Explains how to implement secure Web services and includes coverage of trust, confidentiality, cryptography, authentication, authorization, and Kerberos. You’ll also find details on Security Assertion Markup Language (SAML), XML Key Management Specification (XKMS), XML Encryption, Hypertext Transfer Protocol-Reliability (HTTP-R) and more.

Average Customer Review: ( 8 customer reviews )
Write an online review and share your thoughts with other customers.

If your are an Architect seeking a practical implementation solution or a case study to practice in your architecture, this book DOES NOT add value at ALL. As I said, this book lacks practical implementation scenarios especially examples using real world security implementations like Passport, SunONE, EnTrust, Netegrity TransactionMinder etc. So think about it.

If you are newbie wants to get ideas about Web services security then this BOOK IS THE BEST at this time ! But always lookout for latest book so that you don't get buried with obsolete specifications.

9 of 9 found the following review helpful:

The Best Book on Web Services SecurityMay 31, 2003
By Doug Kaye
This is *the* book to date on the topic. I particularly like the blend of strategy and practice that Mark and the others have achieved. They've managed to get straight to the point: The best way to secure web services today is through XML Signature, XML Encryption, SAML, and WS-Security, and this book explains how those technologies work.

Unlike another reviewer, I found this book to be a far better way to learn than the specifications or the online white papers. True, it doesn't get into vendor-specific implementation details, but I expect the vendors to provide that info.

12 of 13 found the following review helpful:

Solid intro to Web Services and its security requirementsFeb 16, 2003
By Richard Bejtlich "TaoSecurity"
Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312 page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.

Good security books do more than teach ways to attack and defend various technologies. They assume the reader isn't an expert in the technology or concept, and provide background prior to explaining weapons and tactics to exploit vulnerabilities. WSS meets this challenge by educating readers on the purpose, history, and future of Web Services. The authors take nothing for granted, explaining why transport-level encryption via SSL is insufficient for Web Services. WSS emphasizes key security concepts like "persistence" and separating policy enforcement from decision-making. I also appreciated the authors' willingness to share key insights, like the argument that "like XKMS, XACML is more about applying XML to security, rather than about applying security to XML." (p. 120). This demonstrated knowledge of applying security to a wider range of subjects than just Web Services.

On the down side, I found the SAML section (ch. 6) confusing. The writing style implied another author contributed this material, and the chapter's "checklist" was a list of questions -- not the summaries found elsewhere. I didn't find the legal section (ch. 14) particularly clear, either, despite the hype it received on the back cover.

Overall, WSS is probably the best Web Services security guide currently available. It meets the market need for an introduction to the subject, and covers material neglected elsewhere, like the Liberty Alliance Project (ch. 11). Those with questions on Web Services security would do well to start looking for answers here!

6 of 6 found the following review helpful:

Covers all the basesJan 27, 2003

This very readable book covers the Web services security area well, devoting chapters to all the usual suspects (XML Encryption, XKMS, WS-Security, SAML, et al). The C# and Java code examples are neat, and I was pleased to see the new .NET Web Services Enhancements used in the code.

The standout chapters are on XKMS (I guess that must have been Phill Hallam-Baker's contribution), the WS-Security roadmap, and a chapter on the legal implications of Web services. It's not often you find a legal chapter in a technology book - I guess that is a sign of the times. One of the case studies in the appendix focusses on implementing the Vordel product, though the rest of the book is vendor-neutral.

A lot of this stuff is a moving target, so I'd like to have seen a website of updates provided. But the book itself is an excellent introduction to this over-hyped and sometimes confusing area - highly recommended.

4 of 4 found the following review helpful:

Points you in the right directionNov 15, 2004
By M. Ashworth
Writing a book like this is always going to be a difficult task in an up and coming technology. This book handles it exceptionally well. Although being written in 2003 it manages to cover core web service security issues such as WS-Security, SAML and two options of identification softwre such as Liberty Alliance and the Microsoft .NET passport. For once it is refreshing to read a book that is concerned more with security for you and not trying to evangelise something down your neck. It introduces a good range of security issues that approach different aspects of web services security. This was a great start for me to start learning about web services security and the approaches to implementing it. So its a must read for any beginner in the subject.

See all 8 customer reviews on Amazon.com