Web Services Security (Paperback)

~ Mark O'Neill (Author)

Editorial Reviews

Product Description

Explains how to implement secure Web services and includes coverage of trust, confidentiality, cryptography, authentication, authorization, and Kerberos. You'll also find details on Security Assertion Markup Language (SAML), XML Key Management Specification (XKMS), XML Encryption, Hypertext Transfer Protocol-Reliability (HTTP-R) and more.

From the Back Cover

Your definitive Web Services security resource

Minimize security risks in your system by successfully rolling out secure Web Services with help from this exceptional guide. Web Services Security covers everything network security professionals need to know, including details on Web Services architecture, SOAP, UDDI, WSDL, XML Signature, XML Encryption, SAML, XACML, XKMS, and more. You'll also get implementation techniques as well as case studies featuring global service-provision initiatives such as the Liberty Alliance Project. Practical, comprehensive, and up-to-date, this is a must-have reference for every administrator interested in conquering real-life security challenges through the effective use of Web Services.

• Learn the high-level principles of security and how they apply to Web Services
• Deploy Web Services technology following practical and clear examples
• Use XKMS for validation and accountability
• Ensure data integrity by using XML Signature and XML Encryption with SOAP
• Use SAML and XACML for authentication and authorization
• Learn the major components of the evolving ebXML standard
• Gain valuable insight into the legal aspects of Web Services security--including digital signature laws, privacy issues, and application-to-application transactions

See all Editorial Reviews

Product Details

• Paperback: 312 pages
• Publisher: McGraw-Hill Osborne Media; 1 edition (January 31, 2003)
• Language: English
• ISBN-10: 0072224711
• ISBN-13: 978-0072224719
• Product Dimensions: 9 x 7.3 x 0.9 inches
• Shipping Weight: 1.4 pounds (View shipping rates and policies)
• Average Customer Review: 4.4 out of 5 stars  See all reviews (8 customer reviews)
• Amazon.com Sales Rank: #654,606 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

13 of 14 people found the following review helpful:

4.0 out of 5 stars Solid intro to Web Services and its security requirements, February 15, 2003

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312 page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.

Good security books do more than teach ways to attack and defend various technologies. They assume the reader isn't an expert in the technology or concept, and provide background prior to explaining weapons and tactics to exploit vulnerabilities. WSS meets this challenge by educating readers on the purpose, history, and future of Web Services. The authors take nothing for granted, explaining why transport-level encryption via SSL is insufficient for Web Services. WSS emphasizes key security concepts like "persistence" and separating policy enforcement from decision-making. I also appreciated the authors' willingness to share key insights, like the argument that "like XKMS, XACML is more about applying XML to security, rather than about applying security to XML." (p. 120). This demonstrated knowledge of applying security to a wider range of subjects than just Web Services.

On the down side, I found the SAML section (ch. 6) confusing. The writing style implied another author contributed this material, and the chapter's "checklist" was a list of questions -- not the summaries found elsewhere. I didn't find the legal section (ch. 14) particularly clear, either, despite the hype it received on the back cover.

Overall, WSS is probably the best Web Services security guide currently available. It meets the market need for an introduction to the subject, and covers material neglected elsewhere, like the Liberty Alliance Project (ch. 11). Those with questions on Web Services security would do well to start looking for answers here!

15 of 17 people found the following review helpful:

3.0 out of 5 stars Good concepts coverage - But no example proof, March 8, 2003

By	Prasad Reddy "Prasad" (Sanjose, CA) - See all my reviews

With 2 book on our Web services library shelves, this book adds in as the best for getting introduction to Web services security specifications and popular implementations. If you are little lazy to read the specs from web sites, this book is an ideal choice to get an introduction to them. But again, this book is a bundle of content reproducing the specs of XML Security efforts at W3C, OASIS, WS-Security (IBM & Microsoft), Sun's Liberty, Microsoft Passport. Interestingly this book also contains some obsolete versions of Security specs (So be careful, before you assume things).

If your are an Architect seeking a practical implementation solution or a case study to practice in your architecture, this book DOES NOT add value at ALL. As I said, this book lacks practical implementation scenarios especially examples using real world security implementations like Passport, SunONE, EnTrust, Netegrity TransactionMinder etc. So think about it.

If you are newbie wants to get ideas about Web services security then this BOOK IS THE BEST at this time ! But always lookout for latest book so that you don't get buried with obsolete specifications.

8 of 8 people found the following review helpful:

5.0 out of 5 stars The Best Book on Web Services Security, May 31, 2003

By	Doug Kaye (Kentfield, CA USA) - See all my reviews (REAL NAME)

This is *the* book to date on the topic. I particularly like the blend of strategy and practice that Mark and the others have achieved. They've managed to get straight to the point: The best way to secure web services today is through XML Signature, XML Encryption, SAML, and WS-Security, and this book explains how those technologies work.

Unlike another reviewer, I found this book to be a far better way to learn than the specifications or the online white papers. True, it doesn't get into vendor-specific implementation details, but I expect the vendors to provide that info.