in .NET and WS. Some of this is not restricted to WS. For example, you may want to encrypt a channel, over which you will send sensitive data. That data might be a WS message, or something else. Hence, we get explanations of Active Directory, which handles a lot of these grubby details.

Later, they discuss public key cryptography. Which they term asynchronous encryption; not a widely used term. They contrast this to synchronous encryption, which most others call symmetric encryption.

But having said this, the book does offer a reasonable guide to using C# and .NET for WS. What is left for the reader is the much harder problem. That of designing a useful.

Please do not waste your money.
I bought this book looking at the ratings.
No coverate of WS-Security.
It talks about IIS and other setup things, not really about
.Net code.
It looks rehash of one chapter of "Building Secure Microsoft ASP.Net applications".
The book had no code examples. It says it is expert level,
but it is not.

I was excited by the prospect of this book. Many books on web services or ASP.Net offer only a short chapter on security that goes over the different authentication methods and not much more. I was looking forward to a broader end-to-end treatment of security.

Although this book did discuss a wide range of topics, it failed to tie them together. It describes a bunch of technologies but doesn't teach you how to choose between them or use them together. Some case studies or end-to-end diagrams would have really helped.

I also felt that there was not enough depth. Although the book is advertised as "advanced", it's really only an introduction to a bunch of topics. You need to go elsewhere to learn enough to really apply them. The book is quite thin.

I'm not sure who a good target audience for this book is. If you are trying to understand an overview web service security, it falls short because it doesn't do enough to help you understand the big picture. If you understand the big picture and are looking for an advanced treatment of how to implement security techniques, this book will only give you an introduction.

If you are responsible for coding applications using Microsoft's .NET platform, and you want to be sure that you're taking security seriously, you should check out this book pronto. Expert Web Services Security in the .NET Platform, written by Brian Nantz and Laurence Moroney and published by Apress®, covers the ins and outs of writing secure code with the .NET platform.

On the back cover, the user level is marked as Advanced. They're right. The first chapter alone, Web Services and XML Standards, will drop you immediately into the building of a simple web service and its consumer, with descriptions of XML Encryptions and signatures, PKI cryptography, and the various pieces of WS-Security (Web Services Security).

The most secure application won't do much good if it's run on an insecure platform. Chapter 2, Windows Security, describes in detail how to lock down IIS 6.0 (and Windows itself) to the most secure it can be. The following chapter on ASP.NET Architecture provides an overview of the security features in ASP.NET 1.1 with respect to web services.

I really enjoyed going through the chapter on Security Tools and Tips. Not only do you learn how to mask your identity and how to securely update your files, but you learn about the most popular tools available (most of them free) to test your security.

Arguably, the most important security tool is cryptography. The chapter on .NET Cryptography gives a basic overview of the terminology and techniques for encrypting your traffic. This sets the stage for the next few chapters, which go into detail about securing the web services with Integrated Windows Security, SSL, and the Web Services Enhancements (WSE).

Of course, any major site is going to have a lot of data to store that needs to be available to the web server. With so many exploits against SQL servers, Brian and Laurence put in a chapter devoted to securing SQL with ASP.NET, containing information on how to authenticate, how to impersonate, and how to obviate common attacks.

The last bit of protection needed is for the code itself. Open Source is very desirable these days, but many companies maintain their profit levels by protecting their intellectual property. .NET adds protection for the code itself by IL Obfuscation. Proper obfuscation renders reverse engineering techniques practically useless. Chapter 10 explains in detail everything you need to know to protect your code from inspection.

Expert Web Services Security in the .NET Platform provides a lot of valuable information for programmers using the Microsoft .NET platform. My only concern is that it didn't go as deep as it should have. At only 280 pages, it's rather slim to be covering such a deep topic as security throughout .NET. I hope that the second edition is bulked up to cover what was only skimmed over this time. I had to rank this an 4 out of 5, mostly due to the lack of depth in areas. Overall, a very useful book for .NET programmers.

In this smallish 250 page book you would expect a significant proportion of the pages to be spent on WSE. Particularly when the book is for experts. Unfortunately the WSE coverage is only 18 pages.

That's not a fatal flaw though. There are excellent chapters on general security and cryptography. And chapter 10 on code obfuscation will probably be the only book on IL obfuscation until the rumored Decompiling C# arrives.

The book is well written. The style is terse and to the point. One chapter is very screenshot heavy, but the rest use graphics sparingly and to best effect.

I'd like to see a more focused book on WSE, but in the meantime this is a good book on security topics for Windows in general, and for web services in particular.