
Security is everyone’s business.

It is especially so if you are in IT. At some point, you will have had to implement, or at least understand, the security aspects of applications. As an application designer, you might have been asked to come up with a security model for your application. If you are an IT administrator, you might have been charged with the task of configuring security for an application. It has been our experience that every architect, designer, developer, administrator, and information officer needs to understand the basics of security technologies.

Most practitioners of IT pick up the basics of security on the job. Almost everyone who has worked for a few years in IT has an intuitive feel for username/password–based authentication. A decade of practice with HTTPS has made many in the IT community familiar with PKI as well. However, the security concepts required for SOA cannot be learned by osmosis. Not only are there new security concepts and technologies that need to be understood, some of the most popular security practices turn out to be counterproductive when used in SOA implementations.

The fact that so few people understand SOA security poses a danger to the success of SOA. In our work as SOA consultants, we encounter too many customers and fellow practitioners who make poor choices about security, with the mistaken assumption that they can apply traditional application security strategies in SOA. It is in this context that we decided to write this book.

We started working with SOA security in 2003 quite by accident. In order to solve a problem of one of our clients, we had to research the state of SOA security and its evolution. As part of that work, we ended up creating a prototype security service that used WS-Security, SAML, SOAP intermediaries, and WS-Addressing. Later, through our work for other clients, including projects involving “SOA appliances,” we came to understand the evolution of SOA security better. In the process three things became very clear:

  1. SOA security is an important topic that the global IT community needs to understand.
  2. The material available on the Web is fragmented, and it is not easy for even experienced IT practitioners to learn by themselves.
  3. The few books available on the topic introduced the standards but did not help general SOA practitioners who are not security experts to put those standards into practice.

When Manning asked if we were interested in writing a book about SOA security, we knew that it was a great opportunity for us to fill the void: a book that could be read and understood by all SOA practitioners, without a need for a formal introduction to security topics. We took up the challenge and here’s how we approached it.

  • We made sure that nonexperts could follow this book. We tried to provide all the prerequisites so that you will be able to understand the book without any external resources.
  • We provided theory together with working examples. We wanted to make sure that you understood how and why a security solution works so you can modify it to suit your needs. We provide only the essential details of theory to keep it simple.
  • We explained how each concept is useful in the real world and pointed out its limitations and extensions.
  • We provided a list of references for readers interested in digging deeper.

In short, we wrote a book for all practitioners of SOA, and not just security specialists, with relevant technical details and lessons from the field. This book is not a comprehensive tome on the topic of SOA security. Instead it is a book that will teach you the 20% of SOA security topics that you will need 80% of the time. We hope this book will deliver value that our peers will appreciate.
