Rating: 
Summary: Especially for the novice website designer
Review: A team effort, Web Services Security describes XML and Web Services security technologies, including SAML and the WS-Security roadmap, and provides practical examples in Java and C#. Web Services Security deftly and accessibly explains the technologies in plain English, using clear analogies to help the reader grasp the concepts needed to understand Web Services security, and illustrate implementation techniques as well as case studies featuring global service-provision initiatives such as the Liberty Alliance Project. Highly recommended, especially for the novice website designer. 336 pages
Rating: 
Summary: Solid intro to Web Services and its security requirements
Review: Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312 page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.
Good security books do more than teach ways to attack and defend various technologies. They assume the reader isn't an expert in the technology or concept, and provide background prior to explaining weapons and tactics to exploit vulnerabilities. WSS meets this challenge by educating readers on the purpose, history, and future of Web Services. The authors take nothing for granted, explaining why transport-level encryption via SSL is insufficient for Web Services. WSS emphasizes key security concepts like "persistence" and separating policy enforcement from decision-making. I also appreciated the authors' willingness to share key insights, like the argument that "like XKMS, XACML is more about applying XML to security, rather than about applying security to XML." (p. 120). This demonstrated knowledge of applying security to a wider range of subjects than just Web Services.
On the down side, I found the SAML section (ch. 6) confusing. The writing style implied another author contributed this material, and the chapter's "checklist" was a list of questions -- not the summaries found elsewhere. I didn't find the legal section (ch. 14) particularly clear, either, despite the hype it received on the back cover.
Overall, WSS is probably the best Web Services security guide currently available. It meets the market need for an introduction to the subject, and covers material neglected elsewhere, like the Liberty Alliance Project (ch. 11). Those with questions on Web Services security would do well to start looking for answers here!
Rating:
Summary: Solid intro to Web Services and its security requirements
Review: Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312 page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.
Good security books do more than teach ways to attack and defend various technologies. They assume the reader isn't an expert in the technology or concept, and provide background prior to explaining weapons and tactics to exploit vulnerabilities. WSS meets this challenge by educating readers on the purpose, history, and future of Web Services. The authors take nothing for granted, explaining why transport-level encryption via SSL is insufficient for Web Services. WSS emphasizes key security concepts like "persistence" and separating policy enforcement from decision-making. I also appreciated the authors' willingness to share key insights, like the argument that "like XKMS, XACML is more about applying XML to security, rather than about applying security to XML." (p. 120). This demonstrated knowledge of applying security to a wider range of subjects than just Web Services.
On the down side, I found the SAML section (ch. 6) confusing. The writing style implied another author contributed this material, and the chapter's "checklist" was a list of questions -- not the summaries found elsewhere. I didn't find the legal section (ch. 14) particularly clear, either, despite the hype it received on the back cover.
Overall, WSS is probably the best Web Services security guide currently available. It meets the market need for an introduction to the subject, and covers material neglected elsewhere, like the Liberty Alliance Project (ch. 11). Those with questions on Web Services security would do well to start looking for answers here!
Rating:
Summary: Worth buying
Review: Does a good job of covering a fast changing area, and features just about everything relevant to it's subject. Material is explained well, and the authors do a good job of putting things in context and not getting too hung up on any particular vendor or technology.
Rating: 
Summary: Not a very usefull book
Review: I am disappointed by this book. I do not find much examples in this book that you can use to write a secured web services program. Most examples in this book are in the form of XML that the security architecture uses. If you are planning to write a secure web service after reading this book, then I do not recommend this book. This book provides a general overview of Web Services Security Architecture with little insight on how to actually write one. If you are developing Web Services using Java, this book is of little help. If you are developing Web Services using .NET, then three are better choices than this book.
Ejaz Jamil, MSEE, MBA
President, Jence Incorproated, Massachusetts.
Rating:
Summary: The Best Book on Web Services Security
Review: This is *the* book to date on the topic. I particularly like the blend of strategy and practice that Mark and the others have achieved. They've managed to get straight to the point: The best way to secure web services today is through XML Signature, XML Encryption, SAML, and WS-Security, and this book explains how those technologies work. Unlike another reviewer, I found this book to be a far better way to learn than the specifications or the online white papers. True, it doesn't get into vendor-specific implementation details, but I expect the vendors to provide that info.
Rating:
Summary: Very complete
Review: This is a very complete reference in that it covers all the current standards that directly and indirectly impact web services security. I really appreciated the examples of how I would go about implementing various features. In that respect, it is a valuable reference for both architects desiring to design a secure web services solution as well as to developers who must implement the solution.
Rating:
Summary: Very complete
Review: This is a very complete reference in that it covers all the current standards that directly and indirectly impact web services security. I really appreciated the examples of how I would go about implementing various features. In that respect, it is a valuable reference for both architects desiring to design a secure web services solution as well as to developers who must implement the solution.
Rating:
Summary: Covers all the bases
Review: This very readable book covers the Web services security area well, devoting chapters to all the usual suspects (XML Encryption, XKMS, WS-Security, SAML, et al). The C# and Java code examples are neat, and I was pleased to see the new .NET Web Services Enhancements used in the code. The standout chapters are on XKMS (I guess that must have been Phill Hallam-Baker's contribution), the WS-Security roadmap, and a chapter on the legal implications of Web services. It's not often you find a legal chapter in a technology book - I guess that is a sign of the times. One of the case studies in the appendix focusses on implementing the Vordel product, though the rest of the book is vendor-neutral. A lot of this stuff is a moving target, so I'd like to have seen a website of updates provided. But the book itself is an excellent introduction to this over-hyped and sometimes confusing area - highly recommended.
Rating: 
Summary: Good concepts coverage - But no example proof
Review: With 2 book on our Web services library shelves, this book adds in as the best for getting introduction to Web services security specifications and popular implementations. If you are little lazy to read the specs from web sites, this book is an ideal choice to get an introduction to them. But again, this book is a bundle of content reproducing the specs of XML Security efforts at W3C, OASIS, WS-Security (IBM & Microsoft), Sun's Liberty, Microsoft Passport. Interestingly this book also contains some obsolete versions of Security specs (So be careful, before you assume things). If your are an Architect seeking a practical implementation solution or a case study to practice in your architecture, this book DOES NOT add value at ALL. As I said, this book lacks practical implementation scenarios especially examples using real world security implementations like Passport, SunONE, EnTrust, Netegrity TransactionMinder etc. So think about it. If you are newbie wants to get ideas about Web services security then this BOOK IS THE BEST at this time ! But always lookout for latest book so that you don't get buried with obsolete specifications.
|
