Introduction


This book describes how the world of Web Services and the world of information security are coming together. Web Services and security make a compelling match, because Web Services need security in order to enjoy widespread deployment, and security technologies need the ease of deployment provided by Web Services. In theory at least, this is a win-win situation. The downside, though, is that the technologies can be complex and difficult to understand. This book will help you understand Web Services security by explaining the technologies in plain English, using practical programming examples.

We start out by introducing Web Services. Web Services is an important new technology, one which is distinguished by its cross-industry support. IBM, HP, Oracle, Microsoft, Novell, and Sun all offer Web Services frameworks. Gartner predicts that in 2004, Web Services will dominate deployment of new application solutions for Fortune 2000 companies (Gartner, Inc., 2002). Security concepts such as authentication, authorization, and data integrity are referenced throughout this book. These security concepts are given their own chapter to set the scene for later chapters where they are related to Web Services. A common thread running through this book is that Web Services security relies on these established security concepts and technologies, which have not changed or been made obsolete by Web Services.

These two introductory chapters set the scene for a chapter discussing the gamut of security protocols and procedures relevant to Web security. This chapter discusses not only the how of Web Services security, but also the why. Web Services security technologies such as SAML and WS-Security operate at the application layer, but even so, it is important to keep the entire security context of the Web Service in mind. This includes properly configured firewalls, the use of patched and locked-down Web servers, and (especially if digital certificates are used) the use of an adequate security policy document. It would be foolish to address just the new security challenges posed by Web Services and leave a system open to attack through more traditional channels. Therefore, as well as covering the theory of Web Services security, this book is intended to be a practical guide to deploying secure Web Services. This might sound like a lot of work, but once you’re familiar with the basic concepts, it all starts to make sense.

Next, the new security initiatives addressing Web Services are dealt with chapter by chapter. These are XML Signature, XML Encryption, SAML, XACML, XKMS, and WS-Security. If you already know the basics of XML, Web Services, and information security, you can skip directly to these chapters. In addition to these vendor-neutral technologies, vendor-led initiatives such as Microsoft’s .NET myServices and Project Liberty are discussed as well.

The area of UDDI security is still somewhat hypothetical and a matter for debate, but there is a great deal of interest in this debate. Therefore, the application of initiatives such as XML Signature and XML Encryption to UDDI is allotted a chapter. ebXML may be considered as an alternative to Web Services. However, it includes many technologies that overlap with Web Services—XML, of course, and SOAP also. In addition, ebXML has a security model that makes use of technologies such as XML Signature and XML Encryption. Therefore, it deserves a place in the book.

Unusually, perhaps, for a technical book, a chapter is dedicated to the legal aspects of Web Services security. These legal aspects include the digital signature laws as they apply to XML Signature, privacy issues when implementing SAML, and the legal questions arising from application-to-application transactions. Legal considerations are catching up on all aspects of information technology, and Web Services is no exception. Questions like, “When an application connects to another application to make a fraudulent transaction, who is to blame?” and “Is nonrepudiation realistic?” are answered in this chapter.

Although this book is about securing Web Services, we frequently look at the flip side of securing Web Services—attacking Web Services. This is largely speculative, but it is not difficult to look at the techniques used to attack Web applications and extrapolate them to Web Services. The future of Web Services security will depend not only on what attacks are developed against Web Services, but also on which attacks are publicized. As in all walks of life, it is important to “know your enemy.” This book is designed to provide all the information needed to protect Web Services from attack.

The case studies appendix takes the Web Services topics that are covered in the main body of the book and presents them in a real-life context. Each opens with a statement of a problem, and then lists the appropriate Web Services security technologies to be used in the solution. Remember that the entire security context of the Web Service must be taken into account—firewalls, patched and locked-down Web servers, and (for some solutions) the use of either a secure channel (SSL, VPN) or message-level security.

Intended Audience for This Book

Programmers and architects charged with deploying Web Services require knowledge of the security implications of this new technology. In addition, network security professionals require knowledge of the new application-layer security challenges posed by Web Services, and the new security standards that address these challenges. These two groups—security professionals in companies that are rolling out Web Services, and the application professionals actually rolling out these Web Services—are the audience for this book.

Primary Audiences

The primary audiences for this book are software developers and architects who are rolling out XML Web Services.

Secondary Audiences

The secondary audiences for this book include information security professionals who wish to know how to address the security vulnerabilities exposed by the use of XML Web Services.

The book is written in a direct manner, using simple examples where feasible, so it is hoped that the general non-technical reader can also learn about this exciting new area.


Web Services Security
ISBN: 0072224711
Year: 2003
Pages: 105
Authors: Mark O'Neill