Security is everyone’s business.
It is especially so if you work in IT. At some point you will have had to implement, or at least understand, the security aspects of an application. As an application designer, you might have been asked to come up with a security model for your application. As an IT administrator, you might have been charged with configuring security for an application. It has been our experience that every architect, designer, developer, administrator, and information officer needs to understand the basics of security technologies.
Most practitioners of IT pick up the basics of security on the job. Almost everyone who has worked for a few years in IT has an intuitive feel for username/password–based authentication. A decade of practice with HTTPS has made many in the IT community familiar with PKI as well. However, the security concepts required for SOA cannot be learned by osmosis. Not only are there new security concepts and technologies that need to be understood, some of the most popular security practices turn out to be counterproductive when used in SOA implementations.
The fact that so few people understand SOA security poses a danger to the success of SOA. In our work as SOA consultants, we encounter too many customers and fellow practitioners who make poor choices about security, with the mistaken assumption that they can apply traditional application security strategies in SOA. It is in this context that we decided to write this book.
We started working with SOA security in 2003 quite by accident. In order to solve a problem for one of our clients, we had to research the state of SOA security and its evolution. As part of that work, we ended up creating a prototype security service that used WS-Security, SAML, SOAP intermediaries, and WS-Addressing. Later, through our work for other clients, including projects involving “SOA appliances,” we came to understand the evolution of SOA security better. In the process, three things became very clear:
When Manning asked if we were interested in writing a book about SOA security, we knew that it was a great opportunity for us to fill the void: a book that could be read and understood by all SOA practitioners, without a need for a formal introduction to security topics. We took up the challenge and here’s how we approached it.
In short, we wrote a book for all practitioners of SOA, and not just security specialists, with relevant technical details and lessons from the field. This book is not a comprehensive tome on the topic of SOA security. Instead it is a book that will teach you the 20% of SOA security topics that you will need 80% of the time. We hope this book will deliver value that our peers will appreciate.