IEEE DISTRIBUTED SYSTEMS ONLINE 1541-4922 © 2004 IEEE Published by the IEEE Computer Society Vol. 5, No. 1; January 2004
Moving Web Services to the Secure Side
Juan M. Estevez-Tapiador

Web Services Security
By Mark O'Neill
312 pages, US$49.99
McGraw-Hill Osborne Media, 2003
ISBN 0-07-222471-1
Web Services is a clear example of how an increase in functionality usually goes hand in hand with an increase in security threats and, therefore, security costs. The potential risks of deploying this technology should concern every security professional who might have to deal with them. Network defenses require new protection layers to block the numerous security holes that Web Services usually leave open. Among the available texts on security in Web Services, Web Services Security is almost without a doubt the best-structured compilation of concepts and practices in this field that you can get today. If you aren't familiar with security concepts and practices, you'll need some faith to accept that the underlying techniques provide the required security functions. Even though the authors put some general cryptographic principles in context (symmetric and asymmetric encryption, digital signatures, and so forth), they don't go into specific algorithms or mathematical foundations. So, the book's goal is that you acquire notions of Web Services' general security requirements and learn how to use these techniques to help meet them. One of the book's successes is that it follows the general rule that you should first consider security in terms of high-level requirements before selecting a specific technology that can cope with them.
SECURITY SOLUTIONS FOR THE NEW SCENE

Part 1 of Web Services Security introduces the reader to the context and purpose of Web Services security. Chapter 1 briefly presents the most important technologies involved in Web Services: Universal Description, Discovery, and Integration; Web Service Definition Language; the well-known XML family, which plays a key role in the world of Web Services; and Simple Object Access Protocol. Chapters 2 and 3 present, respectively, essential security topics and the new challenges and threats that emerge in Web Services. Even though the authors adequately introduce the key issues, the issues don't receive a deep treatment. Therefore, it helps to have a background in both topics.

Part 2 covers the key themes of XML security. Chapter 4 deals with XML signatures, a building block for several Web Services security mechanisms. Through several illustrative examples, this chapter explains what an XML signature is, which security services it offers, and how to create such a digital signature, place it inside an XML document, and validate it. XML encryption, another building block of XML security, receives similar coverage in chapter 5. The authors justify the need to encrypt XML documents and present scenarios in which you can apply encryption: encrypting an entire XML document, encrypting only the contents, encrypting only a single element, and more. As in other sections, the code examples illustrate well how to perform these steps.

Chapter 6, which covers the Security Assertion Markup Language, discusses the idea of portable trust, a single sign-on mechanism that lets entities from one domain invoke services in another domain. Fundamentally, portable-trust technology is concerned with access control for authenticated entities based on a set of policies. The chapter introduces the existing types of assertions, the way they're used, and the most important issues concerning SAML's architecture and deployment.
Chapter 7 presents the Extensible Access Control Markup Language, a technology designed to define security policies in XML format and exchange them. The authors discuss and exemplify how XACML allows the definition of rules, which are subsequently consolidated into policies. They introduce both architecture and syntax. Finally, part 2 ends with chapter 8, which presents the XML Key Management Specification, a Web Service that serves as an interface to a Public Key Infrastructure.

Part 3, which includes only chapter 9, addresses the SOAP security issues covered by Web Services Security. After introducing the stack of specifications composed of WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation, and WS-Authorization, the chapter explains how to use the building blocks for XML security from part 2 for Web Services. The authors address WS-Security's major elements by describing how to enclose the various security tokens and blocks inside SOAP messages. As the authors state at the chapter's end, the WS-Security specification is just the first in a road map, and subsequent specifications could differ from those described in this chapter. Surely, the concepts introduced will carry through into later standards. It's crucial, however, to be alert for new specifications.

Part 4 examines several issues related to security in specific Web Services frameworks. Chapter 10 deals with Microsoft's .NET and Passport technologies, and chapter 11 is devoted to the Liberty Alliance Project, an effort initiated by Sun Microsystems and now involving numerous companies. O'Neill and his contributors describe these frameworks' basic architecture and operation and the main security threats they face. Although these two initiatives share the key function of identity management aimed at providing unified authentication, each takes a quite different approach. As the authors shrewdly observe, you don't often find "UDDI" and "security" in the same sentence. Chapter 12 provides an overview of the UDDI protocol and how to apply the security technologies learned. Access controls, digital signatures, and encryption are required in order to secure transactions among UDDI services. The chapter progressively covers the steps needed to reach this goal, providing many examples to show how these approaches work in practice. Part 5, which concludes the book, covers miscellaneous Web Services topics.
In chapter 13, the authors provide a brief overview of the main e-business XML security concerns. Chapter 14 presents legal considerations related to online contracting. It takes into account the security items required to prove that a certain contract was agreed to online, when it was agreed to, and who agreed to it.

Considering the field's rapidly changing nature, the book achieves a good blend of theory and practice. It adequately covers the basic technologies involved in Web Services security using a step-by-step approach. It explains how to use the technologies through many examples, including XML listings and some pieces of Java and C# code. I would have liked to see, however, more case studies as well as practical implementation scenarios. An overall view of how to put them all together to design a complete system would have been extremely useful. The case studies, which are consigned to a single appendix at the book's end, are quite illustrative but receive very superficial coverage. With the exception of a few links, the total lack of bibliographic references was surprising. Although this is indeed an evolving field, a list of optional readings and links for those who want to dig deeper into details is always a valuable contribution.
A GOOD STARTING POINT

When you try to drop down to vendor-specific technologies in an evolving area such as Web Services security, you usually must deal with specifications, white papers, implementation details, and so on. For those who want to acquire a sound knowledge of this subject, this book is an excellent starting point. I find it useful for both architects and developers involved with the design of secure Web Services solutions. On the other hand, people working solely in the security community will find in it an application of some well-established and traditional security practices to a specific technology, with that technology's own threats and challenges.
CONCLUSION

If you're considering buying this book, bear in mind, however, that no book on such an incessantly evolving technology can remain up to date for even a few years. Be careful about what you assume: don't consider this book's contents as standards, because the standards are still being defined, but only as a good introduction to the major issues in Web Services security. As in many other fields, to stay updated, periodically consult information sources that are more dynamic than books, such as magazines and journals on these topics as well as standards adopted by industry players. Otherwise, you run the risk of relying on obsolete specifications.
Juan M. Estevez-Tapiador is a research assistant in the University of Granada's Department of Electronics and Computer Technology. Contact him at [email protected].