XML Security

Before going into what the book contains it's important to know that much of the material is based on RSA's view of the security. This isn't a criticism, but an up-front statement of fact because if you're looking for a book that is 100% vendor neutral you are going to have to wait until one is written - this is the only book I know of that is solely about XML security.

The book starts with primers on security and XML to set the context. It then covers, in succession, digital signatures (chapters 4, 5 and 6), and XML encryption. These chapters are consistent with work and specifications produced by XML Signature WG (joint the Working Group IETF and W3C for digital signatures) and the W3C working group for XML Encryption.

Chapter 8 is specific to RSA products. It shows how to implement XML encryption using RSA BSAFE© Cert-J, which can be downloaded in a trial version from RSA's website. Chapter 9 covers XML key management specification, which are consistent with the W3C working group's specifications, and how XML security relates to web services.

Despite the slight bias towards RSA this book is an invaluable reference. It provides an in-depth discussion of major security issues, as well as how they are being addressed by the W3C. It goes without saying that anyone who is responsible for system architecture, design and/or security should carefully read this book.

Rating:
Summary: Excellent book on XML security
Review: When you read the XML specification, you will notice that it contains no notion of security. Critical security functionalities such as encryption, digital signatures, and authentication are simply not part of the XML standard. XML is similar to many other protocols, languages, and operating systems in that it was originally developed without any thought to security and privacy. It is only after serious security vulnerabilities are discovered and publicized that they are patched. But this find, patch, fix mentality of information security is dangerous in that security problems can exist for months or years before they are found.

Similarly within XML, much of the security functionality has been added post- facto, namely in Canonical XML, XML Signature, and XML Encryption Syntax and Processing. By adding security to the core feature set of XML, the W3C has ensured that,
to a degree, the find, patch, fix method won't be the manner in which XML security is developed. A good reference book can help you navigate this XML security landscape.

XML Security is a reader friendly title and focuses more on the implementation of XML. For readers looking for ways to use XML and less coding examples, XML Security is more useful book. The author, Blake Dournaee, is an employee of RSA Security, and the book is an RSA Press imprint. Furthermore, Chapter 8, the book's longest chapter, is about XML Signatures implementing the RSA BSAFE(c) Cert-J toolkit. Even with the RSA vendor bias, XML Security provides a good reference to the XML security functionality.

This book spends more time introducing the reader to security concepts, and Chapters 2 and 3 (Security Primer and XML Primer) provide the reader with a good overview about all of the significant concepts involved. Chapter 6 provides a plethora of XML signature examples. As XML signatures are rich in their features and syntax, combined with the vast number of elements and permutations of those elements, it can be quite difficult for someone to understand how to properly use XML signatures. Chapter 6 provides 14 different scenarios and their proposed solutions. These scenarios range from adding a single signature to a basic XML document, to adding multiple types of signatures to various documents. For readers who need good hands-on examples, Chapter 6 is worth the price of the book alone.